October 23, 2018
2018 Department of Justice Report: Executing Your Response Plan
You’ve just been hacked. Now what? A hack is never 100% preventable, but you can still be 100% prepared by having a plan in place.
If you’ve followed the Department of Justice’s advice about the steps to take before a hack, you should have no problem gathering the right people, the right data, and the right technology to carry out your incident response plan.
As soon as you find out that your organization has been hacked, you need to collect as much data as you can to assess the scope of the incident. Was the hack malicious? Was it caused by an innocent employee error? The cause of the hack, whether ill intent or poor training, will determine how you should respond.
To get to the bottom of the hack’s cause, you need to be able to identify:
- Which computers were affected
- The origin of the attack
- Whether or not malware was used
- Where data is being sent remotely
- Identities of other potential victims
- Current external connections
- Open ports
- Users who are logged in
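Several of the items above (current external connections, open ports, logged-in users and where data is being sent) are volatile: they disappear on reboot, so they are captured first, read-only, before anything is changed. The following is an added example, not code from the blog post or from the DoJ report, of a small triage snapshot for a Linux host. It parses `ss -tnap` and `who` output, so it can be run live or against text saved from the affected machine. The sample output and the list of "internal" networks are constructed for illustration; an organization substitutes its own address space.

```python
"""Volatile-state triage snapshot for first response (added example).

Assumptions: Linux host with iproute2 `ss` and `who`; the organization's
internal address space is the RFC 1918 ranges listed below. Nothing here
modifies the host; it only reads and records.
"""
import ipaddress
import json
import re
import subprocess
from datetime import datetime, timezone

# Assumption: these are the networks the organization considers internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of `ss -tnap` output (TEST-NET addresses, fictional pids).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port   Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*           users:(("sshd",pid=501,fd=3))
LISTEN 0      128    0.0.0.0:8080         0.0.0.0:*           users:(("app",pid=777,fd=6))
ESTAB  0      0      10.0.0.5:445         10.0.0.12:51234     users:(("smbd",pid=812,fd=9))
ESTAB  0      0      10.0.0.5:49872       203.0.113.77:443    users:(("updater",pid=2210,fd=5))
ESTAB  0      0      127.0.0.1:5432       127.0.0.1:60010     users:(("postgres",pid=640,fd=7))
"""

# Constructed sample of `who` output.
SAMPLE_WHO = """\
alice      pts/0        2018-10-23 09:12 (10.0.0.12)
svc-backup pts/1        2018-10-23 02:41 (203.0.113.77)
root       tty1         2018-10-22 18:03
"""

PROC_RE = re.compile(r'"([^"]+)",pid=(\d+)')


def _split_endpoint(endpoint):
    """'10.0.0.5:445' -> ('10.0.0.5', 445); '[::1]:22' -> ('::1', 22); '*:*' keeps '*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), int(port) if port.isdigit() else port


def _proc(field):
    m = PROC_RE.search(field)
    return {"name": m.group(1), "pid": int(m.group(2))} if m else {"name": "", "pid": None}


def parse_ss(text):
    """Parse `ss -tnap`-style lines into connection records (header skipped)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] == "State":
            continue
        local_ip, local_port = _split_endpoint(parts[3])
        peer_ip, peer_port = _split_endpoint(parts[4])
        conns.append({"state": parts[0], "local_ip": local_ip, "local_port": local_port,
                      "peer_ip": peer_ip, "peer_port": peer_port,
                      "process": _proc(parts[5] if len(parts) > 5 else "")})
    return conns


def parse_who(text):
    """Parse `who` lines: user, tty, login time, and origin (or 'local')."""
    sessions = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        origin = parts[4].strip("()") if len(parts) > 4 else "local"
        sessions.append({"user": parts[0], "tty": parts[1],
                         "since": f"{parts[2]} {parts[3]}", "from": origin})
    return sessions


def is_external(addr, internal_nets=INTERNAL_NETS):
    """True only for a routable address outside loopback, link-local and internal ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # '*', hostnames, 'local'
        return False
    if ip.is_loopback or ip.is_link_local:
        return False
    return not any(ip in net for net in internal_nets)


def triage(ss_text, who_text, internal_nets=INTERNAL_NETS):
    """Answer the checklist: open ports, external connections, who is logged in and from where."""
    conns = parse_ss(ss_text)
    logins = parse_who(who_text)
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "listening": [c for c in conns if c["state"] == "LISTEN"],
        "external_connections": [c for c in conns if c["state"] == "ESTAB"
                                 and is_external(c["peer_ip"], internal_nets)],
        "logins": logins,
        "external_logins": [s for s in logins if is_external(s["from"], internal_nets)],
    }


def collect_live():
    """Run the collectors on this host (read-only commands)."""
    ss_out = subprocess.run(["ss", "-tnap"], capture_output=True, text=True, check=True).stdout
    who_out = subprocess.run(["who"], capture_output=True, text=True, check=True).stdout
    return triage(ss_out, who_out)


if __name__ == "__main__":
    # Demonstrate on the constructed samples; use collect_live() on a real host.
    print(json.dumps(triage(SAMPLE_SS, SAMPLE_WHO), indent=2))
```

The snapshot deliberately records everything and judges nothing: the process name behind an outbound connection to an address outside the organization's ranges, and a login from such an address, are the facts an investigator and law enforcement want timestamped, not a verdict. Write the JSON to removable media or a separate collection host rather than to the affected disk.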
No matter what, don’t delete any relevant files. Doing so may destroy evidence and make it harder for law enforcement to track down the culprit.
Minimize Continuing Damage
You can’t undo the damage that has been done, but you can stop that damage in its tracks before it spreads to other devices, other departments, or even other corporations.
- Reroute network traffic
- Isolate the compromised network
- Block further unauthorized access
- Confirm the integrity of your backup data
- Contact law enforcement to coordinate efforts
Be sure to record any steps you take to mitigate the damage, as well as the costs of such strategies. Be as detailed as possible to ensure the perpetrator faces justice should he or she be caught.
Keep Logs & Records
Most of what is actually involved in responding to a hack is less glamorous than spy films and thrillers suggest. However, record-keeping can have unforeseen significance and impact. With adrenaline and anxiety running high after a data breach, a company's written records serve law enforcement far better than scattered recollections.
Businesses should be sure to record:
- Dates and times of all events, from the discovery of the hack onward
- The identity of the individuals working to remediate the issues
- Any phone calls or emails regarding the hack
- The amount and type of damage
- The systems affected
- Versions of software being run
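Both the list just above and the earlier advice to record every mitigation step and its cost are easier to act on with a log that cannot be quietly rewritten afterwards. The following is an added example, not code from the blog post or the DoJ report: a hash-chained incident log in which each entry carries the SHA-256 of the entry before it, so a later edit or deletion is detectable when the log is handed over. The sample entries, costs and the evidence bytes are constructed for illustration.

```python
"""Tamper-evident incident log (added example).

Each entry records when something happened, who did it, what was done,
which systems were involved and what it cost, and chains to the previous
entry by SHA-256. Evidence is referenced by digest rather than copied
(assumption: the originals are left untouched, as the text advises).
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entry: dict) -> bytes:
    """Stable serialization so the same entry always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


class IncidentLog:
    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.entries = []

    def record(self, actor, event, systems=(), cost_usd=0.0, artifact=None, when=None):
        """Append one entry and return its hash. `artifact` is raw evidence bytes, if any."""
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries),
            "incident": self.incident_id,
            "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "event": event,
            "systems": list(systems),
            "cost_usd": float(cost_usd),
            "artifact_sha256": _digest(artifact) if artifact is not None else None,
            "prev_hash": prev,
        }
        entry["entry_hash"] = _digest(_canonical(entry))
        self.entries.append(entry)
        return entry["entry_hash"]

    def verify(self):
        """Return the index of the first broken entry, or None if the chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["seq"] != i or e["prev_hash"] != prev or _digest(_canonical(body)) != e["entry_hash"]:
                return i
            prev = e["entry_hash"]
        return None

    def total_cost(self) -> float:
        return sum(e["cost_usd"] for e in self.entries)

    def export(self) -> str:
        """One JSON object per line, suitable for hand-over to counsel or investigators."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def demo_log() -> IncidentLog:
    """Constructed sample entries following the sequence the text describes."""
    log = IncidentLog("INC-2018-0001")  # constructed identifier
    t0 = datetime(2018, 10, 23, 9, 12, tzinfo=timezone.utc)
    log.record("alice (SOC)", "Alert reviewed; unexpected outbound connection confirmed",
               systems=["fileserver-01"], when=t0,
               artifact=b"constructed sample of the suspicious file")
    log.record("bob (IT)", "fileserver-01 isolated from network; no files deleted",
               systems=["fileserver-01", "core-switch"], cost_usd=4500.0,
               when=t0.replace(minute=40))
    log.record("carol (legal)", "FBI field office contacted; case number pending",
               when=t0.replace(hour=11))
    return log


if __name__ == "__main__":
    log = demo_log()
    print(log.export())
    print("chain intact:", log.verify() is None, "total cost:", log.total_cost())
```

Verification catches an altered field, a removed entry or a reordered one, because each check compares the stored hash against a recomputation and the sequence number against the position. It does not prevent someone from rewriting the whole chain from a point onward; publishing the latest entry hash to a second party (counsel, or the law enforcement contact) at each hand-over closes that gap.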
Backups should also be available. In fact, several backups should be on hand. Since data breaches are hard to identify at times, a business could have been compromised for months without knowing, which means the most recent backup may already contain the intruder's changes.
One of the hardest things any business can do is go public with the news of their hack. It's why we all too often hear of large corporations waiting months or even years to tell their customers and clients about a data breach.
No one likes to make mistakes and businesses never want their customers to stop trusting them. However, telling customers about a hack early does more to earn trust than damage it. Hiding a hack, on the other hand, is one way to ensure your doors never reopen.
You should tell:
- Senior management, IT coordinators, legal counsel, and public affairs coordinators within your organization
- Federal agencies and/or law enforcement like the FBI and Secret Service (Federal investigators have the power to obtain warrants and subpoenas)
- Potential victims (like customers, partners, etc.)
You’ve worked hard to gain the trust of your customers, partners, and employees. Be careful not to lose it.