of preserving evidence that may be extremely useful in the subsequent investigation of the
incident. Organizations should confer with forensic experts as soon as possible following the
start of an attack to ensure that the actions taken in response will not compromise important
evidence.
Involving Law Enforcement. The decision about whether to involve law enforcement sometimes involves competing considerations as well. On one hand, the increase in the prevalence of these attacks has led to significantly more attention from various law enforcement agencies, which has resulted in significantly more success in identifying and prosecuting attackers. Federal law enforcement frequently has significant intelligence on the various groups responsible for these attacks, which can provide important information for responding to, containing, and remediating them. On the other hand, law enforcement agencies may be hesitant to share much information, leaving some organizations feeling that information sharing is more of a one-way street than a mutual exchange. Additionally, alerting law enforcement can result in the agency becoming significantly more involved in, or even controlling, the investigation of the incident. This can have implications for privilege issues and, more generally, may not be ideal in all circumstances. Organizations should consult with legal counsel to evaluate the potential advantages and disadvantages of notifying law enforcement based on their specific circumstances.
DDoS Mitigation. Companies should be aware that many DDoS mitigation vendors, including Cloudflare and Akamai, offer emergency DDoS hotlines or protection services that can be deployed for new customers, even where a company has not proactively secured such services. Engaging a DDoS mitigation service provider after an attack has started can help to reduce the length and severity of an attack, allowing a company to get its affected servers and websites back up and running more quickly.
After an Attack
External Communications. When and how an organization communicates about a DDoS attack
may have significant impacts on its exposure and liability following an incident. These
communications may include: (i) general communications about the incident with media,
investors, customers, or regulators; or (ii) formal notifications ranging from those necessitated
by legal or regulatory requirements to formal contractual notices necessary to exercise force
majeure or emergency circumstances.
Further Investigation. Once business-critical functions and website functionality have been restored, further investigation into the circumstances surrounding the attack, and into what types of legal consequences may have been triggered by it, will likely be necessary. From a technical perspective, the attacked company should use any built-in incident detection measures to identify indicators of compromise and confirm that the malicious activity was limited to the DDoS attack. Forensic analysis may also be employed to determine whether any unauthorized access to, or acquisition of, customer information or confidential business information occurred under the guise of a potential DDoS "smokescreen."
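The "smokescreen" check described above can be started with a simple triage pass over the logs from the attack window: look for activity that a flood alone would not produce, such as successful logins from addresses never seen before the attack or unusually large outbound transfers while traffic was saturated. The script below is an added example, not code from the article or from any vendor it names; the log line format, the event names (login_ok, download, ddos_alert, ddos_clear), the sample log lines and the 100 MiB transfer threshold are all constructed assumptions for illustration.

```python
"""Triage check for the DDoS "smokescreen" scenario: flag activity during the
attack window that the flood itself does not explain.

Added example (not from the article). Log format, event names, sample lines
and thresholds are assumptions chosen for illustration.
"""
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample logs in an assumed format:
#   "<ISO timestamp> <event> ip=<addr> [user=<name>] [bytes=<n>]"
SAMPLE_LOGS = [
    "2016-12-01T09:55:10 login_ok ip=203.0.113.5 user=alice",
    "2016-12-01T10:00:00 ddos_alert ip=198.51.100.9",
    "2016-12-01T10:01:12 login_fail ip=203.0.113.77 user=admin",
    "2016-12-01T10:03:40 login_ok ip=203.0.113.77 user=admin",
    "2016-12-01T10:05:03 download ip=203.0.113.77 user=admin bytes=734003200",
    "2016-12-01T10:06:30 login_ok ip=203.0.113.5 user=alice",
    "2016-12-01T10:07:00 download ip=203.0.113.5 user=alice bytes=20480",
    "2016-12-01T10:40:00 ddos_clear ip=198.51.100.9",
]

# Assumed threshold: outbound transfers at or above this size are worth a look.
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024


def parse_line(line: str) -> Tuple[datetime, str, Dict[str, str]]:
    """Split one log line into (timestamp, event name, key=value fields)."""
    ts, event, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    return datetime.fromisoformat(ts), event, fields


def attack_window(lines: List[str]) -> Optional[Tuple[datetime, datetime]]:
    """Derive the attack window from the first ddos_alert and last ddos_clear."""
    alerts = [ts for ts, ev, _ in map(parse_line, lines) if ev == "ddos_alert"]
    clears = [ts for ts, ev, _ in map(parse_line, lines) if ev == "ddos_clear"]
    if not alerts or not clears:
        return None
    return min(alerts), max(clears)


def find_smokescreen_indicators(lines: List[str],
                                start: datetime, end: datetime) -> List[str]:
    """Return findings for activity inside [start, end] that is not explained
    by a volumetric flood: new-source successful logins and large downloads."""
    # Baseline: source addresses that logged in successfully before the attack.
    known_before = {
        f["ip"] for ts, ev, f in map(parse_line, lines)
        if ev == "login_ok" and ts < start
    }
    findings: List[str] = []
    for line in lines:
        ts, event, f = parse_line(line)
        if not (start <= ts <= end):
            continue  # outside the window: not part of this triage pass
        if event == "login_ok" and f["ip"] not in known_before:
            findings.append(
                f"new-source login during attack: user={f.get('user', '?')} "
                f"ip={f['ip']} at {ts.isoformat()}")
        if event == "download" and int(f.get("bytes", "0")) >= LARGE_TRANSFER_BYTES:
            findings.append(
                f"large transfer during attack: user={f.get('user', '?')} "
                f"ip={f['ip']} bytes={f['bytes']} at {ts.isoformat()}")
    return findings


if __name__ == "__main__":
    window = attack_window(SAMPLE_LOGS)
    if window is None:
        print("no ddos_alert/ddos_clear pair found; supply the window manually")
    else:
        for finding in find_smokescreen_indicators(SAMPLE_LOGS, *window):
            print(finding)
```

On the constructed sample the script reports two findings: an admin login from 203.0.113.77, an address with no successful login before the flood began, and a roughly 700 MB download from the same session a minute later. Neither is proof of compromise, but both are exactly the kind of lead that should go to forensic review rather than being written off as DDoS noise.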
Cyber Warnings E-Magazine December 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide