Page 67 - Cyber Warnings
Under the pressure of a real incident, confusion wastes valuable time, so test the plan, review it
regularly, and test it again.
The starting point after an attack is to establish the scope: the extent of the damage, the type of
data that was targeted and the specific endpoints affected.
The scene of the digital crime then needs to be preserved correctly: any system or device
that has been affected should be identified swiftly and forensic images taken as soon as
possible, capturing memory as well as disk where a system is still running, since volatile
evidence is lost at shutdown.
Without this, any forensic investigation can be seriously impeded.
The results of that forensic work provide the information needed to identify the risks, decide the
next course of action and then take steps to prevent a recurrence.
Organisations should collect any relevant network logs, suspect communications and files. To
maintain authenticity and a chain of custody, record a cryptographic hash of each item at the
time it is acquired, log every hand-over, and restrict access to the preserved material so that
the evidence cannot be altered or called into question.
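As an added example (not code from the article or its authors), the script below shows one way to implement the hashing and chain-of-custody record described above: it hashes each evidence item at acquisition, keeps a custody log in which every entry commits to the previous one, and can later detect an altered or missing item or an edited custody entry. The case identifier, handler names and the two sample evidence files are constructed for the demonstration.

```python
"""Evidence manifest with a tamper-evident chain-of-custody log.

Added example, not from the article. Hypothetical assumptions: evidence
items are ordinary files on disk and the manifest is a JSON document kept
with them. The sample files created in demo() are constructed inline so
the script runs offline.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large disk images are not read into memory at once
GENESIS = "0" * 64  # prev_hash of the first custody entry


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _digest(obj):
    # Canonical JSON so the same content always yields the same hash
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


def record_custody(manifest, handler, action):
    """Append a custody event. Each entry includes the hash of the item list and
    of the previous entry, so editing or removing an earlier entry breaks the chain."""
    prev = manifest["custody"][-1]["entry_hash"] if manifest["custody"] else GENESIS
    entry = {
        "handler": handler,
        "action": action,
        "at": datetime.now(timezone.utc).isoformat(),
        "items_hash": _digest(manifest["items"]),
        "prev_hash": prev,
    }
    entry["entry_hash"] = _digest(entry)
    manifest["custody"].append(entry)
    return entry


def build_manifest(paths, collector, case_id):
    """Record path, hash, size and acquisition time for every item at collection time."""
    now = datetime.now(timezone.utc).isoformat()
    items = [
        {"path": os.path.abspath(p), "sha256": sha256_file(p),
         "size": os.path.getsize(p), "acquired_at": now}
        for p in paths
    ]
    manifest = {"case_id": case_id, "items": items, "custody": []}
    record_custody(manifest, collector, "acquired")
    return manifest


def verify_manifest(manifest):
    """Return a list of problems: altered or missing evidence, or a broken custody chain."""
    problems = []
    for item in manifest["items"]:
        if not os.path.exists(item["path"]):
            problems.append(f"missing: {item['path']}")
        elif sha256_file(item["path"]) != item["sha256"]:
            problems.append(f"hash mismatch: {item['path']}")
    prev = GENESIS
    for i, e in enumerate(manifest["custody"]):
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev_hash"] != prev or e["entry_hash"] != _digest(body):
            problems.append(f"custody chain broken at entry {i}")
        prev = e["entry_hash"]
    return problems


def demo():
    """Constructed sample: a firewall log line and a small fake disk image,
    the log being appended to after acquisition. Returns (manifest, clean, tampered)."""
    d = tempfile.mkdtemp()
    log = os.path.join(d, "fw.log")
    img = os.path.join(d, "host01.raw")
    with open(log, "w") as f:  # constructed log line, not real traffic
        f.write("2016-11-02T03:14:07Z DENY 10.0.0.5 -> 198.51.100.7:443\n")
    with open(img, "wb") as f:
        f.write(os.urandom(4096))
    m = build_manifest([log, img], "analyst-a", "CASE-0001")
    record_custody(m, "analyst-b", "checked out for analysis")
    clean = verify_manifest(m)
    with open(log, "a") as f:
        f.write("tampered\n")
    return m, clean, verify_manifest(m)


if __name__ == "__main__":
    _, clean, tampered = demo()
    print("before tampering:", clean or "OK")
    print("after tampering:", tampered)
```

The custody log is only tamper-evident, not tamper-proof: anyone who can rewrite the whole manifest can recompute every hash, which is why the article's point about restricting access to the preserved material still stands. Storing the manifest (or at least its final entry hash) on separate, write-once media closes that gap.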
Preserving digital evidence can also assist law enforcement agencies to identify and prosecute
the perpetrators.
Prevent Additional Damage
In the immediate aftermath, organisations need to take steps to prevent further exfiltration of
data; intrusions often continue past the initial detection. If data is found to be leaving the
network, the channel it is leaving by needs to be shut down quickly.
Depending on the type of attack, they may need to re-route network traffic or isolate parts of
the compromised network to prevent further damage. Any system suspected of being
compromised should not be used to communicate information about the incident, since the
intruder may be reading that traffic; use an out-of-band channel instead.
Keeping a detailed record of response activities is important both for recovery and for
preventing further attacks. The incident response team should record the systems, services
and data affected by the incident, and every change made to systems and devices during the
response.
Working with the Police and Crime Agencies
In many instances, organisations are reluctant to share information with law enforcement
agencies, often for fear of the reputational damage at stake in disclosing a security
incident.
67 Cyber Warnings E-Magazine November 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide