Prepare for and plan against a cyberattack
Consider containment, mitigation, eradication and investigation. Stop the crime from getting worse, minimize further damage, and preserve evidence. Get the attackers and infections out of your system so you can resume normal operations.
There will be tension related to the competing needs to (1) contain a breach, (2) proceed rapidly toward recovery and resumption of normal business operations, (3) minimize expenditure of time and funds, and (4) investigate and collect evidence. Faced with the same set of circumstances, each individual or organization will have a unique response.
Professionals have the best tools and skills to preserve evidence, but this costs money and it takes time until they are on scene. Computing devices have permanent storage that can be forensically copied (imaged) for future analysis and evidentiary use. Applications and viruses running in volatile memory can be documented so long as the computer has not been turned off.
Beyond forensic techniques, we can preserve evidence by taking pictures, making notes and obtaining screen grabs, which is better than doing nothing at all. We should save all relevant emails, especially those to or from the criminal.
Cybersecurity and the law
A joint production of the ABA Journal and the ABA Cybersecurity Legal Task Force
Containment may require disconnecting infected devices from the network and internet and possibly turning them off (realizing some evidence may be lost). Ultimately, you will decide whether the device should be forensically imaged for evidence, can be properly cleaned or should be destroyed.
Containment and eradication include regaining exclusive control of cloud accounts and making sure that intruders don’t have access. Review the settings in cloud accounts, check recent logins and security settings, change passwords, enable two-factor authentication, and contact the provider.
Notification of law enforcement and potential victims can be an important mitigation step, even if it is not yet legally required. If funds have been stolen, notify the bank and law enforcement immediately, including the FBI. There is a chance the funds can be recovered if you work fast. If an email account was hacked, criminals might attempt social engineering frauds based on information within the account, so warn potential victims of this risk.
Recovery means getting the systems and business back to normal operation. This might require reconnecting to the network, restoring backups, setting up new computers, and properly testing them. An impartial and objective investigation can learn helpful facts to further the criminal investigation, determine root causes and security weaknesses, and help apportion fault or liability.
Further, when funds are stolen or businesses are damaged, stakeholders will want to know how and why it occurred, and business and legal decisions should be grounded in accurate information. Attorney-supervised investigations may have the additional benefit of being legally privileged.
NOTIFICATIONS AND LESSONS LEARNED
Consider legal duties of notification to the government and victims. Most states have data-breach reporting laws, requiring notification to law enforcement, the state attorney general, and individuals whose personal information was accessed or stolen (potentially customers, clients and employees).
If you already notified some of these parties as a mitigation step, now is the time to ensure legal obligations are complied with. Look to the laws of your home state and to other states where you operate or have clients.
If a law firm is breached, be mindful of fiduciary duties owed to current and former clients. There can be a conflict between the attorney’s self-interest (in preserving the legal practice and avoiding a claim) and the client’s interests. This would make it difficult for the attorney to provide unconflicted advice to the client about how to proceed.
After the crisis has passed, with the benefit of hindsight and new experience, take time to improve defenses and incident response procedures. Many skip this step, exhausted from the incident or wrongly thinking lightning never strikes twice in the same place. Cybercrime is attracted to weak cybersecurity and fraud defenses, just as lightning is attracted to tall, conductive objects.
Preparation and planning will help you respond effectively to a data breach or a cybercrime and perhaps prevent one from occurring. Your incident response plan should be part of a broader cybersecurity program, which starts with improving your knowledge and awareness.
John Bandler is the founder of the Bandler Law Firm in New York City, which helps firms, businesses and individuals with cybersecurity, cybercrime investigations, litigation support and other areas. He is the author of the ABA-published book Cybersecurity for the Home and Office: The Lawyer’s Guide to Taking Charge of Your Own Information Security, which includes sections on incident response planning and procedures.
This article was published in the July 2018 ABA Journal magazine with the title: “Preparing Today for Tomorrow’s Attack: A cybersecurity expert details how to prepare for and plan against a cyberattack.”