Jason Miller reports that US-CERT is offering best practices for after an attack. Here’s a bit of what he reports:
Hacked organizations shouldn’t automatically initiate reactive measures to the network without first consulting incident response experts. Barron-DiCamillo said US-CERT and a host of other companies do incident responses for a living as opposed systems administrators or other IT experts who respond to cyber problems only when they happen.
“This can cause loss of volatile data such as memory and other host-based artifacts. We also see them touching adversary infrastructure. It seems unusual, but we do,” she said. “They are pinging or doing name server (NS) look up, browsing to certain sites. Agency staff is trying to investigate the incident, naturally, and they want to conduct the analysis on suspicious domains or IPs. However, these actions can tip off the adversaries that they have been detected. Again, a no-no. You don’t want to do that.”
Read more on Federal News Radio.
Translated: “You smell of smoke. You find a small fire on your kitchen stove. DO NOT GRAB THE FIRE EXTINGUISHER AND PUT IT OUT OR TAKE THE POT OFF THE STOVE OR COVER IT OR DO ANYTHING ELSE! Just let it burn until the fire department, which is eight hours away, gets there. They will need to investigate how it started.”
I was an emergency responder for many years and in that kind of job the first two tasks are “Stop the burning and stop the bleeding.” The analogy holds here. Doing nothing while you wait for the “experts” to arrive can make the damage to you and your company worse. US-CERT and the consultants aren’t going to take the brunt of the damage; you are.
Figuring out how it happened is called attribution, which is usually not possible anyways, and does the breached entity little good. You’re still going to call it a “sophisticated cyberattack” no matter how much your negligence played into the cause.
I was an emergency responder, too, so I know exactly what you mean. 🙂
That said, I’ve seen entities screw themselves by their breach response making it impossible for them to ultimately figure out what data (and whose) was compromised. Case in point: the MCCCD breach that I’ve blogged a lot about. Their initial steps made more thorough investigation impossible.