News Feature | October 6, 2015

Advice For Protecting Key Evidence After A Cyberattack


By Christine Kern, contributing writer


Cyberattacks can be devastating to your IT clients’ businesses, but if a breach does occur, how the attack is handled can make a real difference. A poorly handled response can destroy the forensic evidence investigators need to work out what happened and how.

In an interview with Federal News Radio, Ann Barron-DiCamillo, director of the United States Computer Emergency Readiness Team (US-CERT), outlined some essential steps that administrators should follow in the wake of a hack.

1. Consult Incident Response Experts. Barron-DiCamillo explained that acting rashly “can cost loss of volatile data such as memory and other host-based artifacts. We also see them touching adversary infrastructure. It seems unusual, but we do. They are pinging or doing name server (NS) lookup, browsing to certain sites. Agency staff is trying to investigate the incident, naturally, and they want to conduct the analysis on suspicious domains or IPs. However, these actions can tip off the adversaries that they have been detected.” US-CERT also discourages preemptively blocking an adversary’s IP address or website: alerting attackers that they have been discovered gives them the opportunity to move to new infrastructure and evade detection before the full extent of the intrusion is understood.

2. Resist Pre-emptive Password Resets. Resetting passwords or reconfiguring the network too soon can erase the details that show how the attackers got in and which accounts they used.

3. Preserve Audit Logs. Many organizations routinely overwrite or rotate audit logs to conserve storage; once an incident is suspected, that rotation should be suspended and the existing logs retained intact for investigators’ review.
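The following script is an added example (it is not from US-CERT or the article) showing how two of the steps above look in practice: it copies audit logs into an evidence directory with a hashed manifest so they can be proved unchanged later, and it extracts attacker indicators from those logs entirely offline, without the DNS lookups, pings or browsing that would tip off the adversary. The log lines, hostnames and user names are constructed for the example; 203.0.113.0/24 and the example.net/.org names are reserved documentation values, not real indicators.

```python
"""Offline evidence preservation after a suspected intrusion (added example).

Two practices from the article: keep audit logs from being overwritten
(copy, hash, manifest, verify) and record attacker indicators without
touching attacker infrastructure (no resolution, no connections).
"""
import hashlib
import json
import re
import shutil
import tempfile
import time
from pathlib import Path

# Constructed sample logs: hosts, users and addresses are made up.
SAMPLE_LOGS = {
    "auth.log": (
        "Oct  6 02:14:07 web01 sshd[4121]: Accepted password for svc_backup "
        "from 203.0.113.45 port 51422 ssh2\n"
        "Oct  6 02:14:09 web01 sudo: svc_backup : TTY=pts/1 ; COMMAND=/bin/bash\n"
    ),
    "proxy.log": (
        "2015-10-06T02:15:31Z web01 proxy: GET http://update-cdn.example.net/config 200 from 10.0.4.22\n"
        "2015-10-06T02:16:02Z web01 proxy: POST http://c2-staging.example.org/upload 200 from 10.0.4.22\n"
    ),
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(src_dir: Path, evidence_dir: Path) -> list:
    """Copy every file in src_dir into evidence_dir, keeping timestamps, and
    write manifest.json with size, original mtime and SHA-256 of each copy.
    The manifest is what later proves the copies were not altered."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in sorted(Path(src_dir).iterdir()):
        if not src.is_file():
            continue
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)  # copy2 preserves atime/mtime on the copy
        digest = sha256_file(dst)
        if digest != sha256_file(src):
            raise RuntimeError(f"copy of {src} does not match its source")
        manifest.append({
            "file": src.name, "source": str(src), "size": dst.stat().st_size,
            "sha256": digest, "source_mtime": src.stat().st_mtime,
            "collected_at": time.time(),
        })
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_evidence(evidence_dir: Path) -> bool:
    """Recompute every hash in the manifest; False if any copy changed."""
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return all(sha256_file(evidence_dir / e["file"]) == e["sha256"] for e in manifest)


def extract_iocs(evidence_dir: Path) -> dict:
    """Return {indicator: [(file, line_no), ...]} for IPv4 addresses and
    domains in the preserved logs. Purely offline: nothing is resolved,
    pinged or browsed, so the adversary is not tipped off."""
    sightings = {}
    for path in sorted(evidence_dir.iterdir()):
        if path.suffix == ".json":
            continue
        for n, line in enumerate(path.read_text().splitlines(), 1):
            for m in IPV4_RE.findall(line) + DOMAIN_RE.findall(line):
                sightings.setdefault(m.lower(), []).append((path.name, n))
    return sightings


def demo() -> dict:
    """Write the sample logs to a scratch directory and run the workflow."""
    work = Path(tempfile.mkdtemp(prefix="ir-"))
    logs, evidence = work / "var_log", work / "evidence"
    logs.mkdir()
    for name, text in SAMPLE_LOGS.items():
        (logs / name).write_text(text)
    manifest = preserve_logs(logs, evidence)
    return {"evidence_dir": evidence, "manifest": manifest,
            "intact": verify_evidence(evidence), "iocs": extract_iocs(evidence)}


if __name__ == "__main__":
    result = demo()
    print(json.dumps({"intact": result["intact"], "iocs": result["iocs"]}, indent=2))
```

The indicators this produces are what an investigator hands to the incident response team or to US-CERT; the deliberate omission is any code that resolves or contacts them. On a real host, the same copy-and-hash step should also be applied to memory captures and other volatile artifacts before anything on the system is changed.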

Barron-DiCamillo pointed out that when government agencies rely on third-party solutions providers for cybersecurity services, both parties need to understand what the contract says about incident response: who is responsible for preserving evidence, and who makes the call on containment.

Logicalis US also offers advice on what you can do to help your clients be prepared if a cyberattack occurs:

  • See Everything. Remote monitoring and management can give IT solutions providers visibility into what is happening on the network, on mobile devices, and in the cloud at all times. That visibility can even help you stop a threat before your client’s systems are breached.
  • Have A Plan. Your client should have pre-planned incident response procedures to follow, so that damage is kept to a minimum and evidence is not destroyed in the rush to respond.
  • Eliminate Gaps. According to Logicalis US, “Having a unified set of policies and procedures as well as a method for centrally managing the corporate compute infrastructure from end to end will eliminate some of the gaps that spell opportunity for hackers and will increase the IT department’s ability to more quickly detect breaches that do occur and enforce security measures that will reduce the damage done.”