Assess the Incident
Forensic analysis is crucial to minimizing the risk that such breaches could happen again. Try to determine where the breach started, and what methods were used to gain access to the network. The recent DOJ indictments noted that hackers sent phishing emails that looked like messages from legitimate news sites. When users clicked on links, the hackers were given enough information to obtain access to the targeted networks.
Use cloud-based BIOS verification services to compare the BIOS of a user’s device to an off-host version to determine whether the device has been compromised.
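The off-host comparison described above, as an added illustration that is not part of this article or any vendor's service: each stable region of a captured firmware image is hashed and checked against a reference manifest kept away from the device, with the variable settings store left out of the comparison. The region layout and the images are constructed assumptions for the example.

```python
import hashlib
from typing import Dict, List

# Hypothetical region layout (offset, length) of a small constructed firmware image.
# Real images follow the platform's flash descriptor; these values are assumptions.
REGIONS = {
    "boot_block": (0, 64),
    "main_code": (64, 192),
    "nvram": (256, 64),  # variable settings store; differs legitimately, so not compared
}
VARIABLE_REGIONS = {"nvram"}


def region_hashes(image: bytes) -> Dict[str, str]:
    """SHA-256 of every region that should be identical to the off-host reference."""
    hashes = {}
    for name, (offset, length) in REGIONS.items():
        if name in VARIABLE_REGIONS:
            continue
        hashes[name] = hashlib.sha256(image[offset:offset + length]).hexdigest()
    return hashes


def verify(image: bytes, reference: Dict[str, str]) -> List[str]:
    """Return the names of regions whose hash does not match the reference manifest."""
    actual = region_hashes(image)
    return [name for name, digest in reference.items() if actual.get(name) != digest]


def build_golden() -> bytes:
    """Constructed 'known-good' image, standing in for the off-host copy."""
    return bytes((i * 7) % 256 for i in range(320))


# Reference manifest computed once from the known-good image and stored off-host.
REFERENCE = region_hashes(build_golden())


def tampered_image() -> bytes:
    """Constructed device capture: one byte changed in main_code, one in nvram."""
    img = bytearray(build_golden())
    img[100] ^= 0xFF  # inside main_code: must be reported
    img[300] ^= 0x01  # inside nvram: expected to vary, must not be reported
    return bytes(img)


if __name__ == "__main__":
    print("clean device:", verify(build_golden(), REFERENCE))      # []
    print("suspect device:", verify(tampered_image(), REFERENCE))  # ['main_code']
```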
Address Vulnerabilities
A more obvious way to address the vulnerabilities in an organization’s infrastructure is to ensure all devices are patched with the latest software and firmware updates. But IT teams also need to address points of entry that are easily overlooked, such as printers and other passive devices, not only when trying to thwart an attack but also during the response that follows one. Deploy monitoring programs that can identify out-of-the-ordinary behavior on devices and services to head off attacks before they can penetrate too far into networks.
Create a Notification Response Plan
Notifying the broader IT organization quickly about unusual activity is also crucial. Set up automated alerts to warn when unusual activity is detected to help speed response times, and pair those systems with a well-rehearsed plan that lists step-by-step actions to take, systems to check, devices to take offline, and processes and priorities for restoring affected systems. Investigate all known entry points.
Update Security Protocols for the Future
Have teams delayed deploying security patches because they must first test applications against the updates? Do users need to be updated on what to look out for in an environment where phishing has become more sophisticated and more difficult to detect? A thorough audit of an agency’s security protocols can identify where improvement is needed to prevent future attacks. That audit can be done internally, but it’s worth engaging external cybersecurity experts to identify any vulnerabilities an internal audit may miss.