The First Cyber Crisis Hour, Often the Most Important and Therefore ‘The Golden Hour’ – Part I

Read this blog about ‘The Golden Hour’, written by one of our cyber crisis experts Kelvin Rorive.

In the dynamic and often unpredictable domain of cybersecurity, an organization’s ability to respond quickly and effectively to incidents is crucial to limiting damage. This responsiveness is nowhere better illustrated than during ‘The Golden Hour’ – the first hour after discovering a cyberattack or security breach. This critical timeframe is often decisive for the course of the crisis. If the right decisions are not made during this period, the consequences can be far-reaching and costly. Part I of this blog discusses the essential steps that need to be taken in ‘The Golden Hour’. Part II will further emphasize the importance of having a well-prepared crisis team.

The Importance of Rapid Action

One of the first and most important steps when a cyberattack is detected is not to shut down the affected computers, but to immediately disconnect them from the network (pull the cable, disable Wi-Fi, or shut the switch port). The instinct may be to power off the affected systems in an attempt to limit the damage, but this is counterproductive: a shutdown wipes the volatile memory that holds the running processes, open network connections, injected code and, in the case of ransomware, sometimes the encryption keys still in use, and exactly that data is essential for investigating the attack and preventing a repeat. By isolating the equipment from the network instead of turning it off, the attacker is cut off from further access to the system while this information is preserved for analysis. Where it can be done within minutes, capture the volatile state first (process list, network connections, logged-in users, ideally a memory image), because the list of live connections is itself lost the moment the network goes away.

Be Cautious of Signals to Criminals

While disconnecting systems from the network is a fundamental step in limiting damage during a cyberattack, it also brings a complex dilemma. This action can serve as a clear signal to the attackers that their presence has been discovered. In certain scenarios, this discovery can have unwanted consequences, such as prompting the attackers to change their attack tactics, destroy valuable data, or proceed to direct extortion attempts.

The trade-off between immediately isolating systems and the risk of alerting the attackers requires a thoughtful decision from the crisis team. This decision depends on various factors, including the type of attack, the identified objectives of the attackers, and the critical nature of the affected systems or data.

Factors Influencing Decision Making

The crisis team must make a strategic assessment that weighs both the short-term and the long-term consequences of its actions. In some cases the decision not to disconnect immediately, but instead to keep the attackers under close observation, can yield valuable intelligence: which accounts and systems they control, what they are after, and how they move. This information not only helps neutralize the current threat but also strengthens the security posture against future attacks. It is only a defensible choice as long as the team can still contain the attackers in the meantime, for example by blocking outbound data flows and guarding the most critical systems, and it has to be revisited the moment that containment slips.

The Importance of Evidence Collection and "Chain of Custody"

In addition to the immediate response to a cyberattack, collecting evidence plays a crucial role, both for internal analysis and potential legal action. Carefully collecting and documenting digital evidence can be essential for criminal investigation and possible prosecution of the perpetrators. This process is further strengthened by adhering to the ‘chain of custody’, a fundamental principle in evidence law that ensures the integrity of the evidence.

What is Chain of Custody?

Chain of Custody refers to the documentation process that records the complete history of a piece of evidence, from the moment of collection to its presentation in court. This includes who collected, stored, transported, and analyzed the evidence, as well as when and under what circumstances. The goal is to rule out any possibility of manipulation, substitution, or contamination of the evidence, thereby ensuring its credibility in legal proceedings. For digital evidence this is done in practice by recording a cryptographic hash (for example SHA-256) of each item at the moment of acquisition and re-computing it at every later handover, so that any change, however small, can be demonstrated.

Implementing Chain of Custody

To meet the requirements of chain of custody, organizations must follow careful procedures when handling digital evidence:

Collecting forensic traces provides an additional reason not to hastily disconnect systems from the network. By keeping systems operational, organizations can capture valuable data (memory contents, live connections, logs that have not yet been rotated away) that would otherwise be lost. This information is useful not only for internal recovery efforts but also for identifying, tracing, and legally prosecuting the attackers. However, it is crucial that this process is carried out under strict security protocols to prevent further damage or data breaches.
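As an added example (not code from the original post, nor any CCRC tooling), the following Python script ties together the isolate-first advice above and the chain-of-custody requirements of this section: it captures the volatile state that disappears the moment the cable is pulled (process list, sockets, logged-in users) before isolating the host, and writes every acquisition, and the isolation itself, into a hash-chained chain-of-custody log whose integrity, and that of the evidence files, can be re-verified later. It assumes a Linux host where ps, ss, who and ip exist; the triage commands, evidence file names, the interface name eth0 and the custodian names are illustrative, and demo() runs a constructed echo command in place of the real triage commands so that it works offline.

```python
"""Added example, not code from the original post or from CCRC: capture volatile
state, then isolate, with every evidence action written to a hash-chained
chain-of-custody log. Assumes a Linux host with ps, ss, who and ip available."""
import hashlib, json, os, subprocess, tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first log entry

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # chunked, so memory images need not fit in RAM
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def _digest(obj):  # canonical JSON (sorted keys) so an entry always hashes the same way
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

class CustodyLog:
    """Append-only JSON-lines log: who did what to which item, when, with its hash.
    Each entry commits to the previous entry's hash, so a later edit or a dropped entry breaks the chain."""
    def __init__(self, path):
        self.path, self.entries = path, []
        if os.path.exists(path):
            with open(path) as f:
                self.entries = [json.loads(line) for line in f if line.strip()]

    def record(self, action, item, custodian, sha256="", note=""):
        entry = {"seq": len(self.entries), "time": datetime.now(timezone.utc).isoformat(),
                 "action": action, "item": item, "custodian": custodian,
                 "sha256": sha256, "note": note,
                 "prev_hash": self.entries[-1]["entry_hash"] if self.entries else GENESIS}
        entry["entry_hash"] = _digest(entry)  # covers every field above
        self.entries.append(entry)
        with open(self.path, "a") as f:
            f.write(json.dumps(entry, sort_keys=True) + "\n")
        return entry

    def verify(self, evidence_dir=None):
        """Return a list of problems; an empty list means log and evidence are intact."""
        problems, prev = [], GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if _digest(body) != e["entry_hash"]:
                problems.append(f"entry {e['seq']}: contents altered")
            if e["prev_hash"] != prev:
                problems.append(f"entry {e['seq']}: chain broken")
            prev = e["entry_hash"]
            if evidence_dir and e["action"] == "acquire":
                path = os.path.join(evidence_dir, e["item"])
                if not os.path.exists(path) or sha256_file(path) != e["sha256"]:
                    problems.append(f"{e['item']}: missing or hash differs from acquisition record")
        return problems

# Assumed Linux triage commands; this state is gone the moment the cable is pulled.
VOLATILE_COMMANDS = {"processes.txt": ["ps", "-eo", "pid,ppid,user,lstart,cmd"],
                     "sockets.txt": ["ss", "-tunap"], "logged_in.txt": ["who"]}

def acquire_volatile(evidence_dir, log, custodian, commands=VOLATILE_COMMANDS):
    """Run each triage command, store its output, hash it and log the acquisition."""
    os.makedirs(evidence_dir, exist_ok=True)
    acquired = {}
    for name, cmd in commands.items():
        try:
            proc = subprocess.run(cmd, capture_output=True, timeout=60)
            data = proc.stdout + proc.stderr
        except (OSError, subprocess.TimeoutExpired) as exc:
            data = f"collection failed: {exc}\n".encode()  # record the failure, do not skip it
        path = os.path.join(evidence_dir, name)
        with open(path, "wb") as f:
            f.write(data)
        acquired[name] = sha256_file(path)
        log.record("acquire", name, custodian, acquired[name], note=" ".join(cmd))
    return acquired

def isolate(interface, log, custodian, dry_run=True):
    cmd = ["ip", "link", "set", interface, "down"]  # cut the network, not the power (assumed Linux, needs root)
    if not dry_run:
        subprocess.run(cmd, check=True)
    return log.record("isolate", interface, custodian, note=("dry run: " if dry_run else "") + " ".join(cmd))

def demo(commands=None):
    """Run the sequence on a constructed command, then tamper twice to show detection."""
    commands = commands or {"hello.txt": ["echo", "hello"]}  # constructed stand-in for real triage
    root = tempfile.mkdtemp(prefix="golden-hour-")
    evidence_dir = os.path.join(root, "evidence")
    log = CustodyLog(os.path.join(root, "custody.jsonl"))
    acquired = acquire_volatile(evidence_dir, log, "analyst-1", commands)
    isolate("eth0", log, "analyst-1", dry_run=True)
    clean = log.verify(evidence_dir)
    # 1. An evidence file is edited after acquisition.
    with open(os.path.join(evidence_dir, next(iter(commands))), "ab") as f: f.write(b"edited later\n")
    evidence_tampered = CustodyLog(log.path).verify(evidence_dir)  # re-read from disk, as a reviewer would
    # 2. Entry 0 of the log on disk is rewritten to name a different custodian.
    with open(log.path) as f: lines = f.read().splitlines()
    first = json.loads(lines[0]); first["custodian"] = "someone-else"
    lines[0] = json.dumps(first, sort_keys=True)
    with open(log.path, "w") as f: f.write("\n".join(lines) + "\n")
    log_tampered = CustodyLog(log.path).verify()
    return {"acquired": acquired, "clean": clean,
            "evidence_tampered": evidence_tampered, "log_tampered": log_tampered}
```

demo() runs the whole sequence in a temporary directory and returns the verification results before and after the two tampering attempts, so the same script can be used to show a non-technical crisis team what the log actually proves. In a real engagement the log would be written to storage the analysts cannot silently rewrite (write-once media, or a copy handed to a second custodian), a memory image taken with a dedicated acquisition tool would be added as a further acquire entry, and the isolation step would be run without dry_run by someone with root on the host; the script shows only the record-keeping pattern and the order of operations.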

Adhering to the Chain of Custody and carefully collecting traces emphasize the importance of a thoughtful and methodical approach in the aftermath of a cyber incident. By following these guidelines, organizations can not only respond more effectively to incidents but also contribute to the broader goal of justice and combating cybercrime.

The next steps...

There is a lot to do in the first hour, and at a moment when stress is already high. Want to know more about the right steps to take, such as convening the crisis team, involving a forensic expert in making the right decisions, and arranging an appropriate mandate and tight communication? Keep an eye on our LinkedIn and/or blog page for ‘The Golden Hour – Part II’.
