US-CERT’s do’s-and-don’ts for after the cyber hack
Jason Miller reports that US-CERT is offering best practices for after an attack. Here’s a bit of what he reports:
Hacked organizations shouldn’t automatically initiate reactive measures to the network without first consulting incident response experts. Barron-DiCamillo said US-CERT and a host of other companies do incident responses for a living as opposed to systems administrators or other IT experts who respond to cyber problems only when they happen.
“This can cause loss of volatile data such as memory and other host-based artifacts. We also see them touching adversary infrastructure. It seems unusual, but we do,” she said. “They are pinging or doing name server (NS) look up, browsing to certain sites. Agency staff is trying to investigate the incident, naturally, and they want to conduct the analysis on suspicious domains or IPs. However, these actions can tip off the adversaries that they have been detected. Again, a no-no. You don’t want to do that.”
Read more on Federal News Radio.