Even people who don’t know first aid or have never had medical training can intuitively apply the core tenet of the Hippocratic Oath: “First do no harm.” For example, if we come across the victim of a car accident lying wounded near the road, we know to apply common sense to protect the victim from further injury. If the victim is in a safe place, we know to call 911, and wait for professionals to arrive. If the victim is lying next to a burning car that could explode, we’d know to carry him to safety before calling for help. The same can’t be said, however, for people witnessing a cyberattack, and the results can be grave.
I’m a former search and rescue professional who has been in a lot of crisis situations where human lives were at stake. Now I’m a cyber “first responder”. What I’ve learned is that every crisis situation demands a similar approach, and this begins with the mandate to “do no harm”. But the similarities go even further. The phases of response published by FEMA for emergencies and by NIST for computer security incidents (SP 800-61) are strikingly similar.
Both start with preparation. Without preparation, one’s ability to ‘do no harm’ is significantly reduced. Our natural instincts only get us so far; most people aren’t equipped to respond when a crisis hits without at least some preparation. In both cases, the cycle also ends with recovery and lessons learned (NIST calls this post-incident activity), which feed back into preparation so the response to the next crisis improves.
Let’s go back to the Hippocratic Oath. What does it mean to “do no harm” in a cyberattack? Most importantly, it means preventing the loss or alteration of data that is either evidence of a cybercrime, or an indication that the incident was the result of a misconfiguration, or the unfortunate combination of hardware and software failures. In the case of a deliberate attack, safeguarding data helps to catch intruders by preserving their footprints. Often, however, users’ first instincts actually cause them to do the opposite.
The most common mistake I’ve seen is to pull the power on a machine under attack. This can actually be quite destructive. If you know your system is compromised, unplugging may seem like the right thing to do, but it destroys everything that lives only in RAM: the active network connections and the attacker’s IP addresses behind them, unpacked or fileless malware, injected code, decryption keys, and routine business data that was never written to disk. We see many cases where memory is the only place the malware resides, so a power cut erases the intrusion’s only trace. As a trained first responder, I learned that you don’t move the patient unless doing nothing poses an obvious danger (gasoline leaking from a wrecked car, say, with the potential for a fire or an explosion). The cyber equivalent of that danger is a machine actively destroying data, for example encrypting or wiping files; even then, isolating it from the network (unplug the cable, quarantine the port or VLAN) stops the attacker’s access while leaving memory intact, and cutting power is the last resort. In every other case, pulling the plug corrupts key evidence that’s important to an investigation and further encumbers business operations.
In this example, ‘doing no harm’ means capturing memory contents to preserve volatile data before disconnecting or powering down a workstation. The use of virtual machines is increasingly common, making this easier: almost all virtualization solutions let you take a “snapshot” that saves the state of the machine, including its memory, provided you choose a snapshot that includes memory state rather than a disk-only one. On a physical machine, use a memory capture tool (LiME or AVML on Linux, WinPmem on Windows, for instance) to save an image to external media, then record a hash of the image so its integrity can be proven later. Collect in order of volatility, memory before network state before disk, and note that the capture tool itself alters a little memory, so write down what you ran and when. Doing so helps investigators identify indicators of compromise more easily, and also shortens the incident response lifecycle.
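The collection order described above, as an added example that is not part of the original article: a small POSIX shell script for a Linux host that images memory (if a capture tool is present), copies the live network tables and process list out of /proc, keeps a timestamped timeline of what the collector itself did, and writes a SHA-256 manifest that can later be verified. The tool name avml, the evidence path and the output file names are assumptions for illustration; substitute whatever your own runbook specifies.

```shell
#!/bin/sh
# Added example, not code from the original article: a minimal "order of
# volatility" collection for a Linux host, run BEFORE it is powered off.
# It reads live state from /proc (no extra packages needed), images memory
# only if a capture tool is present (avml is assumed here; LiME or any other
# raw-image tool slots in the same way), and writes a SHA-256 manifest so an
# investigator can later show the evidence was not altered after collection.
#
# Usage (as root, with the evidence path on a separate disk or share):
#   sh collect_volatile.sh /mnt/evidence/host01

# Append a timestamped line to the collection timeline.
note() { printf '%s %s\n' "$(date -u '+%Y-%m-%dT%H:%M:%SZ')" "$*" >> "$OUT/timeline.txt"; }

# Copy a readable file into the evidence directory under a fixed name.
grab() {
    if [ -r "$1" ]; then
        cat "$1" > "$OUT/$2" 2>/dev/null || note "could not read $1"
    fi
}

# Print "<sha256>  <path>" using whichever hashing tool the host has.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

collect_volatile() {
    OUT="$1"
    mkdir -p "$OUT" || return 1
    note "collection started on $(uname -n); the collector itself touches memory"

    # 1. Memory first: it is the most volatile item and often the only place
    #    the malware lives. avml is an assumed tool; adjust for your own.
    if command -v avml >/dev/null 2>&1; then
        avml "$OUT/memory.lime" && note "memory captured with avml"
    else
        note "no memory capture tool found; memory NOT captured"
    fi

    # 2. Network state: connections and listeners, including the remote
    #    addresses that pulling the plug would have erased.
    for f in tcp tcp6 udp arp; do grab "/proc/net/$f" "net_$f.txt"; done
    note "network tables copied from /proc/net"

    # 3. Running processes: pid, name and full command line straight from /proc.
    for p in /proc/[0-9]*; do
        [ -d "$p" ] || continue
        printf '%s\t%s\t%s\n' "${p#/proc/}" \
            "$(cat "$p/comm" 2>/dev/null)" \
            "$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null)"
    done > "$OUT/processes.txt"
    note "process list written"

    # 4. Integrity: hash everything collected (the manifest excludes itself).
    note "collection finished; hashing"
    for f in "$OUT"/*; do
        [ "$f" = "$OUT/manifest.sha256" ] || hash_file "$f"
    done > "$OUT/manifest.sha256"
}

# Recompute every hash in the manifest; returns 0 only if all still match.
verify_manifest() {
    while read -r sum path; do
        [ "$(hash_file "$path" | cut -d' ' -f1)" = "$sum" ] || return 1
    done < "$1/manifest.sha256"
}

if [ -n "${1:-}" ]; then
    collect_volatile "$1" && verify_manifest "$1" && echo "evidence collected and verified in $1"
fi
```

Run it from external media rather than the compromised disk, and keep the timeline file with the evidence: it is the written record that the only changes to the system after discovery were the collector’s own, which is exactly what an investigator (or opposing counsel) will ask about.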
IT personnel can’t be expected to know how to respond to a cyber incident unless they are prepared, i.e., equipped with skills and training, and have practiced for foreseeable crises. Since so much of what professional cyber responders do in a crisis is counterintuitive, the most important way to equip IT teams to “do no harm” is to prepare them and give them access to professional help. A clear incident response plan that includes having a cybersecurity first responder on speed dial improves the chances of doing no harm by ensuring someone can provide immediate expert advice, akin to 911, when needed.
In a crisis scenario like a cyberattack, seemingly harmless actions can cause irreparable damage. Prepare yourself and your IT team to do no harm.