The intelligence community is central to detecting attackers and eliminating cyber threats. During the investigation of a cyber attack, it is vital to determine the attackers’ capabilities, motives, and sequence of actions. Through analysis conducted by the intelligence community, it is possible to understand the tactics, techniques, and procedures used by the wrongdoers and to classify cyber attack scenarios. Such knowledge can then be used to disrupt and degrade other potential attacks. In addition, in light of the damage inflicted on the banking systems and the panic caused by the attack, the president should address the citizens with public announcements, briefly informing them about the problem and the perpetrators without going into too many details. Finally, the most effective method of defense and protection from further attacks is launching counter-attacks aimed at the attackers and the nation-state that have been identified during the investigation.
Once the cyber attack on the banks has been revealed, the intelligence community should immediately come up with an appropriate response. The first and foremost step should be an early investigation, known as triage. It comprises such actions as classifying the cyber attack in terms of the impact it entails, which can be critical, significant, normal or negligible; prioritizing the incidents – high, medium or low; and assigning the attacks to the corresponding personnel in accordance with their legitimacy, correctness, severity, and constituency origin (CREST, 2013).
After the initial investigation, the intelligence community needs to ensure containment of the damage being done by the attackers. This requires a number of concurrent measures aimed at reducing the immediate impact of the assault, made possible by removing the attackers’ access to the banking system. At the same time, it is necessary to return to normal functionality while continuing to analyze the incident and minimizing the risk of escalation (Conference of State Bank Supervisors, 2014).
Moreover, there are four further fundamental steps in responding to a cyber attack on a country’s financial system, and they should follow the triage procedure. Firstly, the intelligence community should identify the incident, determining the type, extent, and magnitude of the issue in a quick and consistent manner. Secondly, it is vital to define the objectives of the perpetrators (CREST, 2013). Since it is difficult to pinpoint a sophisticated attacker, the intelligence community, with its capabilities, can significantly contribute to the process of identification and make it more efficient and faster (Farhat, McCarthy, & Raysman, 2011). Thirdly, it is necessary to investigate the case and take the appropriate actions to recover banking systems, data, and connectivity. Finally, it is necessary to devise efficient methods to record all aspects of the incident, using a consistent and comprehensive approach (CREST, 2013).
The intelligence community needs to take immediate measures to preserve existing logs. There should be a written record of all the steps taken while responding to the attack and of the costs incurred as a result of it. For instance, everybody involved in the investigation needs to record the identity of the bank systems, accounts, data and networks affected by the assault, together with information on the scope and kind of damage inflicted. The intelligence community can help minimize further damage by providing information on rerouting network traffic and isolating parts of the compromised financial network (Conference of State Bank Supervisors, 2014). In addition, access to the collected material should be restricted so as to preserve its authenticity. It is vital to safeguard this information from unidentified malicious insiders in order to prevent any further cyber attacks (Rossi, 2014).
An appropriate response to an electronic attack includes management recommendations on the main actions to be taken and on the specialists responsible for each relevant function. Furthermore, such a method involves rebuilding systems and informing the customers (Rossi, 2014). In brief, the information gathered by the intelligence community can facilitate better coordination between the government, the financial sector, and citizens during and in the aftermath of the assault.
The intelligence community needs to apply tools that perform content inspection and provide context awareness. It is critical to assess the nature and scope of the event. This makes it possible to determine what kind of assistance is required and what kind of damage-reduction and remedial efforts need to be implemented. The first and foremost priority for the intelligence community is to undertake a full-fledged breach investigation by collecting the evidence and analyzing the cyber attack. It is necessary to determine what kind of information has been disclosed, deleted, stolen or corrupted (Rossi, 2014). Moreover, threat agents should be identified and thoroughly inspected.
The intelligence community needs to analyze which financial networks and which information have been infected or damaged. It needs to determine how the cyber attack became possible and succeeded, analyzing the methodologies the attackers have been using, their motivation, and their overall focus. It is vital to know whether they intend to affect only the financial sector or aim to disrupt other systems and organizations as well, and whether they attempt to disrupt other critical services or limit themselves solely to financial crime. However, while investigating the case, the intelligence community should design and take its initial actions carefully in order to avoid a detrimental effect such as alerting the attacker or deleting or destroying vital evidence (Amoroso, 2013).
The intelligence community can gather pertinent information from government agencies such as CPNI, from monitoring of internal resources, and from open source data. It is vital to analyze the resources available within the state’s financial system. In particular, the documentation for security systems, such as intrusion detection systems (IDS), SIEM, malware protection, log analysis, and Data Loss Prevention (DLP), as well as the list of critical assets and network diagrams, may help to detect the flaws and vulnerabilities that made the cyber attack possible in the first place, and to prevent further unauthorized access (CREST, 2013).
Gathering information about the attack and analyzing it can help draft a post-attack plan of action that addresses the steps each citizen can take to mitigate the consequences of the attack. For this reason, it is vital to identify critical personnel and mission-important data. Moreover, the intelligence community needs to prioritize the methods of further protection and of preserving data related to the incident (Farhat et al., 2011).
In order to provide constant information about possible threats and about improvements with respect to the consequences of the current cyber attack, it is necessary to create an Information Sharing and Analysis agency consisting of leading intelligence specialists. They can analyze cyber threat information relevant to every sector of the infrastructure, without being limited solely to the banking system. This helps apply a full-scope approach to the protection of the state. Moreover, they will be tasked with prioritizing security measures and exploiting the attacker’s vulnerabilities in order to defend the banking system and other critical sectors (Ohlin, Finkelstein, & Govern, 2015).
The President needs to give public announcements that restore confidence and loyalty, as well as promote cyber security awareness within the financial system (Farhat et al., 2011). It is decisive to tell people which banks and systems have been affected, briefly describing the methods of the cybercrime and the damage that was inflicted. This will help reduce public tension and create conditions for better understanding. As a result, it can lead to a more adequate response and reaction from every citizen. Nevertheless, there is no need to inform society about every subtle detail of the investigation and the countermeasures. Moreover, citizens should not be told which nation-state is behind the attack without solid proof of its involvement in the cyber attack. It is essential to convey what has been done to mitigate the repercussions and improve the overall situation. The public should know the approximate time of recovery of the banking system. Furthermore, citizens should be given practical safety instructions and strategic security recommendations to protect themselves and help control the existing situation.
It is imperative to identify the true attackers and the actual source sponsoring the attack, because it can easily be escalated into total attacks on the whole critical infrastructure. Therefore, it is vital to know whom to defend against and to respond with counter-attack strategies against a source or a nation-state that has a role and responsibility in the underlying assault. This makes it possible to thwart large-scale destructive attempts and to trace and discover the offending terminal (CREST, 2013). Mounting a serious counter-attack can be the only way to confront a cyber assault, stop the perpetrators and mitigate the consequences of their successful attack. Moreover, it is inappropriate to call cyber counter-attacks “attacks”, since these procedures are purely defensive: they serve as a shield that deters malicious programs and viruses from entering the computer systems of banks (Ohlin et al., 2015).
Designing a counter-offensive should address the following in sequence: the method of counter-attack, the supporting network infrastructure, collateral damage, and costs. A counteraction can take different forms. For example, it is possible to find vulnerabilities in the offensive tool and exploit the perpetrator’s network. Thanks to the intelligence community’s findings, it can be determined which banks have been attacked, what motivated the attackers, and what information they stole. Therefore, the counter-attack can be performed by providing fake information to the attackers (Ohlin et al., 2015).
Since the perpetrators are concentrated on the attack itself, they devote less effort to their own defense strategies and to patching their own attack tools. Moreover, a countermeasure should have built-in instruments to log its trace and its operation history. Consequently, it can provide the means of determining the hacker’s techniques and identity. Another aspect is that the greater the risk attackers run of being identified, the less likely they are to embark on another attack (Ohlin et al., 2015).
The intelligence community is one of the most essential assets for addressing cyber attacks and determining the aggressors. The analysis of such an assault is the primary task of the intelligence community in the incident response phase. During this stage, the main aim is to analyze the detailed technical forensics, the network data, and the financial processes. Identifying the underlying causes of the raid may help develop the best solution in terms of further prevention and national-level recovery efforts. The intelligence community can assist in enabling the recovery process. By identifying the methodology of the attack, it is possible to eliminate or fix the vulnerabilities exploited by the attackers and to determine the cyber security improvements that are essential to prevent similar incidents from recurring. It is essential to address the public, explaining the reasons for the failure of the banks’ operations. Moreover, every citizen should be aware of the estimated time of recovery and of practical recommendations on how to behave in the situation at hand. Additionally, in order to deter the attackers, a counter-attack should be designed and launched as soon as possible. By combining the abovementioned steps, it is feasible to mitigate the repercussions caused by the cyber attack and to ensure that the critical infrastructure sectors of the state are protected and well prepared for future assaults of this kind.