In 66% of incidents, the breach went undiscovered for a month or longer.
It is paramount that your organisation responds quickly and efficiently when it experiences a data breach.
We’ve simplified the response into a 10-step process to help you respond to a data breach. If you think your systems have been compromised, please contact our 24/7 security team immediately at firstname.lastname@example.org
Preparation is the foundation of data breach management. If you run a networked organisation it is close to a statistical certainty that you will be attacked, and as attacker tooling becomes freely available and easier to use, the chance of one of those attacks succeeding rises with it. An incident response policy and plan is the first step in preparing for a data breach, but further activities should be undertaken. Review logging capability and configuration across your organisation, and check that the right events are being captured and retained for long enough to support a future investigation. Conduct a criticality assessment of your assets and document your findings. Carry out a threat analysis to understand which threats your industry sector faces and what tools, techniques and procedures your adversaries will use against you. Make sure you also have an up-to-date network diagram in place.
Nettitude have produced a step by step guide on planning for a data breach - read it here: https://www.nettitude.co.uk/10-steps-to-prepare-for-a-data-breach
Gain some assurance around your preparations. At the very least you should test your Incident Response (IR) plan, either as a tabletop exercise or as a more sophisticated simulation based on your threat analysis. The objective is to ensure that your IR plan is fit for purpose and robust enough to deal with a broad range of scenarios. Further tuning of your IR plan is performed in step 10.
Your ability to detect data breaches will largely depend on the people, processes and technology within your organisation. Ensure your staff undergo training that allows them to recognise potentially malicious activity. Your IT staff should have processes in place to review the log data you configured in step 1 and identify anomalous entries that warrant further investigation. Similarly, logs from IDS/IPS, anti-virus and other security products should be reviewed regularly for anomalies. Manual review does not scale, so a more robust approach is to centralise logs in a SIEM and automate the correlation and alerting; the SIEM still needs rules tuned to your environment and someone to act on what it raises.
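As an added illustration of the kind of anomaly review described above (this is example code written for this page, not a Nettitude tool or SIEM rule), the script below scans sshd authentication log lines for a burst of failed logins from one source and flags the case that matters most to triage: a successful login from the same source right after the burst. The log lines, the five-failure threshold and the ten-minute window are all constructed assumptions.

```python
"""Scan sshd auth-log lines for brute-force bursts and a success that follows one.

Added example for the detection step.  The log lines below are constructed;
on a real host feed it the lines from /var/log/auth.log or journalctl.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not from a real host.  Syslog timestamps carry no year.
SAMPLE_LOG = """\
Jan 12 03:14:07 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Jan 12 03:14:09 web01 sshd[2211]: Failed password for root from 203.0.113.45 port 51023 ssh2
Jan 12 03:14:12 web01 sshd[2215]: Failed password for root from 203.0.113.45 port 51024 ssh2
Jan 12 03:14:15 web01 sshd[2218]: Failed password for root from 203.0.113.45 port 51025 ssh2
Jan 12 03:14:19 web01 sshd[2220]: Failed password for root from 203.0.113.45 port 51026 ssh2
Jan 12 03:14:30 web01 sshd[2240]: Accepted password for root from 203.0.113.45 port 51030 ssh2
Jan 12 07:55:02 web01 sshd[2990]: Failed password for deploy from 198.51.100.7 port 40200 ssh2
Jan 12 08:02:11 web01 sshd[3001]: Accepted publickey for deploy from 198.51.100.7 port 40211 ssh2
Jan 12 09:30:44 web01 sshd[3105]: Failed password for invalid user test from 192.0.2.9 port 33001 ssh2
"""

# Matches the two sshd outcomes we care about; everything else is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Return (timestamp, result, user, ip), or None for lines we do not care about.

    `year` is assumed because syslog timestamps omit it.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: finding} for sources with >= threshold failures inside `window`.

    The finding is 'burst' while only failures have been seen and becomes
    'burst_then_success' if an Accepted login from the same source arrives
    within `window` of the last failure.
    """
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    findings = {}
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, result, _user, ip = parsed
        if result == "Failed":
            # Slide the window: drop failures older than `window`, append this one.
            failures[ip] = [t for t in failures[ip] if ts - t <= window] + [ts]
            if len(failures[ip]) >= threshold and ip not in findings:
                findings[ip] = "burst"
        elif (result == "Accepted" and findings.get(ip) == "burst"
              and failures[ip] and ts - failures[ip][-1] <= window):
            # A success shortly after a burst is the case to escalate to triage.
            findings[ip] = "burst_then_success"
    return findings


if __name__ == "__main__":
    for ip, what in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {what}")
```

On the constructed sample only 203.0.113.45 is reported, as a burst followed by a success; the single failures from the other two sources stay below the threshold, which is the kind of noise a reviewer does not want to chase. In a SIEM the same logic would be expressed as a correlation rule over the parsed fields.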
Any indication of a potential breach must first be triaged to establish whether it is a false positive. First responder training should be given to the IT staff who undertake this type of activity. Any confirmed incident will need to be classified with reference to its potential impact and prioritised on the basis of that classification. Part of prioritisation is identifying any specialist skills required to investigate the incident effectively; your preparation in step 1 should have identified the pools of specialist skill you can call on in the event of a security incident.
If you are in a corporate environment and do not employ an incident response or forensics team, we recommend that you contact external assistance at this point.
External assistance should come from a reputable organisation with both forensics and incident response capability. The following organisations publish guidance on providers that can deliver strong forensics and incident response capability:
USA – Federal government – CIRA
UK – Central government – CIR
UK and US commercial sector – CREST CSIR
The investigation should have clear objectives, such as establishing the scope and impact of the breach and determining its root cause. Any IR capability should be backed by malware analysis capability. Make sure that any third-party investigators are aware of the logging capabilities you developed in step 1.
It will be necessary to try to contain the incident. That could be something simple such as removing a network cable (record the active network connections, and other volatile state you will need such as running processes, on impacted systems before doing so, because that evidence is gone the moment the host is isolated or powered down) or something much more drastic such as completely shutting down a critical system. In the latter case, your Incident Response plan should specify who has the authority to authorise such a shutdown and under what circumstances.
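The following is an added example, not part of the original article or of any Nettitude tooling, of recording active connections before a host is isolated. It reads the kernel's /proc/net/tcp table directly rather than running netstat or ss, so the record does not depend on binaries an intruder may have replaced, and it time-stamps and hashes the result so it can later be shown to be unaltered. The table content is constructed; the decoding assumes a little-endian Linux host, which is how the kernel prints those addresses on x86 and most ARM systems.

```python
"""Record active TCP connections straight from /proc/net/tcp before containment.

Added example for the containment step.  The sample table below is constructed;
on a live host pass open('/proc/net/tcp').read() instead (and /proc/net/tcp6
for IPv6, which this example does not decode).
"""
import hashlib
import json
import socket
import struct
from datetime import datetime, timezone

# Socket state codes as printed in the 'st' column.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Constructed sample in the kernel's own layout: sshd listening on 10.0.2.15:22,
# MySQL on loopback, one inbound session from 203.0.113.45 and one outbound
# HTTPS connection from uid 1000 to 198.51.100.7.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0F02000A:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18213 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   106        0 18990 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:0016 2D7100CB:C756 01 00000000:00000000 02:000A5C41 00000000     0        0 45678 2 0000000000000000 20 4 31 10 -1
   3: 0F02000A:9A3E 076433C6:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 46001 1 0000000000000000 20 4 30 10 -1
"""


def decode_endpoint(token):
    """Turn 'HEXADDR:HEXPORT' as printed by the kernel into ('a.b.c.d', port).

    The kernel prints the IPv4 address as a host-order 32-bit integer, so on
    the little-endian host this example assumes, the bytes come out reversed
    and '0100007F' is 127.0.0.1.  The port is plain big-endian hex.
    """
    addr_hex, port_hex = token.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket line, skipping the header row."""
    conns = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue
        laddr, lport = decode_endpoint(fields[1])
        raddr, rport = decode_endpoint(fields[2])
        conns.append({
            "local": f"{laddr}:{lport}",
            "remote": f"{raddr}:{rport}",
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),   # maps to a process via /proc/*/fd
        })
    return conns


def snapshot(text, now=None):
    """Build the record to keep: capture time, connections and a hash over them.

    Storing the SHA-256 with the capture lets you show later that the list was
    not altered after it was taken.
    """
    conns = parse_proc_net_tcp(text)
    body = json.dumps(conns, sort_keys=True)
    return {
        "captured_at": (now or datetime.now(timezone.utc)).isoformat(),
        "connections": conns,
        "sha256": hashlib.sha256(body.encode()).hexdigest(),
    }


def established_remote_peers(text):
    """The peers an investigator asks for first: who is connected right now."""
    return sorted({c["remote"] for c in parse_proc_net_tcp(text)
                   if c["state"] == "ESTABLISHED"})


if __name__ == "__main__":
    print(json.dumps(snapshot(SAMPLE_PROC_NET_TCP), indent=2))
```

Write the JSON to removable media or a remote collector rather than the suspect disk, and capture it before the cable comes out: once the host is isolated the established entries in this table disappear.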
Once the breach has been investigated and contained, you can start eradicating the threat. This may involve disabling compromised user accounts or removing malware. Once again, robust preparation should help you here. Do you have a policy covering actions on systems infected with malware? Does that policy differentiate between types of threat, e.g. is it the same for PUPs such as unwanted browser add-ons as for ransomware? The severity of the threat should dictate your eradication approach.
Determine how systems can be recovered. This could be achieved by restoring critical systems or files from a backup, or by a full system rebuild. The specific approach will vary according to the type of attack and the time sensitivity of the compromised systems. Where practical, it is important that forensic images are collected from impacted systems before recovery begins, so that much deeper analysis can be performed once your systems are back in service. Such analysis may help determine who attacked your organisation and what vulnerabilities they exploited to gain access to your network. Check that any backup you restore from predates the compromise, or you risk reintroducing the attacker's foothold.
You may have legal and ethical obligations to notify various parties if data is compromised during a breach. Establish which parties need to be notified and under what circumstances. Again, if you have prepared effectively you should already have a list of the organisations and individuals you will need to contact in the event of a data breach. Involve internal stakeholders such as PR at an early stage, and HR if the data stolen belongs to employees.
If an organisation is compromised, it is important that it understands what happened and when, so that an improvement plan can be formulated. The improvement plan should be based on a post-incident review that examines how each of the previous steps was managed and what lessons can be learnt. Gaps in capability across your people, processes and technology should be identified and remediated at this stage.