Analysis: The first in a series of articles looking at what business should do after finding systems and data compromised.
Your business has been breached. A hacker has infiltrated your systems and now huge troves of valuable data are earmarked for the dark web. This is a reality which many businesses are waking up to, though many would say not quickly enough.
Businesses can prepare, but the consensus is that sooner or later your business will suffer a data breach. Having previously detailed how to spot a data breach, CBR now turns to the response once such an attack is found, which is crucial, as evidenced not only by research but by high-profile breaches such as Sony's.
Firstly, a data breach costs money: £1.2m on average, according to the Risk:Value report from NTT Com Security. Brand reputation also takes a huge hit from a data breach; you need only look at the impact of the TalkTalk data breach, which cost the company over 100,000 customers and £60m.
In a series of articles, CBR will take you through the most important steps in how to deal with a data breach – immediate response, communication and public relations, long-term strategy and the perfect incident response plan.
The name of the data breach response game is protection – protect your assets, brand, reputation, customers and long-term future. With that in mind, this series kicks off with what to do in the first few hours following the discovery of a data breach.
Following a data breach you must lock down your systems. The first course of action for any business is to identify and isolate, as Piers Wilson, Head of Product Management, Huntsman Security, told CBR: "Following the discovery of a data breach, the first and most important step to take is to identify which systems and data were compromised and quarantine them in order to understand the nature and extent and to contain the risk."
After quarantining the compromised systems, it is imperative that you find out whether the attackers have any other paths into your environment. The 'three-pronged attack' is becoming more and more popular among hackers, as Laurance Dine, Managing Principal of Investigative Response at Verizon Enterprise Solutions, told CBR:
"Although their 'route' into your system might be easy to trace, in some cases criminals leave other ways to gain access or find additional methods to attack in addition to the breach you might have found. This is something that we have seen being exploited in this year's Data Breach Investigation Report with the rise of the 'three-pronged attack'.
"This has seen criminals sending phishing e-mails with malicious attachments that download malware onto a PC. These create an additional foothold from where additional malware can be used to look for secrets and steal information and credentials through keylogging. Once the credentials have been gained they are then used for further attacks such as into third party websites or other networked systems not necessarily directly linked to the first attack that you might have found."
The first few hours after a data breach are crucial. Businesses must stay cool, calm and collected; panicking only risks damaging the business further through hasty decisions. In the first few hours, Russell Kempley, Head of Cyber Technical Services at BAE Systems, advises implementing the following procedure:
1. Assign an incident co-ordinator who can liaise with investigation teams and management.
2. Ensure evidence is being captured and preserved – logs should be collected from key devices and extra logging enabled if the attack is ongoing. Compromised assets should be isolated from the network if appropriate to the type of threat and business impact.
3. Conduct an initial assessment to identify actual or potential business impacts; this informs the response strategy and what the key outstanding questions are.
4. Call in specialist investigation support to help get accurate answers quickly and guide the business through the recovery. The UK Government / CESG has a scheme to certify incident response specialists so that you can choose a firm with confidence.
5. Take action, inform management and other stakeholders and seek advice from legal and communications teams.
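Step 2 above, capturing and preserving evidence, is the one most often done badly in the first hours: logs get copied around, tidied up or overwritten before anyone records what they looked like when collected. The script below is an added example written for this article, not code from BAE Systems or CBR, showing the minimum a co-ordinator should insist on: each log is hashed at its source, copied into an evidence directory, re-hashed to prove the copy is faithful, and listed in a signed-off manifest that can be re-verified later. The file names, the collector name and the two sample log lines are constructed for illustration.

```python
"""Evidence capture and preservation helper (added example, not from the article).

Copies log files into an evidence directory, records a SHA-256 manifest with the
collection time, and can later verify that nothing in the bundle has changed.
All paths, names and log lines below are constructed for illustration.
"""
import datetime
import hashlib
import json
import os
import shutil
import tempfile

CHUNK = 65536


def sha256_file(path):
    """Stream a file through SHA-256 so large logs do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_evidence(sources, evidence_dir, collector):
    """Copy each source file into evidence_dir and record a hash manifest.

    Each item is hashed at the source before copying and again after copying,
    so a log that rotated or was truncated mid-collection is caught now rather
    than discovered months later. Returns the manifest as a dict.
    """
    os.makedirs(evidence_dir, exist_ok=True)
    manifest = {
        "collector": collector,
        "collected_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "items": [],
    }
    for index, src in enumerate(sources):
        src_hash = sha256_file(src)
        # Index prefix so two devices' "auth.log" do not overwrite each other.
        name = f"{index:03d}_{os.path.basename(src)}"
        dest = os.path.join(evidence_dir, name)
        shutil.copy2(src, dest)  # copy2 preserves the original modification time
        if sha256_file(dest) != src_hash:
            raise RuntimeError(f"copy of {src} does not match its source hash")
        manifest["items"].append({
            "evidence_name": name,
            "source_path": os.path.abspath(src),
            "size_bytes": os.path.getsize(dest),
            "sha256": src_hash,
        })
    with open(os.path.join(evidence_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_evidence(evidence_dir):
    """Re-hash every item against the manifest; return names that no longer match."""
    with open(os.path.join(evidence_dir, "manifest.json")) as fh:
        manifest = json.load(fh)
    mismatched = []
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, item["evidence_name"])
        if not os.path.exists(path) or sha256_file(path) != item["sha256"]:
            mismatched.append(item["evidence_name"])
    return mismatched


# Constructed sample log lines standing in for logs pulled from key devices.
SAMPLE_LOGS = {
    "auth.log": "Nov 12 03:14:07 web01 sshd[4121]: Accepted password for svc_backup from 203.0.113.9\n",
    "proxy.log": "2015-11-12T03:15:22Z web01 CONNECT 198.51.100.23:443 user=svc_backup\n",
}


def demo():
    """Collect, verify, tamper, re-verify. Returns (item_count, before, after)."""
    work = tempfile.mkdtemp(prefix="ir-")
    sources = []
    for name, content in SAMPLE_LOGS.items():
        path = os.path.join(work, name)
        with open(path, "w") as fh:
            fh.write(content)
        sources.append(path)
    evidence_dir = os.path.join(work, "evidence")
    manifest = collect_evidence(sources, evidence_dir, collector="incident-coordinator")
    before = verify_evidence(evidence_dir)  # expect []
    # Simulate someone "tidying" a collected log after the fact.
    tampered = os.path.join(evidence_dir, manifest["items"][0]["evidence_name"])
    with open(tampered, "a") as fh:
        fh.write("Nov 12 03:16:00 web01 sshd[4121]: session closed\n")
    after = verify_evidence(evidence_dir)  # expect ['000_auth.log']
    shutil.rmtree(work, ignore_errors=True)
    return len(manifest["items"]), before, after


if __name__ == "__main__":
    print(demo())
```

In a real collection the evidence directory would live on write-once or access-controlled storage and the manifest would be countersigned by the co-ordinator; the point of the in-script verification is that any later change to a collected log, however well-meant, is detectable and the original hash is on record from the moment of collection.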
Your immediate response to a data breach depends heavily on how it was discovered. A breach is a technical issue, but if it has come to light via the press or a third party rather than through internal discovery, your response will be more reactive and focus more on corporate reputation. Whether discovered externally or internally, a data breach requires the technical team to work closely with other departments such as legal and PR to devise an incident response strategy that limits the damage to the company.
According to Rashmi Knowles, Chief Security Architect, EMEA, at RSA, the technical response takes a back seat to people and process. Speaking to CBR, Knowles said:
"People and process are more critical than the technology when it comes to incident response. First, a security operations team must have clearly defined roles and responsibilities to avoid confusion at the crucial hour. But it is just as important to have visibility and consistent workflows during any major security crisis to assure accountability and consistency and help organisations improve response procedures over time."
Once a strategy and the roles of those working to execute it are clearly defined, then comes the next stage in dealing with a data breach – communication. After establishing what has been lost, who it impacts and how it happened, the need to communicate to the authorities, employees and customers is critical.
Stay tuned for the next article in CBR’s data breach series looking at communication and public relations.