Too many consumers have awoken one morning to find messages from a retailer or their bank detailing purchases made through their account of which they were unaware. While the realization that they have been hacked will cause some well-deserved panic for the account holder, it usually only takes a few phone calls to cancel purchases, change a password, and cancel a credit card to put a stop to the problem.
However, when an organization of any size experiences a similar data breach, the response must be much more complicated. The wrong response can endanger the firm's ability to function, the data it holds, and its clients. Unfortunately, a quick glance at the daily headlines shows that many organizations face this scenario.
In just the last few weeks, CDK Global, Change Healthcare, and Atlas Oil were all attacked, forcing these organizations to respond in some fashion to limit damage, notify clients, and then begin recovery operations. The most important takeaway from these or any attack is that no management team can put together an incident response plan on the fly after an incident has occurred. The plan must be in place and practiced by the organization's hierarchy to guarantee the best outcome possible in what will be a highly charged atmosphere where one can easily make a mistake.
The first step is ensuring an incident response plan is in place. This document will contain a wide range of information and pre-planned tasks to help guide an organization through an attack. The first step in creating an incident response plan is determining as closely as possible what problem the plan will solve, such as which assets need protection and what attack scenarios you might face.
Once the primary assets are understood, the plan must take into consideration the fact that an IT department or security team cannot stand alone when responding to an attack. The plan must detail who security will collaborate with within the broader organization. In general, this should include having an executive sponsor, essentially someone with enough oversight to support the security team's effort and insist that others get on board.
An incident response plan must have buy-in from managers across the company, who should review, contribute, and understand their roles in incident response. Build an advisory committee comprised of people from around the organization who will be involved in responding to the crisis. Include your public relations and corporate communications teams.
It also helps to reach out to local law enforcement for support. Many police departments now have dedicated cybersecurity teams that can help before and after an attack takes place. Additional outside help from a dedicated cybersecurity partner should also be an integral part of the plan, especially if your internal security skills are lacking.
As with any traumatic injury, the first step when attacked is to stop the bleeding, or in this case, identify the source of the breach and take immediate steps to prevent further data loss. Doing so might involve isolating infected systems, patching vulnerabilities, and reviewing access controls.
Securing the data on hand and other assets is the next step. If possible, attempt to regain control of the stolen data. Doing so may involve negotiations with the attacker (not ideal) or working with law enforcement. At this point, deciding whether or not to pay any ransom demanded may be necessary. This decision has pros and cons, but the FBI's general rule of thumb is not to pay, as there is no guarantee the criminals will release the data. Additionally, once a company has shown it is willing to pay, the threat group may come back and demand more money.
Take all affected equipment offline immediately — but don't turn any machines off until the forensic experts arrive. Closely monitor all entry and exit points, especially those involved in the breach. If possible, put clean machines online in place of affected ones. In addition, update credentials and passwords of authorized users. If a hacker stole credentials, your system would remain vulnerable until you change those credentials, even if you've removed the hacker's tools.
A cyberattack may be only one component of a larger plan, one involving physical properties. So, secure physical areas potentially related to the breach. Lock them and change access codes. Ask your forensics experts and law enforcement when it is reasonable to resume regular operations.
If the organization does not have the in-house capability to handle the problem, consider hiring independent forensic investigators to help you determine the source and scope of the breach. They will capture forensic images of affected systems, collect and analyze evidence, and outline remediation steps.
Consult with legal counsel and consider hiring outside counsel with privacy and data security expertise. Counsel can also offer advice on federal and state laws that may be implicated by a breach.
Once the initial triage has occurred, the team must identify the scope of the attack. They must determine the type of data stolen and how many individuals are affected. This action will help tailor the response and communication.
Find out if measures such as encryption were enabled when the breach happened. Analyze backup or preserved data. Review logs to determine who had access to the data during the breach. Also, analyze who currently has access, determine whether that access is needed, and restrict access if it is not. Verify the types of information compromised, the number of people affected, and whether you have contact information for those people. When you get the forensic reports, take the recommended remedial measures as soon as possible.
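The log-review and access-review steps above, as an added example that is not part of the original post: it replays constructed audit-log lines against a breach window to list which accounts touched the affected dataset, then compares today's access list with the accounts that have a documented need. The log format, account names and approved list are all assumptions.

```python
"""Added example (not from the original post): review an access log against a
breach window and compare current access against documented need.
Log format, account names and the approved list are constructed assumptions."""
from datetime import datetime, timezone

# Constructed sample audit-log lines: ISO timestamp, account, action, object.
SAMPLE_LOG = """\
2024-06-10T08:15:02Z alice READ customers.db
2024-06-10T22:41:10Z svc-backup READ customers.db
2024-06-11T03:02:44Z bob EXPORT customers.db
2024-06-11T03:05:19Z bob READ payroll.xlsx
2024-06-12T09:00:00Z carol READ customers.db
"""

# Constructed: accounts that can reach customers.db today, and those with a
# documented business need. Anything in the first set but not the second is a
# candidate for restriction.
CURRENT_ACCESS = {"alice", "bob", "carol", "svc-backup", "dave"}
APPROVED_ACCESS = {"alice", "svc-backup"}


def parse_ts(ts):
    """Parse a UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_log(text):
    """Turn whitespace-separated log lines into (ts, account, action, obj) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, action, obj = line.split()
        events.append((parse_ts(ts), account, action, obj))
    return events


def accessed_during(events, obj, start, end):
    """Map each account that touched `obj` inside [start, end] to its actions."""
    touched = {}
    for ts, account, action, target in events:
        if target == obj and start <= ts <= end:
            touched.setdefault(account, []).append(action)
    return touched


def access_to_restrict(current, approved):
    """Accounts holding access today without a documented need."""
    return sorted(current - approved)
```

The breach window comes from the forensic timeline; the output of `accessed_during` is the list to hand to forensics, and `access_to_restrict` is the list to act on now.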
Check your network segmentation. When the network was created, it was likely segmented, so a breach on one server or in one site could not lead to a breach on another server or site. Work with forensics experts to analyze whether the segmentation plan effectively contained the breach. If you need to make any changes, do so now.
One of the worst mistakes made by victimized organizations is failing to tell the necessary parties that an attack has happened and to pass on the pertinent information. While no business wants negative publicity to leak, those possibly unknowingly involved in the breach must be informed. Those informed could include law enforcement and specific regulatory agencies. For example, if personal health information (PHI) is involved, HIPAA compliance issues could be in play. With financial information, the organization might have to tell the Securities and Exchange Commission.
Communicate transparently with those impacted by the breach. Explain what data the attacker stole, the potential risks, and the steps they can take to protect themselves. Anticipate the questions people will ask, generate easy-to-understand answers, and be prepared to make these public if necessary. This matters particularly if clients could be impacted by the incident, as was covered in the Trustwave SpiderLabs 2024 Professional Services Threat Landscape: Trustwave Threat Intelligence Briefing and Mitigation Strategies.
These steps are easier to complete if there is a communication plan in place. Craft a public statement acknowledging the breach and outlining the company's response efforts. Being open helps maintain trust and limit reputational damage. Make the plan comprehensive, so that it reaches all affected audiences: employees, customers, investors, business partners, and other stakeholders. Don't make misleading statements about the breach, and don't withhold key details that might help consumers protect themselves and their information. Also, don't publicly share information that might put consumers at further risk.
The recovery process shouldn't become a vulnerability itself. Before restoring data, ensure backups haven't been compromised. Using infected backups would reintroduce the issue. Remember, legal considerations might exist. Verify your team has completed due diligence before ending the incident response.
Don't let the desire to move on overshadow the importance of a formal post-incident review.
Here's what it entails:
Learning from these points strengthens your security posture and helps you anticipate future threats. A quick and decisive response is essential to minimize the impact of a data breach. Companies have a responsibility to protect user data and communicate effectively during a crisis.
Establishing an incident response process takes time, effort, money, and skill, but it's important to remember that it can and must be done. If your organization cannot do so, calling in a security partner might be required.
If you are not ready for that step, a good first action is using some self-assessment tools supplied by Trustwave's Security Colony. A detailed incident response plan and additional text and video resources can be found here for free.
The industry analyst firm IDC cited Security Colony as a "major differentiator" and a powerful self-service resource for CISOs that gives them direct access to a variety of tools that will allow them to self-diagnose the problem.