Data Breach: A 5-Step Response Plan

David Balaban

David is a computer security researcher with over 17 years of experience
in malware analysis and antivirus software evaluation. His recent focus is on
ransomware countermeasures.
MacSecurity.net | Privacy-PC.com

Introduction

A data breach is one of the worst scenarios in today’s enterprise security, and for good reason. It entails reputational problems, disruption of business processes, and penalties for noncompliance with increasingly rigid data protection laws. Unfortunately, these incidents are steadily on the rise. Even ransomware attacks can now be considered data breaches, as most extortionist gangs exfiltrate confidential information from corporate networks as part of their raids.

There are different catalysts for this security nightmare. In most cases, cybercriminals retrieve proprietary data from a remotely compromised corporate server. The threat may also stem from an insider who abuses their access privileges and gets hold of valuable files behind your back. Sometimes sensitive data is unintentionally leaked via a company’s misconfigured application or component. Scenarios vary, but they all have one thing in common – the upshot can be devastating.

A roadmap to emerge unscathed

Imagine your organization is on the receiving end of a data breach. What’s your plan to remediate the situation, minimize the impact, and ensure business continuity? Although there is no such thing as a one-size-fits-all tactic, the following steps are crucial to a positive outcome.

Prevent further damage

First things first, you have to make sure that the predicament doesn’t get worse and the attackers can’t move laterally across your network to obtain more data than they already have. Mobilize your tech team to assess the scope of affected corporate infrastructure. Once you know which devices have been compromised, isolate them all by disconnecting them from the network. Importantly, don’t power such equipment off until a forensic analysis is performed, since shutting a machine down destroys volatile evidence such as its memory contents.

Ascertain that all users who have access to the infiltrated equipment and systems update their credentials immediately. The same goes for service accounts. If you neglect to implement this emergency measure, hackers can maintain their foothold in the network even after you have spotted and eliminated harmful software. At the end of the day, this makes recovery efforts futile.

Consider hiring a crew of independent forensic experts who will help you prioritize your response steps and facilitate the process of collecting and analyzing evidence. These professionals can also look for signs of an insider threat, and if this theory turns out to be true they will help identify double-dealing employees.

Another important thing on your initial to-do list is to remove erroneously posted data. In case such information ended up on your website due to an admin’s blunder, delete it right away. Keep in mind that search engines cache content published on web pages, and therefore it may remain publicly available for some time after you erase it. It’s in your best interest to contact these services and request permanent removal. If you discover that a copy of your stolen data has been posted on a third-party resource, reach out to its owner and ask them to delete it.

Interview team members who discovered the incident or other individuals who claim to have additional information related to it. Document all bits and pieces of evidence provided by these people and avoid destroying this data until the investigation is over.

Close security gaps

Remember that your digital infrastructure stays susceptible to hacks as long as the vulnerabilities that set the original breach in motion remain. Therefore, addressing these flaws is a prerequisite for foiling another attempt to infiltrate your network.

Keep in mind that an attacker (who exploited the initial vulnerability) may have also added a backdoor to be able to get back in even after the vulnerability has been patched… In some cases, it is better to start from a clean slate by reinstalling the server and application from scratch and migrating the data.

Philippe Caturegli, Netragard

If your organization cooperates with a managed service provider (MSP) to support a specific business area, make sure that its network wasn’t the entry point for the hack. Unfortunately, this is often the case. Such firms have a certain extent of access to multiple customers’ assets, which makes them juicy targets. Contact such partners and check whether they have experienced a cyber-attack recently. If they have, revise their access privileges and verify that they took care of those security loopholes.

When building your network, you probably adhered to the principle of segmentation. It means restricting connectivity between different network zones and virtual environments so that hackers can’t easily extend their reach after accessing one server or website. If the attackers did manage to spread beyond the initial foothold, though, your network segmentation might need an overhaul towards greater isolation of its different layers.

Examine event logs to find out who was working with the now-exposed data when the breach occurred. Additionally, analyze who has access to the information at this point and whether this access is necessary for that range of users. Change the permissions accordingly.
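As an added example (not code from the article), this Python script carries out the review described above over a constructed file-access audit log: it lists who touched the exposed file inside the breach window and which principals on the current ACL have never used their access, the natural candidates for permission removal. The log format, file path, user names and ACL are all assumptions.

```python
from datetime import datetime

# Constructed sample audit log: "timestamp user action path" per line (not real data).
AUDIT_LOG = """\
2024-03-02T08:15:00 alice READ /finance/payroll.xlsx
2024-03-02T09:40:00 svc-backup READ /finance/payroll.xlsx
2024-03-02T22:05:00 bob READ /finance/payroll.xlsx
2024-03-03T01:12:00 bob COPY /finance/payroll.xlsx
2024-03-03T03:30:00 mallory READ /finance/payroll.xlsx
2024-03-04T10:00:00 alice WRITE /finance/payroll.xlsx
"""

# Constructed current ACL for the exposed file: who can access it right now.
CURRENT_ACL = {"/finance/payroll.xlsx": {"alice", "bob", "carol", "svc-backup", "mallory"}}


def parse_log(text):
    """Turn the raw log text into (timestamp, user, action, path) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split()
        entries.append((datetime.fromisoformat(ts), user, action, path))
    return entries


def users_active_in_window(entries, path, start_iso, end_iso):
    """Map each user who touched `path` inside the breach window to the actions they took."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    seen = {}
    for ts, user, action, p in entries:
        if p == path and start <= ts <= end:
            seen.setdefault(user, set()).add(action)
    return seen


def access_review(entries, acl, path, start_iso, end_iso):
    """Return (active_in_window, never_used): who to investigate and whose access to cut."""
    active = users_active_in_window(entries, path, start_iso, end_iso)
    ever_used = {user for _, user, _, p in entries if p == path}
    never_used = acl[path] - ever_used  # on the ACL but no recorded use at all
    return active, never_used


if __name__ == "__main__":
    active, unused = access_review(parse_log(AUDIT_LOG), CURRENT_ACL,
                                   "/finance/payroll.xlsx",
                                   "2024-03-02T20:00:00", "2024-03-03T06:00:00")
    print("active during breach window:", active)
    print("never used their access:", unused)
```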

To estimate the severity of the incursion in terms of your company’s day-to-day operations, check if data encryption was in place at the time of the incident. This is a game-changer because crooks can get no mileage out of files protected with a cipher (unless they also had access to the encryption keys…). Furthermore, determine if you have unaffected backups.

Come up with a comprehensive communication strategy

Be sure to keep all appropriate parties informed about the breach, from employees and customers to investors and other business partners. Avoid making ambiguous or deceptive statements about what happened, what types of data were spilled, and how the recovery process is going.

Also, don’t hold back important aspects that may help affected individuals protect themselves against identity theft, targeted social engineering scams, and other abuse. For instance, if criminals have obtained your customers’ Social Security numbers in the aftermath of the attack, they may impersonate those victims to sign up for various services and perpetrate tax scams. With that in mind, you should encourage individuals who discover that their data has been misused to report these frauds to the Federal Trade Commission (FTC) or a counterpart in your country.

When properly notified, people can ask credit bureaus to include alerts about fraudulent activity in their credit reports or take other measures to forestall this kind of foul play. If possible, your organization should offer these clients a certain period of free identity theft protection services. This will help you regain trust that often bears the brunt of a breach.

Also, reach out to the businesses that may be affected. For example, if the stolen account information includes your customers’ credit card details and other financial data, then you must immediately notify the institutions that maintain these records so that they can adjust their fraud monitoring activity to a high risk of potential abuse. The same goes for data you handle on behalf of any other business entity.

Depending on the industry your company represents, align your breach response with the appropriate legal requirements. For instance, if you provide services to residents of the European Union, then your business activity is subject to the General Data Protection Regulation (GDPR). If your organization is based in the United States and operates in the healthcare sector, then you have to comply with the Health Insurance Portability and Accountability Act (HIPAA). Determine the specific provisions of the applicable laws and follow them diligently to avoid fines for breaking those rules.

In addition, make sure you notify law enforcement right after discovering the incident. Report the breach to local police and inform them about the likelihood of identity theft. If the department in your area doesn’t have the necessary competencies to investigate cyber-attacks, contact the nearest offices of national law enforcement authorities, such as the U.S. Federal Bureau of Investigation (FBI) or the UK’s National Fraud Intelligence Bureau (NFIB).

Update your recovery plan

The final step should be to review your process and recovery plan. Some months after the breach, you should review how you responded to it and what you could have done better as an organization. A data breach is a major adversarial event, and turning it into an opportunity for learning and improving is important. You should conduct a comprehensive review (why not designate a research team?) of your security posture, identify weak spots and take the necessary actions to prevent any future incident. A common finding in this kind of review is that staff lack the skills and knowledge to adequately respond to a hack – if that’s the case, set up a training program to bring everyone up to speed.

If the breach was caused by one of your third-party suppliers, things can get trickier. But even in this case, it’s possible to work on a joint plan that you both follow after a data breach and to improve coordination.

Summary

Of course, it’s best to prevent data breaches from happening in the first place. Prevention includes:

  • It is critical that you respond to a data breach quickly and efficiently. It’s critical to have a plan in place before it is needed. Penetration testing and red team exercises can be part of the preparation.
  • Keeping your software up to date is one of the pillars of proactive protection against these incidents, as is stopping your developers’ secrets from leaking.
  • Another effective technique is to conduct penetration testing regularly. This simulation of an attacker’s activity will allow you to assess your detection capabilities (i.e. are you able to identify some of the actions performed by the penetration testing team?) and give you actionable insights into the weak links in your organization’s security posture.
  • Remember that cybersecurity education is critical. It is important to encourage users to report any suspicious activities (or mistakes they have made). We often see that the user will just close the window or move on to other activities without reporting the incident to the IT security team.

If breached, it’s important not to tackle the problem alone. Team up with a trusted, experienced infosec company. You may have intimate knowledge of your infrastructure, but an experienced infosec team has experience with breaches. The infosec team can not only identify the gap but can also work with you to close the breach.

Philippe Caturegli, Netragard

If the worst-case scenario occurs, you have to know what to do and whom to contact. The recommendations above should point you in the right direction.