Your biggest fears have come true. The authorities are on the phone, telling you that your customers’ private data is on the Internet, along with credentials to your corporate network. On the other line is the media, asking for an interview while your CxOs are waiting for the status update. You have been breached; what do you do first?
As frightening as this scenario sounds, it happens more often than most organizations expect. Small and medium businesses, and even Fortune 500 enterprises with considerable technical resources defending their networks, are all susceptible to a data breach.
Before we continue, let's define what a security incident and a data breach are.
Security Incident – “An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.”
A data breach is a security incident in which data is actually exposed to, or taken by, an unauthorized party. It can be caused by a simple security incident such as falling victim to a phishing email and downloading an infected application, or it can be the result of a more advanced attack: exploiting a 0-day, gaining persistent access, and using stealthy, covert tactics for data exfiltration.
Containing the Risk
Once the breach is detected and validated, here are a few initial steps to take to contain the risk:
- Carefully isolate the infected systems so that key volatile data and digital artifacts remain intact. Isolate at the network (switch port, firewall rule, quarantine VLAN) rather than by pulling power, since memory, running processes, and open network connections are lost the moment the machine goes down.
- Trust no one. Assume the attacker can read your corporate email and chat. Have key members of the incident response team, corporate executives, and your trusted advisors use an alternative secure channel to communicate about the breach.
- Lock down the environment. Heighten your security measures on your network and systems. Reset credentials, and diligently monitor network and system activity.
- Give employees clear guidance on the heightened security posture and communicate the status of the breach to avoid miscommunication and false assumptions.
- Prepare for multiple parallel tracks of activity, including a remediation path and an investigation path.
- Collect and retain all log files, databases, and other vital records from both before and after the breach. Hash what you collect as soon as you collect it, so you can later show the evidence has not changed.
Actions to Avoid
Here are a few key points you should note:
- Do not panic.
- Do not turn off the affected systems until proper triage is done and the vital digital artifacts (memory contents, running processes, logged-in sessions, open network connections) have been collected.
- Do not act on your initial analysis alone or jump to conclusions.
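To make the "isolate, but keep the volatile data" and "hash what you collect" points concrete, here is a first-response triage script for a Linux host. It is an added example written for this post, not a tool from the original article: it captures the most volatile state first (running processes, sessions, sockets, ARP and routing tables, loaded modules) into an evidence directory, then writes a SHA-256 manifest of everything collected and verifies it, so that any later change to the evidence is detectable. The EVIDENCE_ROOT mount point and the output file names are assumptions; run it before the box is disconnected or powered off, and point it at removable or remote storage rather than the compromised disk.

```bash
#!/usr/bin/env bash
# Added example: volatile-data capture and evidence hashing for a Linux host.
# Usage: ./triage.sh run      (EVIDENCE_ROOT is an assumed mount point)
set -u

# Run one command, saving stdout+stderr plus a UTC timestamp and the exact
# command line. A missing tool is recorded as an error, not a fatal stop:
# a collection that aborts halfway is worse than one with a gap in it.
capture() {
    local outdir="$1" name="$2"; shift 2
    printf '# %s\n# %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" > "$outdir/$name.txt"
    "$@" >> "$outdir/$name.txt" 2>&1 || true
}

# Most volatile state first (RFC 3227 order of volatility), before anything
# that lives on disk. Numbered names keep the order visible in the manifest.
collect_volatile() {
    local outdir="$1"
    mkdir -p "$outdir"
    capture "$outdir" 00_date      date -u
    capture "$outdir" 01_uptime    uptime
    capture "$outdir" 02_sessions  who -a
    capture "$outdir" 03_processes ps -eo pid,ppid,user,lstart,etime,cmd
    if command -v ss >/dev/null 2>&1; then
        capture "$outdir" 04_sockets ss -tunap
    else
        capture "$outdir" 04_sockets netstat -tunap
    fi
    capture "$outdir" 05_arp       cat /proc/net/arp
    capture "$outdir" 06_routes    cat /proc/net/route
    capture "$outdir" 07_mounts    cat /proc/mounts
    capture "$outdir" 08_modules   cat /proc/modules
}

# Pick whichever SHA-256 tool the host has (GNU coreutils or perl shasum).
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then echo sha256sum; else echo "shasum -a 256"; fi
}

# Deterministic hash listing of every collected file (sorted, manifest excluded).
hash_tree() {
    ( cd "$1" && find . -type f ! -name MANIFEST.sha256 | LC_ALL=C sort | xargs $(sha256_tool) )
}

write_manifest()  { hash_tree "$1" > "$1/MANIFEST.sha256"; }

# Succeeds only if every file still hashes the same and none were added or removed.
verify_manifest() { [ "$(hash_tree "$1")" = "$(cat "$1/MANIFEST.sha256")" ]; }

main() {
    local root="${EVIDENCE_ROOT:-/mnt/evidence}"   # assumed: evidence volume, not the suspect disk
    local outdir="$root/$(hostname)-$(date -u +%Y%m%dT%H%M%SZ)"
    collect_volatile "$outdir"
    write_manifest "$outdir"
    verify_manifest "$outdir" && echo "evidence captured and hashed in $outdir"
}

# Only run the collection when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```

Copy the MANIFEST.sha256 file to a second location (or a ticket) immediately; re-running verify_manifest against the evidence directory later is how you show the investigators' copy matches what was taken off the host. This captures the cheap, text-level volatile state; a full memory image (for example with LiME or a vendor agent) should follow the same collect-then-hash pattern before the system is shut down.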
Next week we’ll look at how to remediate a breach.