Blog: DFIR

The 5 breach readiness mistakes

Gerard Kerrigan 30 Sep 2019

The most common mistakes we see in engagements

Responding to cyber incidents and data breaches is rarely straightforward. You are generally faced with making on-the-spot critical decisions with little or no real information. This often leads to mistakes.

Let’s review some of the common mistakes we see when we are called upon to respond to an incident.

1. Failure to Plan

At the very least, give some thought to how your business will react to, and manage, a cyber incident, and write that down as a plan. Good forward planning should eliminate many of the common mistakes we see.

2. Failure to Collect and Retain

Understand where potentially relevant data can be collated, retained and accessed ahead of an incident:

  • Network diagrams – what your environment looks like and how it works
  • Asset list – what servers, workstations, laptops and other devices are in use
  • Build information – what is running on your systems, which versions, patching levels and so on
  • User list – which authorised users use which devices, and which parts of your environment can they legitimately access
  • Data sources – where is the most useful data stored, and how can it be accessed quickly if needed
  • Logs – servers, endpoints, firewall, http(s), ftp and so on. Understand what you log, how long you keep it for and how you access it in an emergency. Preserve log data for a minimum of 90 days; 180 days is better
  • Contact lists – who needs to be contacted and kept informed in the event of an incident
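As an added example of the retention point above (not from the original post), here is a logrotate stanza with a typical short default beside one that keeps 180 days. The file path is an assumption; the directives are standard logrotate ones.

```conf
# Added example, not from the original post. A common distribution default
# for syslog-style files: weekly rotation keeping four files, so roughly a
# month before the oldest log is deleted.
/var/log/auth.log {
    weekly
    rotate 4
    compress
    missingok
}

# The same stanza retaining at least 180 days: daily rotation keeping 180
# files, delaycompress so the newest rotated file is still plain text for a
# quick grep, and dateext so files are named by date rather than .1/.2.
/var/log/auth.log {
    daily
    rotate 180
    compress
    delaycompress
    dateext
    missingok
    notifempty
}
```

Local retention alone is not preservation: an attacker with root on the host can delete or edit these files, so forward a copy to a central collector the host cannot write back to.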

3. Failure to Preserve

It’s tempting to have a go at resolving the problem yourself in the early stages of an incident. Consider your actions beforehand so that you don’t destroy potentially useful data through your actions. The one thing that drives effective incident response is ready access to the right information:

  • Protect historical log data at the point of an incident so that it does not get overwritten
  • Maintain, or increase logging functions for the duration of the incident
  • Capture network or NetFlow traffic early in the incident timeline
  • Isolate suspicious devices from the network, but do not power them off: powering off destroys memory contents and other volatile evidence
  • Document any actions taken prior to the incident team arriving
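As an added example of the preservation steps above (not from the original post), the following POSIX shell script copies log files into an evidence directory, records a SHA-256 for every copy, refuses to overwrite evidence already taken, starts a packet capture, and keeps a timestamped record of each responder action. The directory layout, variable names and the sample log lines are constructed for illustration; start_capture needs tcpdump and sniffing privileges on the host.

```shell
#!/bin/sh
# Added example (not from the original post): snapshot log files into an
# evidence directory, hash every copy, and keep a timestamped record of each
# responder action. Paths and variable names are assumptions for illustration.
set -eu

# Where evidence is written; default to a fresh temporary directory
EVIDENCE_DIR="${EVIDENCE_DIR:-$(mktemp -d)}"
ACTION_LOG="$EVIDENCE_DIR/actions.log"
HASH_FILE="$EVIDENCE_DIR/SHA256SUMS"

# sha256sum on Linux, shasum on BSD/macOS; same "hash  path" output format
sha256() { if command -v sha256sum >/dev/null; then sha256sum "$@"; else shasum -a 256 "$@"; fi; }

# Append one line per action: UTC timestamp, who did it, what was done
record_action() {
    printf '%s %s: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "${RESPONDER:-$(id -un)}" "$1" >> "$ACTION_LOG"
}

# Copy every file under $1 into $EVIDENCE_DIR/logs, preserving timestamps,
# and record a SHA-256 for each copy. An existing copy is never overwritten,
# so a second run cannot clobber evidence already taken.
preserve_logs() {
    src="$1"
    dest="$EVIDENCE_DIR/logs"
    mkdir -p "$dest"
    find "$src" -type f | while IFS= read -r f; do
        out="$dest/${f#"$src"/}"
        mkdir -p "$(dirname "$out")"
        if [ -e "$out" ]; then
            record_action "refused to overwrite existing copy $out"
            continue
        fi
        cp -p "$f" "$out"
        sha256 "$out" >> "$HASH_FILE"
        record_action "preserved $f as $out"
    done
}

# Re-hash every preserved copy; a non-zero exit means something changed
verify_evidence() {
    sha256 -c "$HASH_FILE" >/dev/null
}

# Start a full packet capture on $1 (default: all interfaces) in the
# background and record the PID so it can be stopped and its pcap hashed
# later. Returns 1 if tcpdump is not installed on this host.
start_capture() {
    iface="${1:-any}"
    command -v tcpdump >/dev/null || { record_action "tcpdump not available, no capture started"; return 1; }
    tcpdump -i "$iface" -s 0 -w "$EVIDENCE_DIR/capture.pcap" &
    echo $! > "$EVIDENCE_DIR/capture.pid"
    record_action "started packet capture on $iface, pid $!"
}

# Constructed sample logs standing in for /var/log; prints the directory
make_sample_logs() {
    d=$(mktemp -d)
    mkdir -p "$d/nginx"
    printf '%s\n' \
        'Sep 30 10:14:02 web01 sshd[2211]: Failed password for root from 203.0.113.9 port 50122 ssh2' \
        'Sep 30 10:14:05 web01 sshd[2211]: Accepted password for deploy from 203.0.113.9 port 50130 ssh2' \
        > "$d/auth.log"
    printf '%s\n' \
        '203.0.113.9 - - [30/Sep/2019:10:15:41 +0000] "GET /wp-login.php HTTP/1.1" 200 1024' \
        > "$d/nginx/access.log"
    echo "$d"
}
```

Run it as `SRC=$(make_sample_logs); preserve_logs "$SRC"; verify_evidence` and read actions.log afterwards; the hash file plus the action log is the minimum an incoming incident team will ask for to trust what was collected before they arrived.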

4. Failure to Upskill

Training suitably skilled internal teams with basic initial response techniques will save you time and money:

  • Knowledge of legal, procedural and ethical matters as they apply to forensic data collection
  • Understand the order of volatility (RFC 3227) so that data likely to be quickly overwritten, such as memory and network state, is preserved before anything on disk
  • Understand disk imaging techniques
  • Understand where cloud data is stored and how preserving it may differ from on-premises data
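As an added example of the two technical skills in the list above (not from the original post), the following POSIX shell script collects the most volatile artefacts first, in order, and then takes a disk image that is verified by hash. The output directory, file names and command list are assumptions; the sample "device" is a constructed 4 KiB file, and on a real host you would point image_and_verify at a block device behind a write blocker.

```shell
#!/bin/sh
# Added example (not from the original post): collect the most volatile
# artefacts first, then take a verified disk image. Everything is written
# under $TRIAGE_DIR; file names and the command list are assumptions.
set -eu

TRIAGE_DIR="${TRIAGE_DIR:-$(mktemp -d)}"
sha256() { if command -v sha256sum >/dev/null; then sha256sum "$@"; else shasum -a 256 "$@"; fi; }

# Run one command, save its output, and note when it was taken.
# A missing tool is noted in the output file rather than aborting collection.
snapshot() {
    name="$1"; shift
    out="$TRIAGE_DIR/$name.txt"
    if command -v "$1" >/dev/null; then
        "$@" > "$out" 2>&1 || true
    else
        echo "$1 not available on this host" > "$out"
    fi
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" >> "$TRIAGE_DIR/order.txt"
}

# Order of volatility (RFC 3227): whatever will change or vanish soonest is
# collected first. Process and network state go before anything on disk,
# because imaging a disk takes long enough for those to change.
collect_volatile() {
    snapshot 01-date       date -u
    snapshot 02-uptime     uptime
    snapshot 03-sockets    ss -tanp
    snapshot 04-processes  ps -eo pid,ppid,user,etime,args
    snapshot 05-logins     who
    snapshot 06-mounts     mount
}

# Image $1 into $2 and verify the copy. bs=512 with conv=noerror,sync keeps
# going past unreadable sectors and pads them with zeros so offsets stay
# aligned; block devices are whole multiples of 512 bytes, so padding only
# happens on a read error. Comparing source and image hashes is only
# meaningful when the source cannot change underneath you (write blocker or
# offline disk); on a live system, hash the image and record that instead.
# Returns 1 if the hashes differ.
image_and_verify() {
    src="$1"; img="$2"
    before=$(sha256 "$src" | cut -d' ' -f1)
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null
    after=$(sha256 "$img" | cut -d' ' -f1)
    printf '%s  %s\n%s  %s\n' "$before" "$src" "$after" "$img" > "$img.sha256"
    [ "$before" = "$after" ]
}

# Constructed stand-in for a small disk: 8 sectors of random bytes
make_sample_device() {
    f=$(mktemp)
    dd if=/dev/urandom of="$f" bs=512 count=8 2>/dev/null
    echo "$f"
}
```

Typical use on a suspect host is `collect_volatile` immediately, then `image_and_verify /dev/sdX "$TRIAGE_DIR/sdX.img"` once the volatile data is safe; order.txt records the sequence and times so the collection can be defended later.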

5. Failure to Follow Up

When faced with a cyber-attack or data breach most businesses will focus on identifying the problem, seeing how far it has spread, containing and eradicating it.

In terms of getting a business back to normal operations this is absolutely the right approach. However, you should recognise that the level of analysis conducted during these stages will only be sufficient to get answers to the questions being asked at the time.

That may not be enough to give you a full understanding of the who, what, where, when, why and how of the breach.

It’s critical to learn lessons from a breach: the ingress route may just be one of many holes in your processes and environment. Yet the post mortem, or follow up analysis, is often forgotten now that the business is up and operational again.

Organisational change that may be required to mitigate future events can be a much longer and more costly undertaking, but it is essential if you don't want to be breached again.