Blog: Breach Handling
Think you’ve had a breach? Top 5 things to do
Realising that you may have had a data breach can be the start of a stressful and confusing time.
Ideally, you would reach for your carefully crafted and practised incident management plan to guide you through the process. In reality, though, these plans tend to fall into one of two camps:
- They don’t exist yet
- They have never been tested or updated, and are found wanting at the point you need them most.
So, in the absence of a credible plan, where do you start?
Number 1: Call your insurer
Why? If you have cyber liability or related cover, you may void your policy if you don’t immediately call your insurance company, or if you take actions without their guidance.
They will have expertise in claims management. Bear in mind their interest is in minimising your losses and therefore the size of a potential claim.
If your insurer tells you that you don’t have cover or advises you to respond to the incident yourselves, what next?
Number 2: Do No Harm!
Developing your response plan on the fly is rarely effective. Don’t try to manage the incident yourself, unless you have in-house incident response expertise.
Why not? Much of the useful data is volatile and easily overwritten. Data held in memory will quickly degrade if you cut the power to a device.
There are occasions, particularly with credit card fraud, where losses may be mitigated by allowing a breach to run a little longer. Specialist advice can help you make these decisions.
If you are forced for business reasons to start containment before talking to the professionals, take these steps to try and avoid compromising your incident response investigation:
- Isolate endpoints from the network but DO NOT POWER THEM OFF unless, for example, data is in the process of being encrypted by ransomware.
- Running a triage script, taking a volatile memory (RAM) image, or a disk image is going to be easy for someone with decent technical ability. Just be sure they know what precautions to take, particularly around write-blocking for evidence preservation.
- Get your people trained to be 1st Responders, so they can preserve all that vital information ASAP.
Doing this will save you hours, maybe days, during your initial response operations.
Clearly articulating the potential implications of an incident to your C-suite may make them reconsider their blanket instruction to ‘get everything back up and running as fast as possible’. Again, professionals are experienced in this.
Number 3: Identify and preserve relevant data sources
Unless you have a long-standing working partnership with your incident response provider, you will always know your environment better than they do.
You know what systems are deployed, how they are configured and how data flows between them and the outside world. You will also understand what logging functions you have running and how to access them, so be prepared.
- Gather and preserve relevant log data and have it ready for the incident response team to analyse early in the investigation.
- Obtain packet captures and preserve data flow from relevant parts of your environment.
- Don’t forget other useful information such as an up-to-date network diagram, asset list, user list etc.
- Where third-party managed services are used, make sure you know how long it takes to process requests for data. Are there any unknown limitations on how much log data is available and can be processed at one time?
These steps all help towards successful incident resolution.
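One way to carry out the log preservation step above, as an added example that is not part of the original post: it copies a log directory into an evidence folder, writes a SHA-256 manifest and a collection note for chain of custody, and can later confirm that nothing was altered after collection. The paths and sample log lines are constructed, and it assumes GNU coreutils (sha256sum) is available.

```shell
#!/bin/sh
# Added example (not from the original post): preserve copies of log files for an
# incident response team with a SHA-256 manifest and a collection record.

# preserve_logs SRC_DIR EVIDENCE_DIR
# Copies every regular file under SRC_DIR into EVIDENCE_DIR/files, keeping
# modes and mtimes, then writes MANIFEST.sha256 so later analysis can prove
# the copies are unchanged since collection.
preserve_logs() {
    src="$1"; dest="$2"
    mkdir -p "$dest/files"
    find "$src" -type f | while IFS= read -r f; do
        rel="${f#"$src"/}"                  # path relative to SRC_DIR
        mkdir -p "$dest/files/$(dirname "$rel")"
        cp -p "$f" "$dest/files/$rel"       # -p preserves the original timestamps
    done
    ( cd "$dest/files" && find . -type f -exec sha256sum {} + | sort -k2 ) \
        > "$dest/MANIFEST.sha256"
    # Who collected what, from where and when: the start of the chain of custody
    printf 'collected_by=%s\nhost=%s\nsource=%s\nutc=%s\n' \
        "$(id -un)" "$(uname -n)" "$src" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        > "$dest/COLLECTION.txt"
    chmod -R a-w "$dest/files"              # guard the copies against accidental edits
}

# verify_evidence EVIDENCE_DIR: succeeds only if every copy still matches the manifest
verify_evidence() {
    ( cd "$1/files" && sha256sum -c --quiet ../MANIFEST.sha256 ) >/dev/null 2>&1
}

# demo: constructed sample logs in a temporary directory, preserved and verified
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/src/auth"
    printf 'Jan 01 00:00:01 web1 sshd[412]: Accepted publickey for alice\n' \
        > "$work/src/auth/auth.log"
    printf '10.0.0.5 - - [01/Jan/2024:00:00:02 +0000] "GET / HTTP/1.1" 200 512\n' \
        > "$work/src/access.log"
    preserve_logs "$work/src" "$work/evidence"
    verify_evidence "$work/evidence" && echo "evidence verified: $work/evidence"
}

demo
```

Hand the evidence folder and the manifest to the response team together; re-running verify_evidence before analysis shows the copies are exactly what was collected.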
Number 4: Plan for emergency change control
There are many things that may have to happen in a network in order to identify, contain and eradicate a threat.
Change control processes may have to be bypassed in order to deploy scanning or detection toolsets that have to be installed and configured at very short notice. How do you bypass a Change Freeze, for example?
- Don’t underestimate the challenges of acquiring data from varied sources such as mobile devices, laptops, servers, cloud storage, IoT, OT and ICS devices. The faster such requests can be passed through change or configuration management controls, the better.
- Understand how long things can take where third-party managed services are used. Ensure that your providers’ processes are flexible enough to allow for emergency requests.
Number 5: Be prepared to host an incident response team
This is an often overlooked requirement, but it is one that can and does cause significant delays when an incident response team arrives onsite. I’ll leave the debate about remote response options versus being onsite for another post but, if a response team comes to your offices to conduct an investigation, they will need certain things to be effective.
- A quiet area to work in
- A fast internet connection for research and communications during the response
- They will have a lot of kit, so will need access to a number of power sockets
- They may need to leave kit onsite overnight, so the work area needs to be lockable
- Consider setting up local user accounts for the incident response team to use if required
- Maybe set up a jump box into the environment and/or make provision for connecting forensic laptops to the network if needed
Other ancillary items such as whiteboards, flip charts, network storage areas dedicated to the engagement and off-network communication channels can all help make the delivery of the incident investigation a fast and smooth process.
Work with your incident response team. As simple as that sounds, a strong understanding of what your incident response team can and can’t do for you, how they will do it and how long some things can take will always help to make any incident investigation run more smoothly.
Professional incident response is an intensive process on many levels, and you can be assured that the response team is working to resolve your incident as quickly as possible. The levels of data collection, processing and analysis conducted during response will be targeted at achieving any urgent goals.
Generally, an incident response investigation will be seeking to identify, contain and eradicate the threat in as short a time as possible.
The best response isn’t necessarily the fastest, it’s the one that is the most coherent, calm, and well managed.
Yes, do get your 1st responders on it ASAP, but by following my advice you’ll be in a much better place than you otherwise would be.