A successful data breach response plan starts with identifying the teams (both internal and external) responsible for handling a response, finalizing communication plans and rehearsing the process. When it comes time to act, it's imperative everyone is able to remain focused, react quickly and adhere to the following five steps:
System isolation is beneficial in two ways: Beyond simply isolating the affected machines, this phase enables law enforcement agencies to perform analysis that may help them identify the attacker and the vector of attack.
Isolate the breached machine from your network in order to prepare the system for forensic analysis. It will be important to look at all systems that interact with the compromised system. If any one of those systems has been breached, it will be necessary to repeat the process with systems further along the network. This should be repeated until all affected machines have been identified. After all systems have been isolated, create forensic copies and ensure all activity has been documented.
The only way to truly ensure isolation is to have a redundant system capable of cold or warm standbys that are known to be clean and use different authentication credentials. Without this system configuration, system isolation and cleanup become a lot more difficult.
This step should include a rotation of credentials (passwords, encryption keys, etc.), not just an install of the application or image of the machine. Your incident response team must work with system owners to ensure any system-to-system communication (including but not limited to authentication) remains in working order.
At the server level, the same steps should be taken in a virtual and physical environment. If rebuilding is not possible, bring in experts who are capable of cleaning the system. Attempting to have untrained personnel perform this activity could lead to further breaches down the road.
After your system has been rebuilt (or thoroughly cleaned), ensure that all systems are up to date with patches. It will take time, but data analysis will be required if any data repositories were breached. It will also be necessary to ensure the database is clean — this may require going back to a backup, analyzing the data and working with transaction logs to rebuild your server.
There are three main reasons for this, the first of which is that the compromised server might not have been the original server. It's possible your investigation missed the location of the initial breach, and increased monitoring can help you determine if that is the case. The second reason is attackers may attempt to enter your system a second time — and if they do, you'll want to be ready for them. Lastly, there's a good chance your system has a greater asset value than you originally thought. Increased monitoring is always a good option, helping you keep an eye on things no matter where you are in terms of security.
When increasing monitoring, it's imperative you ensure that the right monitoring tools are in place at a network level (intrusion detection/prevention systems), that applications have enough information to detect anomalies and that authentication credential rotations are in place.
It's always important to learn from a breach and the reaction of your incident response team. In the aftermath of a breach, it's best to look at the existing processes that enabled the attacker to access your firm's data, and identify any gaps in your incident response process.
After a breach, communication is important, not only within your organization and your incident response team, but also with customers and any other users who may have been impacted. It is imperative to make sure these communications go through your organization's legal department and/or outside counsel.
Just like in the consumer world, it would be nice if every product truly was identical, high quality and never failed. No matter what lengths you go to in order to protect your highly valuable and sensitive data, there's always a chance one mistake could occur and one extremely determined attacker could obtain access to it. Organizations with successful data breach response plans can recover quickly while regaining the trust of their customers.
For more information on response plans, check out Forrester's "Planning for Failure."
Photo Source: Pixabay