Vulnerability and Risk assessments can help you identify remediations to avoid security breaches and minimize the damage of incidents. At some point, however, an incident is due to happen, and you must have a plan of action ready for such an event. “Hope for the best and prepare for the worst” should be every security expert’s mantra when it comes to incident response and disaster recovery. Before enacting these two states across your group, there are, however, a few actions to keep in mind that can facilitate business continuity and disaster recovery while putting a first patch to potential damage.
You’ve been hacked!
According to ENISA, “Data breach is an intentional attack brought by a cybercriminal to gain unauthorized access and the release of sensitive, confidential or protected data”. According to the same source, in 2022, “about 82% of breaches
involve a human element and no less than 60% of the breaches […] include a
social engineering component”. These statistics show the importance of human behavior inside the mechanics that lead a vulnerability to become a breach. Being prepared to respond in such cases can prevent further damage from being taken, as panic exploitation is one of the many successful strategies that social engineering uses.
In the following sections, we’ll provide you with a to-do list that can help hold back panic.
Start by quickly summarizing infrastructure and people affected by the breach. The purpose of this action is not just to have a quick view of where the incident produced an impact but also to have a list of responsible people that should be immediately available.
Identify whether the data breach involves data falling in one or more of these categories:
- Personal names or legal entity names
- Contact details (mail, phone numbers, link to webpage etc.)
- Financial information (credit cards, bank accounts, invoices, transaction amount, payment statements etc.)
- Health records (medical data, drug prescriptions, health conditions, etc.)
This information can be related to both clients and employees, so be sure to check for both of them.
Once you have built a list of possible data affected and you are able to summarize the affected infrastructure, you should proceed to contact the responsible people identified by explaining to them what data was affected on which assets so that they have immediately a scope on the actions they have to take to contain the incident
If you performed the first step correctly, you should know on which infrastructure you should start to assess how the data leaked can lead to the expansion of data breaches.
For example, if the username and password for the google ads dashboards were leaked, the data breach will soon expand to all the data inside your google ads account such as statistics and billing information. The people responsible for each affected infrastructure must quickly asses the potential expansion of the known breaches.
While performing this step you have to keep in mind present security misconfiguration, such as the use of the same password for multiple accounts/tools. In case the Marketing team and IT team use the same password to access their mail accounts, a data breach for one team credential will son expand over the other.
In such a case, you must immediately address those misconfigurations so the breach does not expand.
Finally, keep in mind that the information leaked can indirectly help attackers expand the breach. For example, if the password for the Marketing team is “PassMarketing2020” and the password for the IT team is “PassIT2022”, anyone would be able to easily guess with three attempts or less that the password for the Logistics team is “PassLogistics2021”. In the same way, if all your users’ mail is in the format “email@example.com” a breach of their contacts should be considered a breach of their names as well. In short, assessing how the information involved in the breach can lead to attackers easily obtaining further information indirectly.
Look for evidence
Once you are sure you managed to scope the incident and block possible dripping of breach, gathering proof is the next important step.
The information you have to gather immediately are:
- Logs and event records: Reviewing log documents, machine occasion logs, and community device logs can offer valuable facts on the time and nature of the breach.
- System Images: an image of the compromised device can serve as evidence for later analysis. To fulfill this purpose, the image of a system must be taken as quickly as possible after the breach has been assessed, as the longer the machine is in use, the more the evidence may be lost or altered.
- Forensic Analysis: this includes network traffic that can be captured through software like Wireshark and data recovered through forensic analysis of the system with tools like Autopsy. Forensic analysis also includes user interviews. If any of your users had a direct experience with the issue and can give important insight into how the events developed, you should record their contribution.
It’s important to remember that gathering evidence in a cyber protection breach is a time-sensible activity, meaning the longer you wait, the more likely the proof will be lost or altered. Additionally, it’s essential to follow proper proof managing techniques related to the specific type of evidence to make sure the effort made is not wasted, as tampered with or not adequately preserved evidence is not admissible in court cases.
Contact authorities and stakeholders
Depending on the nature and severity of the breach, local law enforcement may be the appropriate authority to contact. They can assist with the investigation and provide support and resources for dealing with the breach’s aftermath.
For what concerns stakeholders, remember that the purpose is not to spread panic but to help contain the breach. You should have already contacted the people who had to be involved with priority. In this phase, extend communication to internal and external stakeholders with a clear indication of which data category was breached. Consider that internal and external stakeholder might need to take actions of their own to contain the data breach so give them as detailed as possible indications on how to do so.
If you follow the steps above, you are ready to start thinking about implementing a Business Continuity plan. The incident response must be prompt and precise, as mistakes can further the damage caused by the breach and hinder your ability to prosecute malicious actors. Have your tools prepared to contain breaches, have a list of internal and external contacts for such cases, and invest in training and preparation.