Well, you did everything you could do to prevent a data breach in your organization, but it still happened. These days, you shouldn't be concerned if a breach will occur in your organization — you should be asking when it will occur. But don't worry, we've got you covered.
We compiled cyber security best practices recently issued by the U.S. Department of Justice and asked our course expert from Intel Security, David Brezinski, to give you smart ways to handle a data breach during and after the incident.
If your company hasn't gotten hacked, make sure to read David Brezinski's best practices on how to prepare for a cyber attack.
What You Should Do During a Cyber Incident
1. Make an initial assessment of the incident, particularly whether it is a malicious act or a technological glitch.
The sooner you determine the type and scope of incident (malicious, external, internal, inadvertent user-error, or technical glitch), the better.
It is also very important to have a documented and maintained incident response playbook that has a step-by-step guide on the actions that need to be taken following a breach.
In many cases, some incidents will be repetitive (e.g., a ransomware-type malware incident where a system has been compromised but the impact is limited to a single user/system) and others may be new or varied in their method or pattern. Because of this, your incident playbook should be a living document that is updated regularly.
Having a defined methodology and order of steps can reduce the time spent trying to diagnose the issue. It can also reduce the amount of time it takes you to respond to contain and limit a malicious act before it worsens.
Testing the incident response plan and going through exercises (see Red team exercises, SANS Top 20) can help those involved become more knowledgeable and ensure readiness so that such assessments can be made accurately.
2. Minimize your continuing damage.
Responding to a malicious incident is about acting quickly while ensuring you have a protocol to follow to limit damage.
In some scenarios, this might include temporarily blocking egress network traffic (internet connectivity), activating a DNS blackhole (malware mitigation), or completely isolating impacted systems (e.g., moving them into an isolated/quarantine VLAN) so that further assessment or forensic activities can occur.
3. Collect and preserve data related to the incident.
Collecting this data can provide invaluable forensic information for further evaluation and analysis. Then you can use compensating controls, countermeasures, or other detection and prevention adjustments to mitigate future attacks.
Legal concerns may arise from a cyber incident, so all related event logs, access/authentication logs/events, network packet captures/traces, data/information, malware samples, etc. must be collected.
Any of these items that are collected as part of the incident response plan and response playbook should be protected and preserved. No related data should be modified or accessible to those without a “need to know.”
These items should also be stored only as long as needed per defined data retention policies or legal hold requirements. One excellent tool well suited for this purpose is EnCase.
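One concrete way to show that collected evidence has not been modified since collection is to record a hash manifest at collection time and verify against it later. The following is an added example, not code from the original post or from EnCase; the file names, log line and collector name are constructed samples.

```python
# Added example (not from the original post): record a SHA-256 manifest of
# collected incident evidence, then verify later that nothing was modified,
# removed or added. Evidence file names and contents are constructed samples.
import hashlib
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(evidence_dir, collector):
    """Record hash and size of every file under evidence_dir, plus who/when."""
    entries = {}
    for root, _, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, evidence_dir)
            entries[rel] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
    return {"collected_at": datetime.now(timezone.utc).isoformat(),
            "collector": collector, "files": entries}

def verify_manifest(evidence_dir, manifest):
    """Return (reason, file) pairs for evidence that no longer matches the manifest."""
    problems, recorded = [], manifest["files"]
    for rel, meta in recorded.items():
        path = os.path.join(evidence_dir, rel)
        if not os.path.exists(path):
            problems.append(("missing", rel))
        elif sha256_file(path) != meta["sha256"]:
            problems.append(("modified", rel))
    for root, _, files in os.walk(evidence_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), evidence_dir)
            if rel not in recorded:
                problems.append(("unexpected", rel))
    return problems

def demo():
    d = tempfile.mkdtemp()  # constructed evidence set: an auth log and a pcap stub
    with open(os.path.join(d, "auth.log"), "w") as f:
        f.write("Jan 10 03:14:07 host sshd[1]: Failed password for root\n")
    with open(os.path.join(d, "capture.pcap"), "wb") as f:
        f.write(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)
    manifest = build_manifest(d, "analyst-1")
    clean = verify_manifest(d, manifest)      # nothing touched yet -> []
    with open(os.path.join(d, "auth.log"), "a") as f:
        f.write("tampered\n")                   # simulate a post-collection edit
    return clean, verify_manifest(d, manifest)  # -> ([], [("modified", "auth.log")])
```

In practice the manifest itself should be stored outside the evidence directory, on write-once or access-controlled media, so the hashes cannot be edited alongside the evidence.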
4. Notify appropriate management and personnel within your organization, law enforcement, other possible victims, and Department of Homeland Security.
Before a breach even occurs, your incident plan and incident response playbook should include a list of internal and external parties that need to be notified. Your privacy, HR, legal, and compliance teams should provide direct guidance and input as to when it is appropriate for external entities to be notified.
If you find an incident to be limited to an internal issue (user error or something like a spear-phishing attack), disclosure to external entities is typically not necessary. However, this determination can only be made once you determine the extent and nature of the incident.
Criminal activities, data theft, fraud, and other acts perpetrated by insiders may require the engagement of law enforcement, but this must be determined by the appropriate organizational representatives.
Keep in mind that there are regulatory requirements (e.g., HIPAA) that define a threshold number of compromised records above which reporting is required. You should clearly document these so that notification thresholds and the corresponding actions are set out in advance.
5. Do not use compromised systems to communicate or “hack back” or intrude upon another network.
There are potential legal issues with "hacking back" and perpetuating or encouraging such behaviors crosses the line of ethical “white hat” cyber security best practices.
The bad guys are often better financed, have more access to technical resources and tools, and can also be enticed through responses to further escalate their attacks.
It is a much better use of your resources to focus efforts on containment, limiting the damage, and working to review and evaluate the situation to mitigate future attacks.
What to Do After a Cyber Incident
1. Continue monitoring the network for any anomalous activity to make sure the intruder has been expelled and you have gained control of your network.
Monitoring for anomalous activity should occur at all times and is a key part of detection capabilities.
Once you have enough information and understanding about the incident, tools such as IDS/IPS or network behavioral and anomaly monitoring can be tuned to provide additional detection of network activity.
At times, you may find it more useful to have an external professional cyber security team come in and help to ensure the appropriate safeguards and methods for continued detection monitoring are robustly executed.
2. Conduct a post-incident review to identify deficiencies in your incident response plan.
Performing an incident post-mortem is highly recommended; lessons learned can be identified and adjustments made to improve the efficacy of your incident response.
At this point, cyber attacks and security breaches are an inevitable consequence of doing business in the digital age. But that doesn't mean your company is doomed. With a proactive cyber security strategy, a robust incident response plan, and proper training of your team, your organization can minimize any damage done and prevent it from happening again.
You haven't been hacked yet? Read our previous blog to find out how to prepare for a cyber attack.
As an Enterprise Security Architect with Intel Security, David leverages his vast expertise in information security to help organizations around the globe maximize their investments, online security, and foster a business environment with robust risk mitigation capabilities.
David's insight along with over 25 years of experience in enterprise architecture planning, security, operations, monitoring, and optimization make him an essential authority in the information security sector.