Oh boy, not the situation an organization wants to find itself in, and sadly…it’s one that is happening more and more each day.
First off, some stats – not to bore you with numbers, but to underscore the importance of identifying and responding as soon as possible.
Data breaches are rising, with last year seeing the highest number of recorded incidents, according to CNET. Citing the Identity Theft Resource Center’s 2021 Data Breach Report, CNET notes that 1,862 breaches were registered in 2021 – a 68% increase from the year before. This exceeds the previous record of 1,506 set in 2017. (SOURCE)
Once a breach happens, the clock starts on the breach lifecycle: the time between when a breach occurs and when it is 100% contained.
According to a recent study, the 2021 average time it takes to identify a data breach is 207 days. To make matters worse, it then takes an additional 70 days on average to contain the breach. That means that, on average, it takes nearly a year (277 days) for a company to detect and contain a data breach.
Start Your Incident Response Plan
Time to get started.
If the organization has an Incident Response Plan (IRP), break it out and start going down the checklist on what to do (Don’t have one? That’s ok, because CyberMaxx can help…in fact we excel in creating these plans).
Breaches can happen in a number of ways and we’ll dive deeper into that later in another piece.
Ultimately, if it is believed that data has been subject to a breach, the primary goal should be to prevent any further information from being stolen and to repair systems so that such a breach cannot happen again.
An effective incident response plan can be crucial to minimizing the impact of a data breach, reducing fines, and mitigating negative publicity. Having a plan in place and training employees on how to quickly respond to a data security incident can help get business back up and running faster.
As soon as an organization suspects a breach, the first reaction is to fix everything as soon as possible (Cue giant wrecking ball, scorched earth – something out of Mad Max).
However, without taking the necessary precautions and involving the right people, helping hands aimed at remediation could do more harm than good. Valuable forensic data that could be used to determine how and when the breach occurred could be destroyed, making it more difficult to secure the network against future attacks.
When it’s found out that systems have been breached, it is important to remember a few things: don’t panic, don’t take hasty actions, don’t wipe and reinstall your systems, and do follow the IRP.
Contain the Breach
Breaths have been taken, decisions have not been made in haste and the IRP is sitting out in the conference room and responsible parties are actively reading it.
The most important thing to do right now is to cut off any affected system to limit further damage.
That way, damage can be contained until a forensic specialist can provide guidance on more complex and long-term containment strategies.
So what does it mean to cut off all access and stop the unauthorized downloading of data?
Here’s a quick list in no particular order of importance. In fact, all of these should be completed:
- Disconnect anything that has a direct connection to the internet – This can be as simple as pulling the network cables from the firewalls/router.
- Disable remote access
- Change credentials/passwords – Document old passwords for later analysis.
- It is important to document how any suspected breaches are learned about, as well as the date and time that the organization was notified. In addition, it is crucial to include details about how the organization was notified and what information was included in the notification. Finally, all actions taken between now and the end of the incident should be detailed.
- Create passwords that are at least 10 characters long and include a mix of upper and lower case letters, numbers, and symbols. Avoid using dictionary words, even if you replace some of the letters with symbols.
- Only connect to servers and ports that are absolutely essential for business.
- If your antivirus scanner detects malware, it is important to quarantine the infected file rather than delete it. This will allow you to analyze the file and use it as evidence later on.
- It is important to preserve firewall settings, firewall logs, system logs, and security logs. Taking screenshots of these items can help you remember what needs to be done in case of a security breach.
- There might be a need to hire a law firm that is experienced in managing data breaches. The law firm may hire a forensic firm (Hint: such as CyberMaxx) to immediately investigate and ensure that the breach has been properly contained.
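
The log-preservation and documentation items in the list above can be scripted so that evidence is copied, hashed, and recorded the same way every time. The following is an added example, not part of the original article and not CyberMaxx tooling; the function names, the manifest.json layout, and the sample log line are assumptions made for illustration.

```python
import hashlib, json, shutil, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path):
    """Stream a file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve(sources, evidence_dir, collector):
    """Copy artifacts into evidence_dir (originals are only read) and write a manifest."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for i, src in enumerate(map(Path, sources)):
        entry = {"source": str(src), "collector": collector,
                 "collected_utc": datetime.now(timezone.utc).isoformat()}
        if not src.is_file():
            entry["status"] = "missing"  # a gap in the evidence is itself worth recording
        else:
            dest = evidence_dir / f"{i:03d}_{src.name}"
            shutil.copy2(src, dest)  # copy2 keeps the original modification time
            digest = sha256_file(dest)
            # A live log can grow mid-copy; flag that instead of hiding it.
            status = "ok" if digest == sha256_file(src) else "changed_during_copy"
            entry.update(status=status, sha256=digest, stored_as=dest.name,
                         size=dest.stat().st_size)
            dest.chmod(0o444)  # read-only copy to discourage accidental edits
        manifest.append(entry)
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify(evidence_dir):
    """Re-hash stored copies; return the names whose content no longer matches the manifest."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / "manifest.json").read_text())
    return [e["stored_as"] for e in manifest
            if "sha256" in e and sha256_file(evidence_dir / e["stored_as"]) != e["sha256"]]

if __name__ == "__main__":
    root = Path(tempfile.mkdtemp())  # constructed sample data, not real logs
    fw = root / "firewall.log"
    fw.write_text("2024-01-01T00:00:00Z DROP tcp 198.51.100.7:4444 -> 10.0.0.5:22\n")
    for e in preserve([fw, root / "security.log"], root / "evidence", "analyst1"):
        print(e["status"], e["source"])
    print("altered since collection:", verify(root / "evidence"))
```

Write the evidence directory to separate media rather than the affected system, and keep the manifest with the incident notes so each copy can be re-verified before it is handed to the forensic team.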
Start Incident Response Management
- It’s time to put together your incident response team.
- Consider getting out ahead of the potential PR nightmare when, not if, this information becomes public knowledge.
- Loose lips sink ships – Make sure employees don’t announce the breach before the organization does – Get everyone on the same page
Investigate, Fix Your Systems, And Implement Your Breach Protection Services
A data breach can be a nightmare for any company. After the initial shock of finding out that sensitive information has been compromised, it’s time to start the hard work – investigating and fixing the problem.
Don’t worry, all the work isn’t on the organization’s internal team – a forensic investigation team will carry out most of the work and then provide recommendations on how to make systems more secure in the future.
Start Bringing Breached Systems Back Online
After the causes of the breach have been identified and eliminated, it’s time to take steps to secure all systems before reintroducing them into the production environment again. This process should include hardening, patching, replacing, and testing systems.
As you go through this process, ask yourself the following questions:
- Have recommended changes been implemented?
- Have new tools been installed to help ensure systems are secure from a similar attack happening again?
- Have actions begun to prevent this from happening again?
If the organization doesn’t have an incident response plan, now is the time to create one.
Cough, cough – MAXX Response – CyberMaxx’s DFIR division is built with some of the best in the business.
Practice and review the plan regularly. Without annual tabletop run-throughs and simulation training, staff may not be prepared to respond effectively to a data breach.
Data breaches can be extremely stressful for businesses and organizations, but it is possible to recover from them. Having a solid incident response plan in place is essential to minimizing damage to your brand.
What’s more important than being prepared for a data breach? (Remember, it’s a matter of when, not if, it will happen. Scroll back to the top for the latest statistics on the frequency of data breaches if you’ve already forgotten.)
Having the people, processes, and technology needed to keep up and defeat the bad actors that are trying to break into organizational assets is not every organization’s strong suit.
From the hiring and budget struggles an organization faces to sifting through all the noise that happens each day in the cyber security space, it’s important to look at companies that augment well with internal teams in order to give them a fighting chance, or better yet the upper hand.