Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats

So, You’ve Been Breached: 9 Steps to Mitigate the Fallout

Discovering that you’ve been the victim of a breach is never pleasant. Perhaps your customers’ data was stolen and now sits in the wilds of the internet. Maybe your intellectual property and trade secret were compromised. Or you could be concerned the adversaries are still actively lurking on your network.

If this is you, you should have a couple of things already in place, including a well-rehearsed response plan and a digital forensics and incident response (DFIR) retainer. Both help prevent you from having to mobilize a strategy and find expert help during a time of unfolding chaos.

That said, if you’re at the point where the rubber meets the road, it’s time to get moving. Here is what you can expect will be necessary to accomplish in the hours, days, weeks and months following a breach discovery. Part of the burden will naturally fall on you, but outside help is available to amplify your efforts or compensate for any internal resource shortfalls.

1) Make the call

If you can’t handle the full spectrum of breach response yourself, get in touch with a DFIR investigator immediately. The faster they can begin their investigation, the better.

2) Document the situation

Back in my university days, I was a Canadian Navy Reserve officer. A useful lesson from training school that applies here is that before starting any mission, document your situation. Write down the systems/data that have been impacted by the breach, methods that could contain the situation, and how those methods might affect your operations, data, and evidence.

3) And document some more

Time will speed up as you’re investigating a breach. You’ll be working on it, while also providing updates to others and figuring out next steps. Because of the pressure, it’s easy to forget steps if you’re not recording them. Keep a record of what actions are being taken and when. This detail will help immensely when you’re restoring systems and tracking evidence.

4) Make copies

Back up systems and data before making any changes. You might need that data later if changes don’t go well, or you might want to further study any malware or viruses on affected systems.

5) Identify what else might be affected

When an incident is identified, determining which systems are affected is the easy part. More difficult is tracking how those systems interact with the rest of the network, what information may be on them and how that information could enable an attacker to pivot to other systems. It’s better to be wrong and assume the worst than assume attackers got no further than the initial target.

6) Implement containment

Many options exist to stop the bleeding. Remove compromised systems, update firewall rules, change passwords and more. These steps probably won’t constitute a final resolution, but they will give you time to put a more comprehensive solution in place.

7) Review breach notification requirements

Ideally you already have this information available in your incident response plan, but if you don’t, you should know that requirements vary by state, country and even industry. And in some cases, you will have to provide notification for a region even if the affected systems weren’t in that region (e.g., if personnel in that region were impacted).

8) Consider legal counsel

Lawsuits are a common outcome following breaches, but your liability can be managed. Depending on the systems and data affected, you might want assistance from a law firm that specializes in cyber law.

9) Notify stakeholders

In addition to your requirements to provide breach notifications, you will likely want to proactively notify customers, partners or other interested parties if their data was affected or potentially affected. In your notification, you’ll want to include what actions they should take to protect their own systems and data.

Our DFIR team expands on this checklist here. And while it’s good to have a checklist to follow when you’ve been breached, it’s also good to prepare and practice in advance. Our Hassle-Free Guide to Dominating Your Next Security Incident delivers a step-by-step guide for prepping for and addressing a wide range of security incidents.

 

DOC_15699_hasslefreeguide_halfheight-2019

 

Latest Trustwave Blogs

Trustwave Named a Representative Vendor in 2024 Gartner® Market Guide for Co-Managed Security Monitoring Services

Trustwave has been named a Representative Vendor in Gartner just released the 2024 Market Guide for Co-Managed Security Monitoring Services. Gartner estimates that there are more than 500 vendors who...

Read More

Navigating Security Risks and Innovations in the Hospitality Industry

As technology has become available, the hospitality industry has focused on making the most out of innovations such as contactless services and eco-friendly practices.

Read More

Frost & Sullivan: Trustwave MDR Growth Will Exceed Industry Average

The security analyst firm Frost & Sullivan positioned Trustwave as a leader and top innovator in its research on the MDR market landscape, noting its innovative, industry-leading cloud-native Fusion...

Read More