Discovering that you’ve been the victim of a breach is never pleasant. Perhaps your customers’ data was stolen and now sits in the wilds of the internet. Maybe your intellectual property and trade secret were compromised. Or you could be concerned the adversaries are still actively lurking on your network.
If this is you, you should have a couple of things already in place, including a well-rehearsed response plan and a digital forensics and incident response (DFIR) retainer. Both help prevent you from having to mobilize a strategy and find expert help during a time of unfolding chaos.
That said, if you’re at the point where the rubber meets the road, it’s time to get moving. Here is what you can expect will be necessary to accomplish in the hours, days, weeks and months following a breach discovery. Part of the burden will naturally fall on you, but outside help is available to amplify your efforts or compensate for any internal resource shortfalls.
1) Make the call.
If you can’t handle the full spectrum of breach response yourself, get in touch with a DFIR investigator immediately. The faster they can begin their investigation, the better.
2) Document the situation.
Back in my university days, I was a Canadian Navy Reserve officer. A useful lesson from training school that applies here is that before starting any mission, document your situation. Write down the systems/data that have been impacted by the breach, methods that could contain the situation, and how those methods might affect your operations, data, and evidence.
3) And document some more.
Time will speed up as you’re investigating a breach. You’ll be working on it, while also providing updates to others and figuring out next steps. Because of the pressure, it’s easy to forget steps if you’re not recording them. Keep a record of what actions are being taken and when. This detail will help immensely when you’re restoring systems and tracking evidence.
4) Make copies.
Back up systems and data before making any changes. You might need that data later if changes don’t go well, or you might want to further study any malware or viruses on affected systems.
5) Identify what else might be affected.
When an incident is identified, determining which systems are affected is the easy part. More difficult is tracking how those systems interact with the rest of the network, what information may be on them and how that information could enable an attacker to pivot to other systems. It’s better to be wrong and assume the worst than assume attackers got no further than the initial target.
6) Implement containment.
Many options exist to stop the bleeding. Remove compromised systems, update firewall rules, change passwords and more. These steps probably won’t constitute a final resolution, but they will give you time to put a more comprehensive solution in place.
7) Review breach notification requirements.
Ideally you already have this information available in your incident response plan, but if you don’t, you should know that requirements vary by state, country and even industry. And in some cases, you will have to provide notification for a region even if the affected systems weren’t in that region (e.g., if personnel in that region were impacted).
8) Consider legal counsel.
Lawsuits are a common outcome following breaches, but your liability can be managed. Depending on the systems and data affected, you might want assistance from a law firm that specializes in cyber law.
9) Notify stakeholders.
In addition to your requirements to provide breach notifications, you will likely want to proactively notify customers, partners or other interested parties if their data was affected or potentially affected. In your notification, you’ll want to include what actions they should take to protect their own systems and data.
***Our DFIR team expands on this checklist here. And while it’s good to have a checklist to follow when you’ve been breached, it’s also good to prepare and practice in advance. Our Hassle-Free Guide to Dominating Your Next Security Incident delivers a step-by-step guide for prepping for and addressing a wide range of security incidents.***