One of your staff has been the victim of malware, which has resulted in a data breach. The IT department has been alerted and is now trying to find the best way to remediate the incident as quickly as possible.
Data breaches take an average of 229 days to identify and 82 days to contain according to research conducted by the Ponemon Institute.
Below is a high-level incident response plan:
Preparation:
This is something that should already be in place before an incident occurs. An incident response team leader needs to be assigned. Identify the internal technical contacts, such as the relevant security team and incident response team, who need to be involved. Also have someone external you can contact for investigation purposes, for example law enforcement or a trusted third party.
Identification & Investigation:
Start the initial investigation by determining the nature and cause of the incident. Involve only the parties who need to be aware of the situation, including at least 2 members of the senior leadership team.
Step 1: Detect the issue. An incident notification process can be a good source of internally detected signals, e.g. unusual employee behaviour. A monitoring and alerting tool such as IBM QRadar helps keep an eye on traffic leaving and entering the corporate environment. If the company already has a data loss prevention (DLP) tool, it can help the incident response team handle the information leakage much more effectively.
Step 2: Confirm the issue. This is an important step: confirm what data was leaked. Was it personal details such as e-mail addresses or contact information, was it card payment data, or was it public data of the organisation? Establish at least an overview of the cause of the incident and follow the procedure below:
E-mail:
Look for e-mails sent to or received from the suspected account. On the suspect's mailbox (if available), use a tool that allows you to search by filtering on e-mails flagged as “PRIVATE”.
Webmail, forums and websites:
Data might have been distributed to webmail, forums or dedicated websites. On the proxy server, check the logs for the suspect account's connections to the suspected URL used to disclose the data. On the desktop (if available), check the history of the installed browsers. Remember that some people have several browsers on the same desktop computer; be sure to check the history of all of them. If the time of the data leak can be ascertained, log files around that time can provide useful information. Also check all the offline content left behind by each browser.
External storage devices:
Numerous devices can be used to store data: USB keys, CD-ROMs, DVDs, external hard disks, smartphones and memory cards. Little information will be found concerning data transferred with these devices. The USB key used to transfer data may be recorded by the operating system, so forensic analysis can confirm that the hardware was used, but not what data was transmitted.
Local files:
If nothing has been found yet, there is still a chance of finding traces in the suspect's local file system. Local employment law should be considered at all stages when accessing employee devices.
Network transfers:
Data may be extracted from the company through a variety of methods, such as FTP or instant messaging. Dig into the log files that record such activity.
VPN and SSH:
Data might also have been sent through a VPN tunnel or to an SSH server. In this case the logs may show that a connection took place, but they are unlikely to show what content was transmitted.
Printers:
Data can be sent to printers connected to the network. In this case, check for traces on the print spooler or directly on the printer, since some manufacturers store printed documents on a local hard drive inside the device.
Malware:
If nothing has been found, consider a possible malware compromise and act accordingly.
Note: Even when enough evidence has been found, always look for more. Proving that data was fraudulently moved from A to B by one method does not mean it was not also sent to C by another method.
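As an added example (not part of the original post), the script below shows the kind of log triage the detection step and the confirmation procedure above describe: it takes a constructed proxy access log and a constructed SSH server log, reports the outbound upload volume per account (the overview a monitoring tool gives the SOC before any suspect is named), then narrows in on one account around the suspected leak time, flagging connections to webmail, paste and file-sharing destinations and unusually large uploads. The log layout, user names, domains, threshold and time window are all assumptions made for the demonstration and are not any vendor's format. The SSH part illustrates the point made above: an accepted login proves a connection, not what was transferred.

```python
"""Triage of proxy and remote-access logs for a suspected data leak.

Added example, not the original post's code. All log lines below are
constructed; the field layout, watch-list and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy log: timestamp, user, method, URL, bytes sent by client, status.
PROXY_LOG = """\
2024-03-04T09:12:03 jdoe GET https://intranet.example.local/home 412 200
2024-03-04T09:40:17 jdoe POST https://mail.freewebmail.example/upload 8312944 200
2024-03-04T09:41:02 jdoe GET https://news.example.com/article 2201 200
2024-03-04T10:05:44 jdoe POST https://paste.example.net/new 15322 200
2024-03-04T11:30:09 asmith POST https://crm.example.com/api 93001 200
2024-03-04T16:58:31 jdoe POST https://files.sharehost.example/put 42339811 201
"""

# Constructed SSH server log: records a connection, nothing about its content.
SSH_LOG = """\
Mar  4 10:22:41 build01 sshd[4182]: Accepted publickey for jdoe from 10.0.5.17 port 51322 ssh2
Mar  4 10:23:50 build01 sshd[4182]: Received disconnect from 10.0.5.17 port 51322:11: disconnected by user
"""

# Assumed watch-list of destination types the text names as likely leak channels.
WATCHED_DOMAINS = {
    "mail.freewebmail.example": "webmail",
    "paste.example.net": "paste site",
    "files.sharehost.example": "file sharing",
}
UPLOAD_THRESHOLD_BYTES = 1_000_000  # assumed: uploads above this deserve a look


def parse_proxy(text):
    """Split each constructed proxy line into typed fields."""
    rows = []
    for line in text.splitlines():
        ts, user, method, url, sent, status = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "user": user, "method": method,
                     "host": urlsplit(url).hostname, "url": url,
                     "sent": int(sent), "status": int(status)})
    return rows


def upload_volume_by_user(rows):
    """Bytes POSTed per account over the whole log: the outbound-volume view a
    monitoring tool gives before a suspect is named."""
    totals = defaultdict(int)
    for r in rows:
        if r["method"] == "POST":
            totals[r["user"]] += r["sent"]
    return dict(totals)


def suspect_activity(rows, user, leak_time_iso, window_hours=2):
    """Connections by one account within +/- window_hours of the suspected leak
    time, flagged when the destination is watch-listed or the upload is large.
    Returns a list of (timestamp, url, reasons) tuples in log order."""
    leak_time = datetime.fromisoformat(leak_time_iso)
    lo, hi = leak_time - timedelta(hours=window_hours), leak_time + timedelta(hours=window_hours)
    findings = []
    for r in rows:
        if r["user"] != user or not (lo <= r["ts"] <= hi):
            continue
        reasons = []
        if r["host"] in WATCHED_DOMAINS:
            reasons.append(WATCHED_DOMAINS[r["host"]])
        if r["method"] == "POST" and r["sent"] >= UPLOAD_THRESHOLD_BYTES:
            reasons.append(f"large upload ({r['sent']} bytes)")
        if reasons:
            findings.append((r["ts"].isoformat(), r["url"], reasons))
    return findings


def ssh_sessions(text, user):
    """Accepted SSH logins for the account: evidence of a connection only."""
    return [line for line in text.splitlines()
            if "Accepted" in line and f" for {user} " in line]


if __name__ == "__main__":
    rows = parse_proxy(PROXY_LOG)
    print("Upload volume per account:", upload_volume_by_user(rows))
    for finding in suspect_activity(rows, "jdoe", "2024-03-04T10:00:00"):
        print("Within 2h of leak:", finding)
    # Widening the window is the "always look for more" step from the note above.
    for finding in suspect_activity(rows, "jdoe", "2024-03-04T10:00:00", window_hours=24):
        print("Within 24h of leak:", finding)
    print("SSH logins for jdoe:", ssh_sessions(SSH_LOG, "jdoe"))
```

With the constructed data, the two-hour window around 10:00 surfaces the webmail upload and the paste-site post; widening the window to a day also catches the much larger file-sharing upload in the evening, which is exactly why the note above says to keep looking after the first finding.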
Containment:
To prevent further data from being leaked, containment needs to be applied across the network environment. Secure the staff member's corporate account and remove their computer from the network.
Notify your points of contact in the management, legal and PR departments so that they are aware of the disclosure.
Eradication:
Take action to remove the threat and avoid future incidents. If data has been sent to public servers, ask the owners or webmasters to delete the disclosed data. If this is not possible, monitor the leaked data and whether it has gone viral on social media platforms, analyse the activity around it and share the analysis with the relevant departments so they can decide on the appropriate action.
Recovery:
Once the compromise has been confirmed and isolated, it is time to restore the system to normal operations. If appropriate, inform your employees and some of the local teams; how widely depends on the nature and size of the information leakage. Telling them about the issue also raises security awareness.
Based on the analysis and impact of the data breach, consider notifying the relevant authorities, e.g. the DPC. In all incident types, consideration should be given to the regulatory and legal ramifications. After the incident has been resolved and operations are back to normal, you can withdraw the official communication.
Reporting and lessons learned:
Reporting on the entire incident, from the details of the attack to the lessons learned and the resulting adjustments to plans for avoiding future attacks, is a very important step that a business needs to have in place in its incident response plan.
The report should cover the following themes:
- Initial Description
- Actions and timelines
- What went right?
- What went wrong?
- Incident Impact
- Improving Security Posture & Awareness
Arrange a meeting with the senior leadership team to report on completion, and inform the relevant hierarchy, subsidiaries and partners of the best practices applied during this incident.
These steps are only a high-level overview of what needs to be done after a data breach. They are called out distinctly here, but in an actual incident they may overlap, which is normal.
If you would like to speak to our subject matter experts for further advice, call us: 1800 903 552 or e-mail us.