Staying on Course in The Aftermath of a Security Breach

By: Fortunato Guarino, Solution Consultant, EMEA and Cybercrime & Data Protection Advisor, Guidance Software 

It is the news that every security team fears, yet the fact is that any business can, and at some point will, be the victim of a data breach, and many will be breached more than once. This is a particular concern for businesses in the Middle East: according to a March 2016 report by PwC[1], 85% of respondents to the survey believe that businesses in the Middle East are more likely to suffer a cyber-attack than the rest of the world (global average of 79%). Worse still are the monetary losses, with 56% of Middle East respondents reporting losses greater than $500,000, compared to 33% globally.

Despite this reality, there is little guidance available to most companies on what to do in the immediate aftermath of a breach. Critical decisions need to be made as soon as a breach is discovered in order to assess its scale and scope. That assessment determines the most effective next course of action: which resources to mobilise, which chains of command to activate and what evidence to collect. When, what and how to share information with law enforcement and other external authorities is also critical, both to prevent further damage and to help reduce future attacks.

With preparation in advance, organisations can ensure that, when the worst happens, they can respond quickly to protect themselves, their customers and their stakeholders.   

Implement a Tested Incident Response 

Being adequately prepared to deal with a cyber-attack can significantly reduce the cost of a breach. However, having a plan in place and testing that response process to ensure that it works are two different things. That is why a critical part of preparation is to stress test the robustness of the response process. Many organisations believe they have sound policies in place but have never drilled them in a test scenario. The processes for knowing which systems to shut down, and who owns which assets and business processes, need to be mapped and thoroughly practised. Under the pressure of a real incident, confusion wastes valuable time, so test the plan, review it regularly, and test it again.

Assess the Impact

The starting point after an attack is determining the extent of the damage, the type of data that has been targeted and which endpoints were affected. The scene of the digital crime then needs to be preserved correctly: any system or device that has been impacted should be swiftly identified and forensically imaged as soon as possible. Volatile data such as memory contents is lost when a machine is powered off, so it should be captured before any shutdown, and each image should be hashed at the time it is taken so that later alteration can be detected. Without this, any forensic investigation can be seriously impeded. The resulting forensic data provides the information needed to identify the risks, determine the next course of action and then take steps to prevent a recurrence.

Organisations should collect any relevant network logs, suspect communications and files. To maintain authenticity and a chain of custody, access to preserved material should be restricted to prevent any compromise of the evidence, and a record should be kept of what was collected, by whom, when, and the cryptographic hash of each item. Preserving digital evidence in this way can also assist law enforcement agencies in identifying and prosecuting the perpetrators.
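The chain-of-custody record described above can be made concrete with a small manifest: each collected artefact is hashed at acquisition time together with who collected it and when, the manifest is itself hashed, and a later verification pass reports any item that has gone missing or changed. The following is an added example written for this article, not code from the author or from Guidance Software; the case identifier, collector name, file names and log line are constructed sample data.

```python
"""Added example: a minimal chain-of-custody manifest for collected evidence.

Hashes each artefact at acquisition time, records who collected it and when,
hashes the manifest itself, and lets a later check detect any alteration.
All names, identifiers and sample artefacts below are hypothetical.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large disk image is never loaded whole


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def create_manifest(evidence_dir, collector, case_id):
    """Record size, hash, collector and UTC timestamp for every file in evidence_dir."""
    items = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            items.append({
                "file": name,
                "size": os.path.getsize(path),
                "sha256": sha256_file(path),
                "collected_by": collector,
                "collected_at": datetime.now(timezone.utc).isoformat(),
            })
    manifest = {"case_id": case_id, "items": items}
    # Hash the manifest body too, so edits to the record itself are detectable.
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def verify_manifest(evidence_dir, manifest):
    """Return a list of problems; an empty list means evidence matches the manifest."""
    problems = []
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    if expected != manifest.get("manifest_sha256"):
        problems.append("manifest has been altered")
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, item["file"])
        if not os.path.isfile(path):
            problems.append(f"{item['file']}: missing")
        elif sha256_file(path) != item["sha256"]:
            problems.append(f"{item['file']}: hash mismatch")
    return problems


def demo():
    """Constructed walk-through: collect two artefacts, verify, tamper, re-verify."""
    with tempfile.TemporaryDirectory() as evidence_dir:
        # Constructed sample evidence standing in for a disk image and a firewall log.
        with open(os.path.join(evidence_dir, "disk-image.bin"), "wb") as f:
            f.write(os.urandom(4096))
        with open(os.path.join(evidence_dir, "firewall.log"), "w") as f:
            f.write("2016-03-01T02:14:07Z DENY 10.0.0.5 -> 203.0.113.9:443\n")

        manifest = create_manifest(evidence_dir, collector="j.doe (IR team)",
                                   case_id="IR-2016-0001")
        clean = verify_manifest(evidence_dir, manifest)

        # Untracked edit to a preserved file after collection: must be detected.
        with open(os.path.join(evidence_dir, "firewall.log"), "a") as f:
            f.write("2016-03-01T02:15:00Z ALLOW 10.0.0.5 -> 203.0.113.9:443\n")
        tampered = verify_manifest(evidence_dir, manifest)

        # Edit to the manifest itself (e.g. relabelling the case): also detected.
        altered = dict(manifest)
        altered["case_id"] = "IR-2016-9999"
        altered_problems = verify_manifest(evidence_dir, altered)
    return clean, tampered, altered_problems


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered file", "altered manifest"), demo()):
        print(f"{label}: {result or 'OK'}")
```

In practice the manifest would be written alongside the evidence to read-only storage that only the incident response team can reach, and the same verification step would be run before any item is handed to investigators or law enforcement.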

Prevent Additional Damage

In the immediate aftermath, organisations need to take steps to prevent further exfiltration of data; intrusions often continue past the initial detection. If data is found to be leaking from the network, the leak needs to be closed quickly. Depending on the type of attack, this may mean re-routing network traffic or isolating parts of the compromised network to prevent further damage; isolating a host at the network level rather than powering it off keeps its volatile evidence intact. Any system suspected of being compromised should not be used to communicate information about the incident, since the attacker may still be reading it.

Keeping a detailed record of response activities is important both for recovery and for preventing further harm. The incident response team should record the systems, services and data affected by the incident, and every change made to systems and devices during the response, with the time and the person who made it.

Working with the Police and Crime Agencies   

In many instances, organisations are reluctant to share information with law enforcement agencies, often for fear of the reputational damage that disclosing a security incident might cause.

However, reporting an incident to the police can often provide insights into an attack that minimise further harm. Law enforcement has a significant role to play that goes beyond the remit of private organisations: it can gather evidence, prosecute offenders, take down cybercrime infrastructure, recover stolen data and cut off the criminals' revenue streams.

This is the most effective way of policing cybercrime, and we need to get better at reporting crimes and pooling information. It is this collective intelligence that builds a more accurate picture of the nature and scope of threats, their long-term impact, and how to allocate resources most effectively.

The bottom line is that we cannot predict when or where the next incident will occur, so the assumption of compromise must now inform key decisions on how security resources are allocated. What every organisation can do is take control of the processes that minimise damage, preserve digital evidence and aid quick recovery. With improved information sharing, the industry as a whole stands to benefit in identifying and closing down crime syndicates.