BreachExchange mailing list archives
The First 24 Hours After the Breach
From: Inga Goddijn <inga () riskbasedsecurity com>
Date: Wed, 21 Sep 2016 16:40:07 -0500
http://www.corpcounsel.com/id=1202767918067/The-First-24-Hours-After-the-Breach?slreturn=20160821125921

The first 24 hours after a breach are often the most critical. It is in these moments that you set the stage for containment, investigation, notification and remediation efforts. As with many things in life, your first few steps will take you down a path, and you want it to be the right path. A rapid response is needed to minimize damages. However, some terrible mistakes have been made in moments of haste, stress, panic and pressure. The actions performed must not only be fast; they must also be correct. Companies need to know what steps to take and in what order so that customer, patient or business data is protected and risks are minimized.

*1:00 – Validation*

The first step is validation, and this should take place within the first hour of the reported event. Validation occurs when an event is reported to the organization's incident reporting group. The group then evaluates the event by conducting a preliminary review of relevant log data and discussing the event with the person reporting it and others. The group then decides whether to escalate the event to an incident.

Errors at this stage can cause serious problems. A false positive determination—one that incorrectly flags an event as an incident—results in wasted time and effort, needless stress for incident response members and others who may have been notified, and a loss of confidence in the incident response team. Conversely, a false negative—failing to identify a real incident from an event—results in more damage to the company, its employees or its customers as the incident continues and information obtained from the incident is utilized or exploited. False negatives give attackers more time to steal data, gain a deeper foothold on your network or monetize the data they have already collected.

*2:00 – Assembly*

When an event is officially classified as an incident, the incident response team must assemble quickly. Assembly requires either the people who validated the event or a designated internal communications team to pull up the list of incident response team members and contact them to have them meet. Those contacting the members should make sure each person receives the message and is attending the meeting. This often involves more than just sending an email to a distribution group. Alternates should be contacted when the primary person is unavailable so that someone is present to perform the duties of each incident response role. Meetings do not need to be in person and often are virtual or over the phone to reduce response time. Some organizations have a specific conference bridge or virtual workspace set up for incident response calls.

*2:20 – Strategy*

The assembled team will need to review the information collected in the validation stage and then form a strategy for moving forward. This should take place as soon as the team can be assembled. Many of the incident response steps may already be laid out in incident response plans, and the team should not try to rewrite those plans. Incident response plans are created specifically to improve response time and decision-making, since they were developed under normal stress levels and with enough time to adequately evaluate the best course of action in light of best practices and regulatory requirements. However, where plans provide both general steps and specific steps for different types of incidents, the incident response team will need to identify which steps in the plan apply to this incident. The team should also determine whether there are additional factors of the incident that may not be addressed in the incident response plan and then identify actions to address those factors.
Each team member then acknowledges their role in the response and the actions they will take as outlined in the plan or discussion.

*3:00-7:00 – Containment*

The members of the incident response team now divide up to perform their tasks. Security team members should work with IT to evaluate the data on the incident to determine its scope. IT should disconnect from the network, or block wireless access for, the devices that are compromised or relevant to the investigation so that criminals cannot continue to use those machines to spread infections, exfiltrate data or communicate. Care should be taken not to alter evidence. IT should not pull the power from devices unless necessary, because some evidence may reside only in memory. Exceptions may be made when machines cannot be disconnected from the network or blocked from communicating, or if it is determined that the continued presence of malicious code will cause further harm to data present on the device.

*3:00-7:00 – Preservation*

Preservation is performed concurrently with containment. A time frame of 3:00-7:00 is given here, but it may take more or less time depending on how many resources are allocated to the preservation task and the scope of the incident. Forensic teams should proceed to image the relevant machines identified in the initial strategy and then move on to imaging additional machines identified by security until every machine within the scope of the incident is imaged. These machines and their drives are now considered evidence and may be needed in court to prosecute criminals or to defend the organization in future lawsuits. For this reason, evidence must be handled correctly and the chain of custody properly documented and preserved. Forensic teams may take memory captures of running devices and then image computer hard drives. This preserves the data in memory or on the hard drive so that it can be analyzed as part of the investigation.
Forensic teams photograph the scene and document hard drive serial numbers, asset identifiers and other information that will be recorded in the case log and eventually in incident reports.

*8:00-24:00 – Investigation*

The next segment of time will be spent investigating, and this will likely take the remaining span of the first 24 hours. As with the other estimates, the scope of the incident and the resources allocated will determine how long this actually takes. It is also possible for the investigation to begin while evidence is still being preserved, if data extracted from forensic images can be provided to investigators without significant impact on the continued preservation activities. The goal of the investigation is to determine what data, if any, was exfiltrated and how the incident occurred. The data from the investigation is provided to legal so that they can determine whether the incident should be classified as a breach according to regulatory requirements and applicable laws, and what level of notification is needed to mitigate the harm that customers or patients may face from the exposure of their information.

*Moving Forward*

The first 24 hours following a breach determine the effectiveness of the overall breach response. When the investigation concludes in the days or weeks that follow, notification, remediation and improvement actions can then take place. The organization will also be equipped with evidence to back up internal decisions or defend itself in court. Decisive action requires effective preparation. Prepare today for the breach.
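The preservation section above says evidence must be hashed into a documented chain of custody, with memory captured before disks are imaged. The following is an added example, not code from the article or from Risk Based Security, of a minimal custody log that records each acquisition with its image hash and chains entries so that later edits to the log or to an image are detectable; the asset ids, serial numbers and image bytes are constructed, and the memory-before-disk check reflects the order the article describes rather than any standard.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a memory capture or disk image (not real evidence).
SAMPLE_IMAGE = b"\x00CONSTRUCTED-IMAGE-BYTES\x00" * 64
GENESIS = "0" * 64  # prev-hash value for the first log entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_acquisition(log: list, image: bytes, *, asset_id: str, serial: str,
                       examiner: str, kind: str) -> dict:
    """Append a custody entry for an acquired image (kind is 'memory' or 'disk').
    The entry hash covers the image hash and the previous entry hash, so a
    modified or removed entry breaks the chain."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry = {"asset_id": asset_id, "serial": serial, "examiner": examiner,
             "kind": kind, "acquired_at": datetime.now(timezone.utc).isoformat(),
             "image_sha256": sha256_hex(image), "prev_entry_hash": prev}
    entry["entry_hash"] = sha256_hex(json.dumps(entry, sort_keys=True).encode())
    log.append(entry)
    return entry


def verify_log(log: list) -> bool:
    """Recompute every entry hash and check each link to its predecessor."""
    prev = GENESIS
    for e in log:
        body = {k: v for k, v in e.items() if k != "entry_hash"}
        if e["prev_entry_hash"] != prev:
            return False
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != e["entry_hash"]:
            return False
        prev = e["entry_hash"]
    return True


def verify_image(entry: dict, image: bytes) -> bool:
    """Confirm an image still matches the hash recorded at acquisition."""
    return sha256_hex(image) == entry["image_sha256"]


def volatility_order_ok(log: list) -> bool:
    """True if no asset's disk image was recorded before its memory capture."""
    seen_memory = set()
    for e in log:
        if e["kind"] == "memory":
            seen_memory.add(e["asset_id"])
        elif e["kind"] == "disk" and e["asset_id"] not in seen_memory:
            return False
    return True
```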
_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
If you wish to Edit your membership or Unsubscribe you can do so at the following link: https://lists.riskbasedsecurity.com/listinfo/breachexchange