6 Steps to Take Right After a Business Data Breach
During a security event, the last thing you want to be scrambling for is a response strategy. Incident Response (IR) plans exist to avoid exactly that situation - providing a clear protocol for responding to cyberattacks, unauthorized hardware/software changes, denial of service, and similar events. If there are any doubts about the integrity, confidentiality, or availability of your business data - it's time to break out the IR plan. Your IR plan should be a joint effort between your organization's technical and legal teams, to ensure that client data, employee data, and business intellectual property are all covered. Here are six key incident response steps to take if you suspect a breach or other security event.
6 Essential Steps for Cybersecurity Incident Response
1. Prepare Your Systems for 24x7 Responsiveness
In order to prepare for an attack, someone has to be on the lookout for one. Monitoring tools such as Security Operations Center-as-a-Service (SOC-as-a-Service) track network, log, and Office 365 threats around the clock. Once a security event has been vetted, the SOC and related systems send alerts to members of your team. Your organization should have a designated team of individuals who can identify and assess threats 24x7. They can help secure access to critical applications and intellectual assets during a cyberattack, and help ensure a smooth transition to recovery. While cyberattacks may be unpredictable, having an established plan and a named set of responders can greatly reduce the amount of damage.
2. Identify the Cyber Threat
The sooner a threat is identified, the better. Your IT team needs to know if the threat is internal or external, and how successful it has been at evading established defensive measures. Some important data points include:
- Current status of the incident
- Date/time when the incident occurred
- Description of the event (e.g. how it was detected, what occurred)
- Source/cause of the incident (if known) - including hostnames and IP addresses
- Description of affected resources - IP addresses, hostnames, type of system, etc.
3. Escalate the Incident
In the event of a system or data compromise, it helps to have an escalation framework already in place. Each priority level can specify the designated responders, the expected response time frame, the methods of communication, and so on. Here are three examples of incident prioritization, and the expectations surrounding each:
- High priority: Incidents at this level are high-risk events that have the potential to cause extreme damage to an organization. This level includes system or data compromises, Distributed Denial of Service (DDoS) attacks, computer viruses, and similar incidents. Threats at this level require immediate intervention.
- Medium priority: This incident type affects data sources across multiple systems, where confidential data appears to have been read, modified, or destroyed by an unauthorized user. Example incidents include malware outbreaks, attacks targeted at specific servers, unauthorized local scanning activity, or systems communicating with known malicious hosts. If handled properly, medium priority events do not necessarily result in business interruption.
- Low priority: This classification is for alerts contained to a single machine or a small number of machines across a single data source. Examples include system infections or a malware alert triggered by user browsing activity. If these incidents do not appear to impact confidential information, they're classified as "low priority".
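To show how the Step 2 data points and the Step 3 priority tiers fit together, here is an added example (not code from the original article or from iCorps) that records an incident with the fields listed above and triages it into the high/medium/low scheme. The category names, the "small number of machines" threshold, and the response windows are assumptions for illustration, not values from the article.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Response windows per tier: assumed placeholder values, not from the article.
RESPONSE_WINDOW_HOURS = {"high": 1, "medium": 8, "low": 24}

# Categories the framework places in the high tier outright (assumed names).
HIGH_TIER = {"system_compromise", "data_compromise", "ddos", "virus"}
# Categories the framework lists as medium-tier examples (assumed names).
MEDIUM_TIER = {"malware_outbreak", "targeted_server_attack",
               "local_scanning", "malicious_host_communication"}
# "Single or small number of machines" threshold for the low tier (assumed).
SMALL_MACHINE_COUNT = 3


@dataclass
class IncidentRecord:
    """The data points Step 2 says responders need to identify a threat."""
    status: str                    # current status, e.g. "open" / "contained"
    occurred_at: datetime          # date/time the incident occurred
    description: str               # how it was detected, what occurred
    category: str                  # normalised incident type (assumed field)
    source: Optional[str] = None   # source/cause if known: hostname or IP
    affected: List[str] = field(default_factory=list)  # hostnames / IPs
    data_sources: int = 1          # distinct data sources involved
    confidential_impact: bool = False  # confidential data read/changed/destroyed


def triage(inc: IncidentRecord) -> str:
    """Assign the high / medium / low tier described in Step 3."""
    if inc.category in HIGH_TIER:
        return "high"
    if (inc.category in MEDIUM_TIER
            or inc.confidential_impact
            or inc.data_sources > 1
            or len(inc.affected) > SMALL_MACHINE_COUNT):
        return "medium"
    # Contained to one or a few machines on a single data source, with no
    # confidential data affected.
    return "low"


def response_deadline(inc: IncidentRecord) -> datetime:
    """Latest time a designated responder must have engaged (assumed windows)."""
    return inc.occurred_at + timedelta(hours=RESPONSE_WINDOW_HOURS[triage(inc)])


# Constructed sample: a single-host browsing malware alert, as in the low tier.
SAMPLE = IncidentRecord(status="open", occurred_at=datetime(2024, 1, 15, 9, 30),
                        description="AV alert after user browsing activity",
                        category="malware_alert", affected=["ws-042"])
```

The same record can later be updated in place (status, affected hosts, confidential impact) and re-triaged as the investigation widens, which is what moves a single-host alert into the medium tier.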
4. Contain the Damage
Containment is a critical element of your Incident Response plan, and the plan should outline different containment strategies depending on the threat type. Two common categories of containment are short-term and long-term. Short-term containment can be as simple as isolating a network device that is under attack, or diverting traffic from compromised servers to backup servers. In the case of long-term containment, your team may apply temporary patches to a targeted system while building a new system and bringing it online during the recovery stage.
5. Eradicate the Source
Now is the time to identify the root cause of the attack, remove malware and other threats, and establish prevention strategies. For example, if weak authentication was the entry point, replacing it with multi-factor authentication would be considered eradication. This stage builds upon containment by eliminating the identified threats from your network, your endpoints, or your applications.
6. Recover Your Operations
Systems are carefully brought back online to ensure another incident doesn't occur. The recovery phase is when organizations restore their systems to full working order, just as they were before the incident occurred. Backups are critical during this stage, helping your team restore your computing environment. For more information about recovering from a cybersecurity incident, reach out to iCorps for a free IT consultation.