What is the most important thing to do if you suspect a security incident?
|
A data breach is one of the biggest threats to an organization. It can harm an organization’s reputation and entail huge financial losses. According to the Cost of a Data Breach Report 2020 by IBM [PDF], the average cost of a data breach is estimated at $3.86 million. Thus, preventing data breaches and investigating them in a timely manner are among the most sensitive pain points when it comes to an organization’s cybersecurity. Show
In this article, we describe seven steps of how to investigate a data breach and explain what to pay special attention to during data breach investigation and remediation.
What is a data breach?
A data breach is an event that results in exposing confidential, sensitive, or other protected information to an unauthorized person. Breaches of confidential information can lead to financial losses, legal liability, and reputational damage through media coverage and publicity. That’s why if a data breach has occurred, it’s necessary to take actions to mitigate its consequences and investigate the incident.
Investigation is an integral part of a data breach response. Its goal is to clarify the circumstances of the breach, assess the damage caused by it, and develop a further plan of action depending on the results of the investigation.
It’s important to begin investigations as soon as possible in order to respond to potential risks and limit access to leaked information before it’s too late. There are a number of cyber incident response guides that provide detailed recommendations on handling security incidents:
Below, we outline seven steps based on the recommendations in these guides.
7 steps for responding to and investigating a data breach
Although the reasons behind a data breach may vary, there’s a set of steps you need to take when responding to and investigating such a cybersecurity incident. Let’s take a closer look at this data breach investigation checklist.
Depending on the industry you operate in and the requirements you need to comply with, the order of steps may vary, and some steps may be omitted or added.
1. Detect the data breach
All tips for investigating a data breach begin with incident detection. This step is aimed at determining the fact that a data breach has occured. You can confirm this by inspecting the signs of a data breach.
In the Computer Security Incident Handling Guide, NIST distinguishes two types of data breach signs: precursors and indicators.
A precursor is a sign that an incident may occur in the future. It can be:
In general, precursors are rare and mostly help organizations to stay vigilant.
An indicator is a direct sign that an incident may have occurred or is occurring right now. Common examples of data breach indicators include:
MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) can also be of great help. This is a structured knowledge base of known attacker behavior, divided into tactics and techniques and expressed in tables (matrices). The MITRE ATT&CK model for threat mitigation provides a comprehensive view of attackers’ behavior and is extremely useful for data protection, monitoring, and employee training.
Read also: How Can MITRE ATT&CK Help You Mitigate Cyber Attacks?
2. Take urgent incident response actions
There are a number of urgent steps you should take when a data breach is detected. The first thing among data breach investigation tips is to record the date and time of detection as well as all information known about the incident at the moment.
Then, the person who discovered a breach must immediately report to those responsible within the organization. Access to breached information should also be restricted to stop the further spread of leaked data.
Overall, you may stick to this general checklist:
It’s also crucial to launch a thorough investigation as soon as possible so you can find the root causes of the data breach.
3. Gather evidence
Collecting and checking all evidence related to the data breach is another step in a list of data breach response best practices. Make sure to gather data from all your cybersecurity tools, servers, and network devices and to collect information from your employees during interviews.
First and foremost, act quickly and gather as much information about the data breach as you can. The better your understanding of the situation, the better your chances of minimizing the consequences.
The list of data you should collect includes:
Read also: Portrait of Malicious Insiders: Types, Characteristics, and Indicators 4. Analyze the data breach
Once you’ve gathered as much information about the incident as you can, you need to analyze it. This step is aimed at determining the circumstances of the incident. In addition, you may have to answer a series of questions that will further assist in the investigation:
Having carefully analyzed information on the data breach, you can draw some conclusions about the source of the breach to effectively stop it.
Read also: How to Calculate the Cost of a Data Breach
5. Take containment, eradication, and recovery measures
It’s also important to take actions to prevent the data breach from spreading. This can be accomplished with three сountermeasures:
Let’s see how each of these measures can help you effectively mitigate the consequences of a data breach.
Containment measures
The goal of these measures is not only to isolate compromised computers and servers but to prevent the destruction of evidence that can help investigate the incident.
Conduct a comprehensive data breach containment operation and preserve all evidence, being careful you don’t destroy it. For example, if a data breach is caused by malware, it may not create files on disk but may place itself entirely in RAM because it’s harder to detect this way. Therefore, it’s unacceptable to power off the computer, as all the information contained in RAM will be lost.
Also, monitor the attacker’s activities and determine whether any data is leaking during the investigation.
Eradication measures
Next, it’s important to eliminate all causes that led to the data breach. For example, if the breach occurred as a result of an insider threat, security specialists should disable all accounts that leaked information. If the threat was external, such as malware, it may be necessary to clean up the affected system and patch exploited vulnerabilities.
Recovery measures
After a successful eradication step, it’s necessary for the organization to return to normal operations. This includes putting the affected systems back into a fully operational state, installing patches, changing passwords, etc.
Security specialists should carefully monitor the network, recovered computers, and servers to ensure that the threat has been fully removed.
6. Notify related parties
Regardless of whether you’re legally obliged to do so, you should notify all affected organizations and individuals as well as law enforcement. Timely notification is a very important data breach investigation procedure as it will enable individuals to take measures to protect lost data, such as changing passwords, or at least to be careful in case scammers take advantage of the data breach.
The list of those to be notified will vary depending on the type of compromised data and may include:
Pay particular attention to notice periods. They depend on the regulations and standards you need to comply with and the type of data affected (personal data, financial data, etc.). Failure to notify regulators in a timely manner could result in liability and extensive fines:
Many other countries also have laws and regulations regarding the use and unauthorized disclosure of personal data. If your organization operates in more than one country, you should consider the local data breach legislation and include its requirements when creating an incident response plan.
Read also: What Is a HIPAA Violation? Fines and Penalties for Failed HIPAA Compliance
7. Conduct post-incident activities
Once you’ve taken basic actions to counter the data breach, it’s time to analyze the incident and its consequences and take steps to prevent similar issues in the future. Every data breach should be thoroughly audited afterwards. The specifics of each audit depend on the data breach itself and its causes.
In general, an audit may include:
By thoroughly implementing these steps, you can get a better understanding of the data breach that occured, discover its true causes, and determine the best pathway for mitigating its consequences.
Respond to data breaches with Ekran System
It’s extremely difficult to investigate a data breach and restore the full picture of what happened without detailed context. Ekran System can effectively help you in investigating a data breach.
By deploying Ekran System, you’ll get a full-cycle insider risk management platform that allows you to:
Also, Ekran System can help you comply with requirements of various acts, standards, and regulations such as NIST, HIPAA, PCI DSS, GDPR, and FISMA.
Learn more about Ekran System’s tools for security investigation
Conclusion
Data breaches carry significant risks and can incur significant losses, so the sooner you deal with them, the better. Proper investigation will help you identify the extent of an incident and take measures to mitigate it in order to minimize the risks.
It’s best to have a set of measures prepared to respond to data breaches, such as an incident response plan and a pre-assembled response team. Coordinated actions and a consistent approach can significantly speed up the process of recovering after a breach.
Ekran System offers a rich set of features for data breach investigation and mitigation. Request a trial version of the platform to enhance your data breach protection. What actions must be taken in response to a security incident?The security incident response process is centered on the preparation, detection and analysis, containment, investigation, eradication, recovery, and post incident activity surrounding such an incident.
What is the most important step in incident response?Detection (identification)
One of the most important steps in the incident response process is the detection phase. Detection, also called identification, is the phase in which events are analyzed in order to determine whether these events might comprise a security incident.
Which is the best first step you should take if you suspect a data breach has occurred?If you're notified that your personal information was exposed in a data breach, act immediately to change your passwords, add a security alert to your credit reports and consider placing a security freeze on your credit reports.
What is Step 1 of the investigating security incident process?Step 1 - Identification
The first step is to identify that there has been a cyber incident. You should also identify how the cyber incident was found. For example, this could be through a user reporting the issue, or through an alert from the monitoring system.
|
