September 21, 2016 (updated 04 Oct 2016 4:26pm)

Cyber security basics: 5 steps in breach forensics

Respond to a breach efficiently and legally with this guide.

By Alexander Sword

Avoiding a breach is a great aim. But if you have been breached, what comes afterwards? CBR looks at some key steps for addressing the aftermath of an attack.


1) Discovering the breach

In an increasingly security-conscious world, there will be all sorts of alerts and indicators landing on an IT professional’s desk that could suggest a cyber attack.


Dido Harding, CEO of TalkTalk, speaking to a select committee about the hack.

For Dido Harding, CEO of TalkTalk, the latency issues from a distributed denial of service (DDoS) on the TalkTalk website were the first indicators that the company was under attack.

It could be an alert generated from a cyber security defence product, or could even be a ransom demand from an attacker.

Once one of these red flags goes up, it is important to act decisively and ascertain whether the company has genuinely been breached or whether there is some other issue responsible: often called the false alert problem.



2) Plan the forensics operation

Once an organisation is sure that it has been breached, the next obvious step is to work out what exactly happened.

However, rushing into a potentially costly and time-consuming forensics operation without proper planning could cause as many problems as it solves, throwing up more false alerts and obscuring the real trail.

The attacked company needs careful planning here: what information are you looking for? Do you know where to look for it?

Prioritise where to gather evidence: start with the most risky areas and move down to the more stable ones.

You may find that you have not got the required personnel or expertise, so a consultancy or partner might be required.

3) Where, when and what

This involves gathering human intelligence, narrowing down what the time and date parameters are for the attack. How long has the attack been going on for? When did it start?

Most importantly, it means discovering what data, if any, has actually been lost.

For example, perhaps the attacker was able to access customer data, but this data was stored in an encrypted form, meaning that it is still safe.

Basic facts in place, the victim organisation then needs to gather more detailed evidence to eliminate false theories and establish what happened.

4) Action

Once you are sure what the vulnerability is that allowed the attackers to access the data or systems in question, you need to make sure that you have patched it.

The TalkTalk hack used an SQL injection, which involves sending a command to an online database.
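To illustrate the class of flaw mentioned above, here is an added example (not code from the article or from TalkTalk) contrasting a query that splices user input into SQL text with the parameterised form that closes the hole; the customer table and inputs are constructed for the demonstration.

```python
import sqlite3

def make_db():
    # Constructed in-memory sample table; not real customer data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, name TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?)",
                     [("a@example.com", "Alice"), ("b@example.com", "Bob")])
    return conn

def lookup_vulnerable(conn, email):
    # The input is concatenated into the statement, so whatever the user
    # sends becomes part of the command the database executes.
    sql = "SELECT name FROM customers WHERE email = '" + email + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_parameterised(conn, email):
    # The value travels separately from the statement text; the database
    # treats it purely as data, so it can never alter the query's logic.
    sql = "SELECT name FROM customers WHERE email = ?"
    return [row[0] for row in conn.execute(sql, (email,))]

def demo():
    conn = make_db()
    normal = "a@example.com"
    # Constructed hostile input: in the vulnerable version it turns the
    # WHERE clause into a tautology and leaks every row.
    hostile = "x' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "safe_normal": lookup_parameterised(conn, normal),
        "safe_hostile": lookup_parameterised(conn, hostile),
    }

if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The same hostile string returns all customers from the vulnerable lookup and nothing from the parameterised one, which is the behavioural check to run after the patch in step 4 is applied.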

Even if you are not sure what the vulnerability is, take some time to go over the basics and ensure that you are in line with cyber security best practices, especially in terms of complying with legal requirements.

Longer term, it is important to learn from the breach and, if applicable, build new cyber security methodologies that will prevent the same thing from happening in future.

5) Report

Some organisations choose not to report breaches, or to report them in the most limited way possible. Others opt for full disclosure.

Regardless, it is crucial that you have the correct facts before you report, which can include the quantity and type of data affected.

It is also important that the vulnerability has been comprehensively addressed before the report becomes public, in case anybody else tries to exploit it.

Timeliness is key here. The General Data Protection Regulation (GDPR) will soon place a very real time limit on notifying regulators about a breach, and the fines that can be levelled on organisations that fail to do so are potentially crippling.

In a broader sense, it may cause damage to a company’s reputation if it appears to have sat on information about a breach, or if the breach hits headlines before a company has admitted it.
