Avoiding a breach is a great aim. But if you have been breached, what comes afterwards? CBR looks at some key steps for addressing the aftermath of an attack.
1) Discovering the breach
In an increasingly security-conscious world, there will be all sorts of alerts and indicators landing on an IT professional’s desk that could suggest a cyber attack.
For Dido Harding, CEO of TalkTalk, the latency issues from a distributed denial of service (DDoS) on the TalkTalk website were the first indicators that the company was under attack.
It could be an alert generated from a cyber security defence product, or could even be a ransom demand from an attacker.
Once one of these red flags goes up, it is important to act decisively and ascertain whether the company has genuinely been breached or whether there is some other issue responsible: often called the false alert problem.
2) Plan the forensics operation
Once an organisation is sure that it has been breached, the next obvious step to work out what exactly happened.
However, rushing into a potentially costly and time-consuming forensics operation without proper planning could cause as many problems as it solves, throwing up more false alerts and obscuring the real trail.
The attacked company needs careful planning here: what information are you looking for? Do you know where to look for it?
Prioritise where to gather evidence: start with the most risky areas and move down to the more stable ones.
You may find that you have not got the required personnel or expertise, so a consultancy or partner might be required.
3) Where, when and what
This involves gathering human intelligence, narrowing down what the time and date parameters are for the attack. How long has the attack been going on for? When did it start?
Most importantly, it means discovering what data, if any, has actually been lost.
For example, perhaps the attacker was able to access customer data, but this data was stored in an encrypted form, meaning that it is still safe.
Basic facts in place, the victim organisation then needs to gather more detailed evidence to eliminate false theories and establish what happened.
Once you are sure what the vulnerability is that allowed the attackers to access the data or systems in question, you need to make sure that you have patched it.
The TalkTalk hack used an SQL injection, which involves sending a command to an online database.
Even if you are not sure what the vulnerability is, take some time to go over the basics and ensure that you are in lines with cyber security best practices, especially in terms of complying with legal requirements.
Longer term, it is important to learn from the breach and, if applicable, build new cyber security methodologies that will prevent the same thing from happening in future.
Some organisations choose not to report breaches, or to report them in the most limited way possible. Others opt for full disclosure.
Regardless, it is crucial that you have the correct facts before you report, which can include the quantity and type of data affected.
It is also important that the vulnerability has been comprehensively addressed before the report becomes public, in case anybody else tries to exploit it.
Timeliness is key here. The General Data Protection Regulation (GDPR) will soon place a very real time limit on notifying regulators about a breach, and the fines that can be levelled on organisations that fail to do so are potentially crippling.
In a broader sense, it may cause damage to a company’s reputation if it appears to have sat on information about a breach, or if the breach hits headlines before a company has admitted it.