When an organisation suffers a breach, it must take appropriate steps to minimise the potential for lasting damage. Drawing on our cyber security experiences and expertise, we’ve broken this down into the three Rs of breach response.
Just like dealing with a hole in a ship’s hull, the first step is to contain the breach to prevent further damage. Cybercriminals are adept at using an initial attack as a springboard to gain a foothold in other systems and continue their attack on an organisation. It’s important to ensure that systems are locked down to prevent this from happening.
If the attack has caused damage to systems, the next priority will be restoring operations as quickly as possible in order to minimise downtime. This could involve restoring systems from back-ups, the use of parallel systems and, in the worst case, a reversion to pen and paper.
Next, it’s a case of commencing investigation into the root cause and scope of the breach. The initial focus should be classifying the breach by the type and amount of data compromised, data subjects affected and potential consequences. A full risk assessment and security review will also need to be conducted to produce a working plan for remediation.
To ensure that a response is timely and efficient, having a pre-existing and rehearsed incident response plan is highly advisable. A slow or muddled response can exacerbate the situation and inadvertently overwrite vital evidence. The requirements for speed plus evidence documentation and preservation are key reasons many organisations reach out to professional cyber incident responders for assistance.
Next, it’s important to understand whether the breach needs to be reported, and if so, to whom. Not every breach needs to be reported to every agency, and overreporting places a strain on both regulators and the reporting organisation.
There is a real possibility that some breaches may lead to multiple reports having to be submitted to a variety of bodies. For example, a criminal breach of client account details held by an investment broker would need reporting to the police, the Information Commissioner’s Office (ICO) and the Financial Conduct Authority (FCA).
With some regulations there are strict timeframes within which reports must be submitted. Under the GDPR, organisations operating in the EU have 72 hours from the discovery of a personal data breach to report it to the relevant supervisory authority. Some of the mandatory information requested may require security expertise to answer accurately.
If the breach poses a high risk to the rights, freedoms and privacy of individuals, then these people must be informed as soon as possible so that they can take suitable precautions, like resetting passwords and monitoring bank accounts for fraudulent activity. Consider whether you have a duty to assist your clients by instigating a compulsory password reset or paying for identity monitoring services.
The first step in remediation is developing an understanding of how the attack was able to occur. This is likely to include identification of the vulnerabilities the hacker exploited, together with any controls and processes that have been found to be ineffective.
The attack kill chain should be documented, a process that is considerably easier if SIEM and EDR solutions are in place to monitor networks and endpoints. Without these solutions, conducting digital forensics will be significantly more complex and time consuming.
An intelligence-led response allows for the kill chain to be fully explored so that the true scope of the attack is fully understood. This may well reveal that the breach is bigger than initially thought, which is one of the key reasons many breaches seem to grow in size as they are reported. Showing that you understand exactly what has happened and know how to prevent it happening again is crucial.
The next step in the remediation process, likely to involve both your own team and external consultants, is to implement the measures recommended in the reports produced as a result of the investigation into the incident.
There may also be an ongoing requirement to communicate with law enforcement and regulatory bodies as they conduct their enquiries. A large part of the ability to take these steps rests on the quality of the reporting available and whether you’re presented with actionable advice or fighting blind. Crucially, it’s at this stage where the fight to maintain consumer confidence takes place and it’s essential that not only are the correct actions taken in a timely fashion, but also that they’re seen to take place.
The only R you really need – Redscan
Redscan is a leading provider of managed cyber security services, specialising in threat detection and incident response.
Our CREST accredited Cyber Incident Response team are experienced at investigating breaches and helping organisations meet their regulatory requirements. We don’t stop at the technical level, offering clear containment and remediation advice as well as PR and communications support to minimise the financial and reputational damage cyber-attacks can cause.
Rather than waiting for a breach to occur, our 24/7 Managed Detection and Response service can proactively monitor your environment and respond to incidents before they cause damage and destruction.