[BreachExchange] The First 24 Hours After the Breach

Inga Goddijn inga at riskbasedsecurity.com
Wed Sep 21 17:40:07 EDT 2016


http://www.corpcounsel.com/id=1202767918067/The-First-24-Hours-After-the-Breach?slreturn=20160821125921

The first 24 hours after a breach are often the most critical. It is in
these moments that you set the stage for containment, investigation,
notification and remediation efforts. As with many things in life, your
first few steps will take you down a path, and you want it to be the right
path.

A rapid response is needed to minimize damages. However, some terrible
mistakes have been made in moments of haste, stress, panic and pressure.
The actions performed must not only be fast; they must also be correct.
Companies need to know what steps to take and in what order so that
customer, patient or business data is protected and risks minimized.

*1:00 – Validation*

The first step is validation, and this should take place within the first
hour of the reported event. Validation occurs when an event is reported to
the organization's incident reporting group. The group then evaluates the
event by conducting a preliminary review of relevant log data and
discussing the event with the person reporting it and others. The group
then decides whether to escalate the event to an incident.

Errors at this stage can cause serious problems. A false positive
determination—one that incorrectly flags an event as an incident—results in
wasted time and effort, needless stress for incident response members and
others who may have been notified and a loss of confidence in the incident
response team. Conversely, a false negative—failing to identify a real
incident from an event—results in more damage to the company, its employees
or its customers as the incident continues and information obtained from
the incident is utilized or exploited. False negatives give attackers more
time to steal data, gain a deeper foothold on your network or monetize the
data they have already collected.

*2:00 – Assembly*

When an event is officially classified as an incident, the incident response
team must assemble quickly. Either the people who validated the event or a
designated internal communications team pulls up the list of incident response
team members and contacts each of them to convene. Those making contact should
confirm that each person has received the message and is attending the
meeting. This often involves more than
just sending an email out to a distribution group. Alternates should be
contacted when the primary person is unavailable so that a person is
present to perform the duties for each of the incident response roles.
Meetings do not need to be in person and often are virtual or over the
phone to reduce response time. Some organizations have a specific
conference bridge or virtual workspace set up for incident response calls.

*2:20 – Strategy*

The assembled team will need to review the information collected in the
validation stage and then form a strategy for moving forward. This should
take place as soon as the team can be assembled.

Many of the incident response steps may already be laid out in incident
response plans, and the team should not try to rewrite those plans.
Incident response plans are created specifically to improve response time
and decision-making, since they were developed under normal stress levels
and with enough time to adequately evaluate the best course of action in
light of best practices and regulatory requirements. However, where a plan
provides both general steps and specific steps for different types of
incidents, the team will need to identify which steps apply to the incident at
hand. The team should also determine whether the incident has additional
factors that the plan does not address and identify actions to handle them.
Each member then acknowledges their role in the response and the actions they
will take as outlined in the plan or agreed in the discussion.

*3:00-7:00 – Containment*

The members of the incident response team now divide up to perform their
tasks. Security team members should work with IT to evaluate the data on
the incident to determine the scope.

IT should disconnect the compromised devices, and any others relevant to the
investigation, from the network or block their wireless access so that
criminals cannot continue to use those machines to spread infections,
exfiltrate data or communicate. Where it can be done quickly, record the
machine's active network connections and running processes first, since that
state is lost the moment the connection is cut.

Care should be taken not to alter evidence. IT should not pull the power
from devices unless necessary because some evidence may reside in memory.
Exceptions may be made when machines cannot be disconnected from the
network or blocked from communicating or if it is determined that the
continued presence of malicious code will cause further harm to data
present on the device.

*3:00-7:00 – Preservation*

Preservation is performed concurrently with containment. A time frame of
3:00-7:00 is given here, but it may take more or less time depending on how
many resources are allocated to the preservation task and the scope of the
incident.

Forensic teams should begin by imaging the machines identified in the initial
strategy, then move on to additional machines identified by security until
every machine within the scope of the incident is imaged. These machines and
their drives are now considered
evidence and may be needed in court to prosecute criminals or defend the
organization in future lawsuits. For this reason, evidence must be handled
correctly and the chain of custody properly documented and preserved.

Forensic teams may take memory captures of running devices and then image
computer hard drives. This preserves the data in memory or on the hard
drive so that it can be analyzed as part of the investigation. Each memory
capture and disk image should be hashed (for example with SHA-256) at the time
of acquisition and the hash recorded with the evidence, so that the copy can
later be shown to be identical to what was collected. Forensic teams
photograph the scene and document hard drive serial numbers, asset
identifiers and other information that will be recorded in the case log and
eventually on incident reports.
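Evidence handled this way needs a record that ties each image to the device it came from and shows it has not changed since acquisition. The script below is an added example and is not part of the original article: it simulates acquiring an image from a device (a constructed sample file stands in for the real block device or memory dump, which in practice would be read through a write blocker with a tool such as dd or a dedicated imager), hashes the source and the copy independently, starts a chain-of-custody manifest carrying the asset tag and drive serial, and re-verifies the image later. The asset tag, serial number, examiner names and file names are invented.

```python
"""Evidence acquisition manifest with integrity verification (added example)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB read size keeps memory flat on multi-GB images


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def log_custody(manifest, person, action, note):
    """Append a timestamped chain-of-custody entry to the manifest."""
    manifest["custody"].append({
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "person": person,
        "action": action,
        "note": note,
    })


def write_manifest(manifest_path, manifest):
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2)


def acquire(source_path, image_path, manifest_path, asset_tag, drive_serial, examiner):
    """Copy the source to image_path, hash both ends independently, start the manifest.

    In a real acquisition source_path would be the block device or memory dump
    and the copy would be made through a write blocker; the hashing and the
    record keeping are the same.
    """
    source_hash = sha256_file(source_path)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            dst.write(chunk)
    image_hash = sha256_file(image_path)
    if image_hash != source_hash:
        raise RuntimeError("acquired image does not match source; re-image")
    manifest = {
        "asset_tag": asset_tag,
        "drive_serial": drive_serial,
        "image_file": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "sha256": image_hash,
        "custody": [],
    }
    log_custody(manifest, examiner, "acquired", "imaged; source and image hashes match")
    write_manifest(manifest_path, manifest)
    return manifest


def verify(manifest_path, image_path):
    """Re-hash the image and compare to the recorded value. True if unchanged."""
    with open(manifest_path) as f:
        manifest = json.load(f)
    return sha256_file(image_path) == manifest["sha256"]


def demo():
    """Constructed scenario: acquire, hand over, verify, then tamper and verify again.

    Returns (verified_after_acquisition, verified_after_tamper, custody_entries).
    """
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "sample_device")  # stands in for /dev/sdX or a RAM dump
    with open(source, "wb") as f:
        f.write(b"constructed sample device contents\n" * 4096)
    image = os.path.join(workdir, "WS-1042.dd")      # hypothetical asset tag
    manifest_path = os.path.join(workdir, "WS-1042.json")

    manifest = acquire(source, image, manifest_path,
                       "WS-1042", "SN-EXAMPLE-0001", "examiner A")
    log_custody(manifest, "examiner A", "transferred",
                "handed to evidence locker, custodian B")
    write_manifest(manifest_path, manifest)
    intact = verify(manifest_path, image)

    # Simulate an evidence-handling mistake: one byte of the image is altered.
    with open(image, "r+b") as f:
        f.seek(0)
        f.write(b"X")
    still_intact = verify(manifest_path, image)
    return intact, still_intact, len(manifest["custody"])


if __name__ == "__main__":
    print(demo())
```

The manifest is deliberately separate from the image so that the recorded hash can be stored (and signed or printed) with the case log; if the image and its hash travel together, an altered image can simply be re-hashed by whoever altered it.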

*8:00-24:00 – Investigation*

The next segment of time will be spent investigating, and this will likely
take the remaining span of the first 24 hours. As with other estimates, the
scope of the incident and resources allocated will determine how long this
will actually take. It is also possible for the investigation to begin
while evidence is still being preserved if data extracted from forensic
images can be provided to investigators without significant impact on the
continued preservation activities.

The goal of the investigation is to determine what data, if any, was
exfiltrated and how the incident occurred. The data from the investigation
is provided to legal so that they can determine whether the incident should
be classified as a breach according to regulatory requirements and
applicable laws and what level of notification is needed to mitigate harm
customers or patients may face from the exposure of their information.

*Moving Forward*

The first 24 hours following a breach determine the effectiveness of the
overall breach response. When the investigation concludes in the days or
weeks following, notification, remediation and improvement actions can then
take place. The organization will also be equipped with evidence to back up
internal decisions or defend itself in court. Decisive action requires
effective preparation. Prepare today for the breach.