Anyone who has worked a major data breach for their employer knows the experience: in the space of 24 hours you can go from yet another day at the office to feeling like the company is collapsing around you. To all my compatriots out there who have been ‘that person’, poring through all the log data, I salute you. Those of you who haven’t yet run this gauntlet should know that the days after the discovery of a data breach are a mélange of panic and discord. Following are some techniques for coordinating the chaos.
Build a timeline: More important than any other effort you engage in as you embark on the forensic investigation is the construction of a timeline of how everything went down. This is the information that your executive, legal and PR teams need most.
Before you start any other work, those first few hours should go into preparing a coherent method of delivering information up the command chain, which means a timeline with details a business audience can understand. Put one person in charge of nothing else but managing this document, but keep it visible to the rest of the team so they can spot discrepancies or submit changes as new information arises. Keep every entry in a single time zone (UTC is the usual choice, since log sources rarely agree with each other), note which piece of evidence each entry rests on, and mark the entries that are inferred rather than observed; otherwise the first disagreement between two log sources becomes a disagreement in what you tell the board.
Build a map: Hand in hand with that timeline, you will need a visual representation of what was done and where. Show the attackers’ path through your systems, your business processes and your data: each hop from one host or account to the next, and what that hop gave them access to.
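The timeline and the map described above are two views of the same normalized event list, which is why a single script can produce both. The following is an added example for this article, not the author’s code and not a record of any real incident: the three log sources, their formats, the host inventory and the time zones are constructed assumptions (the VPN appliance and the Windows hosts are assumed to log in US Eastern standard time, syslog lines carry no year and are assumed to be UTC). It normalizes every timestamp to UTC, sorts the events, renders them as plain lines a business audience can read, and derives the host-to-host movement map from the sorted events.

```python
"""Unified incident timeline plus movement map built from heterogeneous logs.

Added example for this article, not the author's code. The log sources,
their formats, the host inventory and the time zones are constructed
assumptions for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from itertools import chain

UTC = timezone.utc
EASTERN = timezone(timedelta(hours=-5))   # assumed local zone of the VPN and Windows logs
INCIDENT_YEAR = 2012                       # assumed: syslog timestamps omit the year

# Assumed asset inventory: which host owned each address during the incident.
IP_TO_HOST = {
    "203.0.113.7": "external",
    "10.0.0.5": "vpn-pool",
    "10.0.0.21": "web01",
    "10.0.0.40": "fileserv01",
}


@dataclass(order=True, frozen=True)
class Event:
    ts: datetime        # always UTC, so events from any source sort together
    source: str         # which log the entry came from: the evidence pointer
    actor: str
    src_host: str
    dst_host: str
    action: str


# Constructed sample logs (not from any real system) ------------------------
VPN_LOG = """\
2012-11-02 22:15:03 vpn01 login user=jsmith src=203.0.113.7
2012-11-02 22:16:40 vpn01 keepalive user=jsmith
"""
SYSLOG = """\
Nov  3 03:20:41 web01 sshd[1423]: Accepted password for jsmith from 10.0.0.5 port 51022 ssh2
Nov  3 03:52:09 db01 sshd[2210]: Accepted publickey for svc_backup from 10.0.0.21 port 40112 ssh2
"""
WIN_CSV = """\
11/02/2012 11:31:05 PM,fileserv01,4624,jsmith,10.0.0.21
11/02/2012 11:49:44 PM,dc01,4624,jsmith,10.0.0.40
11/02/2012 11:50:02 PM,dc01,4672,jsmith,10.0.0.40
"""

VPN_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) login user=(\S+) src=(\S+)$")
SSH_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+)")


def host_for(ip):
    return IP_TO_HOST.get(ip, ip)   # unknown addresses stay visible as raw IPs


def parse_vpn(text):
    for line in text.splitlines():
        m = VPN_RE.match(line)
        if m:   # keepalives and other noise are not timeline events
            local = datetime.strptime(m[1], "%Y-%m-%d %H:%M:%S").replace(tzinfo=EASTERN)
            yield Event(local.astimezone(UTC), "vpn", m[3], host_for(m[4]), m[2], "vpn login")


def parse_syslog(text):
    for line in text.splitlines():
        m = SSH_RE.match(line)
        if m:
            stamp = f"{INCIDENT_YEAR} {' '.join(m[1].split())}"   # collapse 'Nov  3'
            ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S").replace(tzinfo=UTC)
            yield Event(ts, "syslog", m[4], host_for(m[5]), m[2], f"ssh {m[3]}")


def parse_windows(text):
    for line in text.splitlines():
        when, host, event_id, user, src_ip = line.split(",")
        if event_id != "4624":   # only successful logons place the actor on a host
            continue
        local = datetime.strptime(when, "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=EASTERN)
        yield Event(local.astimezone(UTC), "windows", user, host_for(src_ip), host, "logon 4624")


def build_timeline():
    """All sources merged and ordered by UTC time."""
    return sorted(chain(parse_vpn(VPN_LOG), parse_syslog(SYSLOG), parse_windows(WIN_CSV)))


def render(events):
    """Plain lines a non-technical audience can read, each with its evidence source."""
    return [f"{e.ts:%Y-%m-%d %H:%M:%S}Z  {e.actor} {e.action} on {e.dst_host} from {e.src_host}  [{e.source}]"
            for e in events]


def movement_map(events):
    """Ordered, de-duplicated (from, to, actor) hops: the attacker's path through the estate."""
    edges, seen = [], set()
    for e in events:
        hop = (e.src_host, e.dst_host, e.actor)
        if hop not in seen:
            seen.add(hop)
            edges.append(hop)
    return edges


if __name__ == "__main__":
    timeline = build_timeline()
    print("\n".join(render(timeline)))
    for src, dst, who in movement_map(timeline):
        print(f"{src} -> {dst} as {who}")
```

Note that the Windows lines are stamped 2 November in their own clock but sort after the 3 November syslog entries once converted to UTC; without the conversion the map would show the attacker on the domain controller before they reached the web server. The `source` field on every event is what lets the person maintaining the timeline point back at the evidence when a discrepancy is raised.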
Don’t jump to conclusions: You are going to see your attacker making leaps between systems that, at the time, could only be explained by psychic powers or extreme amounts of insider information. Assume, for the time being, that there is a simple explanation, most often a log source you have not yet collected or a credential reused from an earlier hop. Treat the leap as a gap in your own visibility until the evidence says otherwise.
Now for the one that is perhaps hardest to accept. Don’t be afraid to carry out seemingly drastic reactions to ‘small’ breaches: unless you have packet-by-packet analysis of everything an intruder did and saw, you are better off safe than sorry. Forcing everyone in the company to change their password is a small price to pay compared with an attacker coming back a few weeks later after cracking thousands of valid credentials. When you do it, do it completely: a reset that skips service accounts, shared administrative accounts, API keys and still-valid sessions leaves behind exactly the credentials an attacker prefers to keep.
When a data breach occurs, the damage to information and systems has already been done; the damage to a company’s reputation and corporate culture is just beginning. The biggest risk mitigation on your plate right now is: don’t panic and make things worse. A few inept keystrokes can make the difference between finding the smoking gun and erasing vital evidence forever. Before anyone rebuilds a host, rotates a log or ‘cleans up’ malware, make sure a copy of the evidence has been taken and hashed, so that the investigation works on copies and the originals stay intact.
The timeline and map are the keys to making sure no stone is left unturned. It may seem that the intruders have already taken what they needed, but there is still a chance they left a few doorways to return through later. The timeline and map will be your guides to finding blind spots, the places where you have not yet looked, to ensure that, for the time being, you have closed the re-entry doors. You can bet money on being asked to prove this to your command chain; it is best to have an answer prepared. Identifying how the attackers planned their assault is a vital part of the post-incident learning process. After an investigation of what went wrong, you will often find that what at first appeared miraculous becomes ordinary in hindsight.
Breaches of enterprise information systems are inevitable. Compartmentalization of data is vital to truly minimize the ROI for attackers. One person, one account or one access role should never hold all the keys; separation of duties is a crucial concept. Think of the Coca-Cola myth, in which only two executives know the recipe and each knows only half of it. Take the analogy as a principle rather than a procedure: handing each custodian a literal half of a secret still leaks half of it to each of them, so where a secret genuinely must be split, split it so that no single share reveals anything on its own. Look at the most vital corporate data you have, and find a way to break it up into different systems and stages. I can’t tell you exactly how to do this for your data, but it should be part of any mature risk management program.
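To make the ‘no one holds all the keys’ principle concrete, here is an added example (not the author’s code, and going beyond the recipe analogy in the text): Shamir k-of-n secret sharing of a master key among several custodians. Unlike a literal half, any fewer than k shares are indistinguishable from random and reveal nothing, while any k of them rebuild the key exactly. The prime field, the threshold values and the sample key are assumptions chosen for illustration.

```python
"""Shamir k-of-n secret sharing: split a key so that no single custodian holds it.

Added example for this article, not the author's code. The field prime,
thresholds and sample key are assumptions for illustration.
"""
import secrets

P = (1 << 521) - 1   # Mersenne prime M521; any secret of up to 64 bytes fits below it


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x, mod P, by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret: int, k: int, n: int):
    """Return n shares (x, y). Any k of them rebuild `secret`; any k-1 are useless."""
    if not 0 <= secret < P:
        raise ValueError("secret does not fit in the field")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    # The secret is the constant term; the other k-1 coefficients are uniform random,
    # which is what makes every set of k-1 shares look like random field elements.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares) -> int:
    """Lagrange-interpolate the polynomial at x=0 from distinct shares.

    With k or more genuine shares this is the secret; with fewer it is a
    random field element, which is the whole point of the scheme.
    """
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share")
    total = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P   # Fermat inverse of den
    return total


if __name__ == "__main__":
    # Assumed scenario: a 32-byte key (e.g. the wrap key for backup encryption)
    # is split 2-of-3 between three custodians on separately administered systems.
    master_key = secrets.token_bytes(32)
    shares = split_secret(int.from_bytes(master_key, "big"), k=2, n=3)
    rebuilt = recover_secret([shares[0], shares[2]]).to_bytes(32, "big")
    print("custodians 1 and 3 together rebuild the key:", rebuilt == master_key)
    alone = recover_secret([shares[1]])
    print("custodian 2 alone learns the key:", alone == int.from_bytes(master_key, "big"))
```

The threshold has to be chosen against the organisation, not the mathematics: k must be small enough that the custodians you can actually reach during an incident can reconstruct the key, and the shares must live on systems with different administrators, or the compartmentalization exists only on paper.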
To truly minimize the damage during a breach, follow the example of the medical profession: ‘first, do no harm’. Stop the bleeding, create time to breathe, and think. The damage an organization can do to itself during the discovery and investigation of a breach can far outlast the pain of a few copied gigabytes.
Conrad Constantine is a Research Team engineer with AlienVault. His early background in searching for forbidden knowledge, pushing computing hardware to its limits and a nose for the truth made him a perfect fit for a career in incident response. For over a decade and a half, he has been on the front lines of defense work, including being at ground zero for the 2011 RSA SecurID breach. Constantine is a firm believer that incident response must become an accessible and effective discipline available to all, and he works on bringing the mysteries of open-source intelligence generation and defensive agility to those willing to take the leap from fear to action.
15 November 2012
I respect your article highly for providing an understanding of how to respond to such events. There could be a book written from all this, and as Conrad mentioned, without walking through all this one has NO CLUE what can and may happen during it. Even those 'high-velocity human factors' should be remembered.
I can't stress enough the importance of preparation and training. Not just theory, but a real 24-hour-long event.
Among those, using and becoming familiar with simple tools such as grepping data and analysing log files by hand may prove significant while everything else collapses around you.
The importance of the timeline and "war journal" is the first thing, even without a command structure. After that, the most important thing, which is obviously missing by mistake, is 'build a command structure'. None of the activities performed by a group (not a solo) of responders make sense unless there is a solid understanding of what is being done and of the chain of command.
Moreover, the command chain is NEEDED - no - it's IMPERATIVE for organisation/business leaders who may be required to communicate about it outside the 'cyber mayhem' responders.
Next, the conclusions. It would be advisable to create a 'tasking' order and model to task the conclusions, when and if they create activities following the understandings.
I do agree with and highly support the 'compartmentalization' of data. Big things, involving thousands of people and malicious efforts as well, have been and can be protected with such proper discipline and techniques. If I have to guess, 20% of organizations ever implement it or understand the need behind this.
The map and timeline, together with understanding the 'assets' in which your game is handled, can be defined as 'tactical depth of defense'. In this context, you can easily understand the meaning. It helps to prepare you within the space and allows activities to be carried out not just by pure gut feelings and conclusions, but by maneuvered tactics.
Note: The majority of comments posted are created by members of the public. The views expressed are theirs and unless specifically stated are not those of Elsevier Ltd. We are not responsible for any content posted by members of the public or content of any third party sites that are accessible through this site. Any links to third party websites from this website do not amount to any endorsement of that site by Elsevier Ltd and any use of that site by you is at your own risk. For further information, please refer to our Terms & Conditions.