Ask The Experts: How To Respond to a Data Breach Effectively

Written by

Heath Renfrow, CISO and managing director of disaster recovery services, Conversant Group.

Heath is one of the world’s leading cybersecurity experts. He has more than two decades of experience as a high-level information security specialist, much of it as a CISO in the United States Department of Defense. 

Data breaches can range from business email compromise to ransomware attacks. With ransomware attacks, the threat actors aren’t only encrypting systems, they are also exfiltrating data to double blackmail victims.

What does your company do in the first 24 hours of discovering a data breach has occurred? There are five crucial steps your company should follow during the first day of discovering a data breach.

The first step is to execute your incident response plan (IRP). There should be a list of key incident response personnel in this plan, including cyber-insurance panels (outside counsel, data forensics firms, etc.). Start gathering facts, but be very careful of electronic communications until you execute step two of this process. Those internal or external communications could come back to hurt your company legally. Keep communications verbal. 

Step two is to engage an approved outside breach counsel. You might have this list in your IR plan, and if you can, find a list of approved IR panels on your insurance policy or the insurance company’s website. Contact one of the approved breach counsels and get under attorney-client privilege as soon as possible. These outside attorneys specialize in breaches and will help your company navigate the rough waters ahead. 

In step three, your breach counsel will help you engage panel-approved data forensics and incident response (DFIR) firms to get data forensics underway. These professionals are critical to discovering how the threat actors gained access into your environment, what data might be compromised and if they exfiltrated any of that data. This information is critical for future notifications to clients, users and regulatory bodies.


Step four may or may not be needed. In the case of a ransomware attack, you may or may not have backups available to help in the recovery process. Regardless, time is money, and the quicker you get your company back up and running, the less financial and reputational damage will occur. That is why it is important to call in a reputable company specializing in disaster restoration efforts that can bring your company back online efficiently and intelligently. Your outside counsel will have a list of companies they trust for this as most insurances do not have a panel for these efforts. 

Step five could be step three based on outside counsel’s guidance. Regardless, it is now time to engage your cyber-insurance company in conjunction with outside counsel. It is important to understand what coverage your company has for cyber insurance and stay in continuous contact with your representative during the entire incident response process. 

Last but not least, breathe. You have the professionals you need to make it through this chaotic time. Stay calm and let these various teams do what they do best.

Amar Singh, CEO and founder, Cyber Management Alliance

Amar is a leading cybersecurity expert, crisis management practitioner and data privacy expert. He works as a senior C-level executive and CISO and has created multiple UK government certified training programs.

Instead of telling you what you should do in the first 24 hours of a cyber-attack, I will tell you how to prepare for the first 24 hours so that you can take effective response actions.

Cyber-attacks are not just impacting organizations and passwords but human life. The supermarket Co-op faced a supply chain attack and had to shut down 800 stores (and allegedly gave away food for free) in Sweden when the Russia-linked REvil ransomware group targeted Florida-based IT company Kaseya.

Cyber-attacks will increasingly impact human life, and that’s why a rapid response to an incident may be the difference between saving or destroying lives. Remember, you are preparing to save lives, not passwords!

To be prepared for the first 24 hours, you need to understand and acknowledge some key facts.

FACT: Cyber-weapons are highly destructive and sophisticated

We are now in a world of connected devices, super-fast 5G and ultra-powerful central processing units that fit in tablets and watches. Today’s tools leverage these factors to wreak havoc on digital systems and wipe out systems in seconds.   

You need systems and processes that match the agility and sophistication of the tools and criminals attacking your systems.

FACT: Humans are incapable of responding (to most cyber-attacks)

Look at these quotes from Craig Williams, director of the Talos Outreach team at Cisco, about the malware that brought shipping giant Maersk to its knees in 2017: “To date, it was simply the fastest-propagating piece of malware we’ve ever seen” and “by the second you saw it, your data center was already gone.”

The malware that Williams is talking about crippled not just Maersk but several other companies. The malware (named NotPetya) spread at speed and destroyed systems equally fast. The IT systems were not unusable; they were destroyed. Within a matter of minutes, the worldwide network of Maersk was no more.

The point about ‘the second you saw it, the data center was already gone’ is crucial to understand. You need to ensure that in the first 24 hours, you can match the malware’s speed to spread and destroy with your velocity of response.

FACT: Criminals love automation

Criminals and many regular folks, including myself, absolutely love automation and use it to reduce errors, increase efficiency and improve their chances of success. This is music to most senior executives’ ears. Criminals deploy automation at every opportunity.

You should strongly consider embracing and using automation as much as possible, especially in the first 24 hours after an attack. Automate the data enrichment for your security analysts, the triage process and the analysis components, etc.

Put simply, automate the boring manual steps so your analysts can focus on analyzing and disabling the attackers.

At Cyber Management Alliance, we have a whole training program certified by the UK Government’s NCSC, called Cyber Incident Planning & Response (CIPR) that goes deep into the planning and preparation for the first 24 hours post-breach. This 24-hour period is also known as the ‘golden hour’ in cyber-attacks.

David Gray, director, NTT Ltd. UK and Ireland

David Gray is a director for NTT Ltd. within its cybersecurity consulting services division. David is responsible for managing professional services engagement in incident response planning, global incident response/discovery, breach readiness, and other security-related consulting engagements.

First and foremost, it’s critical to develop an incident response plan now and embed it in everything you do.

Malicious actors are opportunistic and it’s safe to assume that, at some point, your organization will suffer a breach – responding to a breach effectively lies in the preparation.

If a plan is made ahead of time, organizations can successfully react to an incident in the first 24 hours, significantly reducing the risk and severity of negative consequences. Independent research from the Ponemon Institute showed that the average cost of a data breach for companies with an incident response (IR) team was $3.29m, compared to $5.39m for those without IR or IR test plans. 

Ultimately, understanding what to do when an attack occurs is the difference between limiting damage and catastrophic loss. 

The immediate aftermath of a breach is a stressful time for security teams. To avoid making a bad situation worse, organizations need to implement a credible IR plan tested against real-world scenarios. 

Building an IR plan involves several components. Defining the IR team and their roles and responsibilities, and identifying any skillsets that do not exist within your organization, should be the first action points. 

Outlining the communication process for during and after the incident is also essential – this includes defining when to alert industry regulators or law enforcement. In addition, laying out the criteria for declaring when an incident started and ended is critical. Any information about the attack is pertinent for reporting the crime and informing future training programs. 

When mitigating the attack your plan should include three phases: containment; removal; and restoration and recovery. 


During containment, focus should be on limiting the scope of the attack and preventing further damage. Short-term containment requires immediate action to diminish the impact, involving locking down systems, changing passwords and rerouting traffic. Long-term containment means temporary containment to keep production going. Here, creating backups for forensic investigation and making sure all systems and applications are up-to-date are vital.  

The removal and restoration stage involves taking appropriate steps to clear malicious content from affected systems and addressing and removing vulnerabilities. The final recovery steps can then be taken, meaning testing and verifying the compromised systems to ensure they are clean and fully functional. 

Every breach should provide an opportunity to learn and improve. IR plans should contain a formal debrief session, where lessons learned are gathered for further review and integration into the program. 

Minimizing the impact of a security incident requires technical expertise, trained personnel and the ability to act rapidly. Making the first 24 hours count is dependent on teams knowing how to identify incidents quickly, knowing how to contain the damage and finally, knowing how to instigate remediation. If you don’t already have an IR plan in place, develop one now and embed it in everything you do – your team will thank you in the long run.
