Anyone that’s worked on a major data breach for their employer is familiar with this experience: in the space of 24 hours you can go from yet another day at the office, to feeling like the company is collapsing around you. To all my compatriots out there that have been ‘that person’ – pouring through all the log data – I salute you. Those of you that haven’t yet run this gauntlet should know that the days after the discovery of a data breach are a mélange of panic and discord. Following are some techniques to coordinate the chaos.
Build a timeline: More important than any other effort you engage in – as you embark on the forensic investigation – is the construction of a timeline about how everything went down. This is the information that your executive, legal and PR teams need the most.
Before you start any other work, those first few hours should be about preparing a coherent method of delivering information up the command chain, which means a timeline with details a business audience can understand. Put one person in charge of nothing else but managing this document, but make it visible for the rest of the team to spot discrepancies or submit changes as new information arises.
Build a map: Hand in hand with that timeline, you will need to create a visual representation of what was done and where. Show the attackers’ path through the system, your business processes and your data.
Don’t jump to conclusions: You’re going to see your attacker making leaps between systems that (at the time) could only be explained by psychic powers or extreme amounts of insider information. Just assume, for the time being, that there’s a simple explanation for this.
Now for the one that is perhaps hardest to accept. Don’t be afraid to carry out seemingly drastic reactions for ‘small’ breaches – that is, unless you have packet-by-packet analysis of everything an intruder did and saw, you’re better off safe than sorry. Forcing everyone in the company to change their password is a small price to pay, in comparison to an attacker coming back a few weeks later after cracking thousands of valid credentials.
When a data breach occurs, damage to information and systems has already occurred; the damage to a company’s reputation and corporate culture is just beginning. The biggest risk mitigation on your plate right now is don’t panic and make things worse. A few inept keystrokes can make the difference between finding the smoking gun and erasing vital evidence forever.
The timeline and map are keys to making sure no stone is left unturned. It may seem that intruders have already taken what they needed, but there is still a chance they left a few doorways to return through later. The timeline and map will be guides to finding blind spots – the places where you have not yet looked – to ensure, for the time being, you have closed the re-entry doors. You can bet money on being asked to prove this to your command chain; it’s best to have an answer prepared. Identifying how the attackers planned their assault is a vital part of the post-incident learning process. After an investigation of what went wrong, you will often find that what at first appeared miraculous becomes ordinary in hindsight.
Breaches of enterprise information systems are inevitable. Compartmentalization of data is vital to truly minimize the ROI for attackers. One person, one account, or one access role should never hold all the keys – separation of duty is a crucial concept. Think of the myth of the Coca-Cola, which only allows two executives to know the recipe, and each only possesses half of it. Look at the most vital corporate data you have, and find a way to break it up into different systems and stages. I can’t tell you how to do this, but it should be part of any mature risk management program.
To truly minimize the damage during a breach, follow the example of the medical profession: ‘first, do no harm’. Stop the bleeding, create time to breathe, and think. The damage an organization can do to itself during the discovery and investigation of a breach can far outlast the pain of a few copied gigabytes.
Conrad Constantine is a Research Team engineer with AlienVault. His early background in searching for forbidden knowledge, pushing computing hardware to its limits and a nose for the truth, made him a perfect fit for a career in incident response. For over a decade and a half, he has been on the front lines of defense work, including being at ground zero for the 2011 RSA SecurID breach. Constantine is a firm believer that incident response must become an accessible and effective discipline available to all, and he works on bringing the mysteries of open-source intelligence generation and defensive agility to those willing to take the leap from fear to action.