GlobalSign Blog

The 5 Steps of Incident Response

The 5 Steps of Incident Response

Looking from the Perspective of a Data Breach

Wargames are useful the world over, providing the opportunity to refine strategies, test processes and optimize execution. This is certainly true when it comes to Business Continuity Planning and Disaster Recovery. Given the current threat landscape with the increasing level of cyberattacks, we wanted to share how we would potentially handle an incident response, in order to give our customers and clients a view of how they might want to handle their own should they fall victim to such an attack.

Planned Response and Defined Resources

There is an old Samurai saying: “matters of great concern should be treated lightly”. At first reading this might seem counter-intuitive, however the spirit of this is that when dealing with important matters your actions should be pre-planned; use the times of calm to think through and plan your responses. In an organization or business this can be translated as disaster planning.

Prepared business continuity, disaster recovery and incident response processes are all areas that should be discussed and agreed prior to an event occurring.  Defining these processes gives you a framework to respond to an incident in a timely and calm manner. These plans should not be locked away, but shared with stakeholders in the organization so that everyone is aware of the steps and how they will be executed, saving a lot of time if an incident does indeed occur.

In the case of a data breach your organization should outline the steps that you will need to undergo in order to react. You should have identified a dedicated resource for example an incident manager, who is fully aware of response procedures so they can lead the response if and when the time comes. In our case this is our Security Manager. As an incident can happen at any time, this member of staff will have to be prepared at all times and ready to react at any time of day (or night).

Preparation being the first key step, what are the remaining steps if we consider a data breach scenario?

Stop Anything Further from Being Removed

There are many ways in which data could end up on the wrong side of an organization’s security boundary. For example, it could be ‘simple’ human factors – a stolen laptop or misplaced USB drive. Here training and technical controls should be used to limit exposure. A more complex example is a targeted hacking attack whereby an attacker accesses your organization's systems in order to steal information.

You can already see that the detail of the response is dependent upon the scenario. For now, we’ll consider a targeted hacking incident. 

The first priority is to prevent any further data access or loss. This will mean blocking the communications channel that the attacker is using and could be as fundamental as cutting internet access. You need to ensure that nothing else can be added or removed.

Find Out What Has Happened

Once you have stopped them accessing your system(s), you need to know what they have done and where they have been.

This is where logging is key. Your servers and systems will all provide logs that can be configured to report from very little to almost everything. Making sure you have this logging correctly configured and being saved to a secure location is paramount to being able to gain maximum insight into various events.

It is recommended that smaller companies engage a security or IT consultant to define and implement best practice approaches to keep yourself protected. A good IT consultant will ensure you have strong separation between data sets, measures in place to quickly cut access to outsiders and separation between business identities. For example, sales data should only accessed by sales and accounts only accessed by accounts etc. This ensures that if there is a data breach to sales data, you minimize the risk of a breach to accounting data.

In larger and more security conscious organizations, stronger security measures will be in place. Because security is so important to us, we run active monitors on all of our internet connectivity points so should we ever need to, we are able to go back to the monitors and understand what has been transferred bit by bit. We are able to get a very precise understanding of commands run and obtain a detailed list of data that has been compromised.

Don’t just consider what might have been taken; look for what could have been left as well. It is entirely possible that new back doors could have been created during the attack for future use.

Understanding the Consequences of Data Going Public

In planning a response to a data breach, an organization must understand the value of its data and the consequences of the data going public. This will vary from organization to organization.

If there is any personal identifiable information (PII) that is stolen, you will need to consider who to notify. In larger companies there should always be a data protection officer who oversees the use of all private data and is aware of the impact that its theft can have in each region. Regional awareness is key due to the variations in data privacy laws.

An organization has a responsibility to inform those affected about a data breach. The biggest risk follows from being unable to determine what was taken and having to assume that all data on compromised systems has been accessed and is now in the public or your competitor’s domain.

Rebuilding, Backup and Recovery

Recovery is very much dependent on what happened during the incident.

It may be that the breach was tightly constrained, for example a website CMS hack, or a social media hack. The next steps would be to find out how the hackers got access so you can fix the vulnerability and prevent the event from happening again, followed by restore everything and resetting passwords.

For example, it could be that a misconfigured firewall setting was exploited in order to access the website’s CMS and change information on the company website; you would correct the configuration, restore your systems, recover the website and restore internal systems to a previous backup point. You would then reset passwords and if required, communicate the attack to the relevant bodies.

Once the incident is mitigated, a review of the incident response process will certainly be in order, as there are sure to be areas that were not covered or could not be handled as anticipated.

Now that our CTO has given you tips on responding to an incident, what can you be doing to prevent one? GlobalSign provide the identities that power the Internet of Everything. To find out more about how we can protect your organization with Digital Certificates, PKI and Identity and Access Management, visit our website today.

Share this Post

Recent Blogs