Posted by Kevon Graham
Why it may be time for an Incident Response Plan
Incident Response Mechanism
Imagine, your company has just been hit by a massive data breach compromising your employees, customers, partners and your own company’s information. You may find yourself asking the questions what should you do next? How do you know the full extent of the breach? Do you have the right resources to address this issue? Do you have a structured plan to effectively investigate the attack and ensure that your systems recover sufficiently? If you’re a bit unsure of the answers to these questions it may be time to discuss an Incident Response (IR) Plan.
Your company is neither too big nor too small to be victims of a breach. In the era of digitization where more and more data is being converted digitally for ease of access and efficiency, companies are now faced with the constant threat of data breaches. Over the past three (3) years, thousands of businesses worldwide have experienced some level of a breach, with many of them going unreported. This can be attributed to the exponential growth in the importance of data assets and their perceived value to malicious actors.
What is a data breach?
A data breach is an event in which resources containing sensitive information such as medical records, financial information, trade secrets or any other valuable information are compromised electronically or physically, putting them at risk. Such breaches can be classified as malicious or criminal attacks, system glitches or human error.
Attackers take advantage of companies they believe to have high-value information as well as weakened IT controls susceptible to attack. In addition, countries with limited data protection legislation, have been known to be a haven for attackers.
“From a study conducted by the ponemon institute on data breaches in top companies across the globe, the average cost of a data breach is USD 3.8 million reported in their 2018 Cost of Data Breach Study.”
Causes of a breach
There are many ways a data breach can occur a few of which may include but are not limited to:
- Inadequate assessment of risk exposure
- Lack of data protection policies, framework and/or legislation
- Lack of data encryption throughout the lifecycle (at rest, in use and in motion)
- Poor data management practices
- Absent of data loss protection/prevention tool
- Outdated and/or unpatched devices or systems
- Unaddressed vulnerability reports
- User errors or improper data disposal
- Untrained staff/social engineering
- Disgruntled staff members
Before having to deal with an attack, you should have an effective incident response plan which outlines how to respond to a data breach. This plan should consist of an incident response team comprised of key individuals internal or external to your organization. The sole responsibility of this team is to guide your organization back to a secured state. Your plan should consist of a framework outlining the steps for recognizing a data breach has occurred and what key activities the team should undertake in response to prevent the recurrence of a successful attack. New attacks continue to emerge as the race for discovering zero-day attacks remain a priority for both security professionals and malicious actors alike. As a result, a plan should always be in place to deal with the eventuality of an attack or the loss of data.
Management of Detection and Response to Perceived Attacks
In the event your company’s systems have been breached, the first thing you should do is to stop the attack in its tracks by identifying the specific area(s) that have been compromised, then contain and isolate these systems as soon as possible. Once this is complete, eliminate the threat to prevent the attack from causing further damages to your environment.
A comprehensive forensic analysis should follow the attack, examining system logs for the series of events leading up to the discovery of the breach. This is very important to gain traction on how the breach occurred, the methods used and if dormant malware exists for future attacks.
To reduce the damage to reputation that usually follows a breach, regulating entities if applicable and affected parties, should be notified as soon as possible. A breach of any size can lead to a reduction of your organization's customer base and a mass exodus of existing partnership relationships. As a result, a data breach in your organisation should be addressed and acknowledged promptly making the unauthorized release of information less damaging. However, seeing that a data breach is not always the end of the world, there should be a plan to harden your security controls around the compromised systems after an attack so your business can return to normal operations.
By studying the attack from the resulting breach, weaknesses in the IT security infrastructure and controls should be identified and the necessary adjustments made to reduce future attacks. This should also give insight into how the Incident response plan can be improved upon with the new information and also how the security posture of the entire organization’s IT infrastructure can be upgraded. Responding swiftly is important, by ensuring that appropriate forensics and investigative activities take place and a comprehensive report or updates are provided to the relevant stakeholders.
While these steps are a guideline for creating an incident response plan for your organisation, they are not the only methods for setting up a comprehensive plan as steps may vary according to your organisation’s needs. It is, however, important to note that your organisation should have a plan in place as a part of the overall security posture of your IT resources.
Topics: Information Security
Kevon Graham is an Information Security Consultant at Symptai Consulting. He is currently completing his B.Sc. in Computing majoring in Computer Science at the University of Technology Jamaica (UTech). He is a member of the Institute of Electrical and Electronic Engineers (IEEE) where he served at the Student Chapter at UTech as head of Ethics as well as a member of the Software Team. Kevon has represented the University at IEEE’s annual regional conference, Southeastcon, in 2017 as honorary finalist in the Student Technical Paper Competition. As a part of his interest in computer security, Kevon participated in a remote study at the University of North Carolina Chapel Hill, where he engaged in activities in Reverse Engineering and Offensive Security.