A routine security check indicates that an intruder circumvented your security measures to steal valuable data. No need to panic, just yet. First, you need to consult your incident response plan. Wait… You don’t have an IR plan? Okay, now it’s time to panic!
By crafting a detailed incident response plan before a breach occurs, you can reduce anxiety and stay focused on the issues that are most important. But frequently, IT admins face resistance from upper management in allocating resources to develop an IR plan. You may have to convince your superiors that a poorly-planned response can seriously harm your company’s reputation, costing far more than the resources required to implement a proper policy. This is a good time to pull out those chart making skills to demonstrate exactly what’s at stake.
To help get your IR plan off to a good start, it’s wise to read through the Department of Justice guide to Best Practices for Data Breach Response. The specifics of your response plan will depend on many factors that are unique to your organization, but most IR plans follow a similar general pattern.
1. Eradication of Threat
You may need to reroute traffic, implement a network filter, or isolate part of your network to halt the incursion. Obviously, this should be done quickly!
Once the traffic ceases, it’s important to take an image of your systems to store offline for later analysis. Not only can it be helpful in researching the cause, but it may be critical to law enforcement or your company’s legal team. (And it’s always a good idea to stay on the good side of the law!)
Then examine your systems for any damage, such as malicious code that was injected.
Pro tip: Hackers often use base64 encoding to disguise their work, so one of the easiest ways to scan your files and databases for malware is to execute a search for base64. This is a good time to temporarily take your servers offline and check for rootkits as well.
You might discover that the hacker’s code is present in previous backups. You should have a range of backups that allow you to return your files to a time before the intrusion, and you should keep the infected previous copies as a time log.
2. Restore Service to Customers
When you are confident that you can safely restore traffic, it’s important to get affected systems running again as quickly as possible. Customer perception is highly impacted by how quickly you can restore service. It’s a good idea to have a packet or port monitoring system in place that can be quickly deployed as soon as service is restored.
3. Lock Down Against Similar Breaches
Being hacked twice through the same vulnerability might be considered a lack of reasonable precaution, so we don’t want to go there. Spend time researching all of the weaknesses that led to the breach, and ensure that each is corrected. Some areas of research include:
- Open, but unnecessary, network ports
- Weak passwords or outdated encryption
- Inadequate filtering on database inserts
- Software that isn’t up to date on security patches
In addition, some of your software may have natural vulnerabilities that need to be accounted for with the setup of your infrastructure. Usually, this takes the form of server permissions that need to be customized for your particular situation or ports that must remain open on your internal network but closed to external access.
4. Notify Stakeholders
This can be a very delicate issue. You have to report what happened, but it’s just as important that you don’t over-communicate. This is no time to jump to conclusions or point fingers. Stakeholders will be looking at every word for the context.
One critical consideration is whether or not to contact law enforcement. If your organization’s legal team determines that criminal activity is involved, they may wish to involve the authorities. In this case, detailed logs and system images are critical. Don’t delete anything!
5. Reflect and reevaluate your response for future Incidents
Incident response needs to be constantly evolving in order to be most effective. Are there ways to improve monitoring? Is it possible to respond faster or more effectively if something like this happens again?
Finally, keep in mind that despite your best efforts to secure your systems, they still can be breached because there’s only so much you can do. Be well prepared for when the inevitable happens so you and your organization can recover quickly.
A positive attitude (and some solid training) will help ensure that your effectiveness will be at its peak. There will be plenty of time for reflection and forensic analysis later. Your focus on blocking the breach and restoring service will reduce the impact in the eyes of your customers, and will demonstrate to your superiors that even when the situation seems hopeless, you have what it takes to shine!
Not a CBT Nuggets subscriber? Start your free week now.
CBT Nuggets has everything you need to learn new IT skills and advance your career — unlimited video training and practice exams, virtual labs, validated learning with in-video quizzes, accountability coaching, and access to our exclusive community of professionals.
Learn more about the CBT Nuggets Learning Experience.