What should you do if you discover your accounts or systems were hacked? Security breaches come in many forms, dictating the context of your response.
For example, discovering that someone hijacked your email and is spamming your contact list differs from realising bad actors are lurking in your company systems (and may have been there for months). How you discover the breach also makes a big difference: noticing a few odd emails on your account is not the same as receiving a ransom note after someone encrypts your data. And your response will depend significantly on whether you have an incident response plan.
Each breach situation is unique. But there are fundamental steps and best practices that apply to most, sometimes all, breaches. This blog will look at those baseline choices.
How to respond to a breach
There are four fundamental responses to every breach situation:
Don't panic: A breach puts you on the defensive, and every defensive posture needs a cool head. This is the primary reason to have a predetermined response plan: it reduces panic. Stay collected, then take the next step. Do not reactively start ripping out network cables or restarting machines unless it is part of a measured and tactical response. Other people WILL panic, so be prepared to be the level-headed one in the room. And don't forget: cybercriminals leverage your emotional response before, during and after an attack.
Determine the type of attack: This step might be hard to cover conclusively early in the breach discovery, but it will inform how you contain the attack. For example, if someone took control of your social media accounts, you know to change those passwords. If it's a ransomware attack, disconnect the infected systems from the network; bring crucial but untainted systems back online only once the initial access gap has been identified or closed and lateral movement has been mitigated, or restore to a DR environment. Depending on the security detection systems or partners you use, you may have additional indications of the attack. Whatever is available, use it to inform your quarantine actions.
Quarantine: Once you have a sense of the attack, you can try to isolate it. In most cases, you should rotate the credentials of the affected accounts, including administrator passwords, certificates and Kerberos credentials. Isolate affected systems by taking them off the network, but do not shut down or restart the machines, as that can destroy crucial volatile evidence. Also, draw your wagons around crucial 'crown jewels' systems and accounts. Assume the cybercriminals are after those systems, or already have those accounts in hand; an incident response plan should include a list of such systems and accounts.
Alert necessary parties: This is listed fourth, but it is one you should activate from the start, prioritising who needs to be informed. Security and incident response teams must be activated immediately, and you should also notify business leaders of the breach as soon as possible. If the breach targets outsiders, such as your contact list, be prepared for many confused incoming calls and emails. Also, notify your contacts of the situation so they can avoid spreading the attack. If the attack is against your business (as opposed to a personal account), your company may also have to notify regulators - discuss this with your legal experts.
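For the quarantine step above, here is an added example (not code from the original post) of the order of operations on a suspect Linux host: capture the volatile evidence first, then cut network access without a reboot. It assumes bash, coreutils, procps and iproute2, and root for the real isolation step; the DRY_RUN=1 default is an assumption of this example and only prints the isolation commands.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): snapshot volatile state on a
# suspect Linux host, then isolate it WITHOUT a reboot so memory-resident
# evidence survives. Assumes bash, coreutils, procps, iproute2; root for real
# isolation. DRY_RUN=1 (default, an assumption here) only prints commands.
DRY_RUN="${DRY_RUN:-1}"
# Capture what a reboot would destroy, before touching the network.
# Each collector is best-effort so a missing tool does not abort the capture.
collect_volatile() {
  local out="$1"
  mkdir -p "$out"
  date -u +%Y-%m-%dT%H:%M:%SZ > "$out/collected_at.txt"
  ps -eo pid,ppid,user,lstart,args > "$out/processes.txt" 2>/dev/null || true
  { ss -tunap 2>/dev/null || netstat -tunap 2>/dev/null; } > "$out/sockets.txt" || true
  who -a > "$out/sessions.txt" 2>/dev/null || true
  ip -o addr > "$out/interfaces.txt" 2>/dev/null || true
  # Hash the capture so it can later be shown to be unaltered.
  ( cd "$out" && sha256sum *.txt > SHA256SUMS ) 2>/dev/null || true
  echo "$out"
}
# Interfaces that isolation would bring down: everything except loopback.
isolation_targets() {
  local path ifc
  for path in /sys/class/net/*; do
    [ -e "$path" ] || continue
    ifc="${path##*/}"
    [ "$ifc" = "lo" ] || echo "$ifc"
  done
}
# Take the host off the network but leave it running: powering off or
# rebooting is exactly what loses the evidence collected above.
isolate_host() {
  local ifc
  for ifc in $(isolation_targets); do
    if [ "$DRY_RUN" = "1" ]; then
      echo "DRY_RUN: ip link set dev $ifc down"
    else
      ip link set dev "$ifc" down
    fi
  done
}
main() {
  local out="${1:-/tmp/ir-$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ)}"
  collect_volatile "$out"
  isolate_host
}
# Usage: ./ir-quarantine.sh run [output-dir]
if [ "${1:-}" = "run" ]; then main "${2:-}"; fi
```

Credential rotation (the other half of the quarantine step) is deliberately left out: it happens on the identity provider, not on the compromised host.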
The breach devil in the details
The above four steps are necessary yet not all-encompassing. In all breach events, preparedness is the best response. You should know several things before a breach occurs:
The importance of different systems and their security risks.
How the systems integrate into local or external authentication.
How these systems are segregated (or not) from other networks.
Ingress and egress traffic flows, choke points and logging mechanisms.
The status of user accounts and their different sensitivity/access levels, including partner, guest and admin accounts.
The status of security measures such as multi-factor authentication and user training.
Discovery and visibility of appliances on your network and externally.
The security status of integrations and product suites.
The patching status of systems.
Knowing these details will drastically reduce the time to uncover and stop a breach and get business systems back online.
You'll know these and other details if you created an active and periodically tested incident response plan, exercised through appropriate attack simulations, tabletop exercises and purple teaming. You'll also be more likely to have invested in early detection and reporting systems such as EDR (Endpoint Detection and Response), SIEM (Security Information and Event Management) and DLP (Data Loss Prevention). Creating a response plan will also help determine which security systems best suit your environment.
Prevention is better than cure. Responding to a breach is like medical triage and ending up in the emergency ward. How well and fast (and affordably) your systems recover from the attack depends on your incident response preparations.
The initial four steps will always matter. But how well they perform depends on your preparedness. Don't skimp on that. Work with a security partner like Performanta and ensure that if a breach occurs, it'll soon be the hackers who start to panic.