Incident Response

Incident Response: We’ve Been Breached – Now What?

It’s a common scenario and one every enterprise should be ready for: you’ve just learned your business has experienced a data incident, now what? However your data has been compromised, if it involves enterprise or customer assets (or both), regardless of the attack vector—which may be unknown at the outset of an incident—your response should be structured, efficient and rapid.

Here’s what your “Now what?” should look like.

Incident Response Basics – NIST Computer Security Incident Handling Guide

A picture containing drawing

Description automatically generated
NIST Incident Response Life Cycle, p. 21 Figure 3-1

The National Institute of Standards and Technology (NIST) has respected and oft-emulated guidelines for incident response. Many organizations use NIST guidelines by the book, or similar guidelines developed using NIST as a basis for action. The NIST incident response life cycle includes four elements:

1. Preparation is a two-pronged operation: incident prevention works hand-in-hand with establishing an incident response capability, although typically different teams handle each program. Primary practices for both prevention and response include:

  • Risk assessments
  • Host security
  • Network security
  • Malware prevention
  • User awareness and training

2. Detection & analysis determines the response strategies deployed in a given incident response. Understanding attack vectors can provide a basis for activating specific handling procedures, according to a pre-developed action plan. Some of the most common attack vectors include:

  • External/removable media
  • Attrition
  • Web
  • Email
  • Impersonation
  • Improper usage
  • Equipment loss or theft

3. Containment, eradication & recovery strategies are activated according to analytic criteria: What is the potential damage? Can evidence be preserved? What services are available? How much time and what resources are required? What is the solution duration? All actions should be accomplished in a phased approach that prioritizes remediation steps.

4. Post-incident activity engages processes aimed at learning and improving, which are critical in creating a framework for continual improvement of security response. Collecting incident data allows for both subjective and objective assessment exercises, to better understand what worked and what didn’t. Preserving evidence is required for not only potential prosecution, but also compliance purposes. If notification of all stakeholders (including the general public, in most instances) has not already occurred, that should be completed now.

NIST Incident Handling Checklist

NIST guidelines helpfully condense incident handling into a convenient checklist of actions to be engaged across the process spectrum, from detection through to lessons learned. This is an invaluable tool to help guide response preparation, planning, handling and resolution.

Detection and Analysis
Determine whether an incident has occurred
 Analyze the precursors and indicators
 Look for correlating information
 Perform research (e.g., search engines, knowledge base)
 As soon as the handler believes an incident has occurred, begin documenting  the investigation and gathering evidence
Prioritize handling the incident based on the relevant factors (functional impact, information impact, recoverability effort, etc.)
Report the incident to the appropriate internal personnel and external organizations
Containment, Eradication, and Recovery
Acquire, preserve, secure, and document evidence
Contain the incident
Eradicate the incident
 Identify and mitigate all vulnerabilities that were exploited
 Remove malware, inappropriate materials, and other components
 If more affected hosts are discovered (e.g., new malware infections), repeat  the Detection and Analysis steps (1.1, 1.2) to identify all other affected hosts, then  contain (5) and eradicate (6) the incident for them
Recover from the incident
 Return affected systems to an operationally ready state
 Confirm that the affected systems are functioning normally
 If necessary, implement additional monitoring to look for future related activity
Post-Incident Activity
Create a follow-up report
Hold a lessons learned meeting (mandatory for major incidents, optional otherwise)
NIST Computer Security Incident Handling Guide, p.42 Table 3

Study in Incident Response Success: Chili’s

A store front at day

Description automatically generated

What does a NIST-guided approach to incident handling look like? Chili’s might be famous for its baby back ribs and Awesome Blossom’s, however it’s equally deserving of merit for its response to a potentially devastating data breach in 2018. What did they do right? Just about everything:

  • Brinker International, the Chili’s chain operating entity, discovered the breach on May 11. They made an announcement to the public on May 12, sharing what they knew and (importantly) what they didn’t yet know – that level of swiftness and transparency established an immediate relationship of trust with potential victims and the public.
  • “We immediately activated our response plan upon learning of this incident,” Chili’s said, which included a forensics audit that revealed the incident took place more than a month earlier and “may have resulted in unauthorized access or acquisition of [customer] payment card data.” Mishandled discovery and investigation can cripple an effective response effort, so this created a strong foundation to build on.
  • Brinker contracted a third-party forensics specialist to manage the response and notified law enforcement immediately. Where many enterprises try to go it alone in these situations, typically in a misguided attempt to keep a lid on the situation, Brinker recognized the need for a diverse, expert, highly structured response and valued communication and collaboration in their process.
  • Recommendations and continuous action were accomplished as part of the remediation process. Chili’s recommended customers review their credit reports and notify relevant agencies and organizations of suspicious activity. Brinker filed a Form 8-K with the US Securities and Exchange Commission, which is used to notify shareholders of a significant event. They also set up a notification site dedicated to sharing news, information about the incident and their response, and a customers/potential victims FAQ.

Brinker’s successful incident response ensured that damage was minimized, especially to the Chili’s brand and customer loyalty, recovery was rapid, and baby back ribs with a side of Awesome Blossoms were back on the menu.

Study in Incident Response Failure: Equifax

Analyzing a bungled response can be more illuminating than reviewing a success story – hello Equifax! Let’s take a look at the low lights of how that company managed response to its notorious breach of November 2017:

  • The full scope of the breach – exposure of the personal data of up to 147 million Americans – was withheld from customers, regulators and the media. Instead, a slow drip of increasingly dire revelations created the impression of a snowballing catastrophe and a crisis the company was unable to get ahead of.
  • Company officers who knew the details of the breach and its potential severity sold their stock in the company before the incident was announced.
  • A separate support website outside the corporate domain was created to inform potential victims and connect them with remediation resources. This website was itself riddled with serious security flaws, and relocating outside the corporate domain spotlighted a lack of trust and accountability.
  • Equifax mistakenly tweeted a phishing link four times, instead of the correct support website.
  • When the company finally revealed that the breach had been caused by an unpatched server targeted by a pervasive security flaw, the company lost its final chance to rally trust in its security and response processes.

Equifax botched its response from the outset, which has led to an endless cycle of lawsuits, prosecutions, bad press, a $425 million settlement, and irreversible reputational damage (assuming that credit bureaus have positive reputations capable of sustaining damage, which is not an iron-clad argument). Other than those issues, everything went fine!

It’s Not If, It’s When You Will Suffer an Incident

The threat environment for enterprises is perilous and relentless: most organizations understand that experiencing a data breach incident is not something that’s a matter of bad luck or circumstance, it’s a given.

Preparation is crucial to meeting these moments: planning your response in the midst of a crisis is exponentially more challenging and prone to failure than having a response procedure and resources ready when the time is at hand. Having that response procedure ready can enable you to make informed, sound decisions that pay off and return you to a baby back ribs state-of-mind.

As NIST points out, preparation is everything. For a limited time, SecurIT360 is offering a free cyber security scorecard to provide businesses a snapshot of their cyber security posture. Your organization can use its scorecard results to understand if some basic vulnerabilities exist and make adjustments before a breach occurs.