Responding to a breach
1. Isolate the affected machines from the network. Isolate at the network level (disable the switch port, move the host to a quarantine VLAN or block it at the firewall) rather than powering it off, because a power-off destroys the memory contents that step 2 may need. In extreme cases it may be necessary to take the entire company infrastructure offline for a time, both to stop the intruder reacting to your activity by jumping to another machine and to confirm that every affected machine has been identified.
2. Recover audit logs and other evidence of the intruder's activity for later inspection and analysis. If a server or other machine that is not normally restarted is affected, consider whether you also need a dump of its memory (RAM): running processes, open network connections and decrypted material live only in memory and are lost on reboot, so capture it before anything is restarted. It may be necessary to engage a forensic computer analyst to ensure that evidence is preserved in a way that will stand up in a potential prosecution.
3. Restore systems and data. Bear in mind that in most cases the intruder will have been on your network for weeks or even months before detection, so recent backups and "known-good" images may already contain the intruder's tools or changes; restore from a point that predates the intrusion, or rebuild from trusted media.
4. Analyse the breach. Consider the following questions:
   - What are the details of the breach?
   - What was compromised?
   - Which avenues of attack were used?
   - How was it detected?
   - What systems were accessed?
   - Was data taken or potentially modified?
   - What other systems, data or users may be affected?
   - Is there evidence suggesting the motivations of the intruder?
5. Inform relevant stakeholders. Involve specialists (such as Data Protection Officers), regulators (where required) and auditors early in the process to avoid unnecessary back and forth and the potential loss of critical evidence.
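The two technical steps above, isolation and evidence preservation, are the ones a first responder actually has to type. The script below is an added example, not code from the original article or from Deloitte: it prints (rather than applies) iptables rules that cut a Linux host off from everything except the incident-response workstation so the machine stays powered on with its memory intact, then collects volatile evidence in order of volatility into a per-host directory, hashes every artifact and writes a manifest so later tampering is detectable. It assumes a POSIX shell with coreutils `sha256sum`, a `/proc` filesystem, a writable evidence location and an IR workstation address supplied by the responder; the memory image itself needs a kernel-matched acquisition tool and is recorded as an open item rather than taken here.

```bash
#!/bin/sh
# Added example for steps 1 and 2 (not from the original article):
# first-responder triage of a Linux host. Isolation rules are printed for
# review rather than applied (applying them needs root and sign-off), and
# volatile evidence is collected into a per-host directory, hashed, and
# listed in a manifest so later tampering is detectable.
# Assumptions: a POSIX shell, GNU/busybox coreutils (sha256sum), /proc,
# and an IR workstation address supplied by the responder.

EVIDENCE_ROOT="${EVIDENCE_ROOT:-${TMPDIR:-/tmp}/ir-evidence}"  # assumed writable

# Print iptables rules that isolate the host from everything except the IR
# workstation, so it stays powered on (RAM intact) yet cannot be used to
# reach other machines. Review the output, then apply it as root.
isolation_rules() {
  ir_host="$1"
  printf 'iptables -P INPUT DROP\n'
  printf 'iptables -P OUTPUT DROP\n'
  printf 'iptables -P FORWARD DROP\n'
  printf 'iptables -A INPUT -i lo -j ACCEPT\n'
  printf 'iptables -A OUTPUT -o lo -j ACCEPT\n'
  printf 'iptables -A INPUT -s %s -j ACCEPT\n' "$ir_host"
  printf 'iptables -A OUTPUT -d %s -j ACCEPT\n' "$ir_host"
}

# Run one collection command, keeping stdout+stderr and the exit status.
# A missing tool on the host must not abort the rest of the collection.
capture() {
  dir="$1"; name="$2"; shift 2
  if "$@" > "$dir/$name.txt" 2>&1; then status=0; else status=$?; fi
  printf '%s exit=%s\n' "$name" "$status" >> "$dir/collection.log"
}

# Collect volatile data in order of volatility (clock, processes, network
# state, users, mounts), then hash every artifact into a manifest.
collect_volatile() {
  host=$(uname -n)
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  out="$EVIDENCE_ROOT/$host-$stamp"
  mkdir -p "$out" || return 1
  : > "$out/collection.log"
  capture "$out" date_utc  date -u
  capture "$out" uptime    cat /proc/uptime
  capture "$out" processes ps -eo pid,ppid,user,args
  capture "$out" sockets   sh -c 'ss -tunap 2>/dev/null || netstat -tunap'
  capture "$out" logged_in who
  capture "$out" mounts    cat /proc/mounts
  capture "$out" arp_cache cat /proc/net/arp
  # Memory image: acquire with a kernel-matched tool (for example avml or
  # LiME) before any reboot. Not done here; recorded as an open item.
  printf 'TODO: acquire memory image before reboot\n' > "$out/README.txt"
  ( cd "$out" && sha256sum *.txt collection.log > manifest.sha256 )
  printf '%s\n' "$out"
}

# Re-verify the manifest; a non-zero exit means an artifact has changed.
verify_evidence() {
  ( cd "$1" && sha256sum -c manifest.sha256 ) > /dev/null 2>&1
}
```

Run it as root on the affected host, copy the evidence directory off over the one channel the isolation rules leave open, and record the manifest hash with the responder's name and time; `verify_evidence` run against the copy then proves nothing changed in transit. Collection deliberately happens before any restart, and the manifest is written last so that it covers every artifact including the collection log.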
Prevention and preparation
As the pace of innovation in information management and technology keeps accelerating, a breach becomes a matter of when, not if. The when can, however, be significantly delayed, and the impact of an attack reduced, through the following key steps:
- Continuously educate end users and IT response staff. The most likely avenue of attack is the exploitation of an unwary user through social engineering, such as phishing (emails that try to induce the target to click a malicious link or open a malicious attachment) or vishing (phone calls that try to induce the target to disclose sensitive information).
- Prioritise installation of security patches. Security patches and antivirus definitions are by nature reactive and cannot protect against zero-day attacks, but most breaches exploit well-known issues, often identified years earlier, that were never addressed because of compatibility concerns, failed patch jobs or outdated hardware. Verify that a patch job actually completed on every target rather than assuming it did.
- Prepare for an attack by performing a business impact analysis, threat simulation and regular incident response training and simulations. Knowing what to do in an emergency goes a long way toward getting it done effectively and efficiently.
- Keep an orderly house on your data and applications. A data classification policy and process, together with an information asset management policy and process, help ensure that data is not unnecessarily stored or duplicated in potentially exposed areas of your network, and let you determine much faster what was potentially compromised in an attack. Most data privacy laws (such as GDPR and POPI) require that personally identifiable information only be obtained, processed and stored under strict rules, but the same discipline should be applied to company data, as this is what your business runs on.
Cyber criminals go for easy targets first. The actions suggested above, while certainly not an exhaustive list of information security controls, may be enough of a deterrent to direct criminals away from your company. Deloitte can help you overcome these challenges, as we have experienced and specialised resources to deal with this type of situation.