If you came home to discover your home had been broken into, would you clean up the evidence while waiting for the police to arrive – restoring your home to how it was pre-break in? Hopefully, the answer is ‘no’. And not just insurance reasons.

Preserving the scene of the crime is crucial to learning how the criminal got in and the full extent of the damage.

Without a thorough investigation, you could end up buying new locks for your doors when the burglar actually entered through the windows. This would leave you no safer than before as they could easily continue exploiting the same weakness to your home security.

Too Close to Home

The same logic applies when dealing with data security. Just switch out ‘home’ for a cloud environment and personal belongings for your data.

It’s natural to panic after discovering a breach, especially when you consider that the intruder may still be in the network. The knee-jerk reaction is to eradicate the affected part of the network, pull the plug on your server or do something even more drastic.

However, this might do more harm than good, as any evidence of how the breach occurred will be swept away as well – limiting the effectiveness for any post-breach forensics. This leaves your company with a network that has the same vulnerabilities as before and the threat actor with a reliable way back in.

What you should do instead:

If you’re in this situation, then we can assume you’re responding to alerts from the indications and warnings team (I&W) monitoring your network. They’ve hopefully ruled out any false positives and logged the all of the suspicious activity.

All of this should paint a clear picture that you have in fact been breached.

What you do next will ultimately depend on the scope of the breach and can take multiple paths, however, there are common processes that everyone should adhere to.

The response to any breach should follow six basic points:

  1. Get out your IRP
  2. Assemble your team
  3. Preserve artifacts
  4. Stop the bleeding
  5. Return to normal operations
  6. Apply lessons learned

Excerpts from our upcoming whitepaper:

Our upcoming whitepaper, Oh #@$%! You’ve Been Breached, goes in-depth on each step of the response process. We’ll be sharing excerpts of this paper during the next three weeks. For this first blog, we’ll cover steps one, Get out your IRP, and two, Assemble your team. Be sure to check back every week as we share these insights on threat response and mitigation.

Get out your IRP

Your IRP is a complete roadmap that includes standard measures that are adapted with the help of your security provider to the unique needs of your company. Since a breach involves a number of legal issues, your IRP should include specific steps that must be followed so that your organization will be in a position to withstand any legal actions that might be taken with regard to lost or stolen data. Because every company is different, the legal issues relating to your organization and your industry will also be different. For example, companies that are in the financial services or e-commerce fields must meet the requirements for PCI compliance; healthcare organizations, meanwhile, must comply with HIPAA guidelines.

Assemble your team

The members of your incident response team are spelled out in your IRP, so there’s no need to scramble to recruit people. The team members may come from either inside or outside your organization. And because you’ve lined up the team ahead of time, each member understands his or her responsibilities and the importance of collaboration with other team members. The team should include:

• Security experts, including the director of your Security Operations Center
• IT managers who understand the data and applications
• Marketing officers, to assure your brand does not suffer
• Lawyers who are knowledgeable in matters relating to breaches
• Business stakeholders
• Contractors or third-party providers
• Compliance officers


Next Week: Preserve Artifacts and Stop the Bleeding