Planning Your Breach Response

A data breach can shut down your company for a critical length of time, sometimes forever; it can certainly put your financial future at risk and, in some cases, it can even land you in jail. But none of that has to happen because, if you plan correctly, you and your company can recover and continue in business, sometimes within minutes. Ultimately, it all comes down to planning.

Last week, we discussed how to prepare for a data breach. Assuming you did that before your breach happened, your next steps are reasonably straightforward. But one of those preparedness steps was to create a plan and then test it. And, yes, that's going to take a significant amount of work.

The difference is that the advance planning done before any breach is intended to minimize the damage. After the breach, the plan needs to focus on the recovery process and dealing with aftermath issues, assuming there are any. Remember, your overall goal, just as it was before the breach, is to minimize the impact the breach has on your company, your employees, and your customers.

Planning for Recovery

Recovery planning consists of two broad categories. The first is fixing the damage caused by the breach and making sure the threat is actually eliminated. The second is taking care of the financial and legal risks that accompany a data breach. As far as the future health of your organization goes, both are equally important.

"Containment is key in terms of recovery," said Sean Blenkhorn, Vice President, Solutions Engineering and Advisory Services for managed protection and response provider eSentire. "The faster we can detect the threat, the better we can contain it."

Blenkhorn said that containing a threat can differ depending on what sort of threat is involved. In the case of ransomware, for example, it may mean using your managed endpoint protection platform to help isolate the malware along with any secondary infections so that it can't spread, and then removing it.

However, other types of threats may require different tactics. For example, an attack that's seeking financial information, intellectual property (IP), or other data from your enterprise won't be handled in the same way as a ransomware attack. In those cases, you may need to find and eliminate the path of entry, and you will need to find a way to stop the command and control messages. This, in turn, will require that you monitor and manage your network traffic for those messages so that you can see where they originate and where they're sending data.

"Attackers have first mover advantage," Blenkhorn said. "You have to be looking for anomalies."

Those anomalies will take you to the resource, usually a server, that's providing access or that's providing exfiltration. Once you've found that, you can remove the malware and restore the server. However, Blenkhorn warns that you may need to re-image the server to be sure that any malware is really gone.
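The paragraphs above say to watch network traffic for command-and-control messages and for where data is being sent, without showing what such an anomaly looks like in the data. The following is an added example, not code from the article, PCMag or eSentire: it parses a small constructed flow log (documentation IP ranges, invented timestamps) and flags two patterns a responder typically hunts for, a host checking in to one destination at suspiciously regular intervals (beaconing) and a host whose summed outbound bytes to one destination cross a threshold (bulk egress). The log format, thresholds and the function names are assumptions for the demonstration; a real deployment would feed it NetFlow, Zeek or proxy records instead.

```python
"""Flag likely command-and-control beaconing and bulk egress in flow logs.

Added example, not from the PCMag article or eSentire. The log format,
addresses and thresholds are constructed for this demonstration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: 10.0.0.5 checks in to 203.0.113.7 roughly every 60 s,
# 10.0.0.12 pushes two large uploads to 198.51.100.9, and 10.0.0.8 browses
# 192.0.2.44 in a bursty, human-looking pattern.
SAMPLE_LOG = """\
2024-01-15T10:00:00Z src=10.0.0.5 dst=203.0.113.7 bytes_out=512
2024-01-15T10:00:03Z src=10.0.0.8 dst=192.0.2.44 bytes_out=2048
2024-01-15T10:01:01Z src=10.0.0.5 dst=203.0.113.7 bytes_out=498
2024-01-15T10:01:40Z src=10.0.0.8 dst=192.0.2.44 bytes_out=1500
2024-01-15T10:02:00Z src=10.0.0.5 dst=203.0.113.7 bytes_out=530
2024-01-15T10:02:10Z src=10.0.0.12 dst=198.51.100.9 bytes_out=40000000
2024-01-15T10:02:59Z src=10.0.0.5 dst=203.0.113.7 bytes_out=505
2024-01-15T10:03:30Z src=10.0.0.12 dst=198.51.100.9 bytes_out=35000000
2024-01-15T10:04:01Z src=10.0.0.5 dst=203.0.113.7 bytes_out=511
2024-01-15T10:09:12Z src=10.0.0.8 dst=192.0.2.44 bytes_out=900
2024-01-15T10:09:20Z src=10.0.0.8 dst=192.0.2.44 bytes_out=300
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$"
)


def parse_flows(text):
    """Turn the constructed log into (epoch_seconds, src, dst, bytes_out) tuples.

    Malformed lines are skipped rather than aborting the whole triage run.
    """
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        flows.append((ts.timestamp(), m["src"], m["dst"], int(m["bytes"])))
    return flows


def find_beacons(flows, min_events=4, max_jitter=0.15):
    """Return (src, dst, mean_interval_s) for pairs with very regular check-ins.

    Jitter is stdev/mean of the inter-arrival gaps. Human browsing is bursty
    (high jitter); a scheduled check-in is not. Both cut-offs are assumptions
    to tune against your own baseline.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    hits = []
    for (src, dst), times in sorted(by_pair.items()):
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:  # all events in the same second: not a beacon pattern
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            hits.append((src, dst, round(mean)))
    return hits


def find_heavy_egress(flows, threshold_bytes=50_000_000):
    """Return (src, dst, total_bytes) for pairs whose summed upload crosses the threshold."""
    totals = defaultdict(int)
    for _, src, dst, nbytes in flows:
        totals[(src, dst)] += nbytes
    return [
        (src, dst, total)
        for (src, dst), total in sorted(totals.items())
        if total >= threshold_bytes
    ]


def triage(log_text):
    """Run both detectors over a log and return the findings keyed by type."""
    flows = parse_flows(log_text)
    return {"beacons": find_beacons(flows), "heavy_egress": find_heavy_egress(flows)}


if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        for src, dst, value in hits:
            print(f"{kind}: {src} -> {dst} ({value})")
```

Both detectors return the internal host and the external destination together, which is exactly the pair the article says you need: the internal resource to isolate and re-image, and the external address whose traffic to block while the forensics work proceeds.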

Breach Recovery Steps

Blenkhorn said that there are three additional things to remember when planning for a breach recovery:

  1. The breach is inevitable,
  2. Technology alone is not going to solve the problem, and
  3. You have to assume it's a threat you've never seen before.

But once you've eliminated the threat, you've only performed half the recovery. The other half is protecting the business itself. According to Ari Vared, Senior Director of Product at cyber insurance provider CyberPolicy, this means preparing your recovery partners in advance.

"This is where having a cyber recovery plan in place can save the business," Vared told PCMag in an email. "That means making sure your legal team, a data forensics team, your PR [public relations] team, and your key staff members know in advance what needs to be done whenever there's a breach." The first step there means identifying your recovery partners in advance, informing them of your plan, and taking whatever actions are necessary to retain their services in the event of a breach. That sounds like a lot of administrative burden, but Vared listed four important reasons that make the process worth the effort:

  1. If there is a need for non-disclosure and confidentiality agreements, then those can be agreed to in advance, along with fees and other terms, so that you're not losing time after a cyberattack trying to negotiate with a new vendor.
  2. If you have cyber insurance, then your agency may have specific partners already identified. In that case, you'll want to use those resources to ensure costs are covered according to the policy.
  3. Your cyber insurance provider may have guidelines for the amount it's willing to cover for certain aspects and the small to midsize business (SMB) owner will want to make sure their vendor fees fall within those guidelines.
  4. Some cyber insurance companies will have the necessary recovery partners in-house, making it a turnkey solution for the business owner, as the relationships are already in place and the services will be automatically covered under the policy.

Addressing Legal and Forensics Issues

Vared said that your legal team and forensics team are a high priority after an attack. The forensics team will take the first steps in recovery, as outlined by Blenkhorn. As the name implies, this team is there to find out what happened and, more importantly, how. This isn't to assign blame; it's to identify the vulnerability that allowed the breach so you can plug it. That's an important distinction to make with employees before the forensics team arrives to avoid undue rancor or worry.

Vared noted that the legal team responding to the breach will probably not be the same folks who handle traditional legal tasks for your business. Rather, they'll be a specialized group with experience in dealing with the aftermath of cyberattacks. This team may defend you against lawsuits stemming from the breach, deal with regulators, or even handle negotiations with cyber thieves over their ransom demands.

Meanwhile, your PR team will work with your legal team to handle notification requirements, communicate to your customers to explain the breach and your response, and possibly even explain the same details to the media.

Finally, once you have taken the steps required to recover from the breach, you'll need to gather those teams together with the C-level executives and have an after-action meeting and report. The after-action report is critical for readying your organization for the next breach by determining what went right, what went wrong, and what could be done to improve your response next time.

Testing Your Plan

All this assumes that your plan was well-conceived and executed competently in the event of a Bad Thing. Unfortunately, that's never a safe assumption. The only way to be reasonably certain your plan stands any chance of success is to practice it once it's prepared. The specialists you've engaged who deal with cyberattacks as regular events in their business won't give you much resistance to practicing your plan—they're used to that and likely expect it. But since they're outsiders, you'll need to make sure they're scheduled for the practice and you'll probably have to pay them for their time. This means it's important to factor that into your budgeting, not just once but on a regular basis.

Just how regular that basis is depends on how your in-house employees respond to your first test. Your first test will almost certainly fail in some or possibly all aspects. That's to be expected since this response will be far more complex and burdensome for many than a simple fire drill. What you need to do is measure the severity of that failure and use it as a baseline for deciding how often and to what extent you need to practice your response. Remember that a fire drill is there for a disaster that most businesses will never experience. Your cyberattack drill is for a disaster that's practically inevitable at some stage.

This article originally appeared on PCMag.com.