Best Practice Response to a Breach
Regardless of the cause, perpetrator or damage there are some things your organisation should do following a breach. A breach is any intrusion or unauthorised access to your systems, in this case digital.
To best understand the methodology and guidance below its important to consider each breach a symptom rather than the cause i.e. a ransomware attack that encrypts your files is the result of a breach not the underlying vulnerability that allowed it nor the cause. IT systems are typically large and complex adding a challenge to isolating the route cause which is often a feature (something that exists to allow access), a flaw (a part of the system that has a known or unknown flaw in its design or implementation) or a user event (a user with access either authorised or not exploiting given access).
The steps below work best when integrated in to a continuity and/or disaster recovery plan
Once a breach has been identified the response team should be notified. A secure shared report should be created in tandem with the response to the breach and continuously updated with information as it is verified. This should contain a chronology of verified known events.
The report should be handled by an incident manager and shared with previously identified decision makers. It should be objective and rely upon verified events and avoid supposition or guess work
While the incident manager liaises with management providing intelligence for consideration the response team (technical) are able to work through the breach, identifying faults, flaws and issues as they resolve these and feedback to the incident manager. Having a single point of contact for both the response and management team creates a clear separation of responsibility and allows both parts of the organisation to proceed appropriately.
Management manage the businesses response and interactions with employees, clients, suppliers and authorities.
Response team deal with the technical aspect of the breach including investigation, report and remedy.
Incident manager is the go between management and the response team.
Report to the authorities within 72hours you must notify the ICO (https://ico.org.uk/) of a breach and we recommend you advise the NCSC https://report.ncsc.gov.uk/. You should also notify Action Fraud in the UK (https://www.actionfraud.police.uk/) and/or Police Scotland for Scotland only (https://www.scotland.police.uk/contact-us/report-cybercrime).
Any effect you see is likely the result of an ongoing attack that has possibly been silent within your infrastructure for years. You should assume that all systems and data have been compromised until you can establish otherwise.
Whether access was gained via a flaw, feature or user you need to react to the breach. This will require a change to procedure and policy as well as the technical implementation. A good rule of thumb is that if you haven’t made access to critical system more difficult for yourself you haven’t made it more difficult for bad actors either.
Once you have reacted to the breach you should begin to verify all requests for login, access to files and movement within your perimeter. For management this is about understanding and approving users for access to resources such as the internet, document stores and software and limiting this access as much as possible. For IT, its crucial to constantly verify user activity; knowing the user's geographic location, trends in activity, device usage allows for machine automation to looks for unusual patterns and challenge access.
Use Least Privileged Access
Limit user access with just-in-time and just-enough-access (JIT/JEA), risk-based adaptive polices, and data protection to help secure both data and productivity. In short only grant access to the systems, files, software and services users require and no more.
Frequently review your cyber security policy and strategy and the steps you have taken to protect your perimeter.
While any breach will possibly require a specific technical response that complements your cyber security policy there are some fundamental steps that should follow any breach.
Change All Passwords
Based on the "assume breach" principal you should reset all user credentials and passwords across all systems. You won't know if a bad actor has gained access to other systems following the initial symptom that made you aware of their activity, not until it's too late. It's imperative that you assume the breach was further ranging than the symptoms you have seen.
Multi Factor Authentication / 2 Step Login
If you haven't already implemented MFA roll it out immediately on any system that has the option. As it is illegal in some countries not to offer MFA it's unlikely that any fit for purpose software won't have this option.
MFA adds an additional layer of security to your login requiring users to physically verify all logins using their username and password.
Patch and Upgrade
If any software or system has any patches outstanding or upgrades available ensure you run these immediately. Patching often resolves known vulnerabilities and flaws in software so failing to successfully patch leaves your exposed to known issues. Be assured that bad actors are aware of known vulnerabilities and will exploit these on a massive scale.
Review and Enhance
If you have been the victim of an attack the better the tools, information and expertise you have on hand the shorter your recovery time, the less likely you are to suffer future serious affect and you will be better placed to understand your risk.
If you don't already invest in cyber security tools now's the time. We recommend all clients should have enhanced information and asset protection tools like:
- Data Loss Prevention
- Advanced Data Analytics
- Advanced User Analytics
- Remote Device Management and Enforcement
In addition you should consider whether your backup process is robust enough to prevent it from becoming a future target or victim and if it is adequate to deal with a total loss of service and data.
At Wardman UK we embrace the Zero Trust approach to cyber security which, you'll find more information on best practice, responses and guidance within the Hacked section within our help centre.
Our team of experts on are hand to support you, just get in touch.