Recently, I cracked a joke suggesting that whenever a reporter asks during a breach investigation, "so who do you think is behind this…" I should start making up outlandish answers like:
- “My sources believe it’s an alien plot to study human behavior.”
- Or, “Definitely the underground mole people.”
- A colleague even suggested, “I think it was actually all filmed on a soundstage like the moon landing.”
In real life, however, discovering who is responsible for an incident might ultimately lead to some sort of recourse, but attribution generally takes a long time, a lot of work, and a healthy dose of luck. Identifying what happened and working to prevent that from happening again can't get my data back. But it can help reduce how often it's exposed.
So instead of pointing fingers, I do my best to steer the conversation toward two things that matter a lot more: verifying what happened and keeping it from happening again. If I get a notice that something like my social security number has been accessed, my major concerns are why it happened in the first place and what steps are being taken to protect my information in the future.
Identifying precisely what information was accessed and communicating this information to those compromised is a major first step. A victim who knows that their credit card number has been stolen can act to set up credit freezes or alerts on its use; the longer that notification is delayed, the more time an attacker has to complete their scams and distance themselves from the event. During investigations, evidence should be preserved so that an attempt can be made to identify the culprit later and first response can focus on determining the entire scope of the attack.
The concept of continuous improvement -- taking the lessons learned from a security incident and using them to mature the incident response program -- is also frequently overlooked. The post-breach time is obviously hectic, but it can also be turned into a huge learning opportunity, where weaknesses in the existing security program are highlighted so that they can be improved. Worse, if these aren't remediated, attackers face a lower barrier of entry to your systems, as these vulnerabilities have already been identified.
President Obama in his State of the Union in January proposed legislation that would require companies hit by a data breach to inform affected customers within 30 days of discovering exposure of the data. It is my hope is that any new cybersecurity legislation or regulation will also encourage information sharing of useful data, such as what was accessed and what is being done to improve security for next time.
What do you think about current practices in data breach response? Do you think that President Obama’s proposed reporting requirements are a step in the right direction? If you handle incident response, how much weight do you place on attribution versus other information gathered in the course of the investigation? Let’s chat about these issues in the comments.