6 Questions to Ask Once You’ve Learned of a Breach
With GDPR enacted and the California Consumer Privacy Act on the near horizon, companies have to sharpen up their responses. Start by asking these six questions.
Companies don't have the luxury of waiting days and even weeks before they report a data breach to the public. Many global firms do business overseas and are subject to GDPR, and California's data privacy law goes into effect Jan. 1, 2020. There are other such measures on the way in India and Brazil.
All these new measures require that companies report a breach within 72 hours.
That means it's more important than ever for companies to know how to respond once they learn that they've been breached. The M-Trends 2019 report released by FireEye Mandiant found that 59% of breaches are self-detected, while 41% are reported to breached companies by external sources.
Charles Carmakal, strategic services CTO for FireEye Mandiant, advises companies to start by validating that a breach actually took place and, if they haven't already, to develop a comprehensive incident response plan.
"It's really important to know what the attack was and why the bad threat actors broke in," Carmakal says. "Do your due diligence and have this information because it will really help you from a legal perspective if the case gets turned over to law enforcement and there's an indictment."
While some companies have clear processes and procedures in place, many companies (especially SMBs) are not at all prepared to handle a breach. Start by asking the following six questions.
Once the company has confirmed malicious activity and has notified the appropriate people up the chain of command, it's important to find out how the threat actor gained access to the company's IT environment and how long they've had that access, says FireEye Mandiant's Carmakal. The most common access methods are a phishing email, a password-spraying attack, or a credential-stuffing attack.
A lot of people reuse passwords and employ easy-to-guess passwords, so it's important to train people to use unique and complex passwords. It's also important to know if access was gained through a hack to a third party or other business partner.
So you're well into the process and have even determined how the attacker got in; now it's time to find out whether the attacker still has access and how they are maintaining it, says FireEye Mandiant's Carmakal. For example, the attackers may have installed a persistent backdoor, may be leveraging the company's VPN, or may hold credentials for user accounts with privileged access.
FireEye Mandiant's Carmakal says threat actors take advantage of both privileged and non-privileged accounts. Privileged accounts often undergo less scrutiny by security teams. But Shay Nahari, who heads red-team services for CyberArk, points out that compromising privileged accounts gives attackers access to sensitive resources and databases, a good reason to focus on managing those accounts.
Now it's time to find out just what was accessed or stolen, says FireEye Mandiant's Carmakal. If it's personally identifiable information (PII) - such as Social Security numbers, credit card information or protected health data - all of that must be reported to the impacted individuals, which often leads to public disclosures.
In fact, Carmakal says the terms "data breach" and "security incident" are often used interchangeably, but they are not the same. He says the common legal interpretation of a data breach is the unauthorized access or theft of sensitive information. A security incident might occur in which no sensitive data is accessed or stolen at all. Or, if the data breach only affected the business' own intellectual property, but not PII, it might not trigger data breach disclosure obligations.
Finally, the company needs to determine the motive for the attack, says FireEye Mandiant's Carmakal. If the attackers were after intellectual property or highly sensitive business information, were they Chinese nation-state actors, or were they conducting industrial espionage or gathering information for a targeted attack on your company? Was the goal financial gain? Security pros need to determine whether the hackers were just looking to temporarily disrupt operations or whether they made lasting changes to the systems and are likely to return.