Everybody tends to think that hackers will never ever target them or their company/organisation until a breach occurs. We have already published several practical examples explaining why hackers target you and your data.
Here, I will try to concentrate on post-incident actions and provide some brief advice on what to do after you have been hacked.
Step 1: Avoid panic and focus
Many companies aggravate the consequences of a data breach and disrupt legal investigation through enormous internal panic. Keep in mind that you are not the first victim of hacking, nor the last one. Now, your role is to focus your and your team’s efforts on minimizing the consequences of the actual data breach.
Moreover, the fact that you have identified the breach - is positive, as many companies do not even know they have been compromised due either to highly sophisticated hackers or the internal technical team’s negligence.
Step 2: Gather your team and assign roles
Once the initial panic has subsided, gather the incident team. Each company structure is unique, but make sure that your technical, legal, public relations, and sales teams are present.
Technical teams will obviously be in charge of the technical aspects of the incident handling, the legal team will assure compliance of your investigation with the law, PR needs a clear corporate position for the media, while the sales team needs to be clear about what to say to your customers.
It is very important to synchronize all teams, make sure that no team takes an initiative without your approval and without notifying the others.
Step 3: Understand what happened, which data was compromised and how
One of the most important steps is to understand what really happened. Sometimes companies panic on hearing of fake hack announcements organised by unhappy customers or unethical competition. Others deny data breaches until all compromised data appears online and makes headlines.
Your technical team should be able to tell you which systems and data were compromised, which vulnerabilities were used by hackers to get in, assure that compromised systems are properly isolated, and ensure that hackers didn’t leave any backdoors or logic bombs.
Step 4: Carefully collect logs and other evidence
Make sure your security guys don’t erase or alter any logs during the investigation process, otherwise a court of law may reject them as evidence later. If you don’t have enough in-house expertise to properly conduct incident forensics – call an external company to perform the technical aspects of the work.
If you know which systems are breached – disconnect them from the network (including the local one) as hackers may still be here mining your data, installing backdoors, and erasing logs.
Step 5: Analyse and evaluate the origins of the breach
It is very important to understand how hackers got into your network. Depending on the entrance path, you need to take urgent action to prevent them re-using the same vulnerability or similar hacking method.
For example, if one of your trusted supplier’s accounts was hacked and used to login into your network – make sure that all the accounts of this supplier are blocked until they perform their own incident forensics, as their entire network may be compromised and backdoored.
Make sure that other systems and networks under your control cannot be compromised in the same way. For example, if hackers exploited a zero-day in one of your applications hosted on dozens of different servers – make sure that a temporary solution that prevents exploitation of the vulnerability is implemented ASAP, otherwise you will see a domino-effect compromise.
Step 6: Analyse the consequences of the incident and prepare a disclosure plan
Once you know what happened and how happened, it is time to analyse the business, legal, reputational, and financial consequences of the breach. Make sure your legal team participates fully, as legislation on data-breach disclosure is very different from state to state, and from one country to another.
In any case it is better to disclose the breach to all concerned parties, as even if you’re not legally obliged to declare the incident – your reputation will suffer much more if someone else (including the hackers) discloses the hack instead of you. Remember, that if you disclose the breach – you will be able to present information properly and even reinforce your business reputation by demonstrating that you are handling the incident seriously.
While if hackers or someone else discloses for you – don’t count on their mercy in detailing the hack. Obviously, you don’t need to shout on every corner about the data breach: if a limited number of customers were impacted – just make sure all of them are notified in a proper and timely manner.
Step 7: Disclose the incident to concerned parties and notify law enforcement agencies
Timing of disclosure is very important. Assuming there is no legal obligation to disclose, , it’s very important to choose the right timing. If you disclose before you see a full picture of the incident, you may help hackers and scare your customers who will not appreciate the uncertainty. If you disclose after hackers have already re-used all passwords and other customer data to hack them – your business reputation will suffer a lot, you risk losing loyal customers and facing several lawsuits.
When disclosing the incident make sure that all your customers, or any third-parties that suffered from the breach, feel that you do care about them, about their data, and that you are doing your best to help them, to punish the criminals, and to prevent such incidents in the future.
Once again – a properly performed incident forensics and handling may reinforce your reputation and brand value, while other businesses fail to act properly after a hack. As soon as you finish the technical part of incident forensics, notify law enforcement agencies. Despite the fact that a well-organised hack by skilled attackers will hardly be solved via technical investigation, your data may be extremely helpful for detectives, who may be looking for a missing piece of puzzle to uncover a hacking team breaching companies in your industry.
This is how many hacking teams were stopped, as in one or two breaches they made a couple of tiny mistakes unveiling them.
Step 8: Revise your security policies and strategy
No security policy is perfect, and the data breach confirms the need for your security policy and strategy. Even if your systems were not breached directly, but a third-party’s with privileged access – now it’s your task and responsibility to prevent such similar hacks in the future. Use the data breach as a lesson to prevent more expensive hacks in the future that may cost you much more.
If you read this article – you are already on the right way to responsible and proper incident handling!
Ilia Kolochenko, High-Tech Bridge’s CEO and Chief Architect of web application security service ImmuniWeb