Breach: A term associated with stress and ambiguity, whose meaning changes with each context. It signifies a violation of a code: of conduct, an agreement, a law, or a physical state. In the context of a business, it is the violation of the confidentiality, integrity, or availability of a particular state of an asset, most likely DATA or, more precisely, INFORMATION. The ways of doing business have changed over the years. At any given point in time, an enterprise has thousands if not tens of thousands of connections open to the Internet, each one testing the perimeter as data passes through the fences and defenses. And it's just a matter of time…
A notification wakes up a group of senior officials, and a collective activity hits the top of the priority list for many. If it's a natural calamity, they wear a "disaster recovery hat". In the event of a data breach, more or less the same hat turns into breach response. The parameters of consideration switch from known-unknowns to unknown-unknowns. It can happen to any organization that uses the internet as a business resource. The breach itself may not be the worst thing; how it is managed can be. Proper oversight helps contain the damage, not only from a financial standpoint but also from the point of view of the organization's goodwill and reputation.
Most organizations doing business on the internet will already have a response plan to handle high-severity incidents. If not, a good time to start making one is as of yesterday. If there is one, double-check the approach to breach response against a few additional considerations.
The DOs and DON'Ts
DO # 1 Call upon the authorized personnel and advise invoking the response plan. Assemble all the stakeholders, for example business owners, technical experts, SMEs, and analysts who can help reverse engineer the root cause and assess the impact. Define the roles and responsibilities of everyone involved. Announce who holds authority, set up the ground rules, and agree to them.
DO # 2 Set up a secure room, a WAR-Room, with enough facilities to support the well-being of everyone present: supplies, consumables, drinks and eatables, and a bunker set-up to rest in if need be. Most importantly, communicate over secure channels only and STAY CALM.
DO # 3 Consult legal counsel and understand the disclosure and regulatory requirements for notifying the relevant authorities and affected parties. Assess how much time is in hand.
DO # 4 Task the SMEs and data owners with assessing the types of data held in the systems and checking their sanity: PII (Personally Identifiable Information), PHI (Protected Health Information), financial, operational, marketing, and intellectual property.
DO # 5 Associate each data type with its potential sources of breach, such as social engineering, intrusions, malware, APT, human error, etc., and plan an exercise to reverse engineer, or work backwards through, the threat model to establish the attributes and/or root causes. Set the duration of the exercise and agree on a HARD STOP. This exercise cannot be indefinite.
DO # 6 Outline the communication for disclosure. Task the appropriate stakeholder with the content of the disclosure, prep the authorized spokesperson, ready the notification response, and make provision to include information related to the findings.
DO # 7 Break the response plan into time-bound activities: 1. Detection and Analysis, 2. Forensics, 3. Contain & Mitigate, 4. Recovery, 5. Post-Mortem and notifications.
Breach response is dynamic in nature, evolving with every passing hour and every new discovery. Handling all those ambiguous dynamics can be arduous and extremely stressful. Respect everyone involved for the objective at hand, assure and reassure all concerned so they stay balanced in the gyroscopic breach environment, and remind one another to follow the instructions of the authorized personnel as agreed. Nevertheless, these DON'Ts are a big no-no.
DON'T # 1 - PANIC: Rein in anyone spreading panic and reassure everyone that this is, presumably, a non-life-threatening state of affairs.
DON'T # 2 - NO BLAME GAME OR GOING DEFENSIVE: No matter where someone sits in the hierarchy, collaborate, cooperate, and trust in one another's abilities.
DON'T # 3 - CONTAMINATE THE ENVIRONMENT: Adopt a logical approach and avoid a random rush. If needed, call in forensic experts to handle the evidence, as it may have to be presented in a court of law with a complete chain of custody.
DON'T # 4 - GO PUBLIC WITHOUT ENOUGH INFORMATION OR PREPARATION: Only authorized individuals should communicate with the relevant authorities, and only with complete preparation. As far as possible, be proactive.
DON'T # 5 - NO COVER-UPS: If someone can steal your important data, a cover-up, once discovered, can harm the organization's reputation beyond repair.
For organizations of all sizes, an elaborate and documented response plan is a must; if it is simulated and tested twice or thrice a year, it ensures preparedness to respond to breaches more effectively and quickly. Only then can mitigation and rebuilding be swung into action quickly, which in turn boosts stakeholders' confidence. This could be one piece of evidence that you have been part of a resilient organization.