Posted on Mar 24, 2021
In a hyper-connected world, data breaches continue to increase in size and scope. Cybersecurity threats come in various forms, from social engineering to database vulnerability exploitation. With that in mind, data breaches are more likely than ever, regardless of an organization’s size. To bolster your cybersecurity posture, you should put together a data breach response plan as a way to prepare your organization.
The short answer to whether you should follow NIST or SANS is that you can use either framework, depending on how you want to organize your staff. The National Institute of Standards and Technology (NIST) “Computer Security Incident Handling Guide” (SP 800-61) and the SANS Institute “Incident Handler’s Handbook” both set out the same necessary steps for responding to a data security incident. The primary difference is how they organize the actions.
NIST takes a four-pillar approach: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity.
Meanwhile, SANS consolidates the second NIST pillar into a single identification step while separating the third into three distinct categories, for six steps in all: preparation, identification, containment, eradication, recovery, and lessons learned.
Although similarities exist between the two approaches, they offer different details and suggestions. Combining the best practices of the two, as done below, helps you create a data breach response plan that will guide you towards a more secure IT stack.
The foundation of a robust data breach response plan lies in the pre-planning process. Although many of the steps you take at this point cross over to other areas of cybersecurity, each part of the pre-planning process needs to be aligned with how you respond to a data breach.
Risk categorization and analysis may seem like an obvious first step, since nearly everything in cybersecurity revolves around risk. Referring to the risk assessment you did when writing your information security policy gives you a head start.
Cybercriminals want to steal sensitive data such as personally identifiable information (PII), non-public personal information (NPI), cardholder data (CD), electronic Protected Health Information (PHI), and intellectual property (IP).
High-risk information includes:
Critical applications are the gears that keep the wheels of your business running. Sometimes referred to as the “crown jewels,” these applications store large amounts of data, spread globally, and interconnect deeply with other mission-critical applications.
Some examples of critical applications include:
Whether you’re worried about device theft or someone accidentally installing malware, you need an asset inventory to catalog all the devices that connect to your network. As part of your asset inventory, you want to include at least:
The list of users accessing your systems, software, and networks might seem logical at first since you know all your employees. However, digital transformation is changing the definition of “user.” You need to understand the different types of identities - human and machine - that access resources.
Some users to consider include:
Predicting when a data breach will occur is difficult. However, predicting the data breach attack type is easier. As part of your data breach response plan, you want to research the types of data breaches that impact your industry and the most common attack methodologies. In some cases, the two will be the same. For instance, social engineering attacks are common across all industry verticals. However, cybercriminals can target certain attack types against industries with unique data handling risks. For example, malicious actors leverage card skimming attacks against the financial services industry’s ATMs.
Cybercriminals increasingly use ransomware attacks that encrypt companies’ data to make it unusable and exfiltrate it to “hold hostage.” Planning for a ransomware attack needs to include additional factors now that malicious actors incorporate exfiltration.
As part of planning for this scenario, you want to consider reviewing:
Although credential theft can be used as part of a ransomware attack, cybercriminals often engage in this methodology for other reasons. For example, they may want access to NPI or corporate secrets.
As part of planning for this scenario, you want to consider reviewing:
During a DDoS attack, malicious actors flood an organization’s networks with more traffic than they can handle. The networks stop responding, essentially shutting the organization’s services down.
As part of planning for this scenario, you want to consider reviewing:
Policies are the written foundation of how you secure your IT stack and mitigate risks. Therefore, every data breach response plan must be integrated into the company’s IT, security, and privacy policies. Generally, organizations create a series of policies that interconnect through cross-references and appendices.
The general information security policy is based on the company’s risk assessment and risk tolerance. It outlines the controls you put in place that mitigate risks.
As a best practice, this policy should cover:
The network security policy focuses on controls that protect your network from intrusions.
As a best practice, this policy should cover:
Whether on-premises or in the cloud, servers contain an organization’s most important asset: data. Digital transformation has accelerated adoption of the Infrastructure-as-Code (IaC) model, where you define your environment in code and store data in cloud repositories rather than on on-premises hardware.
As a best practice, this policy should cover:
As malicious actors continue to leverage vulnerabilities in Software-as-a-Service (SaaS) applications, your web application security policy becomes more critical.
As a best practice, this policy should establish guidelines for how an organization assesses a web application’s security and outline the process for engaging in the assessment.
Every data breach response plan needs to identify roles and responsibilities. Since a data security incident can touch various departments, you want to make sure that you define a role in the department responsible for specific activities. If everyone knows what they need to do before a data breach occurs, you create a more efficient and effective response plan.
The leadership team reviews and approves the policy, budget, and staffing. They also coordinate with the internal and external stakeholders throughout the remediation and post-event analysis stages.
The security team handles prevention, containment, eradication, and remediation, including threat research and remediation of technical controls.
System and network admins work as part of the daily prevention team, but they also understand remediation actions such as taking an affected system offline.
The legal team reviews all policies, plans, and procedures to ensure compliance with laws and industry standards. They also coordinate post-breach activities like engaging outside counsel, collecting evidence, prosecuting a suspect, managing a lawsuit, and coordinating customer notification activities.
Data breaches lead to a lot of negative press that can ruin a company’s reputation. The PR team works with the media and public to share information about the breach, post-breach activities, and reduce reputation risk.
The HR department should handle any data breach related to malicious insider activity.
In today’s hyper-connected world, a data breach can lead to downtime for businesses. For example, DDoS attacks overwhelm networks, ultimately leaving web-based applications unresponsive. Meanwhile, ransomware attacks leave data unusable.
A strong disaster recovery policy includes a data backup that stores recent images of all necessary data. Following the 3-2-1 best practice for creating a data backup means having three copies of all information, on two different media types, with one of them offsite. Leveraging cloud solutions reduces the time to recover, which in turn reduces the downtime costs associated with a data breach.
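The 3-2-1 rule above can be checked mechanically against a backup inventory. The following is an added example, not code from the original post or from SecurityScorecard; the `BackupCopy` record shape, the sample inventories, and the 24-hour freshness threshold are assumptions made here.

```python
from dataclasses import dataclass

# Constructed record describing one copy of an asset's data (assumed shape).
@dataclass(frozen=True)
class BackupCopy:
    location: str   # where the copy lives, e.g. "dc1-nas"
    media: str      # media type, e.g. "disk", "tape", "object-storage"
    offsite: bool   # True if stored away from the primary site
    age_hours: int  # hours since this copy was last refreshed

def check_321(copies, max_age_hours=24):
    """Evaluate a list of BackupCopy records against the 3-2-1 rule.

    Returns a summary dict; an empty 'gaps' list means the asset's
    backups satisfy the rule. The freshness threshold is an assumption
    added here (the post only asks for 'recent' images).
    """
    gaps = []
    if len(copies) < 3:
        gaps.append(f"only {len(copies)} copies, need 3")
    media = {c.media for c in copies}
    if len(media) < 2:
        gaps.append(f"only {len(media)} media type(s), need 2")
    offsite = any(c.offsite for c in copies)
    if not offsite:
        gaps.append("no offsite copy")
    stale = [c.location for c in copies if c.age_hours > max_age_hours]
    if stale:
        gaps.append(f"stale copies: {', '.join(stale)}")
    return {"copies": len(copies), "media_types": sorted(media),
            "offsite": offsite, "gaps": gaps}

# Constructed sample inventory: three copies, two media types, one offsite.
GOOD = [
    BackupCopy("dc1-nas", "disk", False, 2),
    BackupCopy("dc1-tape-vault", "tape", False, 20),
    BackupCopy("cloud-object-store", "object-storage", True, 3),
]
# Constructed weak inventory: two disk copies, both on the primary site.
WEAK = [
    BackupCopy("dc1-nas", "disk", False, 2),
    BackupCopy("dc1-nas-replica", "disk", False, 2),
]

if __name__ == "__main__":
    for name, inventory in (("good", GOOD), ("weak", WEAK)):
        print(name, check_321(inventory))
```

A copy that passes this check but is reachable with the same credentials as production is still exposed to the ransomware scenario described earlier, so the inventory should also record how each copy is isolated.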
Obtaining a cyber insurance policy helps transfer some of the costs that come from a data breach. Typically, a cyber insurance policy should include:
Your disaster recovery and business continuity plan should also consider the internal and external stakeholders that keep the business running when a data breach happens. In a lot of ways, this process is similar to when a robber steals physical items.
As part of this process, you should include the following parties:
The compliance team wears many different hats when a data breach occurs. As part of your disaster recovery processes, you should consider the following responsibilities for your compliance team:
Policies set out how you plan to respond to a data breach. However, you also need to follow best practices for handling incidents once one occurs. Whether you choose the NIST or SANS model, the best practices remain similar.
Intrusion detection is the process of monitoring for and detecting abnormal activity and analyzing the activity to determine whether it qualifies as an incident.
Identifying or detecting starts by noticing abnormal activity from compromised credentials, malware, phishing, or system/network vulnerability exploitation.
The first step in the identification/detection process is to understand the most common attack vectors to focus monitoring on those areas. Some of these include:
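The identification step described above, from noticing abnormal activity to deciding whether it qualifies as an incident, is illustrated by the following added example. It is not code from the original post or from SecurityScorecard; the log format, the sample events, and the failed-login threshold are assumptions made here, and the rules map onto the four vectors the post names (compromised credentials, malware, phishing, exploitation is left out as it needs vulnerability context).

```python
import re
from collections import defaultdict

# Constructed sample events (assumed "timestamp source key=value ..." shape):
# authentication, mail-gateway and endpoint-AV records mixed together.
SAMPLE_LOG = """\
2021-03-24T08:00:01 auth user=alice result=fail src=203.0.113.7
2021-03-24T08:00:03 auth user=alice result=fail src=203.0.113.7
2021-03-24T08:00:05 auth user=alice result=fail src=203.0.113.7
2021-03-24T08:00:06 auth user=alice result=fail src=203.0.113.7
2021-03-24T08:00:09 auth user=alice result=success src=203.0.113.7
2021-03-24T08:15:00 mail user=bob verdict=phish-reported subject=Invoice
2021-03-24T08:30:00 av host=ws-17 verdict=quarantined file=update.exe
2021-03-24T09:00:00 auth user=carol result=success src=198.51.100.4
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (.*)$")

def parse(log_text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting triage
        ts, source, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        events.append({"ts": ts, "source": source, **fields})
    return events

def triage(events, fail_threshold=3):
    """Map events to attack vectors and decide whether an incident exists.
    A success preceded by fail_threshold failures from the same source is
    treated as likely credential compromise and opens an incident; a
    blocked phish or quarantined file is recorded as an event only."""
    findings = []
    fails = defaultdict(int)
    for e in events:
        if e["source"] == "auth":
            key = (e["user"], e["src"])
            if e["result"] == "fail":
                fails[key] += 1
            elif fails[key] >= fail_threshold:
                findings.append(("compromised credentials", e["user"]))
        elif e["source"] == "mail" and e.get("verdict") == "phish-reported":
            findings.append(("phishing", e["user"]))
        elif e["source"] == "av" and e.get("verdict") == "quarantined":
            findings.append(("malware", e["host"]))
    incident = any(v == "compromised credentials" for v, _ in findings)
    return {"findings": findings, "incident": incident}
```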
Information, software, and hardware that enable this process include:
As part of this process, your team should be considering:
Your incident response team should document their activities and should include the following:
During the containment phase, your incident response team focuses on limiting damage and preventing additional damage from happening.
As part of the containment process, you want to make sure that you consider:
During the containment period, the incident response team should focus on preventing additional harm to data and engage in activities that help identify the attacking host. Some commonly performed activities that do not undermine the containment process include:
Often, companies take a two-step approach to containment using short-term and long-term strategies.
Short-term containment activities involve rapid response to limit the damage. Some strategies include:
Long-term containment focuses on getting systems to function normally and preventing the threat actor from moving within the systems and networks. Some strategies include:
During the eradication step, incident handlers remove all the attack components and work toward restoring the affected systems. As part of this process, some activities may include:
Finally, the recovery process brings the affected system back online after testing, monitoring, and validating that attackers cannot compromise it the same way again.
Recovery activities include:
During recovery, you also want to consider the following:
After completing the recovery process, your organization needs to review its data breach response capabilities and incorporate any lessons learned. Engaging in a post-data breach incident handling analysis gives you insight into what processes worked well and what actions you can take to prevent a similar event.
Conducted as soon as possible after the incident, the lessons learned meeting should incorporate objective and subjective information that you can use to enhance processes, justify spending, and incorporate into the annual risk assessment.
As part of this process, you want a written report documenting the following:
A fundamental part of your data breach response plan should focus on prevention. Continuous monitoring, prioritizing alerts, and proactively remediating potential attack vectors enable you to mitigate data breach risks. Threat mitigation strategies focused on data breach prevention enhance the detection portion of your data breach response plan.
SecurityScorecard enables robust data breach response plans by continuously monitoring your IT stack and giving you an outside-in view of your controls’ effectiveness. Our platform monitors across ten categories of risk, including network security, IP reputation, patching cadence, endpoint security, and web application security. With our A-F security ratings, you get real-time, at-a-glance visibility into your security posture. Additionally, our alerts prioritize risks so that you can more efficiently prevent a data breach.
Stopping attackers before they are successful cuts the head off the beast. SecurityScorecard gives you the sword you need to detect and prevent a data breach more proactively.