How to respond to a data breach

Pierluigi Paganini April 13, 2013

The number of cyber attacks has increased impressively: cyber criminals, hacktivists, and independent and state-sponsored hackers operate daily in cyberspace, conducting more or less dangerous offensives. Everyone is exposed to the concrete risk of cyber attack, from internet users to private businesses and government offices. That is why it is fundamental to have a clear idea of how to respond to an incident and which steps to take to secure the compromised infrastructure and limit the related damage.

Consider first of all that a prompt response to a data breach is crucial, because time is an essential factor in how far the effects of an incident propagate. Every company must have an incident response team in place that defines and shares the incident response procedure and monitors overall operations in case of an incident. The procedures must be shared with personnel within the company, creating the proper level of awareness to respond promptly to a data breach.

Corey Nachreiner, Director of Security Strategy at WatchGuard, proposed a response procedure that I want to share with you, reviewing it with my personal opinion, as I consider it very useful for victims of cyber attacks:

Analysis of the breach – This is probably one of the most important phases: it is here that all the response practices to mitigate the adverse event are triggered. In this phase the company tries to classify the event, evaluating the impact on its infrastructure, and starts all the activities necessary to secure the company and its data. Company representatives also start the investigation, which can be supported by external consultants such as digital forensics experts. It is necessary to identify exactly which flaws the attackers exploited and fix them as soon as possible.

Report to the authorities and share data related to the data breach – Depending on the level of the data breach, it is necessary to report it to the authorities so that they can promptly start investigations. In many cases the exposure of sensitive data or clients' personal information must be publicly disclosed to avoid further damage. The disclosure strategy must be agreed with company top management and the whole team involved in the investigation, including law enforcement. Nachreiner remarked that some authorities may have a threshold on the size of breach that they are willing to look into.

Communicate the breach – All internal components of the company must be informed and must follow the instructions provided by the incident response policy.

Patch the discovered holes – Once the flaws exploited by the attackers have been identified, it is necessary to fix them. An efficient patch management process is vital: the applied patch must fix the bug and avoid integration problems. During this phase other vulnerabilities may be uncovered; they must be fixed with the same priority as the flaws that caused the incident, so that the attackers cannot benefit from their knowledge of them in subsequent attacks.

Recover from backups – If internal systems have been compromised, it is necessary to restore a working and secure state by recovering the systems from a backup, in order to reduce the amount of information lost from the breach. Of course, the company must adopt a backup policy, and the internal security team must periodically back up data and test the restore procedure to avoid surprises in case of attack.

Review authentication and authorization – After a data breach it is necessary to assess all authentication and authorization processes. All authentication processes must be analyzed, along with the resources exposed; for example, in case of a data breach the simplest action is to reset all passwords related to the compromised systems. In this phase, limit access to the system to strictly necessary personnel and investigators.

Run an audit – Run a full system security audit to verify the absence of other flaws, whether they arose as a result of the breach or already existed. This phase, too, could be carried out by external professionals.

Update software patches – Patch all software and operating systems present in the organization according to corporate patch management processes. It is advisable to test the patches in a test environment before deploying them in production.

Install missing security and visibility controls – Review the company's entire IT architecture, identifying and installing missing security controls and layers of defense.

Consider the proposed steps as the minimal actions to include in an incident response procedure, to be triggered once a data breach has occurred … In any case, prevention is better than cure!

Pierluigi Paganini

(Security Affairs – Security)


