What to do if you have a data breach? You had better check on your data backups before making any decision.
Governments advise ransomware victims not to pay criminals in order to regain access to their data. However, an experienced digital forensics and incident response expert concedes that there are situations when giving in is justified.
“No one wants to pay,” Jaycee Roth, associate managing director for cyber risk at Kroll LLC in Toronto, said during the Canada West Virtual Summit last week. “You really do need to weigh the pros and cons.”
“This involves conducting a cost-benefit analysis of how much it will cost to be out of business,” she said.
The most expensive aspect of a data breach
Business interruption is the most expensive aspect of any data breach (representing 38% of spending); this covers not only financial loss, but also the loss of customers and reputation.
However, whether the IT staff can restore data from backups is a major consideration in that decision.
“I can’t tell you the amount of times when clients think they have backups, think they have all the information they need. But it boils down to testing, making sure you’ve actually used the backup before.”
She continued: “We’ve come into so many situations where the backup is outdated, or it doesn’t have the information you thought it had, or it’s missing that one database file that is critical to your business.”
After a data breach, what is the first thing the IT team should check?
Another essential component for IT administrators in the event of a cyberattack is a thorough inventory of their environment.
When a management/IT/consultant team is assembled to respond, the first technical questions will be: how many workstations and servers are there, is virtualization in use, are firewall logs available, what does the email architecture look like, and so on.
“You will be surprised how many people cannot answer these questions,” she remarked. “If you don’t know your environment, if you don’t know how many endpoints you have, how can you protect or secure it?”
At 5 p.m. on a Friday, when many cyberattacks are launched, Roth is one of the specialists that corporations call in a panic.
For companies that aren’t large enough to tackle a cyber catastrophe on their own, she explained, incident response will look like this: “Hopefully, you have a cyber insurance policy.”
This is an advantage because insurers maintain a list of pre-approved vendors that can assist.
The importance of a cyber insurance policy in a data breach
The response quarterback will be an outside counsel or breach coach. A vendor is then hired to lead the IT side of the response under a three-party agreement (the insurer, the coach, and the organization).
After that, there will be a scoping call, during which the question about characterizing the environment will be asked, among other things. Finally, a statement of work will be agreed upon that describes what will be accomplished.
There are three steps to remediation:
- Stabilize the environment (remove any active threats).
- Restore service (which could include anything from installing backups to rebuilding the network to negotiating with the threat actor for decryption keys).
- Conduct an investigation into the incident’s cause.
Roth emphasized that these steps must be done in the correct order and without erasing critical evidence, so as not to hinder the forensic inquiry. Rolling back the system before log data is collected is the worst thing IT can do.
The role of endpoints during a data breach
Because of its ability to detect anomalous network behaviour, Kroll insists on installing an endpoint detection and response solution (EDR) if the organization doesn’t already have one, Roth said. This will aid in ejecting an attacker attempting to maintain a network foothold.
Some elements, such as zero-day vulnerabilities, are out of your control when it comes to defending a business, according to Roth.
However, defense in depth, EDR, network segmentation, patch management, and even “canary accounts” (an admin account that is never used, so that any attempt to log in with it is an indication of intrusion) are all essential.
She also cautioned that IT must be able to comprehend, and not dismiss, the signals that its systems generate. One client running EDR had been receiving blocked-threat notifications for days before it was compromised, Roth said.
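The canary-account idea above can be turned into a simple detection: any logon attempt against the unused admin account, successful or not, is an alert. The following is an added example, not code from the talk or from Kroll; it assumes a hypothetical one-event-per-line key=value export of Windows Security events (IDs 4624 and 4625) and uses constructed sample lines.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in a hypothetical key=value export format.
# These are not real logs; the canary account here is "svc-backup-admin".
SAMPLE_LOG = """\
ts=2024-03-08T16:58:01Z event_id=4624 account=CORP\\jsmith src_ip=10.0.4.21 logon_type=2
ts=2024-03-08T17:02:13Z event_id=4625 account=CORP\\svc-backup-admin src_ip=10.0.9.77 logon_type=3
ts=2024-03-08T17:02:40Z event_id=4624 account=corp\\SVC-BACKUP-ADMIN src_ip=10.0.9.77 logon_type=10
ts=2024-03-08T17:05:00Z event_id=4688 account=CORP\\jsmith src_ip=- process=notepad.exe
ts=2024-03-08T17:06:22Z event_id=4625 account=CORP\\mlee src_ip=10.0.4.30 logon_type=2
"""

# 4624 = successful logon, 4625 = failed logon. Both matter for a canary:
# even a failed attempt means someone is trying a name that is never used.
LOGON_EVENTS = {"4624": "success", "4625": "failure"}
FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class CanaryAlert:
    ts: str
    account: str
    src_ip: str
    outcome: str
    logon_type: str


def normalize(account: str) -> str:
    # Drop any DOMAIN\ prefix and ignore case so "corp\SVC-X" matches "svc-x".
    return account.rsplit("\\", 1)[-1].lower()


def canary_alerts(log_text: str, canary_accounts) -> list[CanaryAlert]:
    """Return one alert per logon event (success or failure) for a canary account."""
    canaries = {normalize(a) for a in canary_accounts}
    alerts = []
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        outcome = LOGON_EVENTS.get(fields.get("event_id", ""))
        if outcome is None:
            continue  # not a logon event (e.g. 4688 process creation)
        if normalize(fields.get("account", "")) in canaries:
            alerts.append(CanaryAlert(fields["ts"], fields["account"], fields.get("src_ip", "-"),
                                      outcome, fields.get("logon_type", "-")))
    return alerts


if __name__ == "__main__":
    for a in canary_alerts(SAMPLE_LOG, ["svc-backup-admin"]):
        print(f"[CANARY] {a.ts} {a.outcome} logon for {a.account} from {a.src_ip} (type {a.logon_type})")
```

Because the canary is never used legitimately, the rule needs no baseline or threshold: a single hit is worth paging on, and the failed attempt followed by a success from the same source is exactly the pattern to escalate.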
“I can honestly say in the last couple of years every time I get online with insureds, with people who have suffered these breaches, I can hear that they’ve really responded to the top cybersecurity risks of the past few years.”
She also said: “They’ve increased multifactor authentication, they’ve retired old and vulnerable operating systems, updated and secured remote access points.”
To finish, she said: “But it’s important to note that as we progress, so do our adversaries. They’re not going to stop or give up tomorrow. They’re going to keep going.”