Every organization, big and small, experiences security incidents, but a data breach containment plan can make a crucial difference in the extent of your exposure and losses. While it’s true that different types of incidents like business email compromise, ransomware, or stolen data all have specialized response steps to contain the incident and recover from it, there are a few common early steps that should happen regardless of the type of security issue you’re facing.
The data breach containment strategies outlined below are designed to:
- Remove active attackers from your network
- Prevent further attacks
- Contain the incident
The medical field refers to this phase as “triage”; your goal is to stop the bleeding.
Crucial Steps for Data Breach Containment
Step 1: Isolate the threat
Once you recognize that an incident is occurring, your first steps in data breach containment should be to remove active intruders and to prevent further unauthorized access. That is accomplished by isolating the affected device, systems, or network. If the breach is limited to one device, like a server or workstation, remove that device from the network by removing the network cable, or if wireless, disabling wireless access. If you can see active processes running on the affected system, try to kill those processes.
In the early days of enterprise ransomware, we used to recommend powering infected systems down if they had not finished the encryption process, but with more modern versions, interrupting that process is likely to corrupt or destroy the files to the point where they are unrecoverable. So, pull the network to isolate, not the power.
If you’re unable to pinpoint the devices affected by the incident but can trace them to a particular segment of your network, isolate that segment from the rest of the network. In some cases, you may not be able to isolate to a particular device or segment, and in those cases, you need to disconnect your entire network from your firewall, router, or ISP, as well as any tunnels or connections to remote sites to prevent the spread of the incident to your other locations.
If your incident is tied to a particular port or service, like remote desktop protocol (RDP), virtual private networks (VPNs) or a specific email account, disable those. Close the RDP port, shut the VPN down, or temporarily disable the email account. In these days of working from home, that may mean losing your own remote access to your network. If possible, have an alternative option, such as a dedicated direct connect VPN with multi-factor authentication ready to go to provide IT management access in the event of an emergency. If that’s not possible, it may be necessary to get someone on site.
Step 2: Reset Passwords
In many incidents, unauthorized access is gained by guessing, phishing, or brute-forcing credentials for a legitimate account. If that is the case, the attacker has – and may have already shared or sold – a legitimate username and password for your network. Therefore, it’s important to quickly reset passwords.
If you are absolutely certain you know which account or accounts have been compromised, focus on those accounts first. However, unless it is very clear, a better data breach containment recommendation is to force password resets for all the accounts on the domain or authentication system.
Remember that the impacted passwords may go beyond those associated with a particular user. If you are using service accounts, local administrator accounts, or shared device management accounts (router, switch, firewall, and so on), those need to be reset, too. Once an attacker has gained access to your environment, it’s fairly trivial to use credential-stealing tools to sniff the network and capture more usernames and passwords. Think broadly and cast a wide net. If the account is only protected by a username and password, it needs to be reset.
Step 3: Implement Multi-Factor Authentication
You may be wondering what Multi-Factor Authentication (MFA) has to do with data breach containment. This is an important step for preventing a repeat compromise. You probably recall that there are three primary authentication types: something you know, something you are, and something you have. MFA uses a combination of two or more of those types. A username and password are not multi-factor authentication – they are single-factor authentication, because both are something you know.
MFA, while not foolproof, provides a good measure of protection against unauthorized access to accounts because it means that the attacker would need not only a username and password (something you know) but also either a token (something you have) or a fingerprint (something you are) in order to access the account.
Once you’ve isolated systems and reset passwords, consider adding MFA to any accounts that are not currently using it to prevent a repeat compromise.
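The “cast a wide net” rule in Step 2 and the MFA follow-up in Step 3 are easy to state and easy to get wrong under pressure, because the accounts that get forgotten are the ones that are not people: service accounts, local administrators, and device management logins. The following is an added example, not code from the original post; it reads a constructed account inventory (the names and kinds are placeholders, not a real environment) and produces an ordered reset list with known-compromised accounts first, a list of accounts still lacking a second factor, and a check that no enabled password-only account was left out of the plan.

```python
import csv
from dataclasses import dataclass
from io import StringIO

# Constructed sample inventory; names and kinds are placeholders, not a real environment.
INVENTORY_CSV = """name,kind,mfa,enabled
alice,user,yes,yes
bob,user,no,yes
carol,user,yes,no
svc-backup,service,no,yes
localadmin-ws01,local_admin,no,yes
fw-admin,device,no,yes
"""


@dataclass(frozen=True)
class Account:
    name: str
    kind: str      # user, service, local_admin or device
    mfa: bool      # True only if a second factor is actually enforced
    enabled: bool


def load_inventory(text):
    """Parse the CSV inventory into Account records."""
    rows = csv.DictReader(StringIO(text))
    return [Account(r["name"], r["kind"], r["mfa"] == "yes", r["enabled"] == "yes")
            for r in rows]


def reset_plan(accounts, known_compromised=()):
    """Ordered reset list: known-compromised accounts first (whatever their factors),
    then every enabled account that is protected only by a username and password,
    regardless of whether it belongs to a person, a service or a network device."""
    compromised = set(known_compromised)
    first = [a.name for a in accounts if a.name in compromised]
    rest = [a.name for a in accounts
            if a.name not in compromised and a.enabled and not a.mfa]
    return first + rest


def mfa_gaps(accounts):
    """Enabled accounts with no second factor, grouped by kind, for the MFA rollout
    that follows the password reset."""
    gaps = {}
    for a in accounts:
        if a.enabled and not a.mfa:
            gaps.setdefault(a.kind, []).append(a.name)
    return gaps


def uncovered(accounts, plan):
    """Sanity check on the 'wide net': enabled password-only accounts the plan forgot."""
    planned = set(plan)
    return [a.name for a in accounts
            if a.enabled and not a.mfa and a.name not in planned]


if __name__ == "__main__":
    accounts = load_inventory(INVENTORY_CSV)
    plan = reset_plan(accounts, known_compromised=["bob"])
    print("reset order:", plan)
    print("still single-factor:", mfa_gaps(accounts))
    print("missed by the plan:", uncovered(accounts, plan))
```

The inventory format is an assumption; in practice the rows would come from the directory, the password vault, and the network device configs, and the point of `uncovered` is to run it against that merged list before declaring the reset complete.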
Step 4: Don’t Destroy Evidence
In the mad scramble to contain an incident, responders are often so focused on restoring services that they forget about preserving data. Why is data preservation important? At some point, when the dust settles, you may need to determine whether or not your incident constitutes a data breach, which would in turn mean that you need to notify people whose data was lost in the compromise of your network. Keeping evidence intact and usable means that you may be able to prove that there was no access or exfiltration of sensitive data and avoid the time and expense of data breach notification and reporting.
During data breach containment, some changes may need to be made immediately. For example, if you experience an email compromise and the attacker set up a rule to forward messages to an unknown email account, you will want to disable the rule or the compromised account. If that is not possible, you may need to delete the rule to stop the flow of email. However, before you delete it, take a photo of the rule and forwarding address on the screen. Alternatively, you could take a screenshot; just keep in mind that if the workstation itself is going to be investigated, the screenshot changes the evidence, so you’ll need to make note of the date, time, file name, and location of the screenshot.
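The forwarding-rule scenario above comes down to two habits: capture the artifact exactly as seen before you change it, and record when, where and by whom it was captured together with a hash so it can later be shown to be unaltered. The following is an added example, not code from the original post; it uses a constructed forwarding rule and a constructed stand-in for the screenshot bytes (the mailbox, addresses and paths are placeholders), exports the rule as it was before deletion, and builds a chain-of-custody manifest with the date, time, file name, location and SHA-256 of each item, plus a verification step for later use.

```python
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample of a forwarding rule as read from a mailbox; the mailbox,
# rule name and addresses are placeholders, not real indicators.
SAMPLE_RULE = {
    "mailbox": "user@example.invalid",
    "rule_name": "Auto-forward",
    "forward_to": "collector@example.invalid",
    "conditions": {"all_messages": True},
    "actions": {"forward": True, "delete_after_forward": True},
}

# Constructed stand-in for screenshot bytes (a real capture would be the PNG file).
SAMPLE_SCREENSHOT = b"\x89PNG\r\n\x1a\n constructed placeholder image bytes"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the raw bytes; the value that later proves the item is unchanged."""
    return hashlib.sha256(data).hexdigest()


def export_rule(rule: dict) -> str:
    """Serialise the rule exactly as seen, with stable key order, before it is deleted."""
    return json.dumps(rule, sort_keys=True, indent=2)


def evidence_record(file_name, data, location, collector, captured_at=None):
    """One chain-of-custody entry: what was captured, where it is kept, when (UTC),
    by whom, and its size and hash."""
    captured_at = captured_at or datetime.now(timezone.utc)
    return {
        "file_name": file_name,
        "location": location,
        "captured_at_utc": captured_at.isoformat(),
        "collected_by": collector,
        "size_bytes": len(data),
        "sha256": sha256_hex(data),
    }


def verify_record(record, data) -> bool:
    """True if the bytes still match the record (size and hash)."""
    return record["size_bytes"] == len(data) and record["sha256"] == sha256_hex(data)


def build_manifest(rule, screenshot, screenshot_name, location, collector, captured_at=None):
    """Evidence bundle for a rule that is about to be deleted: the exported rule,
    the screenshot, and a record for each."""
    rule_json = export_rule(rule)
    rule_bytes = rule_json.encode("utf-8")
    return {
        "rule_export": evidence_record(f"{rule['rule_name']}.json", rule_bytes,
                                       location, collector, captured_at),
        "screenshot": evidence_record(screenshot_name, screenshot,
                                      location, collector, captured_at),
        "rule_json": rule_json,
    }


def write_manifest(manifest, screenshot, out_dir):
    """Write the rule export, the screenshot and manifest.json to out_dir."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    (out / manifest["rule_export"]["file_name"]).write_text(manifest["rule_json"], encoding="utf-8")
    (out / manifest["screenshot"]["file_name"]).write_bytes(screenshot)
    path = out / "manifest.json"
    path.write_text(json.dumps(manifest, indent=2), encoding="utf-8")
    return path


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_RULE, SAMPLE_SCREENSHOT, "rule-screenshot.png",
                              location="evidence share (constructed path)",
                              collector="IR responder")
    print(write_manifest(manifest, SAMPLE_SCREENSHOT, "evidence_out"))
```

The manifest is written once, before the rule is removed; the hash and size are what let you answer “is this still the file we captured that day?” months later, and `verify_record` is the check to run when the evidence is handed over or re-examined.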
If you want to learn more about preserving evidence during an incident, we have a 1 day Cyber First Responder class on March 10th.
As always, Don’t Panic
Finally (or maybe this should be first on the list), don’t panic! Take a moment to take a deep breath, gather your thoughts, and gather the resources you need for data breach containment. Panic leads to poor decisions and mistakes in response, which in turn lead to delays, increased costs, and an inability to recover. (And for all of you Douglas Adams fans, don’t forget your towel. It can’t hurt.)
When you experience your next security incident, remember: IRIDD (“I rid”)
- Isolate the threat
- Reset Passwords
- Implement MFA
- Don’t Destroy Evidence
- Don’t Panic