A data breach is one of the biggest threats to an organization. It can harm an organization’s reputation and entail huge financial losses. According to the Cost of a Data Breach Report 2020 by IBM [PDF], the average cost of a data breach is estimated at $3.86 million. Thus, preventing data breaches and investigating them in a timely manner are among the most sensitive pain points when it comes to an organization’s cybersecurity.
In this article, we describe seven steps of how to investigate a data breach and explain what to pay special attention to during data breach investigation and remediation.
What is a data breach?
A data breach is an event that results in exposing confidential, sensitive, or other protected information to an unauthorized person. Breaches of confidential information can lead to financial losses, legal liability, and reputational damage through media coverage and publicity. That’s why if a data breach has occurred, it’s necessary to take actions to mitigate its consequences and investigate the incident.
Investigation is an integral part of a data breach response. Its goal is to clarify the circumstances of the breach, assess the damage caused by it, and develop a further plan of action depending on the results of the investigation.
It’s important to begin investigations as soon as possible in order to respond to potential risks and limit access to leaked information before it’s too late. There are a number of cyber incident response guides that provide detailed recommendations on handling security incidents:
- Computer Security Incident Handling Guide [PDF] from the National Institute of Standards and Technology (NIST)
- Incident Handler’s Handbook from the Escal Institute of Advanced Technologies, also known as SANS
- Microsoft Incident Response Guide [PDF]
- And more
Below, we outline seven steps based on the recommendations in these guides.
7 steps for responding to and investigating a data breach
Although the reasons behind a data breach may vary, there’s a set of steps you need to take when responding to and investigating such a cybersecurity incident. Let’s take a closer look at this data breach investigation checklist.
Depending on the industry you operate in and the requirements you need to comply with, the order of steps may vary, and some steps may be omitted or added.
1. Detect the data breach
All tips for investigating a data breach begin with incident detection. This step is aimed at determining the fact that a data breach has occured. You can confirm this by inspecting the signs of a data breach.
In the Computer Security Incident Handling Guide, NIST distinguishes two types of data breach signs: precursors and indicators.
A precursor is a sign that an incident may occur in the future. It can be:
- Web server logs indicating a search for vulnerabilities in an organization’s network
- Discovery of a vulnerability that affects the organization’s network
- An announcement by a hacker group that they intend to attack the organization
In general, precursors are rare and mostly help organizations to stay vigilant.
An indicator is a direct sign that an incident may have occurred or is occurring right now. Common examples of data breach indicators include:
- Buffer overflow attempts against a database server
- Multiple failed login attempts from an unfamiliar remote system
- Bounced emails with suspicious content
MITRE ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) can also be of great help. This is a structured knowledge base of known attacker behavior, divided into tactics and techniques and expressed in tables (matrices). It provides a comprehensive view of attackers’ behavior and is extremely useful for data protection, monitoring, and employee training.
2. Take urgent incident response actions
There are a number of urgent steps you should take when a data breach is detected. The first thing among data breach investigation tips is to record the date and time of detection as well as all information known about the incident at the moment.
Then, the person who discovered a breach must immediately report to those responsible within the organization. Access to breached information should also be restricted to stop the further spread of leaked data.
Overall, you may stick to this general checklist:
It’s also crucial to launch a thorough investigation as soon as possible so you can find the root causes of the data breach.
3. Gather evidence
Collecting and checking all evidence related to the data breach is another step in a list of data breach response best practices. Make sure to gather data from all your cybersecurity tools, servers, and network devices and to collect information from your employees during interviews.
First and foremost, act quickly and gather as much information about the data breach as you can. The better your understanding of the situation, the better your chances of minimizing the consequences.
The list of data you should collect includes:
- The date and time the data breach was detected
- The date and time a response to the data breach began
- Who discovered the breach, who reported it, and who else knows about it
- What was stolen and how
- A description of all events related to the incident
- Information about all contacts involved in the breach
- Identification of the systems affected by the incident
- Information on the extent and type of damage caused by the incident
4. Analyze the data breach
Once you’ve gathered as much information about the incident as you can, you need to analyze it. This step is aimed at determining the circumstances of the incident. In addition, you may have to answer a series of questions that will further assist in the investigation:
- Was any suspicious traffic detected?
- Did the attacker have privileged access to data?
- How long has the data been compromised?
- Were people or special software involved in the data breach?
- Was the data breach intentional and were outside attackers involved?
Having carefully analyzed information on the data breach, you can draw some conclusions about the source of the breach to effectively stop it.
5. Take containment, eradication, and recovery measures
It’s also important to take actions to prevent the data breach from spreading. This can be accomplished with three сountermeasures:
Let’s see how each of these measures can help you effectively mitigate the consequences of a data breach.
The goal of these measures is not only to isolate compromised computers and servers but to prevent the destruction of evidence that can help investigate the incident.
Conduct a comprehensive data breach containment operation and preserve all evidence, being careful you don’t destroy it. For example, if a data breach is caused by malware, it may not create files on disk but may place itself entirely in RAM because it’s harder to detect this way. Therefore, it’s unacceptable to power off the computer, as all the information contained in RAM will be lost.
Also, monitor the attacker’s activities and determine whether any data is leaking during the investigation.
Next, it’s important to eliminate all causes that led to the data breach. For example, if the breach occurred as a result of an insider threat, security specialists should disable all accounts that leaked information. If the threat was external, such as malware, it may be necessary to clean up the affected system and patch exploited vulnerabilities.
After a successful eradication step, it’s necessary for the organization to return to normal operations. This includes putting the affected systems back into a fully operational state, installing patches, changing passwords, etc.
Security specialists should carefully monitor the network, recovered computers, and servers to ensure that the threat has been fully removed.
6. Notify related parties
Regardless of whether you’re legally obliged to do so, you should notify all affected organizations and individuals as well as law enforcement. Timely notification is a very important data breach investigation procedure as it will enable individuals to take measures to protect lost data, such as changing passwords, or at least to be careful in case scammers take advantage of the data breach.
The list of those to be notified will vary depending on the type of compromised data and may include:
- Business partners
- And others
Pay particular attention to notice periods. They depend on the regulations and standards you need to comply with and the type of data affected (personal data, financial data, etc.). Failure to notify regulators in a timely manner could result in liability and extensive fines:
- Organizations that need to comply with the Health Insurance Portability and Accountability Act (HIPAA) must notify each affected individual within 60 days after discovering a breach. Fines for a HIPAA violation may be up to $25,000. The minimum fine is $100.
- The General Data Protection Regulation (GDPR) requires data supervisors to notify the appropriate supervisory authorities no later than 72 hours after discovering a data breach. The GDPR sets a maximum fine of €20 million or 4 percent of annual worldwide turnover (whichever is greater) for a data breach.
- Brazil passed its own legislation that’s similar to the GDPR, called the Brazilian General Data Protection Law [PDF], which includes breach notification requirements.
- Breach of Security Safeguards Regulations is legislation including additional notification requirements for data breaches that has been passed in Canada.
Many other countries also have laws and regulations regarding the use and unauthorized disclosure of personal data. If your organization operates in more than one country, you should consider the local data breach legislation and include its requirements into your incident response plan.
7. Conduct post-incident activities
Once you’ve taken basic actions to counter the data breach, it’s time to analyze the incident and its consequences and take steps to prevent similar issues in the future. Every data breach should be thoroughly audited afterwards. The specifics of each audit depend on the data breach itself and its causes.
In general, an audit may include:
- Reviewing the organization’s cybersecurity systems
- Analyzing causes of the data breach
- Creating a plan to prevent similar incidents in the future
- Reviewing policies and procedures to reflect lessons learned from the data breach
- Improving cybersecurity awareness among employees
By thoroughly implementing these steps, you can get a better understanding of the data breach that occured, discover its true causes, and determine the best pathway for mitigating its consequences.
Respond to data breaches with Ekran System
It’s extremely difficult to investigate a data breach and restore the full picture of what happened without detailed context. Ekran System can effectively help you in investigating a data breach.
By deploying Ekran System, you’ll get a full-cycle insider risk management platform that allows you to:
- Perform comprehensive user activity monitoring by collecting information about login and logoff times, requests to access sensitive assets, visited websites, keystrokes, etc.
- Prevent the incident from happening with Ekran System’s automated and manual incident response and alerting
- Use Ekran System’s robust built-in reporting tools to speed up and simplify the auditing process
Data breaches carry significant risks and can incur significant losses, so the sooner you deal with them, the better. Proper investigation will help you identify the extent of an incident and take measures to mitigate it in order to minimize the risks.
It’s best to have a set of measures prepared to respond to data breaches, such as an incident response plan and a pre-assembled response team. Coordinated actions and a consistent approach can significantly speed up the process of recovering after a breach.
Ekran System offers a rich set of features for data breach investigation and mitigation. Request a trial version of the platform to enhance your data breach protection.