Introduction to Incident Response
What is incident response?
Incident response refers to the strategic actions taken by an organization to mitigate the impact of a cyber security or data loss event. The process includes detecting the attack, identifying affected data and systems, countering the effects, minimizing potential damage, identifying compliance and/or privacy risks caused by the event, mitigating risks caused by the event, and taking steps to avoid similar incidents in the future.
Why is incident response important for cyber security?
While cyber attacks, data breaches and other cyber security events are to be anticipated in today’s digital world, the effects those incidents have on a business can vary significantly. The severity of an incident often depends on how prepared the organization is, how quickly it can react, and how thorough its mitigation efforts are.
What are the consequences of not having an incident response plan?
Lacking an incident response plan leaves the organization and its staff to figure out how to react in real time — which creates opportunities for mistakes and can directly lead to higher incident response costs, a longer incident/event timeline, compliance issues and more.
Effectively responding to a cyber incident requires fast, informed, decisive action. Team members must know their roles and responsibilities to ensure steps are taken accurately and in the correct order.
An incident response plan maps out the appropriate actions and individual roles in advance to avoid mistakes.
How can incident response help mitigate damage and minimize downtime?
The longer a cyber event goes unattended, the greater the financial, operational and reputational damage can be. Quickly detecting and containing a cyber attack or data loss event can reduce the amount of data lost, the drop in productivity, the financial cost and the damage to the organization’s reputation. As part of mitigation, addressing the underlying cause or attack vector then helps avoid similar losses in the future.
32% increase in cyber incidents where notification is required during the first six months of 2024 (Source: TransUnion analysis of internal data)
How does incident response and breach notification help maintain customer trust?
Incident response safeguards the customer data driving today’s digital world. For consumers, this includes financial details, medical records and other personally identifiable information (PII). For businesses, it can be customer information, intellectual property (IP) and corporate finance data. A breach puts this data at risk, so customers may understandably be concerned. Fast, effective incident response and breach notification demonstrate a commitment to protecting that data — which helps reinforce customer trust.
What is the incident response lifecycle?
The incident response lifecycle is the strategic, deliberate process an organization takes in response to a cyber attack or other data loss event. It is designed to minimize data loss, reduce damage and restore normal operations. TransUnion® Incident Response generally describes a three-step lifecycle:
Understanding Security Incidents
What is an incident?
An incident is any cybersecurity event that could have a negative effect on an organization’s network or systems.
What are the types of incidents in cyber security?
Incidents generally fall into two categories:
What are the common causes of security incidents?
There are seven common ways a cyber incident can occur:
- Weak or compromised credentials, such as easily guessed usernames and passwords, provide access to company networks.
- Social engineering attacks trick individuals into divulging sensitive data and credentials or making fraudulent payments or fund transfers.
- Zero-day attacks exploit software vulnerabilities that are not yet known to, or not yet patched by, the vendor, giving attackers a way in before defenses exist.
- Malware (malicious software) gets loaded onto a victim’s system, giving attackers access to steal, corrupt or delete valuable data.
- Insider threats from disgruntled employees and contractors. Whether they’re motivated by greed or revenge, their access to company systems enables them to do real damage.
- Lax permissions give too many people access to valuable information, which can open the door to bad actors.
- User error results in improperly configured networks, storage or systems, giving bad actors an easy way to steal data.
Digital Forensics and Incident Response (DFIR)
What is digital forensics?
Digital forensics is the process of identifying, collecting, analyzing and preserving evidence from computer, storage and mobile devices that can be used to respond to and investigate a cyber event.
What’s the role of digital forensics in incident response?
An integral part of effective incident response, digital forensics gives the team the insights it needs to respond to a cyber event: in the short term, to establish what happened, mitigate potential damage and maintain compliance; in the long term, to reduce future risk and improve the organization’s resiliency.
Are there essential incident response forensics tools?
There are specific capabilities needed for incident response forensics. These include network and endpoint monitoring; workflow and data management; threat scanning, detection and neutralization; log preservation and analysis; and evidence collection. Many of these are available as commercial products or as open-source tools.
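The evidence-preservation capability above is easy to state and easy to get wrong: once artifacts are collected, every later analysis (and any later legal proceeding) depends on being able to show they were not altered. The following added example, which is not TransUnion’s code or code from the original page, shows the minimal mechanism a responder uses for that: hash every collected file, record the hashes in a manifest with a collection timestamp and collector name, and re-verify the files against the manifest later. The file names, log lines and the collector name "analyst-1" are constructed for the example.

```python
"""Build and verify a hashed evidence manifest (added example, constructed data)."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed sample artifacts standing in for logs collected from a host.
SAMPLE_ARTIFACTS = {
    "auth.log": "Jan 12 03:14:07 host sshd[1203]: Failed password for root "
                "from 203.0.113.5 port 52211 ssh2\n",
    "web_access.log": '203.0.113.5 - - [12/Jan/2025:03:15:01 +0000] '
                      '"GET /admin HTTP/1.1" 401 512\n',
}


def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large disk images do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, collector):
    """Record name, size and SHA-256 of every file in the evidence directory."""
    entries = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            entries.append({"file": name, "size": os.path.getsize(path),
                            "sha256": sha256_file(path)})
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "entries": entries,
    }


def write_manifest(manifest, path):
    """Persist the manifest as JSON; store a copy (or its hash) outside the evidence store."""
    with open(path, "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)


def load_manifest(path):
    with open(path) as fh:
        return json.load(fh)


def verify_manifest(evidence_dir, manifest):
    """Return (file, problem) pairs; an empty list means every artifact is intact."""
    problems = []
    for entry in manifest["entries"]:
        path = os.path.join(evidence_dir, entry["file"])
        if not os.path.isfile(path):
            problems.append((entry["file"], "missing"))
        elif sha256_file(path) != entry["sha256"]:
            problems.append((entry["file"], "hash mismatch"))
    return problems


def demo():
    """Collect, verify, then tamper with one file and verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        evidence_dir = os.path.join(workdir, "evidence")
        os.mkdir(evidence_dir)
        for name, content in SAMPLE_ARTIFACTS.items():
            with open(os.path.join(evidence_dir, name), "w") as fh:
                fh.write(content)

        manifest_path = os.path.join(workdir, "manifest.json")
        write_manifest(build_manifest(evidence_dir, "analyst-1"), manifest_path)
        manifest = load_manifest(manifest_path)

        before = verify_manifest(evidence_dir, manifest)      # expect []
        with open(os.path.join(evidence_dir, "auth.log"), "a") as fh:
            fh.write("Jan 12 03:16:00 host sshd[1203]: Accepted password for root\n")
        after = verify_manifest(evidence_dir, manifest)       # expect one mismatch
        return before, after, manifest


if __name__ == "__main__":
    before, after, manifest = demo()
    print("intact:", before == [])
    print("after tampering:", after)
```

The manifest itself is part of the evidence: keep a copy, or at least its hash, on separate write-once media or in the case file, since a manifest that lives beside the artifacts can be rewritten along with them. In production the collector would also record the source host, the acquisition method and the tool versions used, which is what turns a hash list into a chain-of-custody record.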
2x increase in the average severity score of third-party breaches in the past three years (Source: TransUnion, H2 2024 Update: State of Omnichannel Fraud Report)
How to build an incident response computer forensics toolkit
To build an incident response computer forensics toolkit, you’ll need to assemble several essential components, including:
Finally, policies that require regularly scheduled software updates and training for staff members will help ensure the toolkit will be effective in the constantly evolving threat landscape.
What are the latest trends and innovations in incident response services?
Courts in several states are increasingly certifying class action lawsuits with fewer potential victims. Companies are now dealing with legal expenses for cyber events involving as few as 200 individuals. The increased legal exposure means organizations need to have cyber insurance policies with limits that cover related legal expenses — and a cyber protection service that provides access to lawyers adept in handling cyber incident cases.
What are the different types of services involved in incident response?
When it comes to cyber security, incident response services touch on:
What should be considered when seeking digital forensics and incident response services?
You should thoughtfully consider the following factors:
- Comprehensive services: A quality IR partner will offer a holistic approach that includes services like continuous monitoring, threat hunting, vulnerability assessments and readiness training. Breach notification services, credit monitoring and identity protection services that support impacted individuals are also vital for post-event support.
- Assessment and preparedness services: Thorough risk assessments and readiness planning are essential. An IR provider should help identify key assets and ensure the organization recognizes potential attack vectors. The vendor should also provide regular training sessions so the organization’s staff responds appropriately if an incident occurs.
- Strategic IR planning: Creating a thorough, detailed incident response plan is crucial. Components of the plan should include steps to identify, contain and eradicate threats, as well as the specific roles and responsibilities of team members. Post-incident analysis and remediation steps should also be reflected in the plan, as should how affected customers and partners will be notified.
- Experienced team: The incident response vendor should be able to demonstrate it has a seasoned team to handle each phase of the response, including IR managers, security analysts, threat researchers, risk management specialists and legal professionals.
- Appropriate technology: IR providers should take advantage of tools such as security information and event management (SIEM) systems, which enable fast analysis of data from multiple sources to detect and react to security incidents.
- Proactive approach: While IR services are historically reactive in nature, addressing incidents after they occur, advances in technology and strategy now enable proactive IR services that can help stop incursions before they cause significant damage. Planning for how an organization will respond to a cyber event is also a key proactive measure.
Planning and Implementing an Incident Response Plan
What is an incident response plan?
An incident response plan is a formalized, written document designed to help an organization prepare for, react to and recover from a cyber security incident or data loss event. Tested, reviewed and approved by the organization’s senior leadership team, an incident response plan details roles and responsibilities during a cyber incident while outlining steps and guidelines to be followed.
What are the steps to develop and implement an effective incident response plan?
There are several stages organizations should follow when developing an IR plan:
- Create an incident response policy. This high-level policy will serve as a foundational document that drives all decisions for responding to a cyber event. It should name one senior leader as the primary authority when responding to an incident.
- Establish an incident response team. Staff members with the relevant skills and knowledge to tackle the necessary response tasks should be formed into an IR team that works with the senior leader responsible for incident response. Team members generally should represent cyber security, data owners, and management. The roles and responsibilities for each team member should be clearly defined and documented.
- Generate IR playbooks. While the IR policy is a general, high-level document, IR playbooks get into the granular details needed to respond to cyber events. These involve step-by-step instructions to guide the team when specific incidents occur, such as a data breach, suspected phishing attempt, ransomware attack, or a lost or stolen device.
- Develop a communications plan. Following a cyber incident, it’s often necessary to communicate with both internal and external audiences. Examples include sharing changes to security procedures with employees, breach notifications to customers, informing regulators of incident details and, in certain instances, alerting law enforcement.
- Conduct regular response exercises. While the IR plan details steps and roles, regular testing can help confirm employees know and can follow the plan. Running simulations can also identify potential gaps that can be addressed before they’re needed in a real-life situation. Regular training sessions ensure the plan is updated as team members change or threats evolve.
- Document lessons learned. When a cyber event happens, it can uncover new insights into the organization’s defenses and response effectiveness. The plan should specify a formal process for reviewing lessons learned during an event so procedures can be improved in advance of any future incidents.
What are the components of a well-designed incident response plan?
Since they’re intended to help reduce the damage from a cyber event, incident response plans should provide clear, well-organized guidance to restrict financial and reputational impacts. An effective plan clearly defines the roles, responsibilities, escalation requirements and action steps needed if an event occurs. It also lays out who should be notified when an incident happens. Consider following the best practices outlined in a cyber security framework offered by organizations like the Center for Internet Security (CIS) or National Institute of Standards and Technology (NIST).
1.1 billion victims had their data compromised during the first half of 2024 (Source: TransUnion, H2 2024 Update: State of Omnichannel Fraud Report)
How to create an effective incident response team?
Establishing an incident response team before any cyber events occur is critical, so that the plan, procedures and team assignments are in place before they’re needed. Organizations can use internal staff, external support or a combination of the two to draft, test and implement the plan. A member of senior leadership should be designated as the organization’s primary authority in responding to cyber events. That senior leader should work with a dedicated IR team whose members have the skills and knowledge needed to address an incident when one occurs. Functional stakeholders on the team typically include cyber security, IT, data owners, corporate communications, legal and management. Depending on the organization’s structure, size and number of incidents, IR teams might be assigned on a regional basis or run from a central location.
Best practices for incident response cyber security
Typically, the faster and more complete the response to an incident is, the better the outcome. To facilitate effective responses, an organization should:
- Develop an incident response plan in advance of any cyber event to help ensure a strategic and streamlined response when an event does happen
- Form an incident response team with the capabilities and knowledge needed to address the different aspects of reacting to a cyber event
- Establish clear communication channels so team members can react quickly and in concert, and escalate issues to the correct individuals when necessary
- Coordinate efforts with outside stakeholders, such as any managed service provider delivering IT services, relevant industry regulators and, in some cases, law enforcement
- Ensure adequate cyber security solutions are in place to detect and neutralize threats — while alerting IR team members to the incident
- Conduct detailed training and regular exercises so IR team members internalize their roles, responsibilities and action steps as laid out in the incident response plans
- Document any lessons learned in the wake of an incident, make necessary adjustments to reduce the risk of future incidents and conduct a transparent postmortem
- Consider outsourcing IR services that cannot be adequately handled by existing staff
Roles and Responsibilities Following a Data Breach
Who should consider incident response services?
Any organization relying on data for its operations should have an incident response plan in place. Considering the highly digital nature of today’s business world, most companies should plan some kind of incident response — whether that involves an internal team or external resources.
For the good of the organization, key decision-makers — from board members to executives — should work with IT and security personnel to best ensure a viable IR plan is implemented.
What do I do if I’ve experienced a data breach?
When an organization discovers it has experienced a data breach, there are several steps to take:
- Mobilize the incident response team to reduce the damage caused by the event
- Secure the organization’s networks and systems quickly
- Fix any vulnerabilities that may have contributed to the breach
- Conduct a digital forensics examination to detail the scope and source of the breach
- Consult with lawyers to ensure compliance with any regulatory or legal obligations
- Notify the appropriate parties, including individuals whose data may have been exposed in the incident, as well as law enforcement and regulatory agencies
How do I know if I need to notify customers following a data breach?
For business customers, notification is recommended if account access information has been compromised or the breached organization gathers and stores personal information on behalf of another business.
For consumers, the sooner they’re notified their data was compromised, the faster they can respond to protect themselves. Keep in mind, there are often legal requirements governing the notification of consumers depending on the type of information exposed (e.g. Social Security numbers, medical records), so being aware of those requirements is critical.
300% jump in victim notifications during the past three years (Source: TransUnion analysis of internal data)
After a data breach, when are notifications to potentially impacted individuals necessary?
States regulate the specific requirements organizations must follow in the wake of a cyber event. The rules governing when consumers must be notified are often determined by the nature of the compromise, type of information compromised, how likely that data can be misused, and what the damage from misuse might be. It is advisable that organizations access legal advisors familiar with IR regulations to ensure they’re meeting notification requirements.
Who can help me if I’ve had a breach?
After experiencing a data breach, an organization may find it does not have the internal resources necessary to adequately respond. A privacy attorney or breach advisor can help ensure the organization can access the resources needed to address its security posture, breach notification requirements and victim support responsibilities. Retaining incident response services like those offered by TransUnion can also streamline the response process to reduce potential disruptions, restore customer confidence, and prepare the organization for the future.
Continuous Improvements in Incident Response
Why should incident response plans be regularly updated?
Just as cybercriminals constantly adjust their attacks, organizations need to modify their IR plans to reflect evolving threats, new technologies, and changes in personnel and resourcing. In addition, organizations may uncover needed changes to the planned response while conducting simulations and regular training exercises. Keeping its IR plan up to date helps ensure an effective response when a cyber event occurs.
Are there training and awareness programs for incident response?
Several training programs are available to help organizations become familiar with incident response. Some are designed to help executives identify and organize the appropriate personnel to serve on their organization’s incident response team. Others provide technical training so an organization’s IT and cyber security teams can better monitor, detect and neutralize threats. Incident response services like those offered by TransUnion can guide an organization in the creation and testing of its IR plan before an event occurs.
What are the metrics and KPIs for measuring incident response effectiveness?
Measuring an organization’s IR effectiveness helps gauge likely downtime and how well the team reacts to cyber events. Common metrics include the duration of an incident, the frequency of incidents, mean time to detect (MTTD, from the start of attacker activity to detection), mean time to acknowledge (MTTA, from detection to a responder taking ownership) and mean time to resolution (MTTR, from detection to the incident being closed). These insights enable an organization to refine its IR plan so that response performance best ensures business objectives can be met despite a cyber event.
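The metrics above are only as good as the timestamps behind them, and a mean alone hides a single long-running incident. The following added example, which is not TransUnion’s code or code from the original page, computes MTTD, MTTA and MTTR from per-incident records, reports the median alongside each mean, counts incidents per month, and rejects records whose timestamps are out of order. The three incident records, their identifiers and their timestamps are constructed for the example; MTTR is measured from detection, which is one common convention and should be stated whichever way a team chooses.

```python
"""MTTD / MTTA / MTTR from incident records (added example, constructed data)."""
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, median

# Constructed incident records. "occurred" is the forensically established start of
# attacker activity; the other three fields come from the ticketing / alerting system.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-02T01:00:00", "detected": "2024-03-02T09:00:00",
     "acknowledged": "2024-03-02T09:30:00", "resolved": "2024-03-03T09:00:00"},
    {"id": "INC-2", "occurred": "2024-03-10T12:00:00", "detected": "2024-03-10T12:15:00",
     "acknowledged": "2024-03-10T12:30:00", "resolved": "2024-03-10T14:15:00"},
    {"id": "INC-3", "occurred": "2024-03-20T00:00:00", "detected": "2024-03-23T00:00:00",
     "acknowledged": "2024-03-23T00:45:00", "resolved": "2024-03-25T04:00:00"},
]

# Each metric is the interval between two named moments in a record.
METRIC_BOUNDS = {
    "mttd": ("occurred", "detected"),
    "mtta": ("detected", "acknowledged"),
    "mttr": ("detected", "resolved"),   # convention: resolution measured from detection
}


def _ts(value):
    return datetime.fromisoformat(value)


def interval_hours(record, start_field, end_field):
    """Hours between two timestamps; a negative interval means bad data, not a fast response."""
    delta = _ts(record[end_field]) - _ts(record[start_field])
    if delta < timedelta(0):
        raise ValueError(f"{record['id']}: {end_field} precedes {start_field}")
    return delta.total_seconds() / 3600


def metric_summary(records, start_field, end_field):
    """Mean and median of one interval across all records, in hours."""
    values = [interval_hours(r, start_field, end_field) for r in records]
    return {"mean": mean(values), "median": median(values), "max": max(values)}


def metrics_summary(records):
    """All three time metrics plus incident counts per calendar month."""
    if not records:
        raise ValueError("no incident records")
    summary = {name: metric_summary(records, *bounds) for name, bounds in METRIC_BOUNDS.items()}
    summary["per_month"] = dict(Counter(r["occurred"][:7] for r in records))
    return summary


if __name__ == "__main__":
    result = metrics_summary(INCIDENTS)
    for name in METRIC_BOUNDS:
        stats = result[name]
        print(f"{name.upper()}: mean {stats['mean']:.2f} h, "
              f"median {stats['median']:.2f} h, worst {stats['max']:.2f} h")
    print("incidents per month:", result["per_month"])
```

With these records the mean MTTD is 26.75 hours but the median is 8, because one incident went undetected for three days; reporting both tells leadership whether detection is slow in general or whether one blind spot skewed the quarter. The validation step matters in practice because "occurred" is usually backfilled by the forensics team after the fact, and a typo there silently turns into a negative detection time.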
Overview of Incident Response Software
What are the types of incident response software?
There are several types of incident response software used to safeguard and react to cyber incidents. These include a combination of security monitoring tools and threat intelligence platforms.
Among the common solutions used are attack surface management (ASM); intrusion detection and prevention systems (IDPS); endpoint detection and response (EDR); security information and event management (SIEM); security orchestration, automation and response (SOAR); and user and entity behavior analytics (UEBA).
The specific solutions used by an organization should be mapped out in its incident response plan.
What features should I look for in incident response management software?
When evaluating IR management solutions, an organization should prioritize capabilities that automate and orchestrate the response. Features of these solutions should include detecting incursions, alerting the organization to the incident, prioritizing responses based on the potential impact, analyzing the threat to identify the cause, managing workflows, initiating remediation steps, and documenting incident details and response for review later.
To help organizations enhance their IR capabilities, many of these solutions are incorporating machine learning and powerful artificial intelligence (AI) tools to streamline and automate the response — and better forecast future attacks.
What are the benefits of using incident response tracking software?
Incident response tracking solutions provide the organization with the insights needed to prepare for and respond to cyber events. The software can give the IR team greater visibility into how technologies, policies and procedures fare when responding to an event, enabling them to modify the IR plan accordingly. By helping the team manage situations more effectively to reduce downtime and potential damage, incident response tracking software also assists the organization in maintaining operational effectiveness, regulatory compliance and customer satisfaction.
Incident Response Resources
Recommended incident response frameworks and standards
Cyber security frameworks can provide a guide when structuring an IR plan. Consider following the best practices outlined in a proven framework offered by organizations like the Center for Internet Security (CIS), the SANS Institute, or the National Institute of Standards and Technology (NIST).
Training and certifications for incident response professionals
For security professionals assigned to their organizations’ incident response teams, or those looking to enhance their overall security skills, there are training and certification programs available that specialize in IR. Some of these certification programs include:
- CISSP from ISC2 (formerly (ISC)²)
- ECIH from the EC-Council
- GCIH from Global Information Assurance Certification (GIAC)
- CRIA from CREST (the Council of Registered Ethical Security Testers)
- CySA+ from CompTIA
Useful incident response tools and resources
While larger organizations might have the budget and internal expertise to run a robust incident response platform, small and mid-sized organizations might choose to run specific IR tools while retaining an incident response service, giving them access to the knowledge and experience needed to counter today’s threats.
Some common incident response tools include: