Quick: What’s a data breach? The answer is simple: A data breach occurs when an unauthorized person gains access to confidential data. 

What happens next is not so simple. An attacker can take that confidential data and modify or delete it. Or, they can exfiltrate it and share it with others. All of these acts have serious negative consequences for the entity that is breached.  

This article deals with what can be done about this threat. It discusses data breach response, along with the importance of developing a coordinated data breach response strategy. Effectively responding to a breach involves coordinating people, processes, and technologies that typically span multiple departments of an organization. The response actually starts before the breach occurs, with preparation and preventive measures.

Understanding Data Breaches

There are many different kinds of data breaches. Some are stealthy, such as those mounted by intelligence services. For example, it is suspected that Chinese intelligence operatives breached systems at aerospace companies and exfiltrated the digital plans for the F-35 fighter jet. The attack was not evident to the target for quite some time afterward. 

Other attacks are immediately obvious, with the attacker leaking embarrassing information to the public, for example by publishing the stolen data through a site such as WikiLeaks. 

While one goal of a data breach can be the theft of data, another may be to install malware in a data repository. Ransomware is the common case: some ransomware attacks announce themselves at once, encrypting data in real time, while others lie dormant until activated. Either way, the attacker encrypts the target’s data and holds it for ransom. 

Causes of Data Breaches

Attackers have a wide range of attack vectors to choose from when mounting a data breach. 

  • Stolen Credentials: Attackers exploit weak or reused passwords, or run phishing campaigns, to take over legitimate user accounts

  • Brute Force: Attackers guess passwords by trial and error, or replay credentials leaked in earlier breaches (credential stuffing), until a login succeeds

  • Man-in-the-Middle: Attackers use network exploits to intercept data as it moves between systems

  • Social Engineering: Attackers take advantage of human interaction and error to extract credentials directly from users
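The first two vectors above leave a recognizable trace in authentication logs: a burst of failed logins from one source, either against a single account (brute force) or sprayed across many accounts (credential stuffing), often followed by a success that is the actual account takeover. The following script, an added example and not code from the original article, runs that detection over a constructed sshd-style log. The log format, the sample lines, the five-minute window and the threshold of four failures are all assumptions chosen for illustration.

```python
"""Flag brute-force and credential-stuffing patterns in auth log lines.

Added illustration, not the article's code. The log format, thresholds and
sample lines below are assumptions constructed for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (sshd-like format, documentation IP ranges, not real data).
SAMPLE_LOG = """\
2024-03-01T08:00:01 sshd: Failed password for alice from 203.0.113.5
2024-03-01T08:00:02 sshd: Failed password for alice from 203.0.113.5
2024-03-01T08:00:03 sshd: Failed password for alice from 203.0.113.5
2024-03-01T08:00:04 sshd: Failed password for alice from 203.0.113.5
2024-03-01T08:00:05 sshd: Failed password for alice from 203.0.113.5
2024-03-01T08:00:06 sshd: Accepted password for alice from 203.0.113.5
2024-03-01T08:10:00 sshd: Failed password for bob from 198.51.100.7
2024-03-01T08:10:01 sshd: Failed password for carol from 198.51.100.7
2024-03-01T08:10:02 sshd: Failed password for dave from 198.51.100.7
2024-03-01T08:10:03 sshd: Failed password for erin from 198.51.100.7
2024-03-01T08:10:04 sshd: Accepted password for frank from 198.51.100.7
2024-03-01T09:00:00 sshd: Failed password for alice from 192.0.2.10
2024-03-01T09:30:00 sshd: Accepted password for alice from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)$"
)


def parse(log_text):
    """Turn matching lines into event dicts; lines in other formats are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["result"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect(events, window=timedelta(minutes=5), threshold=4):
    """Return one alert per source IP with >= threshold failures inside a sliding window.

    kind is 'brute_force' when the failures hit one account and
    'credential_stuffing' when they are spread over several accounts.
    success_after lists accounts that logged in from the same IP at or after the
    failure that crossed the threshold: the likely takeover to investigate first.
    """
    fails = defaultdict(list)     # ip -> [(ts, user), ...] failed logins
    accepted = defaultdict(list)  # ip -> [(ts, user), ...] successful logins
    for e in events:
        (accepted if e["ok"] else fails)[e["ip"]].append((e["ts"], e["user"]))

    alerts = []
    for ip, fl in fails.items():
        fl.sort()
        start = 0
        for end in range(len(fl)):
            # shrink the window from the left until it spans at most `window`
            while fl[end][0] - fl[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = sorted({u for _, u in fl[start:end + 1]})
                kind = "brute_force" if len(users) == 1 else "credential_stuffing"
                later = [u for ts, u in accepted[ip] if ts >= fl[end][0]]
                alerts.append({"ip": ip, "kind": kind, "failures": count,
                               "users": users, "success_after": later})
                break  # one alert per IP is enough for triage
    return alerts


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        print(a)
```

On the sample, 203.0.113.5 is flagged as brute force against alice with a success right after, and 198.51.100.7 as credential stuffing that ended with frank's account accepted; the single typo-then-success from 192.0.2.10 is left alone. A fixed window will miss low-and-slow attempts spread over hours, so in practice this is one signal to correlate with impossible-travel checks and new-device logins, not a complete detector.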

Impact of Data Breaches on Businesses

A data breach can be a disaster. Or, it can be a nuisance. But even a minor breach will require a response that includes remediation of affected systems and notification of key stakeholders. 

Regardless, dealing with a data breach means a lot of work and a not insignificant outlay of funds.

Costly breach response tasks include:

  • Forensic analysis of the origin of the attack and its impact on systems and data

  • Remediation of affected systems

  • Restoration of data that was deleted or modified in the breach

  • Determination of the extent of the breach and the scope of affected parties, e.g., customers and partners

  • Notification of relevant parties, including regulators (e.g., California authorities under the CCPA), customers, insurance carriers, etc.

  • Payment of fines, e.g., for violations of the EU’s GDPR

  • Determination of legal liability, if any

  • Handling customer, media, and investor inquiries

Paying for these activities can add up. According to research from IBM, a data breach in 2023 cost $4.45 million on average, a 15% increase over the previous three years.

And these costs don’t factor in reputational damage, which can be severe. For example, a financial firm with a brand built on the perception of trust could lose the confidence of the marketplace by mishandling the loss of customer data to hackers. In addition, regulatory fines can be significant; GDPR violations, for example, can cost up to 20 million euros or 4% of worldwide annual turnover, whichever is higher. And the scope of regulations affecting data breach reporting and remediation continues to grow.

The Need for a Data Breach Response Plan

If you’re not eager to spend $4.45 million and take a forced digression from regular business operations, it’s essential that your organization develop and implement a coherent data breach response plan.

A data breach response plan is a must-have. Without one, you’re responding to a potentially business-ending crisis without a script. If you are caught unprepared for a breach, you’ll have to improvise a response, which can extend the length, damage, and cost associated with a data breach. 

A good plan can mitigate some of the liability and regulatory impacts of a breach. The plan demonstrates your commitment to security and “due care” in handling sensitive data. In the event of a breach—and it is probable that every organization will experience one at some point—the plan guides your people through the response process. It makes the experience as simple and economical as possible.

A data breach response plan can be a part of an overall business continuity plan.

The Four Key Elements of a Data Breach Response Plan

What makes for an effective data breach response plan? While every plan is different, adapting to the unique needs of a given organization, the best plans all adhere to a similar template. Loosely speaking, they follow the lifecycle of the breach itself, starting with the preparation that happens before any attack occurs. Here are the four key elements of a data breach response plan:

Prepare

Breach prevention starts with strong overall cybersecurity countermeasures. If it’s hard to break into your environment, you’ve reduced your breach risk. 

It also makes sense to implement breach preparation practices like sensitive data discovery. Knowing what data you have and where it is can be very useful if you experience a breach. It also helps to have a firm grasp of user roles—who is who—and what data they have access to.

Also, seek the support of experts who can translate your organization’s cybersecurity strategy into concrete cyber resilience procedures. When a cyber incident occurs (and research shows, a cyber incident likely WILL occur), it’s essential to keep a cool head and follow the plan. 

A key part of that plan: having a good backup and recovery system in place. That way, if data is damaged or rendered unusable, you can quickly get operations back up and running again. With automated runbooks, your cybersecurity team can recover mission-critical and sensitive data by pushing a single button labeled “Start Cyber Recovery.” Data held in an isolated recovery location is then copied back into production, in accordance with the recovery plan.

Deflect and Neutralize Inbound Threats

Being prepared for a breach also means being able to discover and identify threats that could put your data at risk. This involves data threat analytics: threat monitoring technology that scans your data and backups for signs of compromise, which in turn supports threat hunting. 

For example, a system like Rubrik Threat Monitoring can automatically identify indicators of compromise within backups using an up-to-date threat intelligence feed. Working this way, it’s possible to identify malware lurking in your infrastructure. Threat hunting involves analyzing backup snapshots and discovering malware that could lead to reinfection during data recovery. In parallel, the process looks for uninfected snapshots to use in recovery. Note that indicator matching only finds threats the feed already knows about, so it complements rather than replaces behavioral monitoring. 

Contain and Eradicate Successful Breaches

If you suffer a breach, you will want to limit the damaging “blast radius” of the attack and figure out what was affected. 

From there, it’s best to move on to containment, which is about closing off pathways for malicious actions and malware to cause more damage. For example, if the attacker breaches one SQL Server instance, they should not be able to move laterally to the next instance, and so forth. 

Accomplishing this goal depends on controls put in place before the breach, such as network segmentation or a zero trust architecture. With zero trust, each user and workload is granted only the minimum access it needs, so a compromised account or host reaches far less, a practice that minimizes the impact of a breach.

Recover and Remediate

Once a breach occurs, a quick and complete recovery is necessary. But how do you restore the latest version of your enterprise data without reintroducing a vulnerability or exploit that predated the breach?  Here, the choice of backup and restore systems is critical.

The right solution will be one that enables rapid recovery. In the case of ransomware, recovery may be possible without paying a ransom if you maintain an air-gapped or immutable copy of your data. That way, the attackers cannot encrypt or delete your backups. Also, you can hunt for threats in your recovery system before restoring, preventing reinfection. With such a recovery solution in place, you can quickly resume IT operations without much interruption.
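The threat-hunting step described here, and under “Deflect and Neutralize Inbound Threats” above, comes down to a concrete question: which is the newest snapshot that is actually clean? The most recent backup is not always the answer, because an implant can sit dormant in several nightly backups before the ransomware detonates. The script below is an added example, not Rubrik’s code or any product’s API. It scans a constructed series of snapshots against a constructed indicator feed (file hashes plus path patterns) and picks the recovery point. The snapshot layout, file contents, feed entries and dates are all assumptions for illustration.

```python
"""Scan backup snapshots for indicators of compromise and choose a recovery point.

Added illustration, not code from the article or from any backup product.
Snapshots, file contents, hashes and IoC patterns are constructed for the example.
"""
import fnmatch
import hashlib
from datetime import date


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-in for a malicious binary (any bytes would do for the demo).
DROPPER = b"constructed stand-in for a malicious dropper binary"

# Constructed threat-intel feed: known-bad file hashes and path patterns.
IOC_HASHES = {sha256(DROPPER)}
IOC_PATH_PATTERNS = ["*/README_TO_DECRYPT.txt", "*.locked"]

# Constructed nightly snapshots as (date, {path: file_bytes}), oldest first.
SNAPSHOTS = [
    (date(2024, 3, 1), {"C:/Data/ledger.xlsx": b"q1 figures",
                        "C:/Data/contracts.docx": b"msa v3"}),
    (date(2024, 3, 2), {"C:/Data/ledger.xlsx": b"q1 figures rev2",
                        "C:/Data/contracts.docx": b"msa v3"}),
    # Implant lands under an innocuous name; user data is untouched, so a size or
    # change-rate check on this backup would look perfectly normal.
    (date(2024, 3, 3), {"C:/Data/ledger.xlsx": b"q1 figures rev2",
                        "C:/Data/contracts.docx": b"msa v3",
                        "C:/Windows/Temp/update.bin": DROPPER}),
    # Detonation: data encrypted, ransom note dropped, implant still present.
    (date(2024, 3, 4), {"C:/Data/ledger.xlsx.locked": b"\x8f\x13\xa0opaque",
                        "C:/Data/contracts.docx.locked": b"\x02\x77\xc4opaque",
                        "C:/Windows/Temp/update.bin": DROPPER,
                        "C:/Data/README_TO_DECRYPT.txt": b"pay us"}),
]


def scan_snapshot(files, ioc_hashes=IOC_HASHES, path_patterns=IOC_PATH_PATTERNS):
    """Return [(path, reason)] for every file in one snapshot that matches an IoC.

    Hash matches are checked first: they catch a known binary regardless of
    what it was renamed to. Path patterns catch encryption artifacts and notes.
    """
    findings = []
    for path, content in files.items():
        if sha256(content) in ioc_hashes:
            findings.append((path, "hash matches threat feed"))
        elif any(fnmatch.fnmatch(path, pat) for pat in path_patterns):
            findings.append((path, "path matches IoC pattern"))
    return findings


def choose_recovery_point(snapshots):
    """Walk snapshots newest-first and return (first_compromised, newest_clean).

    newest_clean is the snapshot to restore from. first_compromised is the
    earliest snapshot in the contiguous run of bad ones; the gap between the two
    dates is the dwell time the attacker had before anything visibly broke.
    Returns (first_compromised, None) if no clean snapshot exists.
    """
    first_bad = None
    for taken, files in reversed(snapshots):
        if scan_snapshot(files):
            first_bad = taken
        else:
            return first_bad, taken
    return first_bad, None


if __name__ == "__main__":
    for taken, files in SNAPSHOTS:
        print(taken, scan_snapshot(files))
    print("recovery point:", choose_recovery_point(SNAPSHOTS))
```

On the sample data the newest snapshot (March 4) shows four hits, March 3 shows only the renamed dropper via its hash, and March 2 is the recovery point. Restoring “the latest backup” would have reintroduced the implant; restoring March 2 does not, at the cost of one day of data that forensics then has to reconcile. Because the hash and path lists only know about threats already in the feed, a real hunt pairs this with anomaly signals such as a sudden jump in file entropy or in the number of files changed per snapshot.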

A breach requires follow-up, too. This might include a thorough forensic investigation to determine the cause of the attack and a process to ensure that any vulnerabilities that led to it are remediated. Follow-up might also involve bolstering cyber defenses. It should also include a deep search for “implants.” Attackers, especially with ransomware, often leave hidden malware behind so they can return and cause more damage. It’s best if you can discover and eliminate these embedded threats before they are used again.

Five Best Practices for Data Breach Response

The reality of cybersecurity is a bit of a mixed blessing: there have been so many data breaches that we have a rich set of best practices to draw upon for data breach response. But all responses have one common element: keeping people and organizational factors in focus when dealing with a breach. The response process requires people from different parts of a business to work well together. Communication is essential.

From there:

  • Be timely: Ideally, you’ll detect and respond to the breach before it does serious damage; failing that, rapid awareness is still the capability to build. From there, the faster you can take the required recovery steps and notify key stakeholders, the better off everyone will be. Note that many regulations set a clock on notification (GDPR, for example, requires reporting to the supervisory authority within 72 hours of becoming aware of a breach), so the plan should already name who decides and who notifies. 

  • Test regularly: As technology changes in an organization and people change roles, it’s imperative to test the breach response and update it accordingly.

  • Maintain compliance: If you follow the relevant compliance rules and conduct mandatory reporting, you will find that you’ve already done a fair amount to mitigate the impact of a data breach, e.g., by implementing strong access controls.

  • Monitor your data: Always be watching your data for anomalies and other signals that a breach is under way or about to take place.

  • Never stop improving: Learn from others and work on getting better at data breach response.

Data Breach Case Study: Ransomware Mitigation

The Lewis County Public Utility District (LCPUD) serves 35,000 customers in Washington State and was the target of a ransomware attack in 2019. Almost instantly, the utility’s data was encrypted and the attackers demanded a shocking $10 million ransom to decrypt it. This potentially devastating incident turned out to be a minor inconvenience, however, because the utility had previously implemented the Rubrik Security Cloud.

With Rubrik Security Cloud, LCPUD’s data was backed up in immutable form. The attackers could not encrypt or delete it, so the data was safe—and easy to restore. The data was recovered and all systems were up and running in just two hours. 

The Future of Data Breach Response

Data breach response will have to keep evolving, because attackers are not standing still. The future of data breaches is likely to include more sophisticated and difficult-to-detect threats, but also new modes of extortion. The simple encrypt-decrypt ransomware attack is rapidly being replaced by multi-faceted extortion attacks. For example, in a double extortion attack, the attacker steals the target’s data and threatens to leak or sell it in addition to locking it up, which means a good backup alone no longer ends the incident. A triple extortion attack might add a Denial of Service (DoS) attack or other modes of disruption to the original ransomware demand.

Preparing for the Inevitable Breach 

The risks are high. A data breach is likely, if not inevitable. And, the threats are significant, as are the costs of handling a breach. For these reasons, the best practice is to be prepared with a thoroughly thought-through and tested data breach response plan. Rubrik Security Cloud can help. Rubrik enables you to protect your data, monitor data risk, and recover data and applications so you can keep your business moving forward.
