Experiencing a Data Breach? 8 Steps for Effective Incident Response

Data breaches have been all over the news lately. Understanding how to prevent them—and what to do when they happen—is essential to every organization’s operational success.

A well-prepared enterprise has an incident response plan (IRP) ready to deploy in the event of a breach. These plans involve immediate communication with legal counsel, followed by engagement with an incident response team. SentinelOne advocates for a proactive approach, emphasizing the importance of evidence identification and data preservation to manage the situation effectively.

In this blog post, the SentinelOne Vigilance Respond Team provides key recommendations and best practices for strong breach management, including the eight key steps for responding to breaches. Making the right series of decisions directly after discovery of a breach can help organizational leaders secure their operations and get the support they need.

A Brief Refresher | What Is a Data Breach?

It’s important to start with the basics: What exactly is a data breach? A data breach is an unauthorized access or exposure of sensitive or confidential information. They can be caused by a wide variety of factors, including hacking, malware attacks, malicious insiders, or even innocent human error. Regardless of their origin, the repercussions of successful data breaches are often dangerous and far-reaching, potentially leading to the loss of personal, financial, or proprietary information in the short term, and loss of revenue, brand trust, and reputation in the long run.

Have You Been Breached? | Eight Next Steps to Take During a Security Event

Incident response revolves around structured processes designed to identify and manage cybersecurity incidents. Before such incidents occur, well-prepared organizations will have collaborated with stakeholders, security leads, and department heads to map out business and industry-specific risks and create a response plan tailored to the needs of their business. Incident response plans formally document roles and responsibilities, determine threshold criteria for defining an incident, and plan for containment, business continuity, and ongoing recovery.

When breaches happen, organizational leaders are expected to act fast to preserve evidence and support an efficient investigation. These eight steps are the foundation for a robust and effective response.

1. Engage Legal Counsel & Incident Response

Organizations are required to navigate a complex landscape of legal obligations and both internal and external communication plans. While often varying by region or industry, these obligations usually involve notifying those affected, informing relevant authorities, and taking steps to minimize the spread and mitigate future risks.

Additionally, companies may need to disclose details of the breach to regulatory bodies depending on what compliance frameworks are applicable to them. Always inform your internal or external counsel of a potential cybersecurity event. Once counsel is engaged, contact your incident response retainer provider.

2. Keep Affected Endpoints Online

While reactive legal and compliance considerations are critical immediately after a breach, security leaders can also take on a proactive approach based on preserving data and evidence.

To do so, do not shut down any suspected compromised endpoints. Random Access Memory (RAM) contains valuable evidence but when systems are shut down, that RAM is permanently lost.

3. Disconnect from the Network

Disconnect suspected compromised systems from the network. There are a few ways you can do this:

For endpoints deployed by SentinelOne – Quarantine the suspected systems so they can only connect to the SentinelOne platform.
For endpoints deployed by other providers – Disconnect wired networks and turn off all wireless connectivity.
For all endpoints – Consider segmenting the compromised network from the clean network (e.g., virtual local area networks (VLAN) and network access control lists (ACL). This can assist with continuing business operations for non-impacted networks.

4. Identify & Preserve Evidence

Identify potential sources of evidence in all firewalls, intrusion detection systems (IDS), virtual private networks (VPN), antivirus solutions (AV), event logs). Ensure that they are configured to preserve evidence and will not automatically roll over older logs.

5. Collect IOCs & Samples

Collect all known indicators of compromise (IOCs) and malicious code samples. This may include suspect IP addresses or domains, hashes, PowerShell scripts, malicious executables, ransom notes, and any other known or suspected items that may contribute to an investigation.

6. Prepare for Restoration

Review and prepare to restore network functionality via any backup solutions, if applicable. What is important here is to make an effort to preserve forensic images of compromised systems prior to restoring clean images. Failure to preserve such evidence may hinder a successful investigation. Ensure backups are viable and clean before proceeding with any restoration efforts.

7. Develop a Timeline

Prepare a timeline of known suspect events that shows when the attack is believed to have started and the most recently identified malicious activity.

8. Identify Endpoints

Attempt to identify endpoints that have exhibited suspicious activity, specifically with an effort to identify the first impacted system (patient zero), and potential sources of exfiltration.

Understanding Additional Steps After Breach

The aftermath of a data breach can be complex and difficult to manage, and it can take a significant amount of time and resources to recover from the damage. Be aware that the most difficult part of a data breach isn’t necessarily the evidence preservation, system restoration, or even the legal and financial implications.

When sensitive data is compromised, it can cause serious damage to the business’s reputation and erode customer trust. Following these eight steps is a great way to begin restoring that trust and brand reputation, but keep in mind that this is just the beginning.

Mitigating Future Breaches

To avoid future data breaches, organizations can ensure that strong security measures are put in place across their systems. Recommended best practices include:

Investing in robust cybersecurity solutions such as extended detection and response (XDR) and managed detection and response (MDR) ensures a holistic approach to defense.
Implementing strong authentication methods such as multi-factor authentication (MFA) or role based access control (RBAC) to prevent unauthorized access to systems and data.
Conducting regular security assessments and audits to identify and address vulnerabilities.
Regularly monitoring and analyzing network traffic to identify and respond to potential threats.
Implementing data encryption and other security controls to protect sensitive data from unauthorized access.
Creating and communicating a well-defined incident response plan to key leaders across the organization to guarantee quick and effective response in the face of a potential data breach.
Developing partnerships with cybersecurity experts and organizations to gain access to the latest threat intelligence and security solutions.
Regularly monitoring and analyzing network traffic to identify and respond to potential threats.
Providing training and education to employees on data security and best practices.

Conclusion

Security breaches can come from a number of different sources and the implications are complex and far-reaching. For organizations that have been affected by a data breach, there are immediate steps that ensure evidence is preserved and an effective investigation can take place. Once systems are restored, organizations may need to work with their stakeholders, security providers, and regulatory bodies to deal with legal, financial, and any potential long-term challenges.

As threat actors constantly refine their methods, organizations need to stay responsive. XDR empowers organizations to refine their security approaches and stop attacks before they can become all-out breaches. SentinelOne offers Singularity XDR, a leading solution in the security space powered by autonomous response. Learn how Singularity leverages artificial intelligence (AI) and machine learning (ML) to respond across entire security ecosystems and protect each attack surface.

If you’re currently experiencing a breach, please call us immediately at 1-855-868-3733.