Since the start of the COVID19 pandemic, the world has witnessed a massive shift towards implementing a remote-work model. The rapid acceleration of digital transformation, which became apparent with the increased adoption of the hybrid-cloud model by companies across the globe, has moved a significant volume of data and applications to the cloud. Moving to the cloud brought numerous benefits to enterprises. However, it also increased the cyber-attack surface of enterprises and made them more vulnerable to a plethora of cyber threats.

In today’s complex IT threat landscape, enterprises cannot guarantee complete security by just installing security solutions (such as Firewalls, IPS, NDR, and SIEM) and monitoring them to ensure they can detect malicious code. Enterprises also need to be prepared for cyber incidents once they occur, because regardless of a company’ implemented cyber defense strategy, no organization is 100% immune to cyberattacks. Due to the constant threat to cybersecurity, it is imperative to have an incident response plan ready to execute once a data breach is discovered.

When enterprises respond quickly to data breaches and other security incidents, it lowers the impact on the company’s most precious asset, data. As data privacy regulations continue to emerge worldwide (e.g., GDPR, PCI DSS, HIPAA), the cost of a data breach has increased significantly. A recent study conducted by IBM and the Ponemon Institute found that the average cost of a data breach in 2021 was $4.24 million. This number is expected to increase as more enterprises adopt digital-only solutions to run their business in the coming years.     

What is a Data Breach?

A data breach can be defined as any security incident where confidential information is stolen from a target system without data owner permission. As more companies leverage digital solutions to store customer and business data, the potential impact of a data breach rises and can have catastrophic consequences on the victim enterprise. For instance, breaching stored customer information in a database could make the victim enterprise subject to compliance fines, customer lawsuits, revenue losses, and reputation damage.

Many people think that outsiders are the main cause of data breaches; however, this is not always the case. Although some data breaches do come from outside hackers, others can come from inside an organization. For instance, negligent employees, malicious insiders, stolen or lost devices, misconfiguration errors in IT infrastructure or software solutions, and unintentional insider mistakes all provide opportunities for a potential data breach.  

Stages of a Data Breach

There are three main phases to a data breach. The first of which is Information Gathering, followed next by Attack Execution, and finally concluding with Data Exfiltration.

Information Gathering

Collecting information is the first and most important phase of a data breach. The adversary will collect as much information about the target system as possible to discover security vulnerabilities and any weakness that can be exploited to sneak into protected areas. Attackers commonly utilize Open Source Intelligence (OSINT) techniques to collect technical and non-technical information about their targets, whether that be individuals or enterprises. For example, attackers will use social media platforms to understand details about their target when creating a spear phishing email. Similarly, when researching a target organization’s IT system for security vulnerabilities, they will use different sources, including:

• Internet of Things search engine, such as Shodan
• Position requirements for vacant roles posted by the company to determine the type of IT infrastructure used by the organization
• Internet archives to view previous versions of the target company’s website because it may reveal valuable information, such as emails and phone numbers of key employees
• Metadata of target company files can reveal additional information about the software used to create these files and the users (authors) who create them
• A network scanner can be used to discover open services and protocols

Attack Execution

Now that the target enterprise’s security weaknesses or information about its key employees have been identified, the adversary can initiate the attack.

• If the adversary aims to attack the target company’s IT environment, it will exploit security weaknesses, such as open ports, unpatched servers and endpoints, operating systems, or outdated applications to gain a foothold in the target network.
• Suppose an adversary aims to execute a direct attack against an individual. In that case, the adversary has several options, the most common of which is preparing a phishing email containing malware or a phishing link. The intention of the phishing email is to deceive the recipient, convincing them the email is from a trusted source and that they can safely open the attachment (installing malware upon opening) or click on the phishing link (which would take the victim to a website pretending to be from a trusted entity and ask them to provide sensitive information).      

Data Exfiltration

After gaining access to the target company’s network, adversaries will begin extracting data. Some attackers launch a ransomware attack after extracting data to achieve two purposes: (1) to steal confidential information and sell it on the darknet for a high price, and (2) to demand a ransom, usually paid in Bitcoin, to decrypt the data back to its original status.

Investigating a Data Breach

Step 1: Detecting a Data Breach

The first step in investigating a data breach is detection. There are several signs to look out for to determine if a data breach has occurred, the most common include:

• Failed login attempts from a remote location
• Sudden file changes and database manipulation
• Strange files that unexpectedly appear in the system  
• User accounts that are abruptly locked out of the system – this could happen if attackers successfully stole the credentials of some users and changed their passwords
• Slow computing devices and a decrease in network and internet speed – these symptoms are associated with malware infection. When malware propagates across the network or encrypts files (as in the case of ransomware), it will consume computer resources.
• Leaked sensitive company information showing up in Pastebin and similar data leak repositories both on the surface and on the dark web

Step 2: Inform the Incident Response Team

After confirming a data breach has occurred, the incident response team should be notified immediately. Some companies outsource the incident response service to a third-party managed service provider, while others have an in-house team.

Actions that the victim company should perform in addition to informing the incident response team include:

• Recording the date and time the breach was first detected
• Isolating the infected network device
• If the breach is detected in multiple network places, disconnecting the entire network
• Interviewing the users or employees who discovered the data breach
• If the data breach resulted in exposing Personally Identifiable Information (PII) or Protected Health Information (PHI), regulatory bodies such as HIPAA, PCI DSS and GDPR should be notified
• Informing law enforcement
• Initiating a digital forensics investigation to understand the root cause of the incident

Step 3: Collect Digital Evidence

The third step in investigating a data breach is to gather evidence. In addition to conducting interviews with relevant employees regarding the breach, the incident response and security teams will also collect evidence from the following locations:

1. Security solution logs, such as Firewalls, IDS/IPS, email gateways, antivirus, and antimalware. SIEM can collect and view all log data in one dashboard.
2. Networking devices, such as routers and switch logs, should also be checked for any indicator of compromised evidence.
3. If the breached data was discovered on the darknet or a Pastebin website on the surface internet, an OSINT investigation into the person(s) who leaked the data should be performed.

Step 4: Containment, Eradication, and Recovery

The following urgent measures should be performed to prevent the data breach from spreading.

Containment

Isolate all infected devices, including servers and network segments. For example, if a ransomware infection affected the email server, it should be taken offline immediately.

Eradication

Disable the reasons for the data breach. For example, suppose the breach was conducted because of malware infection from a phishing email. In that case, the compromised user account should be temporarily disactivated. If the data breach resulted from exploiting a server vulnerability, then the security hole should be fixed through OS patch or updating outdated applications and closing any unnecessary services.

Recovery

After eradicating all compromised systems and accounts, the company should return to its regular work operation as quickly as possible to avoid further losses.

Step 5: Post-Incident Activities

After the data breach has been contained and work operations have stabilized, the final step is to analyze the cause of the data breach, specify the affected systems, identify the exposed data, and understand what is necessary to prevent similar data breaches from happening in the future.

A company’s main goals during the post-incident phase should be to:

• Update the company’s IT security policies to prevent similar security incidents
• Strengthen or update company cyber defense systems
• Revisit the incident response plan and revise for any inefficiencies that appeared during incidence handling

Summary

In today’s interconnected world, data breaches are unavoidable. It is imperative to have a robust data breach incident response plan so that your team can act promptly to contain the breach, prevent it from spreading, and lower the financial and reputational damage that your company may suffer.

How DruvStar Can Help

Our MDR service provides several important features that go beyond the scope of many standard MDR solutions, including:

• 24/7 monitoring by a team of dedicated security experts 
• incident response and escalation in line with the NIST cybersecurity standard 
• vulnerability management to help uncover configuration and credential exposure risks that endanger your digital assets and sensitive data
• comprehensive visibility through unlimited log access and event data
• cloud monitoring to identify cloud risks and simply cloud security
• SIEM technology included, which essentially makes it two solutions in one 
• compliance reporting capabilities

Contact us today to learn more about how we can help your business improve its information security posture.