
Responding to a Breach

Chapter Description

In this sample chapter from Investigating the Cyber Breach: The Digital Forensics Guide for the Network Engineer, you will explore the basic concepts for proper incident response procedure to understand why organizations commonly fail at the process when responding to a breach. The authors also share techniques used by organizations that have a successful incident response plan and provide an overview of industry-proven components required to build an incident response process within your organization.

Assessing Incident Severity

Assessing the severity of a breach is impossible if the IRT does not understand the systems involved or the data those systems contain. Most administrators understand that a situation is really bad when personal or credit card information is lost. The challenging part is understanding the value associated with business-related data that is not as obvious as credit card or Social Security numbers. Usually, the value of business data is learned by speaking to the data owners directly. Another place to find the value of data is the business continuity plan, which addresses the different types of data and their associated sensitivity. Qualifying risk and value for the different parts of the organization should occur proactively, not reactively once the IRT is engaged. Mature organizations spend the time to properly develop a business continuity plan that sits within their risk management strategy.

How do you assess the severity of a breach? There are a few quantifiable methods that investigators can use:

  • Number of records stolen

  • Number of customers affected

  • Number of geographical regions affected

  • Difficulty of acquiring stolen data

  • Difficulty of breach containment

  • Difficulty of system security

These high-level methods help put a dollar amount on an incident, which is part of the process of determining how large a breach may have been. However, you must look beyond the number of records or other basic counts to determine the true extent of a breach. The Sony Pictures attack in 2014 affected a relatively small number of records but at the time had extremely wide implications. It forced Sony to forgo the mass release of the movie The Interview, in part because of the attack, which possibly led to millions of dollars’ worth of losses.
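The following is an added worked example, not code from the book or its authors, showing how the factors listed above can be combined into a repeatable severity score in which data sensitivity outweighs raw record counts. The sensitivity weights, the tier thresholds, and the two incident records are constructed for the illustration; a real IRT would take the data classifications from its data owners or business continuity plan.

```python
"""Added illustration of a breach-severity rubric built from the factors above.
Weights, tiers and the two incident records are constructed for this example;
they are not taken from the book or from any real organization."""
from dataclasses import dataclass
from typing import List

# Assumed sensitivity ranking for data classes. In practice this comes from the
# data owners or the business continuity plan, as the text describes.
DATA_SENSITIVITY = {
    "public": 0,
    "internal": 1,
    "pii": 3,
    "payment_card": 4,
    "trade_secret": 5,   # unreleased product, film, source code
}


@dataclass
class Incident:
    name: str
    records_stolen: int
    customers_affected: int
    regions_affected: int
    data_classes: List[str]
    exfiltration_confirmed: bool   # set only once exfiltration is shown, not assumed
    containment_difficulty: int    # 1 (trivial) .. 5 (still spreading), judged by the IRT


def magnitude(count: int) -> int:
    """Bucket a raw count into 0..5 points so one enormous number cannot
    swamp every other factor (100 -> 1, 1,000 -> 2, ... 1,000,000 -> 5)."""
    thresholds = (100, 1_000, 10_000, 100_000, 1_000_000)
    return sum(1 for t in thresholds if count >= t)


def score_incident(inc: Incident) -> int:
    """Combine volume, data sensitivity, containment effort and confirmed
    exfiltration into a single score (maximum 39 under these weights)."""
    volume = (magnitude(inc.records_stolen)
              + magnitude(inc.customers_affected)
              + min(inc.regions_affected, 5))
    sensitivity = max((DATA_SENSITIVITY[c] for c in inc.data_classes), default=0)
    exfil = 4 if inc.exfiltration_confirmed else 0
    # Sensitivity is weighted 3x: the class of data lost matters more than the row count.
    return volume + 3 * sensitivity + inc.containment_difficulty + exfil


def severity_tier(score: int) -> str:
    """Map a score to the tier the IRT would escalate on (constructed thresholds)."""
    if score < 10:
        return "low"
    if score < 20:
        return "medium"
    if score < 30:
        return "high"
    return "critical"


def rank_incidents(incidents: List[Incident]) -> List[str]:
    """Names ordered most to least severe by score, not by record count."""
    return [i.name for i in sorted(incidents, key=score_incident, reverse=True)]


# Constructed incidents: a large but low-sensitivity leak versus a small,
# high-sensitivity theft that is hard to contain.
NEWSLETTER_LEAK = Incident("newsletter-list", 250_000, 250_000, 2,
                           ["internal"], True, 1)
STUDIO_BREACH = Incident("unreleased-film", 5_000, 0, 1,
                         ["trade_secret", "pii"], True, 5)

if __name__ == "__main__":
    for inc in (NEWSLETTER_LEAK, STUDIO_BREACH):
        s = score_incident(inc)
        print(f"{inc.name}: records={inc.records_stolen} score={s} tier={severity_tier(s)}")
    print("ranked:", rank_incidents([NEWSLETTER_LEAK, STUDIO_BREACH]))
```

Run as a script, the smaller incident ranks above the larger one: 5,000 stolen records of trade secrets and personal data with difficult containment scores 27 (high), while 250,000 leaked internal records score 18 (medium). The bucketing in `magnitude` is what keeps a single large count from dominating; the 3x sensitivity weight is the rubric's way of encoding the point the text makes with the Sony Pictures example.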

As a cyber forensics investigator, you will likely need to understand what type of information may have been accessed during an incident and the potential value of the information accessed. Then you will need to determine whether exfiltration of the data actually occurred. Once you have established this, you will need to notify one or more parties of your findings.
