How to Investigate, Contain, Recover From Breaches

Data breaches and cyber-security incidents are becoming more complex and far-reaching, extending to every department in an organization. A swift, effective response is critical: Left unchecked, breaches can result in enterprise-wide damage that can affect a company’s stock price and customer confidence.

That’s the central message of the “2017 Verizon Data Breach Digest,” which draws from real-world cyber-investigations by Verizon’s RISK (Research, Investigations, Solutions and Knowledge) Team. The report identifies common scenarios and provides a detailed analysis of how each attack occurred, the tactics and techniques used, and recommended countermeasures.

“The digest is designed to help businesses and government organizations understand how to identify signs of a data breach, important sources of evidence, and ways to quickly investigate, contain and recover from a breach,” said Bryan Sartin, executive director, the RISK Team, Verizon Enterprise Solutions.

Today’s threats take various forms, often involving some combination of human factors, hardware devices, exploited configurations and malicious software. “Continued research into our recent caseload supports our initial inklings that just over a dozen or so prevalent scenarios occur at any given time,” the study’s authors stated. Researchers concluded that nine incident patterns account for more than 90 percent of data breaches. Among the most common are insider and privilege misuse, cyber-espionage and crimeware.

One situation highlighted in the Data Breach Digest involves attacks on mobile devices that are used by employees when they travel. Airport security personnel might hold a device and extract data, for example, or WiFi hotspots could serve as rogue access points to embed malicious software in a device.

When one client suspected malicious activity, the RISK Team confirmed it, resolved the case and suggested, among other things, that employees be given dedicated travel smartphones and laptops that can be wiped and rebuilt after every trip.

Another scenario concerns internet of things (IoT) devices, which attackers can easily conscript into a botnet by brute-forcing default and weak passwords. One preventive measure: Place IoT devices on separate networks that are air-gapped from other critical networks whenever possible.

Five Steps to Take in the Aftermath of a Breach

The Verizon experts recommend that companies have a strategy in place before a breach actually occurs in order to recover as quickly as possible. To help minimize damage, organizations should be ready to take these five steps in the aftermath of a breach:

  • Preserve evidence and consider consequences of every action taken.
  • Be flexible and adapt to evolving situations.
  • Establish consistent methods for communication.
  • Know your limitations and collaborate with other key stakeholders.
  • Document actions and findings, and be prepared to explain them.

The digest, which focuses on experiences rather than metrics, is a companion to the annual Data Breach Investigations Report. The DBIR is full of statistics, metrics and insights into the who, what, where, when and how of data breaches and cyber-security incidents.

In explaining how to use the two reports, Sartin advised, “Use the Data Breach Investigations Report to frame your argument for enterprise change; use the Data Breach Digest to illustrate why such change is needed.”