
YOU’VE BEEN BREACHED: EIGHT STEPS TO TAKE WITHIN THE NEXT 48 HOURS
By Scott Matteson

COPYRIGHT ©2018 CBS INTERACTIVE INC. ALL RIGHTS RESERVED.



INTRODUCTION
“A data breach itself is the second worst possible event that can occur in an organization; the mismanagement
of the communication about the response is the worst.” This observation comes from Exabeam chief security
strategist Steve Moore, who has tracked criminal and nation-state adversaries and led the largest healthcare
breach response in history. Moore added that the time spent on a breach, including audit, regulatory, and
litigation support, can last not months but years.

I previously covered 5 ways you can prepare for a breach, which can help reduce risks. If a breach still occurs
despite those precautions, however, here are eight things you should do within 48 hours to manage and contain
the situation as best as you can.

Regardless of the type of breach, these steps should apply—whether it involves a single device, a series of
systems, or a company-wide intrusion.

1. FREEZE EVERYTHING

Take affected devices off the network, but do not power them off or make any other changes just yet. The goal
is to stop any ongoing activity by cutting communication to and from the impacted systems without taking any
action that might erase clues, contaminate evidence, or otherwise inadvertently aid the attacker. Powering a
machine off destroys volatile state such as running processes, open network connections, and memory-resident
malware, which is exactly the evidence you will want in step 4.

In the case of virtual machines or other systems you can snapshot, take a snapshot now, including the guest's
memory if your hypervisor supports it, so that you have a recorded version of the system as it was while the
breach was occurring. You can analyze the snapshot later, offline.

2. ENSURE THAT AUDITING AND LOGGING ARE ONGOING

Keeping existing system auditing intact, and confirming that it has been operational throughout, is one of
the most useful things you can do to determine the scope of the breach and devise remediation. If auditing has
been disabled (to cover someone's trail, for instance), restore it before proceeding, and treat the period it was
off as a gap you cannot vouch for. Where you can, forward logs to a collector the affected systems cannot modify,
so that an attacker who still has access cannot rewrite the record. Intact logs will also help establish whether
breach activity is still occurring and when the breach can safely be determined to have concluded.
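As an added example (not from the article), here is a small Python check of the kind step 2 calls for: given syslog-style lines with ISO-8601 timestamps, it reports per-host silent periods longer than a threshold and flags lines matching known "auditing stopped" messages. The sample log lines are constructed, and the marker strings are assumed patterns rather than an exhaustive list; adapt both to the log format you actually collect.

```python
"""Verify that the audit trail is continuous across the incident window.

Added example, not from the TechRepublic article. Input is a list of
syslog-style lines ("<ISO-8601 timestamp> <host> <message>"); the sample
lines below are constructed for illustration.
"""
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)\s+(?P<msg>.*)$"
)

# Messages that indicate auditing was stopped or the log was tampered with.
# These are assumed patterns for the example, not an exhaustive list.
DISABLE_MARKERS = (
    "auditd: The audit daemon is exiting",
    "audit_enable=0",
    "log cleared",
)

# Constructed sample: web01 stops sending events for over an hour after its
# audit daemon exits; db01 reports continuously.
SAMPLE_LOG = [
    "2018-05-14T02:00:05 web01 sshd[2210]: Accepted publickey for deploy from 10.0.4.7",
    "2018-05-14T02:10:12 web01 CRON[2301]: (root) CMD (run-parts /etc/cron.hourly)",
    "2018-05-14T02:11:40 web01 auditd: The audit daemon is exiting",
    "2018-05-14T03:45:02 web01 auditd: Init complete, auditd listening for events",
    "2018-05-14T02:00:09 db01 sshd[990]: Accepted password for dba from 10.0.4.7",
    "2018-05-14T02:12:33 db01 CRON[1003]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse(lines):
    """Return (timestamp, host, message) tuples in time order.

    Lines without a parseable timestamp are skipped: they cannot prove
    continuity either way.
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["host"], m["msg"]))
    events.sort()
    return events


def find_gaps(lines, max_gap=timedelta(minutes=15)):
    """Return (host, gap_start, gap_end) for every per-host silence longer than max_gap.

    A gap is not proof of tampering (a host may simply be quiet), but every gap
    in the incident window is a period you cannot vouch for and must explain.
    """
    stamps_by_host = {}
    for ts, host, _ in parse(lines):
        stamps_by_host.setdefault(host, []).append(ts)
    gaps = []
    for host, stamps in stamps_by_host.items():
        for earlier, later in zip(stamps, stamps[1:]):
            if later - earlier > max_gap:
                gaps.append((host, earlier, later))
    return gaps


def find_disable_events(lines):
    """Return (host, timestamp, message) for lines matching a known disable marker."""
    return [
        (host, ts, msg)
        for ts, host, msg in parse(lines)
        if any(marker in msg for marker in DISABLE_MARKERS)
    ]


if __name__ == "__main__":
    for host, start, end in find_gaps(SAMPLE_LOG):
        print(f"{host}: no events between {start} and {end} ({end - start})")
    for host, ts, msg in find_disable_events(SAMPLE_LOG):
        print(f"{host}: {ts} {msg}")
```

Run against the real collector's export rather than the affected host's own files: if the attacker could edit the local log, a clean-looking local file proves nothing, and the gap check is only meaningful on a copy the host could not alter.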

3. CHANGE PASSWORDS OR LOCK CREDENTIALS

Changing passwords or locking credentials is a standard first move when preparing to investigate a data breach:
breaches commonly rely on compromised passwords and credentials, and resetting them helps ensure the breach
stops if it is still ongoing. Apply this step to every involved account, whether confirmed or merely suspected,
and do not limit it to human users. Service accounts, API keys, and SSH keys the attacker may have captured need
rotating too, and active sessions and tokens should be revoked, because on many systems a password change alone
does not invalidate sessions the attacker already holds.


4. DETERMINE THE IMPACT

Now the investigation starts. Figure out what happened here, what information was accessed, what systems were
compromised, and which accounts may have been utilized. You'll need the logs referenced above and the auditing
discussed in step 2. Determine and establish the scope of the breach to formulate how to solve it. Work outward
from what you know: every credential locked in step 3, every system it was used on, and the data those systems held.

5. DETERMINE HOW IT HAPPENED

It's not enough to remediate a data breach based on impact alone. You have to determine root cause or you may
simply be slapping a temporary Band-Aid on the situation. Did someone erroneously give out their password? Was a
system not patched for a particular vulnerability? Did someone plug an unauthorized laptop into the company
network, infecting the organization with malware? Or did an employee simply leave their unencrypted mobile
device in a taxicab and end up being blackmailed?

Moore said, “One thing that often gets missed: if your organization is being targeted it’s not uncommon for
multiple adversary groups to attack without awareness of one another. This could include attacking directly, via
supply chain, partners, subsidiaries, or contracted help.”
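As an added example (not from the article) covering steps 4 and 5 together, the Python below builds a per-account timeline from sshd-style authentication lines for the accounts locked in step 3: the union of hosts gives the scope of the breach, the earliest event points at the likely entry point, and the external source addresses show where the attacker came in from. The log lines, host names, and suspect-account list are constructed for illustration, and the internal address ranges are assumed to be the RFC 1918 blocks.

```python
"""Scope a breach from authentication logs: which accounts touched which hosts, and when.

Added example, not from the TechRepublic article. Lines are in a simplified
sshd-style format; the log, host names, and suspect accounts are constructed
for illustration.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
import re

AUTH_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>[\d.]+)"
)

# Assumed internal address space (RFC 1918); adjust to your own network plan.
INTERNAL_NETS = tuple(
    ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)

# Constructed sample: jsmith's password is used from outside to reach the VPN
# host, then from an internal address to reach db01; svc_backup is used from
# the same internal address shortly after. 203.0.113.0/24 is a documentation range.
SAMPLE_AUTH_LOG = [
    "2018-05-13T23:58:41 vpn01 sshd[4410]: Accepted password for jsmith from 203.0.113.25 port 51022 ssh2",
    "2018-05-14T00:03:17 web01 sshd[2210]: Accepted publickey for deploy from 10.0.4.7 port 40112 ssh2",
    "2018-05-14T00:05:02 db01 sshd[990]: Accepted password for jsmith from 10.0.4.20 port 40220 ssh2",
    "2018-05-14T00:09:45 file01 sshd[1201]: Accepted password for svc_backup from 10.0.4.20 port 40305 ssh2",
    "2018-05-14T00:12:09 web02 sshd[2250]: Accepted publickey for deploy from 10.0.4.7 port 40118 ssh2",
    "2018-05-14T00:40:51 db01 sshd[1010]: Failed password for jsmith from 10.0.4.20 port 40301 ssh2",
]


def build_timeline(lines, suspect_accounts):
    """Return {account: [(timestamp, host, source_ip, method), ...]} in time order.

    Only successful logins for the suspect accounts are kept; failures are worth
    a separate look but do not widen the scope, and unrelated accounts are ignored.
    """
    timeline = defaultdict(list)
    for line in lines:
        m = AUTH_RE.match(line)
        if not m or m["user"] not in suspect_accounts:
            continue
        timeline[m["user"]].append(
            (datetime.fromisoformat(m["ts"]), m["host"], m["src"], m["method"])
        )
    for events in timeline.values():
        events.sort()
    return dict(timeline)


def affected_hosts(timeline):
    """Every host a suspect account authenticated to: the scope of step 4."""
    return sorted({host for events in timeline.values() for _, host, _, _ in events})


def first_entry(timeline):
    """Earliest suspect login as (account, timestamp, host, source): the likely entry point for step 5."""
    candidates = [
        (ts, acct, host, src)
        for acct, events in timeline.items()
        for ts, host, src, _ in events
    ]
    if not candidates:
        return None
    ts, acct, host, src = min(candidates)
    return acct, ts, host, src


def external_sources(timeline):
    """Source addresses outside INTERNAL_NETS: where the attacker came in from."""
    sources = {src for events in timeline.values() for _, _, src, _ in events}
    return sorted(
        s for s in sources if not any(ip_address(s) in net for net in INTERNAL_NETS)
    )


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_AUTH_LOG, {"jsmith", "svc_backup"})
    print("affected hosts:", affected_hosts(tl))
    print("first entry:", first_entry(tl))
    print("external sources:", external_sources(tl))
```

In the constructed sample the internal source 10.0.4.20 appears for both suspect accounts after the first external login, which is the pattern to chase next: whichever host owns that address is in scope even though no suspect account logged into it directly.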

6. DETERMINE WHAT NEEDS TO BE DONE

Now comes the step where you build out your remedy to seal the hull of the ship from the iceberg damage, so
to speak. Establish whether you need to remotely wipe a stolen mobile device, update software, change network
firewall rules, segregate subnets, run anti-malware scans, increase logging and alerting, or take some other
technical step. Plan these out, then enact them immediately, and use the logging from step 2 to confirm afterward
that the activity has actually stopped. If the root cause from step 5 is not addressed, the attacker can simply
come back the same way.


7. COMMUNICATE THE DETAILS TO THE APPROPRIATE INTERNAL PERSONNEL

Technical steps aren't the only things you need to worry about. There's also the communication and notification
process. Whom do you have to involve to let them know the breach occurred, how it occurred, what details were
involved, and what has to be done? You may need to talk to legal, PR, the HR department, customer service, or
some other stakeholder group that has to be involved in the post-breach cleanup. Involve legal counsel early: in
many jurisdictions, breach-notification obligations run on a fixed clock from the time the breach is discovered.

8. MAKE PUBLIC ANNOUNCEMENTS AND PREPARE FOR RESPONSES

This is never going to be the most fun of these steps, but quite likely someone will need to make a
public announcement, perhaps in the form of a press conference, series of emails, social media posts,
website announcements, or some other form of communication that exists between the company and the
outside world.

Describe what the organization has done to remedy the breach, what it intends to do in the future, and what (if
any) steps customers should take to protect themselves, such as by changing passwords, contacting credit card
companies, or placing fraud alerts.

If possible, establish a hotline or name a specific group/contact information to address customer concerns
regarding this breach so they can answer questions and provide guidance.

AFTER THE BREACH

After the dust has begun to settle, you need to do a couple of additional things if you want to ensure that you
won't find yourself back in the same place:

• Identify areas for improvement. Every data breach occurs through some sort of gap: a gap in training,
awareness, security measures, technological capabilities, or some other point of entry. Figure out where the
gaps occurred so you can fill them in, likely with increased education and heightened compliance requirements,
then apply them as needed.

• Work on preventing the next breach. Focus on efforts to help reduce the risk of a recurrence. Improve
patching mechanisms if exploited vulnerabilities were the source of the breach. Mandate encryption if
company information was stolen from a micro-SD card in an Android tablet. Implement improved authentication
methods (two-factor authentication is highly recommended) where required. Consider other elements
that can help your company's chances in the future and apply them as necessary.

CREDITS

Global Editor in Chief: Jason Hiner
Editor in Chief, UK: Steve Ranger
Managing Editor: Bill Detwiler
Editor, Australia: Chris Duckett
Senior Features Editors: Jody Gilbert, Mary Weilage
Senior Editor: Conner Forrest
Senior Writers: Dan Patterson, Teena Maddox
Chief Reporter: Nick Heath
Staff Writer: Alison DeNisco Rayome
Associate Editor: Amy Talbott
Multimedia Producer: Derek Poore

Cover image: iStock/gorodenkoff

ABOUT TECHREPUBLIC

TechRepublic is a digital publication and online community that empowers the people of business and technology.
It provides analysis, tips, best practices, and case studies aimed at helping leaders make better decisions about
technology.

DISCLAIMER

The information contained herein has been obtained from sources believed to be reliable. CBS Interactive Inc.
disclaims all warranties as to the accuracy, completeness, or adequacy of such information. CBS Interactive Inc.
shall have no liability for errors, omissions, or inadequacies in the information contained herein or for the
interpretations thereof. The reader assumes sole responsibility for the selection of these materials to achieve
its intended results. The opinions expressed herein are subject to change without notice.

Copyright ©2018 by CBS Interactive Inc. All rights reserved. TechRepublic and its logo are trademarks of
CBS Interactive Inc. ZDNet and its logo are trademarks of CBS Interactive Inc. All other product names or
services identified throughout this article are trademarks or registered trademarks of their respective
companies.
