Security response and the 'Richter Scale' of incidents
Anthony Di Bello explains how it is necessary to understand the scale of various security incidents and their ramifications to provide a measured response.
Anthony Di Bello, director, strategic partnerships at Guidance Software
The seismic shockwaves of a cyber-security incident can ripple through an organisation in minutes. However, incidents differ significantly in terms of both their severity and their ramifications for an organisation. From minor incidents with minimal impact on an organisation's sensitive data assets, to those involving millions of lost records and widespread negative publicity, their scale can vary widely.
Having the ability to quickly determine the size and nature of a breach matters, because, whether it's a large-scale DDoS attack, phishing attack, loss of a USB or an intrusion on an individual PC, the decisions made in determining what has happened, to whom and where, will govern the level of response required – and this has a serious business trade-off.
In the immediate aftermath of an incident, big decisions need to be made, swiftly, on what happens next: over-estimate the threat and you risk unnecessarily wiping data from machines, shutting down systems and making unnecessary wholesale changes to the business. On the flip side, under-estimate the threat and the consequences can be devastating: from the legal and financial to the reputational costs associated with a large-scale breach. A nuanced response, which objectively takes into account the nature and scope of the threat, on a case-by-case basis, will help to ensure that the magnitude of the response fits the magnitude of the breach.
Critical factors of measurement
Measuring the scale of an incident may not be as straightforward as applying a mathematical calculation; however, we can identify the key questions to which response teams will need answers. Once a threat has been identified, you need to understand its scope, the extent of the compromise and its ongoing capabilities.
What type of data is affected?
Probably the most significant starting point for determining the scale of the threat is assessing the type of data that has been targeted. Assessing whether an incident poses a clear threat to sensitive data will inform the next decisions made in response. Clearly an incident involving a large amount of sensitive data – credit or debit card information, social security data, names, addresses and phone numbers – will require a highly coordinated response. This will also determine the legal and regulatory impact of the incident.
This is why it's important to have mapped exactly where sensitive data is held and to prioritise responses based on the sensitive data profile. This can save countless hours of inventory that would need to be performed in the heat of the moment after a cyber-attack.
The number of endpoints affected
Once you have uncovered a genuine threat, you need to discover how far it has spread and the specific endpoints on which it has been unleashed. If specific devices are at risk, then who owns them and what data is on them? Has it impacted those at the highest level with access to critical data—the CEO or CFO? From here you can prioritise the response.
The number of devices affected can be surprisingly difficult to determine in multi-location or multi-site organisations handling thousands of endpoints. Devices are lost or stolen, and personnel leave an organisation or move departments. However, keeping a handle on ownership of devices is critical in assessing the risk and mitigating the impact of a breach. This intelligence becomes vital information that can be used in minutes to fight the attackers early.
Status: what stage has the data breach reached?
Are you in the middle of data exfiltration? Is an attacker merely testing your defences? Is data leaking from the building right now? If so, what steps need to be taken to close it down quickly? Early detection provides a window of opportunity to cut off the attacker's access to data before there is opportunity for exfiltration.
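To make the three measurement questions above concrete, here is an added worked example that is not part of the article and not a Guidance Software tool. It scores an incident on a logarithmic, Richter-like magnitude from the type and volume of data on the affected endpoints, the number of endpoints, whether a privileged owner (such as a CEO or CFO) is among them, and the stage the breach has reached, then maps that magnitude to a response tier. The data categories, weights, stage multipliers, tier thresholds and the two sample incidents are all hypothetical values chosen for illustration; the per-endpoint record counts are the kind of information a pre-breach sensitive-data inventory is meant to supply.

```python
"""Incident magnitude triage (added example; weights and thresholds are hypothetical)."""
from __future__ import annotations

import math
from dataclasses import dataclass
from enum import Enum


class Stage(Enum):
    PROBING = 1        # attacker is testing defences, no confirmed foothold
    INTRUSION = 2      # foothold on one or more endpoints, no data leaving yet
    EXFILTRATION = 3   # data is leaving the building right now


# Relative sensitivity per record (hypothetical weights, not from the article).
DATA_WEIGHTS = {
    "public": 0.0,
    "internal": 0.5,
    "pii": 1.0,           # names, addresses, phone numbers
    "payment_card": 2.0,  # credit or debit card data
    "ssn": 2.0,           # social security data
}
UNKNOWN_CATEGORY_WEIGHT = 1.0  # conservative default: unclassified data counts as sensitive

# Later stages leave less time to act, so they scale the magnitude up (hypothetical).
STAGE_MULTIPLIER = {Stage.PROBING: 0.5, Stage.INTRUSION: 1.0, Stage.EXFILTRATION: 1.5}
PRIVILEGED_OWNER_BONUS = 1.0   # one extra point when a high-access owner is affected


@dataclass
class Endpoint:
    hostname: str
    owner: str
    privileged_owner: bool       # owner has access to critical data (e.g. CEO/CFO)
    data_records: dict[str, int]  # data category -> record count held on the device


@dataclass
class Incident:
    name: str
    endpoints: list[Endpoint]
    stage: Stage


def data_exposure(incident: Incident) -> float:
    """Weighted count of records at risk across all affected endpoints."""
    total = 0.0
    for ep in incident.endpoints:
        for category, count in ep.data_records.items():
            total += DATA_WEIGHTS.get(category, UNKNOWN_CATEGORY_WEIGHT) * count
    return total


def magnitude(incident: Incident) -> float:
    """Richter-like magnitude: log10 of exposure plus log10 of endpoint count,
    a bonus for privileged owners, scaled by how far the breach has progressed."""
    exposure = data_exposure(incident)
    n_endpoints = len(incident.endpoints)
    base = math.log10(1 + exposure) + math.log10(1 + n_endpoints)
    if any(ep.privileged_owner for ep in incident.endpoints):
        base += PRIVILEGED_OWNER_BONUS
    return round(base * STAGE_MULTIPLIER[incident.stage], 2)


def response_tier(m: float) -> str:
    """Map a magnitude to a response level (thresholds are hypothetical)."""
    if m < 1.0:
        return "monitor"              # watch, collect evidence, no disruption
    if m < 3.0:
        return "contain-endpoint"     # isolate the affected devices remotely
    if m < 5.0:
        return "coordinated-response" # IR team, legal and communications engaged
    return "crisis"                   # executive-level incident, regulators notified


def triage(incident: Incident) -> dict:
    """Answer the three questions at once: what data, how many endpoints, what stage."""
    m = magnitude(incident)
    return {
        "incident": incident.name,
        "data_exposure": data_exposure(incident),
        "endpoints": len(incident.endpoints),
        "privileged_owner_hit": any(ep.privileged_owner for ep in incident.endpoints),
        "stage": incident.stage.name,
        "magnitude": m,
        "tier": response_tier(m),
    }


# Constructed sample incidents (hypothetical hostnames, owners and counts).
PHISHING_ON_ONE_PC = Incident(
    name="phishing link clicked on one workstation",
    endpoints=[Endpoint("ws-017", "jdoe", False, {"internal": 20})],
    stage=Stage.PROBING,
)
EXFIL_FROM_FINANCE = Incident(
    name="active exfiltration from finance systems",
    endpoints=[
        Endpoint("cfo-laptop", "cfo", True, {"payment_card": 50_000, "pii": 50_000}),
        Endpoint("fin-db-01", "svc-finance", False, {"pii": 100_000}),
        Endpoint("fin-db-02", "svc-finance", False, {"pii": 100_000}),
    ],
    stage=Stage.EXFILTRATION,
)


if __name__ == "__main__":
    for inc in (PHISHING_ON_ONE_PC, EXFIL_FROM_FINANCE):
        print(triage(inc))
```

The log scale is the point of the design: ten times more exposed records adds one point, not ten, so a lost USB with a few hundred internal documents and a breach of hundreds of thousands of card records land several tiers apart, while the stage multiplier means the same exposure scores higher once exfiltration is confirmed than while the attacker is still probing.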
The framework of assessment and response
These questions are fundamental to assessing the scale of the incident and should be set within a wider framework of security detection and response, which incorporates the following:
- Know yourself: Create a security plan, build a baseline, identify your blind spots, and close the gaps.
- Detect: Detect known threats, then detect unknown threats.
- Respond: Automate response, enable remote investigation, analyse malware, and determine its scope.
- Recover: Remediate, verify and update, enrich data, and repeat.
Properly managing cyber-breaches when they occur requires understanding the risk that each threat poses. This means that, when an incident strikes – whether it's high-level or relatively minor – we can apply a measured response that balances security with the needs of the business.
Contributed by Anthony Di Bello, director, strategic partnerships at Guidance Software