What should a company do after it’s been hacked? It’s a question Target, Home Depot, Sony Pictures Entertainment and others have had to ask over the past year or so. And it’s likely that other organizations will be facing the same question over the coming months.
Getting hacked is never a good thing, especially when the result is stolen or compromised customer data. But how a company reacts to the attack can make all the difference in the long run.
A prompt and effective reaction can minimize the damage or at least paint the organization in a fairly positive light with customers, business partners and the community at large. A poor or sluggish reaction can make a bad situation worse, and cost a company for years to come.
Here are six key things to do after your company has suffered a security breach by a hacker.
1. Keep cool — and implement a coherent response plan.
The first thing to do after you are hacked is to implement your well-thought-out incident response plan. Assuming you have one. If not, you need to quickly put one together.
The plan of attack needs to include who should be in charge of the overall response effort, who else should be involved, what actions should be taken by which groups, which technology tools are needed for timely detection and rapid response, etc.
“It is easy to panic and start trying to control the damage,” says Eric Cole, a faculty fellow and director of the SANS Cyber Defense Program at the SANS Institute. “But very often, without a proper plan, you could actually be destroying evidence and making things worse.”
The plan should include determining the extent of the breach, identifying what data was compromised, deciding how best to work with the legal department to determine if disclosure to law enforcement and other authorities is required, figuring out how the attack compromised the organization as a whole, and performing damage assessment.
“Once a proper plan is in place, the focus should be on implementing the plan,” Cole says. During the implementation phase companies should focus on several key areas. One is containment.
“It is critical to make sure that the attacker is no longer in the network, once you start implementing the plan,” Cole says. “Attackers can be very aggressive, and if they know you are trying to clean up your systems and they still have access, they could cause significant damage.”
Typically, organizations should try to isolate or control traffic flow to minimize any further damage from the attack.
Another key area is eradication. “While being down during an incident is not ideal, it is critical to take the time to fix the problem to prevent reinfection,” Cole says. “Organizations very often during an incident try to rush and get back up and running as quick as possible, but do not properly fix all of the exposure points the attacker used to break in.”
If an adversary breaks in once, they will break in a second time if you don’t take the time to fix the problems.
A third area of implementation is recovery. Once the exposures that were used to compromise the system are fixed, the focus turns to recovering the data and getting the systems back up and running, Cole says. “It is critical to always verify the systems before they go live,” he says. “Very often during recovery, systems could be accidentally re-infected.”
Once the systems are verified, monitor them to make sure the attacker does not get back in. “The emphasis is not actively stopping the adversary, but to passively monitor the activities and make sure that they can no longer break in and re-infect the systems,” Cole says.
2. Pull together the incident response team.
“The incident response team should kick into gear after a breach to assess the situation,” says Tim Francis, enterprise lead for cyber insurance at Travelers.
The team should include IT, business leadership, human resources, public relations, legal and operations.
“You may wish to retain a breach coach, a lawyer with experience in security and privacy compliance issues, to assist in your defense and the interpretation of various state and federal regulations that may have been triggered following a data breach event,” Francis says.
3. Work with vendors and security experts as needed.
Many times companies will need the help of key vendors and security consulting firms to identify the cause of the breach and ensure that further attacks are stopped before they can do damage.
In early 2014, the Illinois Institute of Technology's virtual machine (VM) infrastructure was being exploited for use in a distributed denial of service (DDoS) attack aimed at a different university.
“We discovered that we had an unpatched vulnerability in our VMware platforms,” says Louis McHugh, computer systems manager and adjunct associate industry professor of IT and management at the institute.
“This was discovered by doing our own research on the issue and consulting directly with VMware support,” McHugh says. “All told, it was a simple NTP [network time protocol] reflection attack used to amplify the DDoS, as we were still using NTP to keep time on our servers.”
The patch was missed at that time because the institute was not following best practices guidelines, McHugh says. “We made the changes to the servers that were recommended by VMware in terms of patching and hardening them against future attacks.”
“We have also taken steps to harden all of the servers in our environment by turning off services that are not needed, establishing regular patching cycles for both Windows and Linux servers, and defending the network with a firewall on the edge routers,” McHugh says.
4. Deal effectively with legal concerns.
After there’s been a hacking incident, IT, security and other senior executives should meet with corporate and external legal teams to discuss the potential implications.
Lawyers “will also help address notice issues, as state laws differ, but there are also potential notice requirements in vendor contracts, including with credit card processors,” says Larry Kunin, chair of the data security and breach practice at law firm Morris Manning & Martin LLP.
Remediation of the problem might take a while because the root cause of the hack might not always be readily apparent, and companies need to take care to preserve any evidence, says Scott Vernick, head of the Privacy and Data Security Practice at national law firm Fox Rothschild.
“There’s always one eye toward what law enforcement or an enforcement agency may require, or litigation down the road,” Vernick says. You have to be careful to conduct investigations and remediations without disturbing the evidence. “This can include but is not limited to cloning the server, laptops and desktops; making images of documents so that you are investigating the image as opposed to the original,” he says.
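The point about investigating an image rather than the original, as an added example that is not part of the article: image a file, hash the original and the image, record the hash in a chain-of-custody log, and re-verify the image before each analysis session. File names and the sample evidence are constructed for illustration.

```python
"""Added example (not from the article): investigate a verified copy, not the
original. Image a file, hash original and image, log the result for chain of
custody, and re-verify the image before analysis. Names are constructed."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large images do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def acquire_image(original: Path, image: Path, custody_log: Path, examiner: str) -> dict:
    """Copy the original to an image, confirm both hashes match, and append
    a custody record. Refuses the image if the copy does not match."""
    before = sha256_of(original)
    shutil.copyfile(original, image)
    after = sha256_of(image)
    if before != after:
        raise RuntimeError("image hash does not match original; discard it")
    record = {"acquired_utc": datetime.now(timezone.utc).isoformat(),
              "examiner": examiner, "source": str(original),
              "image": str(image), "sha256": before}
    with custody_log.open("a") as log:
        log.write(json.dumps(record) + "\n")
    return record

def verify_image(image: Path, custody_log: Path) -> bool:
    """Confirm the image still matches the hash recorded at acquisition;
    any difference means the evidence was disturbed."""
    records = [json.loads(line) for line in custody_log.read_text().splitlines()]
    expected = [r["sha256"] for r in records if r["image"] == str(image)]
    return bool(expected) and sha256_of(image) == expected[-1]

def demo() -> tuple:
    """Constructed run: a clean image verifies; a modified one does not."""
    work = Path(tempfile.mkdtemp())
    original, image, log = work / "mail.db", work / "mail.db.img", work / "custody.jsonl"
    original.write_bytes(b"constructed sample evidence\n")
    acquire_image(original, image, log, examiner="analyst-1")
    clean = verify_image(image, log)
    image.write_bytes(b"constructed sample evidence (edited)\n")
    return clean, verify_image(image, log)
```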
The legal concerns are centered around potential government investigation, whether on a federal or state level; and making sure that under the relevant breach notification statutes stakeholders are informed, as well as business partners. “And then of course you have the potential litigation that flows from that,” Vernick says.
Some policies and procedures for reporting a hacking incident are determined by the state breach notification or by industry sector, Vernick notes. For example, if you’re in the healthcare area, it’s determined by the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH).
“The bottom line is that organizations should try to be as up front and transparent as possible,” Vernick says. “Some of that is difficult to do because usually it’s a moving target in terms of understanding what happens in developing the information. But certainly with respect to your stakeholders—particularly customers or employees or government agencies—the sooner you’re transparent and the more transparent you are, the better it generally ends up.”
5. Cover your insurance bases.
Following a breach, notify your agent and claims representative as soon as possible.
“You should be sure to have your IT staff gather and document facts surrounding the incident,” Francis says. “Network security event logs are often vital in helping verify the date, time and machine involved in an incident.”
Data should be categorized to understand whether personally identifiable information such as Social Security numbers or medical records, financial information, or other confidential data was compromised.
“This way, the organization can focus on protecting and securing its most confidential items,” Francis says. Document the time and man-hours spent on dealing with the attack as well as the cost of remediation.
6. Keep the lines of communication open.
It’s important to keep employees, customers, business partners and other interested parties up to date on what’s happening with regard to the attack, its impact and the organization’s response. Silence can imply incompetence, confusion or worse.
“Too often companies need to restate what they know about the breadth of a network breach,” says Darren Hayes, an assistant professor and director of cyber security at Pace University’s Seidenberg School of Computer Science and Information Systems.
“Companies like Target might still be unsure how many customer records were stolen,” Hayes says. “Therefore, inform all customers who need to be vigilant, and never be conservative with your estimates” about the impact of a hack.
Application developer Evernote is a good example of a company that was breached but exercised an “abundance of caution” with regard to informing people about the risks.
“They forced all users to reset their passwords, including those who had not been compromised,” Hayes says. “They informed customers through multiple communication channels about what was stolen and what was not stolen.”
Use sentiment analysis tools to identify and respond to customers voicing their concerns through social media. “We often think of sentiment analysis for marketing campaigns, but it can be highly effective in the aftermath of a breach,” Hayes says.
Along with effectively communicating, companies need to consider the psychological impact of a hack attack on employees and customers, especially if it involves a violation of emails or personally identifiable information.
“There is a profound sense of violation of our personal space if our company’s [system] is penetrated by an unauthorized person,” says Tom Keenan, professor of Computer Science and Environmental Design at the University of Calgary and author of the book Technocreep.
“Rightly or wrongly, most people assumed that emails are private,” Keenan says. “Companies should find appropriate professionals who can help people deal with the shock” of having private information made public, he says.