In this industry perspective, Thomas Hofmann, the Vice President of Intelligence at the firm Flashpoint* warns that the effects of data breaches can often be felt months or years after the actual incident, as stolen data bubbles up in underground marketplaces. He has three pieces of advice for companies that want to develop an incident response plan that mitigates the damage of breaches in the short term and over the long term.
Just as data breaches have become an all-too-familiar phenomenon, so too have the residual impacts of these breaches. It is not uncommon for the material exposed in a breach to resurface years later, often leading to more exposure and new information about the full extent of the initial incident.
In many cases, this second life of previously exposed material isn’t apparent until long after the breached organization has returned to “business as usual” (or BAU). Given that incident response (IR) plans aren’t traditionally designed to account for activity that occurs years later, many organizations are prepared neither to monitor for nor to address the long-term residual impacts of data breaches. The following best practices can help organizations minimize and mitigate the impact of a breach before, during, and after it occurs:
Be Proactive about InfoSec and OPSEC
Having near-perfect information security (InfoSec) and operations security (OPSEC) can’t always prevent breaches, but they can help minimize damage in the event a breach occurs. Appropriately storing sensitive data, maintaining stringent user-access controls, identifying and patching vulnerabilities quickly and effectively, and conducting frequent, enterprise-wide security awareness training go a long way toward mitigating the impact of future breaches.
If an organization encrypts customer data, for example, any exposure would be lessened for victims because encrypted data is difficult to abuse. However, the breach of an unencrypted database of customers’ personally identifiable information (PII) could have substantial ramifications, putting victims at risk for identity theft, doxxing, credential stuffing attacks, various types of fraud, and other crimes.
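The paragraph above makes the point that stored data which is encrypted (or, for credentials, hashed) is of little use to whoever obtains a copy. The following is an added example, not code from the article or from Flashpoint, that shows the narrower credential case: the same two user records stored in plaintext and stored as salted PBKDF2-HMAC-SHA256 hashes, and what each table reveals if it leaks. The iteration count, salt length and user names are my own constructed choices.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed parameters for this example; tune ITERATIONS to your hardware.
ITERATIONS = 200_000
SALT_BYTES = 16


def store_password(password: str, salt: Optional[bytes] = None) -> Dict[str, object]:
    """Return the record an application persists instead of the plaintext.

    A fresh random salt per record means two users with the same password
    produce different hashes, so a leaked table cannot be attacked in bulk.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify_password(record: Dict[str, object], candidate: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt = bytes.fromhex(str(record["salt"]))
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, int(record["iterations"])
    )
    return hmac.compare_digest(digest.hex(), str(record["hash"]))


def exposed_view(table: Dict[str, object]) -> Dict[str, str]:
    """What a leaked copy of a table shows per user: the raw value for the
    plaintext table, only the hash for the hashed table."""
    view = {}
    for user, value in table.items():
        view[user] = value if isinstance(value, str) else str(value["hash"])
    return view


def demo_tables() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Constructed sample: two users who chose the same password."""
    plaintext_table = {"alice": "correct horse", "bob": "correct horse"}
    hashed_table = {user: store_password(pw) for user, pw in plaintext_table.items()}
    return exposed_view(plaintext_table), exposed_view(hashed_table)


if __name__ == "__main__":
    leaked_plain, leaked_hashed = demo_tables()
    print("plaintext table leaked:", leaked_plain)   # both passwords readable, and identical
    print("hashed table leaked:   ", leaked_hashed)  # two unrelated hex strings
```

In the hashed table the two identical passwords no longer look alike, and neither record contains anything that can be replayed against another site, which is the difference between a breach that needs a password reset and one that exposes customers to credential stuffing elsewhere.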
Uphold Honest and Transparent Disclosure
Another reason to proactively maintain InfoSec and OPSEC stems from a crucial component of every IR plan: disclosure. While some degree of public backlash is to be expected following the public disclosure of a breach, organizations that 1) have upheld adequate security practices and 2) are honest and open about what happened, why it happened, the known extent of the damages, and how they plan to address these damages will likely face less backlash and be better equipped to handle any residual impacts that arise in the long term.
For example, a breached company that encrypts data, forces a reset of all passwords, and delivers prompt disclosure along with consumer fraud protection for all customers is in a much better position than a breached company that doesn’t encrypt data and makes the mistake of resetting passwords only for accounts estimated to have been compromised. Should it be revealed months or years later that the breadth of the breach was much greater, the company would need to concede that many accounts were subject to ongoing abuse and would then likely suffer the embarrassment of a second round of public disclosures and crisis control.
Indeed, one of the major dangers in failing to alert and reset passwords for all users following a breach is the increased risk of password reuse attacks. When credentials are left unknowingly exposed for a long period of time, customers who reused the same username and password combination across multiple websites face a significantly higher risk of being victimized in further attacks. As a result, the breached company would need to disclose not only the extent to which it miscalculated the scale of the breach, but also how it failed to protect customers’ data from years of abuse.
It’s also important to recognize that the frequent and sometimes unavoidable nature of security incidents in recent years has led to a generally greater sense of understanding and empathy toward organizations that suffer breaches. This is especially true when such organizations are honest and open about the details. The reverse, however, is also true: organizations that are not forthcoming can expect to feel the ire of customers and public opinion.
Augment Existing Incident Response Plans
Incident response plans are designed to help businesses evaluate, mitigate, and recover from a security incident as quickly as possible. This emphasis on short-term expediency and efficiency, however, means that the timelines of most IR plans don’t account for residual effects that could potentially occur years after a breach. As a result, organizations should ensure that their IR plans include the following:
- A long-term monitoring plan that can indicate when previously exposed material has resurfaced. These indicators can include relevant sale offerings or forum discussions on the “deep and dark web” (or DDW). It is essential for an IR plan to have ongoing visibility and monitoring capabilities throughout these less visible regions of the Internet.
- A plan for assessing the extent to which resurfaced material reveals any new information about the initial incident. When data from a past breach is offered for sale on the DDW, for example, details such as the authenticity, price, and specific contents of the sale offering, the identity of the vendor, the marketplace, and any related discussions on the DDW may provide greater insight into how the breach occurred, who was behind it, and what the full impact and extent might be.
- A plan for mitigating and disclosing any residual impact of past breaches. If an organization has practiced proper OPSEC and InfoSec, any previously exposed material that resurfaces is unlikely to result in substantial consequences. In any case, having an adequate, long-term disclosure plan in place is crucial should residual impacts arise.
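The three items above, together with the earlier warning about resetting only the accounts believed compromised, describe a recurring question: when previously exposed data resurfaces, does it confirm the scope already disclosed, or does it show the scope was underestimated? The following is an added example, not code from the article or from Flashpoint, of how a monitoring function could answer that. It assumes the organization keeps a pseudonymised index of its customer identifiers (keyed hashes, so the monitoring system never holds raw PII) plus the set of accounts covered by the original disclosure, and it compares a resurfaced dump against both. The key, the account names and the listing metadata are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set

# Constructed key for this example. A real deployment would keep it in a KMS;
# the point is only that the index stores HMACs of identifiers, not identifiers.
PSEUDONYM_KEY = b"example-only-pseudonymisation-key"


def pseudonym(account_id: str) -> str:
    """Keyed hash of a normalised identifier (case- and whitespace-insensitive)."""
    normalised = account_id.strip().lower().encode("utf-8")
    return hmac.new(PSEUDONYM_KEY, normalised, hashlib.sha256).hexdigest()


def build_index(account_ids: Iterable[str]) -> Set[str]:
    return {pseudonym(a) for a in account_ids}


@dataclass
class Triage:
    """Outcome of comparing a resurfaced dump against what was already known."""
    known_in_scope: List[Dict] = field(default_factory=list)  # covered by the original disclosure
    newly_exposed: List[Dict] = field(default_factory=list)   # ours, but outside that scope
    not_ours: List[Dict] = field(default_factory=list)        # identifiers we never held

    @property
    def scope_underestimated(self) -> bool:
        return len(self.newly_exposed) > 0


def triage_dump(dump: Iterable[Dict], customer_index: Set[str], incident_scope: Set[str]) -> Triage:
    """Classify each record of a resurfaced dump without touching raw PII in the index."""
    result = Triage()
    for record in dump:
        p = pseudonym(record["account"])
        if p not in customer_index:
            result.not_ours.append(record)
        elif p in incident_scope:
            result.known_in_scope.append(record)
        else:
            result.newly_exposed.append(record)
    return result


def recommend(t: Triage) -> List[str]:
    """Follow-up actions in the spirit of the article: reset, disclose, reassess."""
    actions = ["Record the listing metadata (source, price, date) in the incident file."]
    if t.scope_underestimated:
        actions.append(
            f"Extend the forced password reset and notification to the "
            f"{len(t.newly_exposed)} newly exposed accounts (or to all accounts)."
        )
        actions.append("Issue an updated disclosure: the originally stated scope was too small.")
    if t.not_ours:
        actions.append(
            f"{len(t.not_ours)} records are not ours: check whether the dump merges "
            f"several breaches before treating it as new evidence about ours."
        )
    return actions


def run_example() -> Triage:
    """Constructed scenario: four customers, two disclosed originally, a dump of four rows."""
    customers = build_index(["alice@example.com", "bob@example.com",
                             "carol@example.com", "dave@example.com"])
    original_scope = build_index(["alice@example.com", "bob@example.com"])
    resurfaced_dump = [  # constructed listing rows; note the differing case on the first
        {"account": "Alice@Example.com", "source": "forum-A", "listed": "2021-03-02"},
        {"account": "bob@example.com", "source": "forum-A", "listed": "2021-03-02"},
        {"account": "carol@example.com", "source": "forum-A", "listed": "2021-03-02"},
        {"account": "mallory@other.example", "source": "forum-A", "listed": "2021-03-02"},
    ]
    return triage_dump(resurfaced_dump, customers, original_scope)


if __name__ == "__main__":
    triage = run_example()
    print("known:", len(triage.known_in_scope), "new:", len(triage.newly_exposed),
          "not ours:", len(triage.not_ours))
    for line in recommend(triage):
        print("-", line)
```

Normalising identifiers before hashing matters in practice, since resurfaced dumps are rarely formatted the way the source database was; the example treats `Alice@Example.com` and `alice@example.com` as the same account. The `not_ours` bucket is the signal for the second list item above: rows that never belonged to the organization suggest the dump has been merged or padded and should be weighed accordingly before it changes the incident's story.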
Regardless of how commonplace data breaches have become, it is important to remember that the consequences of these incidents can be severe. While organizations with even the most robust defenses aren’t immune to breaches, those with proper InfoSec and OPSEC, honest and transparent disclosure policies, and comprehensive and strategic IR programs tend to be far more prepared to minimize and mitigate the short- and long-term impacts of a breach.
(*) This post is sponsored by Flashpoint, which is a supporter of The Security Ledger.