
Identifying and containing a data breach

A data breach can have many consequences, including financial losses, legal action, damage to reputation, and loss of trust in the affected organization.

To deal with the threat effectively and remedy the situation, the first step is to confirm and identify the incident, then contain it. 

The reflex sheets (fiches réflexes) from InterCERT France (in French) offer practical advice for following these steps one by one. Here is a summary.

Prerequisites for classifying a data leak

Effective coordination of people and resources is essential for classifying a data leak. The teams involved need access to the administration and monitoring interfaces of the information system and its security equipment, to the directory of emergency contacts (internal, customers, partners, etc.), and they must be informed of business priorities.

In addition, the organization must open a logbook that records: 

  • The date and time of the action or event (with the time zone, or in UTC, so that entries can be correlated with system logs)
  • The name of the person or department that detected or reported the event
  • A detailed description of the action or event, and the progress of the actions taken

This log allows you to track the actions that follow the security event and share feedback to improve coordination and efficiency. Let’s now move on to the steps required to assess a data breach.
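
The logbook can be kept in a spreadsheet, but because it may later be handed to legal counsel or an authority it is worth making it append-only and tamper-evident. The following is an added example, not code from the InterCERT France reflex sheets: each entry carries the three fields above plus the SHA-256 of the previous entry, so that any later edit or deletion breaks the chain. The entries in `demo()` are constructed.

```python
"""Append-only, hash-chained incident logbook (added example)."""
import hashlib
import json
from datetime import datetime, timezone


def _entry_hash(fields: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    blob = json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


class IncidentLog:
    GENESIS = "0" * 64  # prev_hash of the very first entry

    def __init__(self):
        self.entries = []

    def record(self, reporter: str, description: str, when=None) -> dict:
        """Append one entry; `when` defaults to the current UTC time."""
        ts = (when or datetime.now(timezone.utc)).isoformat(timespec="seconds")
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries) + 1,
            "timestamp": ts,
            "reporter": reporter,
            "description": description,
            "prev_hash": prev,
        }
        entry["hash"] = _entry_hash(entry)  # hash covers every field except itself
        self.entries.append(entry)
        return entry

    def verify(self):
        """Walk the chain; return (True, None) or (False, first bad seq)."""
        prev = self.GENESIS
        for e in self.entries:
            fields = {k: v for k, v in e.items() if k != "hash"}
            if e["prev_hash"] != prev or _entry_hash(fields) != e["hash"]:
                return False, e["seq"]
            prev = e["hash"]
        return True, None


def demo():
    """Constructed scenario: two entries, then a silent edit of the first."""
    log = IncidentLog()
    t0 = datetime(2024, 5, 3, 9, 12, tzinfo=timezone.utc)
    log.record("SOC L1", "DLP alert: 2.1 GB upload from WS-0421 to unknown host", when=t0)
    log.record("IR lead", "Confirmed exfiltration; WS-0421 isolated via EDR", when=t0.replace(minute=40))
    ok_before, _ = log.verify()
    log.entries[0]["description"] = "DLP alert: false positive"  # tampering
    ok_after, bad_seq = log.verify()
    return ok_before, ok_after, bad_seq


if __name__ == "__main__":
    print(demo())
```

Verification walks the chain from the first entry, so the result names the earliest entry that was altered; everything after it is suspect as well.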

Assess the data breach 

Confirm the data breach 

Identify the source of the data breach alert 

A data leak can be reported internally by an employee or a partner; it can surface externally through the media, social networks, or a claim by the attackers themselves; or an exfiltration can be detected by security equipment or network analysis tools.

Verify the credibility of the data leak report 

At this stage, the report must be validated: is the source of the report reliable (CTI providers, official institution, CERT, etc.)? Is a sample of the data available? Was this data already publicly accessible? Is this a recent leak or an aggregation of previous leaks? Has the organization’s data been leaked, or is the organization simply mentioned? If the leak has been claimed, who is behind the claim and is it a proven threat? Has any abnormal behavior been observed on the information system?

Determine whether the data leak concerns the organization or a third party 

If the leaked data is published, further investigation is useful to verify whether this data comes from the organization’s information system or from third parties.

Also, in the event of suspected data exfiltration, particularly where usernames and passwords are involved (since they can be replayed to log in), any traffic or behavior anomalies can be investigated and monitored using an EPP or EDR.

All of these elements together aim to confirm or rule out a data leak. If a data leak is confirmed, the source of the data must be identified.
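
The credibility questions above (is a sample available, was it already public, is it our data or a third party's) can be answered mechanically for the common case of a leaked credential dump. The following is an added example, not code from the InterCERT France reflex sheets. It assumes the organization knows its own mail domains and keeps fingerprints of records from earlier public leaks (hashes only, never plaintext); the sample dump and the prior-leak corpus are constructed.

```python
"""Triage a leaked credential sample: is it ours, and is it new? (added example)"""
import hashlib
from collections import Counter

ORG_DOMAINS = {"example.com", "example.fr"}  # assumption: the organization's domains


def _fp(email: str, password: str) -> str:
    """Fingerprint of a normalized email:password pair; the corpus stores only these."""
    return hashlib.sha256(f"{email.strip().lower()}:{password}".encode()).hexdigest()


# Constructed: records already seen in earlier, public leaks.
KNOWN_PUBLIC = {
    _fp("alice@example.com", "Winter2019!"),
    _fp("bob@example.com", "qwerty123"),
}

# Constructed sample as an attacker might post it: mixed case, junk, third parties.
LEAKED_SAMPLE = """\
alice@example.com:Winter2019!
bob@example.com:qwerty123
carol@example.com:Spring2024$
dave@partner.net:hunter2
# filler line padded into the dump
Erin@EXAMPLE.COM:Tr0ub4dor&3
"""


def parse(sample: str):
    """Yield (email, password) from 'email:password' lines; skip anything else."""
    for line in sample.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        email, password = line.split(":", 1)
        email = email.strip().lower()
        if "@" not in email:
            continue
        yield email, password


def triage(sample: str) -> dict:
    """Classify each record as third_party, already_public or new_for_us and
    derive an overall verdict for the credibility check."""
    counts = Counter()
    new_accounts = []
    for email, pw in parse(sample):
        domain = email.rsplit("@", 1)[1]
        if domain not in ORG_DOMAINS:
            counts["third_party"] += 1
        elif _fp(email, pw) in KNOWN_PUBLIC:
            counts["already_public"] += 1
        else:
            counts["new_for_us"] += 1
            new_accounts.append(email)
    total = sum(counts.values())
    if total == 0:
        verdict = "no parseable records"
    elif counts["third_party"] == total:
        verdict = "not our data"
    elif counts["new_for_us"] == 0:
        verdict = "aggregation of old leaks"
    else:
        verdict = "new leak involving our accounts"
    return {"counts": dict(counts), "verdict": verdict, "new_accounts": new_accounts}


if __name__ == "__main__":
    print(triage(LEAKED_SAMPLE))
```

Only the "new_for_us" accounts justify escalating to the containment phase; an "aggregation of old leaks" verdict is the usual outcome for recycled combolists and should be recorded in the logbook rather than treated as a fresh incident.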

Identifying the source of leaked data 

A data leak can be linked to human error or malicious intent. 

It may involve information from a database, an application, emails, files on a user’s workstation, usernames and passwords, etc., and may originate from internal or external equipment (web server, public GitHub or GitLab, personal device, internal network, etc.).

Examining traces and configurations (authentication and system logs, access rules, suspicious access, etc.) then helps teams understand what may have caused the data leak. Correlation with other events may also reveal a broader compromise than the data leak itself, which must likewise be identified and contained.

Assess the scope of the data leak 

Analyzing the scope of the leaked data requires answering the following questions: 

  • What is the nature of the data (business data, customer data, data related to a single project or multiple projects, etc.)?
  • Is it old or recent?
  • How much data has been leaked, and could a larger volume be published after the fact?
  • Does the data leak pose a risk to other systems inside or outside the organization? 

Assessing the impact of the data leak 

The data type and sensitivity are key factors in assessing the impact of the leak. It could expose trade secrets, strategy, contracts, personal data protected by the GDPR, data whose loss triggers obligations under sector regulations such as DORA or NIS 2, access to sensitive systems, classified information, and more.

The repercussions of the leak must also be assessed to anticipate the potential risks of business interruption, media and reputational risks, financial losses, and penalties. Although it concerns data, the leak may also have consequences for physical security, for example by enabling access to premises.

Expert advice

A data leak may be followed by encryption and a ransom demand. It is therefore necessary to assess the potential for the situation to worsen and be prepared to take further investigative steps.


Assess the urgency of remedying the data leak 

If the data leak is still active and there is an immediate risk of intrusion or compromise of the information system, containment measures must be taken. It is also important to prevent the risk of recurrence by the attacker or other attackers.

In addition, the incident must be reported to the authorities within the regulatory deadline (for personal data, 72 hours to the supervisory authority under the GDPR) and to the insurer within the period set by the policy, and external communication actions must be prioritized if the leak is or is likely to be publicized.

Assessing the status and risks associated with the data leak helps determine the urgency with which the incident must be resolved — the severity can range from a common anomaly to a cyber crisis. Once this assessment phase is complete, containment measures can be taken.

Contain the data leak 

Technically contain the spread of the attack linked to a data leak

Block suspicious access by employees 

If an employee or external party is responsible for the data leak (whether intentionally or unintentionally), their access must be blocked and the HR and legal teams must be informed of the situation. Where possible, their IT equipment must be recovered.

Block and monitor exfiltration flows  

Identifying suspicious flows can be done using security tool logs (EDR/EPP, IPS, IDS, proxy, DLP, etc.).

In addition, network blocking mechanisms can be useful, by IP, ports, or protocols, taking care to preserve flows that are essential to the organization’s activity. Suspicious devices or network segments can also be isolated and communication with third-party equipment interrupted to contain the data leak. 

Monitoring must also be reinforced using alerts from a SIEM or DLP, and sensitive data must be encrypted.
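
The detection side of this step can be prototyped directly over proxy logs. The following is an added example, not code from the InterCERT France reflex sheets. It assumes a simplified proxy log format (time, source IP, destination host, method, bytes sent by the client) and a hypothetical allowlist of sanctioned destinations; the log lines are constructed. It combines two signals: the upload volume per source/destination pair inside a sliding window, and whether the destination is sanctioned, so that a flow to a business-critical service is flagged for review rather than blocked reflexively.

```python
"""Flag candidate exfiltration flows in proxy logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions: sanctioned upload destinations and thresholds for this organization.
ALLOWED_DESTS = {"sharepoint.example.com", "crm.partner.net"}
WINDOW = timedelta(minutes=10)
UPLOAD_THRESHOLD = 50 * 1024 * 1024  # 50 MiB sent within WINDOW

# Constructed proxy log: "ISO-time src_ip dest_host method bytes_out"
PROXY_LOG = """\
2024-05-03T09:01:10 10.20.4.17 sharepoint.example.com PUT 31457280
2024-05-03T09:02:05 10.20.4.17 sharepoint.example.com PUT 41943040
2024-05-03T09:03:44 10.20.4.55 files.transfer-host.xyz POST 20971520
2024-05-03T09:05:12 10.20.4.55 files.transfer-host.xyz POST 20971520
2024-05-03T09:08:30 10.20.4.55 files.transfer-host.xyz POST 20971520
2024-05-03T09:09:00 10.20.4.99 crm.partner.net POST 4096
2024-05-03T09:30:00 10.20.4.55 files.transfer-host.xyz POST 20971520
"""


def parse(log: str):
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, sent = line.split()
        yield datetime.fromisoformat(ts), src, dst, method, int(sent)


def detect(log: str):
    """Return alerts for (src, dst) pairs whose uploads exceed UPLOAD_THRESHOLD
    inside any WINDOW-long span. Unsanctioned destinations are 'high' and get a
    block recommendation; allowlisted ones are 'low' and go to an analyst."""
    flows = defaultdict(list)
    for ts, src, dst, method, sent in parse(log):
        if method in ("POST", "PUT") and sent > 0:
            flows[(src, dst)].append((ts, sent))

    alerts = []
    for (src, dst), events in flows.items():
        events.sort()
        start, running, peak = 0, 0, 0
        for ts, sent in events:
            running += sent
            while ts - events[start][0] > WINDOW:  # slide the window start forward
                running -= events[start][1]
                start += 1
            peak = max(peak, running)
        if peak >= UPLOAD_THRESHOLD:
            sanctioned = dst in ALLOWED_DESTS
            alerts.append({
                "src": src,
                "dst": dst,
                "bytes_in_window": peak,
                "severity": "low" if sanctioned else "high",
                "action": ("review with data owner" if sanctioned
                           else f"block {src} -> {dst}; isolate {src} if confirmed"),
            })
    alerts.sort(key=lambda a: (a["severity"] != "high", -a["bytes_in_window"]))
    return alerts


if __name__ == "__main__":
    for a in detect(PROXY_LOG):
        print(a)
```

In the constructed log, 10.20.4.55 pushes 60 MiB to an unknown host within ten minutes (the later 09:30 upload falls outside the window and does not add to the peak), while 10.20.4.17's 70 MiB to SharePoint is flagged only for review. The same logic can be fed from DLP or firewall exports once the field order is adjusted.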

Secure compromised accounts and systems  

If the leaked data consists of user credentials, it is essential to identify the user accounts (internal, external, customers, partners) compromised by the exposure of this data, and to reset their passwords.

In addition, all active sessions must be revoked, password requirements strengthened, system rights reviewed, and the SSH keys and certificates associated with those accounts rotated.

Finally, privileged accounts must be subject to advanced security measures (multi-factor authentication, security tokens, biometric authentication, etc.) and enhanced access controls.
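
Deciding which of the leaked accounts are live compromises (the leaked password still works) versus stale ones is what orders the reset, revocation and MFA work above. The following is an added example, not code from the InterCERT France reflex sheets. The user directory, its PBKDF2 password hashes, the session list and the privileged flag are constructed stand-ins for whatever identity provider the organization runs, and the leaked pairs are assumed to be already parsed.

```python
"""Order remediation for accounts in a leaked credential list (added example)."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 rounds for the constructed directory


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_directory():
    """Constructed directory: email -> {salt, hash, privileged, sessions}."""
    users = {
        "alice@example.com": ("Winter2019!", False, ["s-1"]),          # still uses the leaked password
        "bob@example.com": ("C0rrect-Horse-Batt3ry", False, []),       # already changed it
        "root-admin@example.com": ("Spring2024$", True, ["s-7", "s-8"]),
    }
    directory = {}
    for email, (pw, privileged, sessions) in users.items():
        salt = os.urandom(16)
        directory[email] = {"salt": salt, "hash": hash_pw(pw, salt),
                            "privileged": privileged, "sessions": list(sessions)}
    return directory


# Constructed leaked pairs (already parsed from the dump).
LEAKED = [
    ("alice@example.com", "Winter2019!"),
    ("bob@example.com", "qwerty123"),
    ("root-admin@example.com", "Spring2024$"),
    ("ghost@example.com", "x"),
]

PRIORITY = {"privileged": 0, "live_compromise": 1, "stale_credential": 2, "unknown_account": 3}


def remediate(directory: dict, leaked) -> list:
    """Return (account, finding, action) tuples, most urgent first. A leaked
    password that still verifies is a live compromise: sessions are revoked in
    place and a reset is forced; privileged accounts additionally get MFA
    re-enrolment. A non-matching leak still gets a precautionary reset."""
    actions = []
    for email, pw in leaked:
        acct = directory.get(email)
        if acct is None:
            actions.append((email, "unknown_account", "no local account; check partner/typo domains"))
            continue
        still_valid = hmac.compare_digest(hash_pw(pw, acct["salt"]), acct["hash"])
        if still_valid:
            revoked = len(acct["sessions"])
            acct["sessions"].clear()  # revoke every active session
            actions.append((email, "live_compromise", f"revoked {revoked} session(s); forced password reset"))
            if acct["privileged"]:
                actions.append((email, "privileged", "require MFA re-enrolment and rights review"))
        else:
            actions.append((email, "stale_credential", "precautionary reset at next login"))
    actions.sort(key=lambda a: PRIORITY[a[1]])  # stable sort keeps input order within a class
    return actions


if __name__ == "__main__":
    for action in remediate(make_directory(), LEAKED):
        print(action)
```

Checking the leaked password against the stored hash, rather than simply resetting every listed account, is what separates the accounts an attacker can use right now from those that only need a precautionary reset, and keeps the help desk queue proportionate.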

Limit data exposure  

Data that has been exposed illegally may be exposed within or outside the organization.  

In the case of exposure outside the organization, the platform on which the data was exposed may be asked to delete it and to provide proof of deletion. In some cases, the takedown is recorded in the presence of a court bailiff (huissier de justice) so that it can be relied on in legal proceedings.

If the data is exposed within the organization, it is necessary to cut access to the data (the API route or web server page, for example) without turning off the machine: it must remain on for investigation purposes, since a shutdown destroys volatile evidence such as memory contents, running processes and open network connections.

At the same time, increased monitoring of documents and information disclosed via internal tools and management of external attack surfaces must be put in place.

Preserving traces 

Keeping logs for as long as possible and with as much detail as possible greatly aids the investigation process. Traces and logs from security equipment (firewalls, VPNs, EDR, DLP, proxies, etc.) and authentication logs are therefore essential. The same applies to files related to the data leak. Any evidence may also be used in legal proceedings.
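
Once log exports and leak-related files have been collected, recording a hash manifest at collection time lets the team prove later that the evidence was not altered. The following is an added example, not code from the InterCERT France reflex sheets; the files it creates under a temporary directory are constructed stand-ins for firewall and proxy exports.

```python
"""Hash manifest for collected evidence, with later verification (added example)."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte log exports do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(paths, collector: str) -> dict:
    """Record who collected what, when, and the hash and size of each item."""
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collector": collector,
        "items": [{"path": p, "size": os.path.getsize(p), "sha256": sha256_file(p)} for p in paths],
    }


def verify_manifest(manifest: dict) -> list:
    """Return the paths whose content no longer matches the manifest (or are missing)."""
    bad = []
    for item in manifest["items"]:
        p = item["path"]
        if not os.path.exists(p) or sha256_file(p) != item["sha256"]:
            bad.append(p)
    return bad


def demo():
    """Constructed scenario: two exports collected, then one appended to."""
    d = tempfile.mkdtemp()
    fw = os.path.join(d, "fw-export-0503.log")
    proxy = os.path.join(d, "proxy-0503.log")
    with open(fw, "w") as f:
        f.write("2024-05-03T09:05:12 DENY 10.20.4.55 -> 203.0.113.9:443\n")
    with open(proxy, "w") as f:
        f.write("2024-05-03T09:03:44 10.20.4.55 files.transfer-host.xyz POST 20971520\n")
    manifest = build_manifest([fw, proxy], "IR analyst")
    clean = verify_manifest(manifest)          # expected: nothing flagged
    with open(proxy, "a") as f:
        f.write("2024-05-03T09:08:30 10.20.4.55 files.transfer-host.xyz POST 0\n")
    return clean, verify_manifest(manifest) == [proxy]


if __name__ == "__main__":
    print(demo())
```

The manifest itself should be stored separately from the evidence (for instance, attached to the logbook entry that records the collection) so that an attacker who can modify the exports cannot also rewrite the hashes.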

Maintain business continuity  

Measures to contain the data leak must also include securing critical systems, data, and vulnerable systems, as well as coordinating resources and prioritizing essential tasks to ensure the continuity of the organization’s activities and services.

Communicate about the incident  

Communicate internally about the data breach 

Decision-makers and the DPO must be kept informed of the risks and actions being taken, and communications teams must be informed of the language to be used externally.

The incident must be reported to the relevant authorities within the required time frame, with a filed complaint if necessary.

Communicate publicly about the data leak 

Communication with customers and partners is necessary if their data has been leaked or if services affecting them are impacted, and the press may be alerted to the incident at the request of management. 

Finally, raising awareness among employees and administrators is critical to remind them of essential cybersecurity best practices.
