In the first stages of an incident, there are several steps to be taken. We have discussed some already, such as speaking with a lawyer, establishing a communications strategy, and enlisting the help of an experienced incident responder. Another early-stage goal, perhaps the most important, is to stop data loss. Here are a few reasons why, as well as some suggestions on what to do about it.
To Delete or Not to Delete
There are a few schools of thought on how to stop data loss after a breach. One way is to delete everything that may have been infected and start over from scratch. While this will certainly stop data loss, deleting everything is almost never a good idea. You will be permanently destroying valuable evidence that can help you understand how you were breached and what data was exfiltrated. There are also legal and regulatory considerations with this choice. Depending on your industry, you may need to follow specific containment guidelines, which may include reporting. Deleting the evidence makes following the guidelines very difficult.
Taking Infected Systems Offline
Rather than delete everything, a better course of action may be to take the infected systems offline. That can mean anything from removing the infected systems’ network access to completely powering them off. This action, too, comes with its own set of considerations. Powering off machines will ensure that no further harm can be done, but in doing so, you will lose access to evidence that may exist only in volatile memory (RAM).
Fortunately, there are ways to preserve the information in RAM before powering off the computers. The most effective is to image the computers’ memory. This imaging can take anywhere from a few hours for a laptop to multiple days for large servers, depending on the amount of RAM and the speed of your connection.
You’ll need specific tools to image a computer’s memory. There is an entire category of software called Endpoint Detection and Response (EDR) that can acquire a memory image at the push of a button. CrowdStrike Falcon, Trend Micro XDR, and Cisco Secure Endpoint are all popular examples of EDR software. Keep in mind that these acquisitions also add time to the process, because moving that much data across your network is slow.
An EDR typically needs to have been deployed before an incident, but all hope is not lost if you have not done so. You can use tools like Volatility, BlackLight, or a suite like Kali Linux to image RAM after the incident.
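The two practical questions in the paragraphs above are how long imaging will take across a fleet and how to keep the captured image trustworthy once the machine is powered off. The following script is an added example, not code from the original article or from any EDR vendor; the host inventory, link speeds and image bytes are constructed, and the function names are hypothetical. It estimates transfer time from RAM size and link speed, orders acquisition so the most important evidence is captured first, and writes a SHA-256 chain-of-custody record that can be re-checked before analysis.

```python
"""Added example (not from the original article): plan memory acquisition
across hosts and keep an integrity record for each image before power-off.

Assumptions: the inventory, link speeds and image bytes are constructed;
function names are hypothetical and not an API of any EDR product.
"""
import hashlib
import json
from dataclasses import dataclass


@dataclass
class Host:
    name: str
    ram_gib: float    # installed RAM that a full image must capture
    link_mbps: float  # usable throughput from host to the collection point
    priority: int     # 1 = capture first (e.g. domain controllers), larger = later


def estimate_hours(host: Host) -> float:
    """Transfer-time estimate for a full RAM image over the host's link.
    Ignores compression and tool overhead, so treat it as a lower bound."""
    image_bits = host.ram_gib * 1024 ** 3 * 8
    seconds = image_bits / (host.link_mbps * 1_000_000)
    return seconds / 3600


def acquisition_order(hosts):
    """Capture the highest-priority evidence first; within a priority tier,
    take the quickest images first so something is preserved early."""
    return sorted(hosts, key=lambda h: (h.priority, estimate_hours(h)))


def sha256_stream(chunks) -> str:
    """Hash an image incrementally; memory images are far too large to load whole."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def image_record(host: Host, chunks, acquired_by: str, acquired_utc: str) -> dict:
    """Chain-of-custody record written alongside the image at acquisition time."""
    return {
        "host": host.name,
        "ram_gib": host.ram_gib,
        "sha256": sha256_stream(chunks),
        "acquired_by": acquired_by,
        "acquired_utc": acquired_utc,
    }


def verify_image(record: dict, chunks) -> bool:
    """Re-hash the image later (e.g. before analysis) and compare with the record."""
    return sha256_stream(chunks) == record["sha256"]


if __name__ == "__main__":
    # Constructed inventory: a large file server on a slow link, a domain
    # controller, and a laptop.
    fleet = [
        Host("file-srv-01", 512, 100, 2),
        Host("dc-01", 64, 1000, 1),
        Host("laptop-17", 16, 1000, 3),
    ]
    for h in acquisition_order(fleet):
        print(f"{h.name}: ~{estimate_hours(h):.1f} h to transfer")

    # Constructed stand-in for the acquired image, delivered in chunks.
    image = [b"CONSTRUCTED-IMAGE-CHUNK"] * 4
    rec = image_record(fleet[1], image, "responder@example.invalid", "2024-01-15T03:00:00Z")
    print(json.dumps(rec, indent=2))
    print("verified:", verify_image(rec, image))
```

The estimate deliberately ignores compression and tool overhead, so use it to rank and schedule hosts rather than to promise a finish time. Writing the hash record at acquisition time, and verifying it again before analysis, is what lets you show later that the image you examined is the one you captured.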
The Hybrid Strategy to Stop Data Loss
The hybrid strategy to stop data loss involves taking some immediate steps to prevent further loss without destroying evidence, while deferring other steps until later.
The immediate, short-term steps may involve isolating network segments to prevent the further spread of the infection while you track down exactly what happened. In the long term, you are going to want to make sure that the initial causes are dealt with, which means ensuring patches are deployed and misconfigurations are corrected.
Rebuilding from Backups
In the aftermath of a breach, whether you are rebuilding machines in the cloud or buying new servers to put in your racks, you will most likely be rebuilding from a backup. But if an attacker has been in your network for some time, there’s a chance that your backups are infected. You want to avoid restoring a compromised backup. At the very least, virus and vulnerability scans are in order. If time permits, having threat hunters examine your backups for indicators of compromise can give you peace of mind.
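As an added illustration of the backup check described above (this is example code, not the article's or any product's), the script below walks a restored backup tree and flags files whose hash or name matches a supplied indicator list, or whose modification time falls after the suspected intrusion date. The indicators, the compromise date and the backup contents are all constructed placeholders; real indicators come from the incident responder's threat intelligence.

```python
"""Added example (not from the original article): check a restored backup
tree for indicators of compromise before trusting it.

Assumptions: the indicator values, compromise date and fixture files below are
constructed placeholders, not real malware hashes or a real backup.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed placeholder indicators (not real IoCs).
PLACEHOLDER_BAD_HASHES = {hashlib.sha256(b"CONSTRUCTED-MALICIOUS-SAMPLE").hexdigest()}
PLACEHOLDER_BAD_NAMES = {"placeholder_dropper.ps1"}
# Constructed date: anything written to the backup after this point deserves a look.
SUSPECTED_COMPROMISE = datetime(2024, 1, 15, tzinfo=timezone.utc)


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Chunked hash so large backup files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_backup(root: Path, bad_hashes, bad_names, compromise_time) -> list:
    """Return one finding per matched indicator, as dicts with path and reason."""
    findings = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        if sha256_file(path) in bad_hashes:
            findings.append({"path": rel, "reason": "hash matches known-bad indicator"})
        if path.name in bad_names:
            findings.append({"path": rel, "reason": "filename matches known-bad indicator"})
        mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
        if mtime >= compromise_time:
            findings.append({"path": rel, "reason": f"modified after suspected compromise ({mtime.date()})"})
    return findings


def build_fixture() -> Path:
    """Constructed backup tree: one clean file, one planted sample, one late edit."""
    root = Path(tempfile.mkdtemp(prefix="backup-"))
    before = datetime(2023, 12, 1, tzinfo=timezone.utc).timestamp()
    after = datetime(2024, 2, 1, tzinfo=timezone.utc).timestamp()

    def write(rel: str, data: bytes, ts: float) -> None:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.utime(p, (ts, ts))

    write("etc/app.conf", b"clean config", before)
    write("www/uploads/placeholder_dropper.ps1", b"CONSTRUCTED-MALICIOUS-SAMPLE", after)
    write("var/report.txt", b"touched after intrusion", after)
    return root


if __name__ == "__main__":
    root = build_fixture()
    for f in scan_backup(root, PLACEHOLDER_BAD_HASHES, PLACEHOLDER_BAD_NAMES, SUSPECTED_COMPROMISE):
        print(f"{f['path']}: {f['reason']}")
```

The timestamp check is the cheapest of the three and often the most useful: a backup taken after the attacker arrived can contain perfectly ordinary-looking files that were nonetheless written or changed during the intrusion, and those deserve review even when no hash or name matches.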
There are no hard and fast answers that can apply to every incident. Each investigation is unique and comes with its own challenges. There is a true balancing act between performing a complete and thorough investigation and keeping costs and downtime under control. In other words, these are not simply IT decisions. Top executives and others from around your business will need to be involved in the process. As long as you show up armed with knowledge, options, and flexibility, you will be in an excellent place to advise your business and accordingly act on decisions to prevent data loss.