Behind The Scenes of a Data Breach: What You Need to Know
By Daniel Clayton, Director, Rackspace Managed Security.
In today’s security landscape, it’s not a matter of if a company will be attacked, but when. For retailers especially, the concern is not just the financial impact of the data loss, but the damage done to the organization’s brand and the resulting loss of customers’ confidence to shop there.
Response is critical and retail organizations should prioritize readiness and agility. Attacks will happen.
The retail industry is an attractive target for hackers because payment card data (the cardholder data that the Payment Card Industry Data Security Standard, PCI DSS, exists to protect) is an easy data set for criminals to monetize quickly. In addition, the industry’s overworked systems and equally overworked employees on known high-volume days like Black Friday make retail businesses a high-value opportunity for adversaries, at precisely the time when a breach would inflict the most damage on the business.
What to Do When There’s a Security Breach
So, what should a retailer do when they experience a breach, and how do they respond? While each security operation is different, the first thing to do is gather all the appropriate parties into a war room – a large conference room or a digital platform where people can talk about the situation. The goal is to keep lines of communication open between teams.
Once the war room has been set up, the team must assess the situation to understand what data has been lost and who needs to be pulled in from various departments, and then determine the who, what, when, where, why and how. Specifically, understanding who or what actor was behind the breach can help answer the why and how, since it points to known motivations, tactics, techniques and procedures. It’s important, though, not to spend too much time on this step, because you run the risk of getting bogged down instead of answering the other key questions. While attribution is helpful, it’s not the be-all and end-all of an investigation.
Next, determine what data was taken and the scope of the data compromised. This helps establish what data is of interest to the adversary and what their motivations are. Identify when the data breach occurred and how long it lasted; this narrows down the timeframe the security team has to analyze. It is also important to determine where the breached data was stored, which limits the scope of the investigation to a specific set of systems and cuts down the time it takes to get the investigation started.
Consider why the adversary targeted these systems to better understand the adversaries’ motivations. This can help identify who the adversary is, and what types of data and objectives they are trying to achieve.
Once the who, what, when, where and how are determined, the next step is to figure out the best way to stop or slow the bleeding. This will depend on the adversary and on how long the breach has been active. If it’s determined that this is the first time they’ve come into the environment, they have been in for 24 hours or less, and they have taken minimal actions, it’s advisable to cut off access immediately. If the breach has gone on for six months or longer, it’s likely they have established multiple ways to get back into the environment (additional accounts, credentials or implants), and the war room team needs to identify those before it fully engages; cutting off one access path while others remain only alerts the adversary and leaves them in the environment.
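The scoping and containment steps above (bounding when the adversary was active, narrowing the investigation to the systems that hold card data, and choosing between an immediate cut-off and a persistence review first) can be sketched as a small triage helper. The following is an added example and not code from the article or from Rackspace; the log line format, the indicator (a single attacker source IP), the list of in-scope systems and the host names are all hypothetical, and the 24-hour and six-month thresholds are taken from the text.

```python
"""Bound a breach timeline from access logs and map dwell time to a containment decision.

Added example, not from the article. Log format, indicator, scope list and host
names are hypothetical; the dwell-time thresholds follow the text (<= 24 hours:
cut access now; >= 6 months: enumerate persistence first).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed log line format: "<ISO timestamp> <host> <source-ip> <action...>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(.+)$")

# Hypothetical list of systems that store cardholder data.
PCI_SCOPE = {"pos-db-01", "pos-db-02", "payment-gw-01"}

SHORT_DWELL = timedelta(hours=24)   # "24 hours or less" in the text
LONG_DWELL = timedelta(days=180)    # "six months or longer" in the text


@dataclass
class Timeline:
    first_seen: datetime
    last_seen: datetime
    # host -> timestamps at which the indicator touched that host
    hosts: dict[str, list[datetime]] = field(default_factory=dict)

    @property
    def dwell(self) -> timedelta:
        return self.last_seen - self.first_seen

    def in_scope_hosts(self) -> set[str]:
        """Hosts the adversary touched that hold card data: where to focus first."""
        return set(self.hosts) & PCI_SCOPE


def parse_line(line: str):
    """Return (timestamp, host, ip, action) or None for a line that does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, host, ip, action = m.groups()
    return datetime.fromisoformat(ts), host, ip, action


def build_timeline(lines, indicator_ip: str):
    """Bound first/last activity of the indicator and collect the hosts it touched."""
    first = last = None
    hosts: dict[str, list[datetime]] = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skip, do not let it break triage
        ts, host, ip, _ = parsed
        if ip != indicator_ip:
            continue
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
        hosts.setdefault(host, []).append(ts)
    if first is None:
        return None  # indicator never seen in this log set
    return Timeline(first, last, hosts)


def containment_advice(tl: Timeline) -> str:
    """Apply the article's dwell-time rule of thumb."""
    if tl.dwell <= SHORT_DWELL:
        return "cut access immediately"
    if tl.dwell >= LONG_DWELL:
        return "enumerate persistence before cutting access"
    return "assess persistence on in-scope hosts, then cut access"


# Constructed sample logs: one attacker IP moving from a web host to a card database.
SAMPLE_LOGS = [
    "2023-11-20T03:12:07 web-01 203.0.113.45 login admin",
    "2023-11-20T03:15:40 web-01 198.51.100.9 GET /index",
    "2023-11-20T04:02:11 pos-db-01 203.0.113.45 SELECT cardholder",
    "2023-11-20T05:48:59 pos-db-01 203.0.113.45 export dump.csv",
    "2023-11-20T09:30:00 inventory-01 203.0.113.45 login svc",
    "2023-11-21T01:00:00 web-01 198.51.100.9 GET /cart",
    "this line is garbled and should be skipped",
]

if __name__ == "__main__":
    tl = build_timeline(SAMPLE_LOGS, "203.0.113.45")
    if tl is None:
        print("indicator not seen")
    else:
        print("first seen:", tl.first_seen, "last seen:", tl.last_seen)
        print("dwell:", tl.dwell, "hosts:", sorted(tl.hosts))
        print("in-scope hosts:", sorted(tl.in_scope_hosts()))
        print("advice:", containment_advice(tl))
```

The first-seen timestamp is only as good as the indicator: if the adversary used several source addresses or stolen credentials, the real dwell time is longer than what one IP shows, which is exactly why the text warns against cutting off access before the persistence picture is understood.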
Communication Is Key
Communication is a constant layer in each step identified above. Putting an internal communications plan in place is critical. Multiple teams within the organization will be responding to the breach, and it’s important for each internal team to be aligned. Second, the retailer must think about communicating to customers. It is critical for any external communication to customers to be timed appropriately – communicating before the retailer can answer the questions above can create more chaos. Finally, there’s the legal side. Take into account what the organization is obligated to tell customers, what the right thing to do is in terms of transparency, and when to make those calls and speak to the press. Oftentimes, security experts assume the worst, so it’s important to have the communication piece buttoned up and be clear about what is being said; otherwise the situation can be made worse.
When it’s all said and done, go back to the drawing board and prepare for the future.
Determine key learnings from each step and practice them. Even the most forward-thinking companies that do war gaming and practice often test only the security operations center, not the legal, communications and executive functions that a real breach also pulls in. In any war game activity, simulate the same level of pressure or higher than would be expected for Black Friday or holiday shopping, to prepare for the worst.
Contributed by Daniel Clayton, the Director of Security Operations at Rackspace, where he is responsible for global customer security operations and strategy. Prior to Rackspace, Daniel held positions in cybersecurity and intelligence with the NSA and the British Army. He currently oversees the Rackspace Customer Security Operations Center and is part of the executive team that aligns strategy, technology and execution across the Rackspace global enterprise.