The Sky’s Not Falling – Post Breach Analysis

The sky’s not falling.  Stick to your guns.  And a few other clichés.  In the wake of the Home Depot, Target, Premera, Anthem and other breaches it is understandable to feel like you are going to be next.


Resist the urge to run back to the cube farm and scream “Lock down everything!”


Take a deep breath and do some introspection.  Perform some post breach analysis to maximize your INFOSEC bang for your buck.


If you break out the bucket brigade to fight whatever the new fire is after each and every breach, then you will sabotage the confidence in the current information security plan, you will drain resources away from endorsed projects and activities and you will either contradict yourself or not adequately implement something before jumping to the issue du jour.


Information security decisions should be made within whatever risk management framework your organization is using.  The stakeholders and data owners have decided what the acceptable level of risk is and what are acceptable controls and mitigating factors in the protection of the organization’s data.


There are a couple of questions that you need to ask yourself during post breach analysis.

  • How mature are my information security operations?
  • How similar am I to the breached organization?
  • What is my current plan to mitigate known risks?
  • Does information released about these breaches materially change my risk?

How mature are my information security operations?

Do you have a robust incident response team that will be able to identify breaches and compromises in a timely fashion?  Do you have the appropriate logs and being collected in order to allow your analysts to identify anomalous behavior?  It should be understood by now that it is a given that you will be compromised.  The question is how quickly can it be identified and isolated.  It is ideal to stop intruders before they have the ability to exfiltrate any data.

Are there specific change control processes and baseline standards?  Can you tell when personnel are logging in as administrative users as opposed to a standard user?  Should they be logging on as an administrator at that time and on that machine?  For example, not using administrator credentials would have kept 90% of last years Windows patches from being exploitable.

Do my operations enforce and support the organizational information protection policies?  There are tools and automation that will help to make these actions sufficient but it always comes back to humans to ensure that the tools are used correctly and that auditing occurs to verify compliance.

How aware are my users?  Do they alert me to suspicious items they run across?  Do I need to re-engage my users in a security awareness program?


How similar am I to the breached organization?

Do I have the same kind of data?   Do I use the same hardware or software?  Do I use the same procedures or training?  Am I required to comply with the same standards or regulations?  Do I have similar audit findings as them?  Do I leverage the same third-party services?  Am I vulnerable to the same type of compromise?


What is my current plan to mitigate known risks?

Generally organizations have a yearly (multi-yearly) plan for projects, capital purchases and process improvements.  How do the issues identified from a compromise fit into the plan?  Does it make sense to rearrange projects, resources or efforts?  If you feel that the risk from newly discovered vulnerabilities is high enough and there are not current controls and mitigations in place, perhaps it is a good idea to identify the best place to insert a remediation effort.


Does information released about these breaches materially change my risk?

Was the breach the result of zero days?   Was the breach a new exploitation that currently has no defense?  Are there indicators of similar activity as the breach had?  Do I have confidence that I have sufficient controls and mitigations in place to maintain my risk level?


Assimilate new information, then alter course if needed.

Acting as if the sky is falling without making analysis of your current status and how information released about the breach affects you can be damaging to your program.  Maintain your flexibility and ability to react to identified compromises and incidents.  Measure what will give the most bang for your security buck.  Every organization and environment is different.   Don’t assume that what secures another organization will give you the same return on investment.


What actions  do you take after information is released of the latest breach?  Do you have a set process to intake new information and assess how it affects your current plan and operations?

Leave a Reply

%d bloggers like this: