Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - Is it a breach or not? InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Is it a breach or not?

Published: 2015-04-08
Last Updated: 2015-04-08 12:39:59 UTC
by Tom Webb (Version: 1)
0 comment(s)

Incidents happen, and the most important part of IR is the planning stage. You should have a process or checklists with steps to make sure it goes as smoothly and fast as possible.

When your forensic analysis shows or likely determines PII was accessed, your executives need to have the right information to make a decision.  You should have a memo which breaks down what data was on the system and factual  evidence of the data accessed.  It should be in layman terms where the executives can lean on the analysis for decisions.  (e.g. A copy of our sensitive database was put in an unusual area of the system and the attacker used methods to hide the file. We have evidence that this file left our company through analysis of our network connections from the compromised system.)

Additionally, its good to have the investigators opinion of the likelihood data was accessed in the memo.  A typical example is a web server defaced, but no additional tools or activity happened on the server.  The likely motive of the attacker was only defacement and your analysis may suggest that the likelihood of leakage of data was low.

The key is understanding your management and have discussions early on about when to notify and when not to notify.

--

Tom Webb

0 comment(s)
Diary Archives