Companies of all kinds are attacked all the time, every day. Not just large corporations, but everything from tiny mom and pop shops to giant corporations and governments. Attacks are indiscriminate, with the goal being to gain access somewhere, anywhere. The attackers are fishing, looking to hit different places and gain access wherever there is a weakness. They will attack every URL, especially if its signature matches a particular framework, like WordPress or nginx. They will hit any URL or IP address on any port that has a weakness. That site is culled from a list built by scanning the whole internet, and the exploit is sent back for easy access. Having proper incident response to these attacks is vital to the success of your business.
The hackers will move through this process indiscriminately. They don’t care what kind of business you have or how big you are. Governments and large corporations are hard targets which have only become harder over time, so they are fairly well defended. Small to medium sized businesses, however, are more likely to see these attacks succeed because cybersecurity is an afterthought. It’s an understaffed department, or nonexistent, because cybersecurity isn’t taken seriously in budget and strategy meetings. Soft targets include businesses in the healthcare industry, accounting firms, and law firms: companies which are rich in data but have very little defense. Hackers want access, and without protection, they will get it.
So, let’s say your IT team forgot to patch in time, or someone on the team missed a weak spot when reviewing code. This never happens, right? If it does, you likely have a breach on your hands, and you might not even know it. Now what? How do you respond?
The first thing to do is respond as if the breach is still happening, no matter whether it was caught as soon as it started or days or months afterward. Even if you think the attacker is done and gone, you have to operate under the assumption that the hack is still happening. Oftentimes, hackers will bounce around a system for months trying to get more and more data. So you cannot assume that because the breach happened a month or even two years ago, the hacker is gone. As long as they can safely maintain access, you have to assume that any breach you discover is still ongoing. Only once you are able to safely determine that it is legitimately no longer happening should you move on to inventorying and isolating the affected systems, to find out to the best of your knowledge what was breached.
You may not be able to discover with 100% certainty what has been breached. If this is the case, always assume the worst. Making everyone reset their password is a lot less painful than finding out that all of your passwords have been hacked and bad things are happening to your customers which you could be legally responsible for.
It is important to respond to an attack, any attack. Internal investigation is where you start to determine the depth of the attack or incident. Breaches are sometimes completely innocuous. You can go down the rabbit hole to find the breach and discover that what was breached was some small marketing server holding a bunch of publicly available information. It’s not good that you had a breach (someone is targeting your business, even if indiscriminately), but nothing significant was exposed. You still need to fix that weakness so that another breach cannot occur which goes deeper than that. This is the first step in proper incident response.
At this early point, bringing in law enforcement is kind of moot and will mostly waste your time and everyone’s resources. However, once you know that there is an escalated breach, you have a fiduciary duty to report it in many states and countries. It’s wise to report it to the FBI, which handles these matters. Even if there is nothing they can do, reporting it creates a paper trail. Yes, the press is bad, the trust loss is bad, but it’s so much worse when attacks go unreported and the hacker can hit company after company after company.
Reporting the breach and giving the authorities information about what has occurred is a good idea. Your breach could be a new attack vector that the authorities haven’t heard of or seen yet. It could be a new targeting campaign, someone really out to get this certain type of company or data, or an attacker going after a specific set of flaws. Notifying the authorities and the security community gives them the information they need to attempt to protect themselves and others.
It is really important to treat a breach of any kind as an incident with proper incident response. It needs to be tracked, and if it is a real breach, you have to track it all the way through legal and compliance processes. So there’s investment in that process, but in order to protect your business, its assets and its information, it is necessary.