business: response, Part 5: Recovery
Incident Response to Data Breach, Part 4: Strategy
by Brent Kirkpatrick
(Date Published: 11/22/2017. Revised: 4/27/2018.)
Documentation of the breach and of the hacker's intrusion vectors is crucial. This documentation allows you to interpret primary evidence, defend your network, and defend yourself in court. Should the hackers ever be identified, this documentation aids the prosecution.
The announcement of a breach is strategic. It cares with it the attendant risk of increased hacking. By the principle of responsible disclosure, you should contain your risk before announcing. This means removing highly sensitive information from hacker-controlled computers and blocking the worst of the intrusion routes.
Rebooting computers is a strategic way to clear exploits out of active memory. A simple security measure is to reboot once or twice a day at irregular times for the duration of the attack.
Re-installing operating systems is a strategic way to clear exploits off the hard-disk. When done very carefully, this usually yields a computer that is clean until re-infection. This is more expensive than rebooting.
Upgrading software can strategically improve security. However, if your network is compromised, this may lead to further compromise. For example, trojan updates might lead to more cyberattacks.
These strategic elements matter in their timing. They can be employed to keep the hackers off balance. The effective use of these strategic elements is termed clean-up.
Clean-Up. Incident response driven by data.
Incident Response, Part 1: Planning