Navigating a data leakage: a six-step incident response guide

Data Leaks

Data leaks are a common occurrence, and they often make news headlines alerting consumers that their personal information has been stolen from companies they buy from. These headlines only scratch the surface of a wider problem: the trade in stolen data extends well beyond the incident that makes the news.

When a data breach happens, various types of information become available for sale by hackers, including internal documents, login credentials, personal information, and financial information. This can damage the affected company’s reputation and resilience.

How can businesses protect themselves against the consequences of data loss? Let’s dive in with our six steps:

Step 1: Proactive monitoring

Organizations should proactively prepare for a potential incident by compiling a list of relevant resources on the dark web to monitor for mentions of assets related to their company, such as brands, domains, and IPs. Automation has become vital for efficient monitoring, as manually searching the dark web for a company’s asset mentions and related discussions is labor-intensive and impractical. Teams can implement automation in-house or by using a specialized solution. As a result, a company will receive alerts whenever something related to its business gets mentioned on a shadow market.
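As an added illustration of the watchlist-and-alert approach (example code written for this page, not the article’s or Kaspersky’s tooling), the following matcher takes a constructed asset list and constructed sample forum posts and flags the posts that reference a company brand, domain (including subdomains), or IP address range:

```python
"""Asset-mention matcher for the proactive monitoring in Step 1.

Added example; the watchlist values and the forum posts are constructed
sample data, not real indicators.
"""
import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Watchlist:
    brands: list            # brand names to match as whole words
    domains: list           # base domains; any subdomain also matches
    networks: list          # CIDR ranges the company owns
    _nets: list = field(init=False, repr=False)

    def __post_init__(self):
        self._nets = [ipaddress.ip_network(n, strict=False) for n in self.networks]


DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def find_mentions(post: str, wl: Watchlist) -> dict:
    """Return the watchlist assets referenced in one post, grouped by type."""
    hits = {"brand": [], "domain": [], "ip": []}
    lowered = post.lower()
    for brand in wl.brands:
        if re.search(rf"\b{re.escape(brand.lower())}\b", lowered):
            hits["brand"].append(brand)
    for dom in DOMAIN_RE.findall(post):
        d = dom.lower()
        if any(d == base or d.endswith("." + base) for base in wl.domains):
            hits["domain"].append(d)
    for ip in IPV4_RE.findall(post):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # e.g. "999.1.1.1" looks like an address but is not one
        if any(addr in net for net in wl._nets):
            hits["ip"].append(ip)
    return {k: sorted(set(v)) for k, v in hits.items() if v}


def triage(posts, wl: Watchlist):
    """Alert list: (post index, mentions) for every post that hits the watchlist."""
    return [(i, m) for i, p in enumerate(posts) if (m := find_mentions(p, wl))]


# Constructed watchlist and sample posts (RFC 5737 / reserved example values).
WATCHLIST = Watchlist(brands=["ExampleCorp"], domains=["example.com"],
                      networks=["203.0.113.0/24"])
POSTS = [
    "Selling VPN access to vpn.example.com, fresh, rating 5/5",
    "Dump of ExampleCorp HR records, 40k rows, $800",
    "RDP 203.0.113.45:3389 admin, pm me",
    "Unrelated: selling accounts for example.org",
]
```

Running `triage(POSTS, WATCHLIST)` flags posts 0, 1 and 2 and ignores the last one, which mentions a look-alike domain outside the watchlist.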

Step 2: Analysis

Upon receiving an alert, verify the threat’s authenticity, bearing in mind that cybercriminals may be peddling fake data. To begin, analyze whether the posted data genuinely originates from the company. In addition to internal attack indicators, analyze factors such as the price asked for the data and the seller’s community rating, as this information can also offer crucial insights when verifying the leak.

During this step, construct an attacker profile by examining their activity on dark web forums and looking at their responses on various threads. Verifying whether the published content is real or fake requires a grasp of the dynamics of the dark web market and even insights into various cybercriminals' activities. Profiling and tracking all company-related publications enhances in-house expertise, but swift, effective responses often demand the involvement of an outside specialist.

Step 3: Verification

Next up, we need to confirm the incident by assessing potential compromises within the company’s systems. The specific incident response process depends on the type of leak: a data breach, compromised infrastructure access put up for sale, or leaked passwords, for example.

Step 4: Response

Once the team confirms an incident, promptly notify stakeholders, including top management, regulatory authorities, and clients. After implementing the necessary measures to mitigate risks, such as changing passwords, some cases may require proactively preparing a public statement in cooperation with the legal and PR departments. This ensures a thorough and timely response to potential threats and media requests.

Step 5: Containment

Once all the necessary parties are aware of the incident, thoroughly investigate it by analyzing the affected IT systems and users. Identify the cause of the data leak and ascertain whether cybercriminals still have system access. Investigate which information, accounts, or access rights were compromised.

In some cases, the incident might have occurred a long time ago, even if the data has only just been posted on the dark web. It still requires prompt action. For example, old compromised accounts pose a risk, as their passwords may remain unchanged or be reused elsewhere. If an account has been compromised by an infostealer, a type of malware that collects data on the user’s system and sends it to attackers, the user’s device could still be infected, posing an ongoing threat.

Step 6: Eradication and recovery

At this stage, companies should address the causes that led to data theft. Depending on the specific case, teams can do this by eliminating vulnerabilities, changing passwords, or removing the attacker’s presence. If access to company systems has been compromised, restrict remote access and lock down accounts. In cases of compromised accounts, change passwords, notify potentially affected users, then ensure no suspicious activity has occurred and enforce strict password policies.

Not every data leak can be prevented. With a defined plan in place, however, security teams have a better chance of detecting leaks early and mitigating the damage once they occur.

Anna Pavlovskaya, senior digital footprint analyst, Kaspersky
