Cyber Breach Remediation’s 5-Step Cycle

June 1, 2023 Lilach Faerman Koren


Organizations tend to fall into two categories: those that have been breached and those that don’t yet realize they’ve been breached.

If you belong to the first group, believe it or not, you’re in luck. Once the breach has been acknowledged, your organization is closer to fixing the problem and overcoming the damage. You can use your existing tools and onboard new ones like systems isolation, multi-factor authentication (MFA) and least privilege on endpoints to start the remediation process as soon as possible.

If you fall into the second group, you’re either not aware of a breach or you might know you don’t have the proper controls in place to mitigate one. For these organizations, it’s time to build an extended identity security program from the foundation of protecting the most privileged accounts and users. Advanced privileged access management (PAM) solutions can significantly reduce the risk of human error when accessing privileged accounts and sensitive environments or data. These tools can help remediate and prevent breaches caused by compromised credentials.

Organizations are increasingly realizing that no one is immune to security breaches. In a recent CyberArk survey, 92% of global organizations indicated identity security is critical for a robust Zero Trust implementation. But how should these organizations tackle the challenge of staying ahead of attackers while always assuming breach and adopting a Zero Trust mindset? Enter breach remediation – a cyclical, never-ending process that, when done properly, helps organizations improve after every incident and can significantly reduce damages and subsequent risks to their environments.

Breach Remediation in Five Steps

There are five steps in the breach remediation cycle:

Step 1: Identify Vulnerabilities

Once your security team discovers an internal breach, it’s time to jump into action. The team must first determine the status of the attack and its origin. It also needs to identify the vulnerability the intruder used to gain access and track the intruder’s actions. Popular attack patterns change from time to time, but most frequently, threat actors sink their hooks into someone on the inside who is unaware that their actions (or inactions) allowed access to systems and data.

Common examples of these actions include internal employees not using multi-factor authentication (MFA) or endpoint controls, running untrusted applications and sharing credentials.

Step 2: Investigate the Breach in Its Entirety

While it’s critical to first identify the point of attack, you must then dig deeper to understand the complete picture. This is where an internal incident response team or an external advisory team should come in. The team reviews the forensic findings and data to track the breach path. Incident responders seek information about compromised controls or identities and exploited vulnerabilities.

Piece together as many details as you can early on with the remediation team to help inform your remediation strategy. Correlating data from systems, accounts and users will allow you to understand the attack and how it affects your organization.

Ask focused questions: What data was exposed? Is the attack still happening?

Step 3: Take Action to Repair the Situation

Once you’ve gathered your facts, you need to decide what action to take immediately. This step is the most challenging part of the breach remediation process, and the correct choice will vary depending on the situation. Just as breaches differ, so do remediation actions.

For example, you may decide to disclose the incident publicly or take down the compromised service – or both. Whatever you decide to do, you must consider any impact the actions will have on your customers and internal users. And you also need to be mindful of the financial consequences of your post-breach actions and how they may affect the extent of the damage to your organization and its reputation.

“During remediation, being informed, having the right tools and understanding how to implement controls is critical, but as importantly, you should always consider the part played by the people in the situation.”—CyberArk Senior Security Consultant Aaron Fletcher

Step 4: Collaborate With a Remediation Team

Now that you’ve decided on a path forward, it’s crucial to collaborate with subject matter experts like a remediation team. They can assist in regaining control of your environment and evaluating the hygiene of your existing identity security tools and policies – and, if needed, onboarding new ones that suit your organization’s needs. Working with an experienced remediation team can help you contain a breach, identify any gaps that attackers may exploit and implement tools like MFA or session isolation. With support from a remediation team, you can eventually eradicate the breach and enforce new, stricter access policies within your environment.

After containment and eradication, the third benefit of collaborating with a remediation team is recovery. The team can help ensure that the new tools and policies work as planned.

Then, once the risk is contained, it’s time to look back at everything – from understanding what happened that allowed the breach to occur to what your organization could have done better in responding to it. You can better prepare for future incidents when you and your team acknowledge and understand any mistakes and necessary improvements to your response.

Step 5: Prepare for the Next Security Event

Preparing for and responding to security threats and breaches is cyclical. You prepare and defend, tackle the incident, learn from it – and then prepare again. Preparation is always both the first and the last stage of the cycle. With each new cycle, you learn and work to improve your security posture. After an incident, teams should return to the drawing board to further develop their identity security strategy and PAM program.

And don’t forget your employees. A full post-breach recovery requires considerable effort from your internal teams, and you must set them up to succeed. While onboarding new services is an important first step, coaching and educating your employees is crucial for being perpetually prepared for cyber threats.

Golden Rules for Successful Breach Remediation

Cybersecurity often feels like a numbers game, where professionals focus most on preventing and stopping attacks. But defenses can always be breached – and in today’s threat landscape, that probability is increasing.

When considering your own comprehensive, ongoing breach remediation plan, keep these essentials top of mind:

  • Understand the sensitivity of what you’re trying to protect and the privileged access provided to those protected resources. Always be mindful of human involvement in any change in process or implementation of identity security controls, policies or strategies.
  • Train and educate your end users. Invest in informing internal teams of upcoming changes and start preparing them as early as possible. You should enable your employees with the right tools and assistance to learn how to protect themselves and your organization while working in secure environments and accessing organizational assets.
  • Implement the right identity security tools. Among others, PAM, MFA and endpoint controls at the right time can help increase security significantly and reduce the risk of an attack.

With a solid breach remediation strategy, your organization will be more likely to respond quickly to a breach, limit the damage and rapidly regain control.

Lilach Faerman Koren is a product marketing manager at CyberArk.
