The term “data breach” has entered the common lexicon of IT professionals. With regulations and industry standards such as HIPAA and PCI DSS requiring that breaches be reported, now is a good time for every cloud service provider to review its incident response policies and procedures and make sure it is ready for the inevitable.
One element of your response plan should be what information goes into an incident report (IR). The IR is part of the record-keeping about the event, but it also communicates the nature of the breach to management and to the teams responsible for fixing it. That is why many courses on IRs spend time covering who is responsible for writing it up, how much detail is required, and what not to include.
To help you out, here are ten kinds of detail that should be kept out of the incident report, or at least out of its body:
1. What Was Affected?
If you are lucky, the affected customer has already told you which user information was stolen. Even so, do not fill the IR with the underlying data itself: names of users whose passwords were reset, or the card numbers that sat in your systems before they were compromised. All of that can be pulled from your records later without cluttering the IR. Instead, state what was lost or accessed during the breach itself, in terms of categories and counts. That makes it easier for management to prioritize: whatever needs to be done first (passwords reissued, cards reissued) will stand out.
“What was affected” is a tricky one. Sometimes it is the users who were potentially exposed, but even that should not be your top priority, at least not in the initial report. First, document how many accounts are involved, what types they are (admin versus regular), where they are located, what activity was performed on them, by whom, and when. You need all of that to decide which passwords must be reset first. Get it right before worrying about how individual users were affected by the breach.
Of course, what counts as “affected” changes with every type of data breach, so modify this to fit your own situation.
2. How Did It Happen?
You will likely nail this down once the investigation is under way. But listing specific technologies or procedures in the IR is like saying, “Hey! Use my report to figure out what happened!” That is not the report's job. Leave the technical reconstruction to the security team and their own investigation notes, and make sure they know you have recorded every detail needed to assess what actually took place. The rest of the readership does not need to read about failed SSH logins, Apache Tomcat listening on port 80 (yes, we are aware), or which Java build was installed. Access to specific systems can be shut off if necessary without those systems ever being named in the report.
3. How Did We Fix It?
Most of the time, IRs report what was discovered and how many users were affected; the last step, resolving the issue, is left for management. If you know of a specific remediation process (changing passwords, for example), mention it in an appendix, or in the body if it is simple enough, and then say nothing more until there is something new to report. You do not want to hand attackers information that could help them find their way back into your systems and do further damage (see item #7).
4. Why Did We Get Hacked?
Even though it might be interesting, do not list all the possible reasons your infrastructure was breached. There is no need to enumerate “criminal action,” “internal (mis)use,” and every other possibility you can think of. Managers already know they need to hire more security professionals and speed up patching. It is much too early in the investigation to start pointing fingers.
5. What Technologies Were Used?
As with #2, this is simply not important enough for an incident report. How could anyone use it effectively? Nobody wants to wade through a list of web servers (Apache, Tomcat), software versions, programming languages (Java, PHP), and operating systems (Linux, Windows). If something of the sort must be included, name only the services that were breached, e.g., “MySQL database” rather than “MySQL version 5.1 running on Linux (kernel 2.6)” (a real example, by the way). Version strings in particular are exactly what an attacker would use to choose a follow-up exploit.
6. How Did We Recover?
This almost belongs with #4 (“Why did we get hacked?”), because it is about how you respond to being hacked rather than whether your security controls worked as expected. You would not want someone reading a credit card breach report to see that a password had not been changed in the three months before the incident. As with everything else on this list, it is simply not the report's job. The same holds for other parts of the response, such as dealing with customers and the media.
7. How Did Bad Guys Get In?
Okay, you may mention how attackers got into your infrastructure (see #2). But when details are lacking at first (or even later) there is no reason to name the specific malware used or the sites the attackers visited. Such details change too quickly, and they can help anyone planning to attack you again (for example, ports that were left open after a scan with a tool like nmap) or trying to evade detection. It may sound counter-intuitive, but I have seen reports that were too detailed and included far more sensitive information than was appropriate. The point is to describe how your security controls worked (or did not, if the breach happened) without handing attackers additional useful information.
8. How Many Records Were Involved?
This question can be answered much later in the forensic process, even at a court hearing, and not before the incident response has been completed. Once again, precise figures give attackers material for planning follow-up attacks or for evading detection. The exact count still belongs in the investigative record and in any notification a regulator requires; it just does not belong in the report that circulates to management. Keep a checklist to refer to so you do not miss details. Obsessing over numbers also makes you forget the first question: was enough evidence collected to show that there was actually an attack? Too often we have seen reports in which zero affected users were mentioned!
9. What Was Involved?
This ties into #8, but it is even more important: it is better not to describe the types of data involved at all. Again, you do not want to give attackers extra details. “I'm sorry, sir/madam, for the delay in reporting on the breach; we had some trouble identifying user accounts within our database” sounds like a foolish thing to say when your site has been hacked and passwords are being sold online. But trust me, attackers are very good at using publicly available information about one breach against other victims of the same campaign. Nothing is more frustrating than finding out that the attacker learned which patches and countermeasures you were applying from your own published report.
10. What Should We Do?
I have seen two types of incident reports so far: “can't tell you” (because it might affect ongoing investigations) and “here are some recommendations based on our investigation,” which sounds as if the report were ready for publication in an official government journal. It takes time to understand what happened, let alone to work out how to protect against similar incidents in the future. Recommendations may change as more information becomes available, and the guidance companies publish tends to be too generic to be useful (“change passwords frequently,” “encrypt files containing personal information”). So perhaps it is best not to include recommendations at all, and if you do, ask whether you have data to back them up. Placing them in a separate document is the better choice.
It is important not to overload an incident report with unnecessary information, so refer to premade templates rather than racking your brain for “new” ones. Incident reporting needs to be done quickly yet accurately. Check out Venngage's professional and detailed incident report templates: straightforward, with all the elements of an incident report ready for you to fill out, and easily customizable by click, drag, drop, or upload.
Media Contact
Pete Varoufakis
pete@360prwire.com