How to Execute An Investigation & Recover From Breaches - NETSEC


Learning, Sharing, Creating

Cybersecurity Memo

Friday, March 3, 2023

How to Execute An Investigation & Recover From Breaches

What is Breach?

Breach is defined as an incident involving the loss of, or unauthorized disclousre of, sensitive, classified, sometimes regulated information as a reslt of a compromise or breakdown in the organization's security and protection systems.

Once breach happened in your environment, as cybersecurity professional, how will you prepare to execute the investigation and ask the questions?

8 Steps Process

Further details can be found from

1. Prepare for a data breach before it happens

2. Detect the data breach

3. Take urgent incident response actions

4. Gather evidence

5. Analyze the data breach

6. Take containment, eradication, and recovery measures

7. Notify affected parties

8. Conduct post-incident activities


RCA: root-cause-analysis

Fish bone diagram mapping all integrated controls in your environment to the six primary assets used to delivery services and products:

Questions to Answer for Cybersecurity Team

1 Was it human error or technology error led to this breach?

Example: the vulnerability was not been patched for what reason?

2 Was it due to weak governance?

Example: Was CEO knowing about this vulnerability existing or only knows by the technician?

Roles and Responsibilities:

3 Are we stuck in the elevator?

Do we live in the glass bubble? = Has IT Audit put themselves into a glass bubble by not communicating with other groups such as I&IT?

Or could be another way around, has IT Audit been exiled by I&IT?

Are we a victim of our own culture?

Does our organization support interaction of IT audit during incident response situations? 

There are so many attacking surface / exploit code around your Technology stack.

4 Was it sophisticated?


Undectectable Malware. 

5 Was it due to a lack of guidance?

6 Was it due to a lack of knowledge?

None of popular Cybersecurity frameworks (CIS Controles, NYCRR 500, NIST CSF, General Data Protection Regulation) includes managment system and audit process. 

Management System:

ISO 27001 ISMS

IIA 3 Lines of Defense

The Three Lines Model - The model previously known as the Three Lines of Defense

The Three Lines Model helps organizations identify structures and processes that best assist the achievement of objectives and facilitate strong governance and risk management. The model applies to all organizations and is optimized by:
 Adopting a principles-based approach and adapting the model to suit organizational objectives and circumstances. 
 Focusing on the contribution risk management makes to achieving objectives and creating value, as well as to matters of “defense” and protecting value. 
 Clearly understanding the roles and responsibilities represented in the model and the relationships among them. 
 Implementing measures to ensure activities and objectives are aligned with the prioritized interests of stakeholders.

The IIA’s Three Lines Model:

About The IIA 
The Institute of Internal Auditors (IIA) is the internal audit profession’s most widely recognized advocate, educator, and provider of standards, guidance, and certifications. Established in 1941, The IIA today serves more than 200,000 members from more than 170 countries and territories. The association’s global headquarters is in Lake Mary, Fla., USA. For more information, visit

Defense in Depth

 DiD architecture was designed from ISO27001

Recovering from Breaches and Preventing Future Attacks


1. The Importance of Addressing Breaches

In today's digital age, businesses are increasingly reliant on technology to store and manage sensitive information. Unfortunately, this also means that they are vulnerable to cyber attacks. Breaches can have devastating consequences for a business, including loss of revenue, damage to reputation, and legal repercussions. It is crucial for businesses to address breaches as soon as possible to minimize the impact and prevent future attacks. Ignoring breaches or failing to take appropriate action can result in even greater damage and potentially lead to the downfall of the business. Therefore, it is essential for businesses to prioritize cybersecurity and take proactive measures to protect themselves and their customers.

2. Steps to Take After a Breach

Once a breach has occurred, it's important to act quickly and efficiently to minimize the damage. The first step is to isolate the affected systems and devices to prevent further spread of the breach. This can involve disconnecting affected devices from the network or shutting down compromised servers.

Next, it's crucial to assess the extent of the breach and determine what data may have been compromised. This will help you identify any legal obligations you may have to report the breach to authorities or affected individuals.

Once you've assessed the situation, it's time to start the recovery process. This may involve restoring data from backups, patching vulnerabilities that were exploited in the breach, and implementing additional security measures to prevent future attacks.

Throughout this process, it's important to communicate with stakeholders, including employees, customers, and partners. Be transparent about what happened and what steps you're taking to address the breach. This can help build trust and mitigate any negative impact on your business's reputation.

Finally, it's important to conduct a post-mortem analysis of the breach. This involves identifying the root cause of the breach and determining what steps you can take to prevent similar incidents in the future. By learning from the breach, you can strengthen your security posture and better protect your business going forward.

3. Understanding the Root Cause of Breaches

In order to effectively prevent future cyber attacks, it is important to understand the root cause of breaches. Many times, breaches occur due to vulnerabilities in software or hardware systems that have not been properly updated or patched. Hackers can exploit these weaknesses to gain access to sensitive information.

Another common cause of breaches is human error. Employees may accidentally click on a phishing email or download malware onto their work computer. It is crucial for businesses to educate their employees on cybersecurity best practices and provide regular training to ensure they are aware of potential threats.

In some cases, breaches may also be caused by malicious insiders who have access to sensitive information and intentionally leak it. This highlights the importance of implementing strong access controls and monitoring systems to detect any suspicious activity.

By understanding the root cause of breaches, businesses can take proactive steps to address vulnerabilities and prevent future attacks. It is important to conduct regular security assessments and stay up-to-date on the latest cybersecurity trends and threats. With a strong security posture and vigilant approach, businesses can protect themselves and their customers from the devastating consequences of a data breach.

4. Implementing Stronger Security Measures

As technology continues to advance, so do the methods of cybercriminals. It's no longer enough to simply have basic security measures in place. To truly protect your business from breaches, it's crucial to implement stronger security measures.

One effective way to strengthen security is by using multi-factor authentication. This requires users to provide two or more forms of identification before accessing sensitive information. For example, a user may need to enter a password and then verify their identity through a fingerprint scan or a code sent to their phone.

Another important measure is to regularly update software and systems. Outdated software can contain vulnerabilities that hackers can exploit. By keeping everything up-to-date, you can ensure that any known security flaws are patched.

Encryption is also an essential tool for protecting sensitive data. This involves converting information into a code that can only be deciphered with a key. Even if a hacker gains access to encrypted data, they won't be able to read it without the key.

Finally, consider implementing a firewall to monitor incoming and outgoing network traffic. Firewalls act as a barrier between your internal network and external networks, allowing you to control what information is allowed in and out.

By implementing these stronger security measures, you can significantly reduce the risk of a breach occurring. Remember, prevention is always better than cure when it comes to cybersecurity.

5. Educating Employees on Cybersecurity

One of the most important aspects of securing your business against cyber attacks is educating your employees on cybersecurity. Your employees are often the first line of defense against potential threats, and their actions can have a significant impact on the security of your organization.

To start, it's important to ensure that all employees understand the basics of cybersecurity. This includes things like creating strong passwords, avoiding suspicious emails and links, and keeping software up-to-date. You may also want to consider providing training on more advanced topics, such as identifying phishing scams or recognizing signs of a potential breach.

In addition to formal training sessions, it's also important to foster a culture of cybersecurity within your organization. Encourage employees to report any suspicious activity or potential threats, and make sure they feel comfortable doing so. Consider implementing policies that require regular password changes or restrict access to sensitive information.

Finally, don't forget to lead by example. As a business owner or manager, your own actions can set the tone for the rest of your organization. Make sure you're following best practices for cybersecurity, and encourage others to do the same.

By educating your employees on cybersecurity, you can help to create a more secure environment for your business. With everyone working together, you'll be better equipped to prevent future breaches and protect your organization from potential threats.

6. Staying Vigilant Against Future Attacks

As the saying goes, prevention is better than cure. This is especially true when it comes to cybersecurity. After experiencing a breach, it's important to take steps to recover and prevent future attacks. However, staying vigilant against future attacks should be an ongoing effort. 

One way to stay vigilant is to regularly update your security measures. Cybercriminals are constantly finding new ways to infiltrate systems, so it's important to stay up-to-date with the latest security technologies and best practices. This could include implementing multi-factor authentication, using firewalls, or regularly backing up data.

Another way to stay vigilant is to monitor your systems for any suspicious activity. This could involve setting up alerts for unusual login attempts or monitoring network traffic for any anomalies. By catching potential threats early, you can take action before they cause significant damage.

Finally, it's important to educate employees on the importance of cybersecurity and how they can help prevent future attacks. This could include training on how to identify phishing emails or how to create strong passwords. By making cybersecurity a priority for everyone in the organization, you can create a culture of security that will help protect your business from future attacks.




No comments:

Post a Comment