Cyber Incident Response

Database breach Playbook v2.3


 

Document Control

Title

Database compromise Playbook

Version

2.3

Date Issued

17/06/2021

Status

Circulation

Document owner

StreamMarket Development team

Creator name

Amaresh Devarajan

Creator organisation name

StreamMarket

Subject category

Cyber Incident Response Management

Access constraints

None outside development, security analyst teams and other teams mentioned in this playbook

Document Revision History

Version

Date

Author

Summary of changes

2.3

11/06/2020

AD

Change to reflect new DB team

 


 

Contents

1. Introduction. 4

1.1. Overview.. 4

1.2. Purpose. 4

1.3. Database Breach Definition. 4

1.4. Scope. 4

1.5. Review Cycle. 5

2. Preparation Phase. 6

3. Detect 7

4. Analyse. 12

5. Remediation – Contain, Eradicate and Recover 16

6. Post Incident 20

7. Annex A: Flow Diagram.. 22

 


 

1. Introduction

1.1. Overview

In the event of a cyber incident, it is important that we respond, mobilise, and execute an appropriate level of response to limit the impact on the brand, value, service delivery, suppliers, and customer confidence. Although all cyber incidents are different in their nature and technologies used, it is possible to group common cyber incident types and methodologies together. This is in order to provide an appropriate and timely response depending on the cyber incidents type. Incident specific playbooks provide incident managers and stakeholders with a consistent approach to follow when remediating a cyber incident.

Playbooks describe the activities of those directly involved in managing specific cyber incidents. However, it is important to acknowledge the speed at which cyber incidents can escalate and become a significant business disruptor requiring both business continuity and consequence management considerations. Early consideration should be given to engaging Business Continuity, Resilience and Policy Area Leads in order that the wider issues can be effectively managed. Business Continuity and Development leads within the organisation must therefore be familiar with the Cyber Incident Response Plan (CIRP) and Playbooks and how they link to wider Incident response arrangements.

1.2. Purpose

The purpose of the Cyber Incident Response: Database compromise Playbook is to define activities that should be considered when detecting, analysing, and remediating a database loss. The playbook also identifies the key stakeholders that may be required to undertake these specific activities.

1.3. Database breach Definition

A Database compromise is an incident, breach of security or accidental or unlawful destruction, unauthorised retention, misuse, loss, alteration, unauthorised disclosure of, or access to, data transmitted, stored in database, or otherwise processed by the business, its employees, contractors or service providers.

1.4.Scope

This document has been designed for the sole use of the first responders such as the Developers, Database Administrators (DBA) and Security analyst team when responding to a cyber incident. It is not standalone and must be used alongside our CIRP and Dataloss and Unauthorised access playbook.

1.5.Review Cycle

This document is to be reviewed for continued relevancy by the Development, DBA & Security lead at least once every six months; following any major cyber incidents, a change of vendor, or the acquisition of new security services.

 


 

2.Preparation Phase

Preparation Phase

Phase objectives

The preparation phase has the following objectives:

·     Prepare to respond to cyber incidents in a timely and effective manner.

·     Inform employees of their role in remediating a Data Loss incident including reporting mechanisms.

Activity

Description

Stakeholders

Prepare to respond

Activities may include, but are not limited to:

Review and rehearse cyber incidents response procedures including technical and business roles and responsibilities, escalation to CEO and CTO where necessary.

·     CEO

·     CTO

·     Information governance and security team

·     Development Team Leader

·     Service Delivery Manager

·     Marketing team

·     Communications Team

·     DBA

·     Partners, suppliers

·     Business Continuity Lead

 

Review recent cyber incidents and the outputs.

·     Development team

·     DBA

·     Information governance

Review threat intelligence for threats to the organisation, brands and the sector, as well as common patterns and newly developing risks and vulnerabilities.

·     Development team

·     Security Analysts

·     DBA

Ensure appropriate access to any necessary documentation and information, including out-of-hours access, for the following:

·     CIRP;

·     Database architecture

·     Data Flow Diagrams

·     Development team

·     DBA

Identify and obtain the services of a 3rd party Cyber Forensic provider.

·     Development team and UK FAST SoC team

·     DBA

Define Threat and Risk Indicators and Alerting pattern within the organisation’s security information and event management (SIEM) solution.

·     Development team/Security analyst

·     DBA

Activity

Description

Stakeholders

Inform staff, partners, suppliers

Activities may include, but are not limited to:

 

Conduct regular awareness campaigns to highlight cyber/information security risks faced by employees, including:

·     Legal and regulatory requirements around data security;

·     Phishing attacks and malicious emails;

·     Ransomware;

·     Reporting a suspected cyber incidents.

·     CTO

·     Development team

·     Communication Lead

·     DBA

 

 

Ensure regular security training is mandated for those employees managing personal, confidential or high risk data and systems.

·     CTO

·     HR

·     Communication team

·     Training provider

 

3. Detect

Detection Phase

Phase objectives

The detection phase has the following objectives:

·     Detect and report a breach or compromise of the confidentiality, integrity or availability of organisational/personal data;

·     Complete initial investigation of the Data Breach or compromise;

·     Report the Data Breach or compromise formally to the correct team as a cyber incidents.

Activity

Description

Stakeholders

Detect and report the incident

Activities may include, but are not limited to:

 

Monitor detection channels, both automatic and manual, customer and staff channels and social media for indications of a Database Breach or compromise, these can include but are not limited to:

·     Customers, employee or confidential data published online.

·     Clients or their customers being contacted by an unauthorised third party with access to personal or confidential information.

·     Targeted emails to clients or employees containing personal or confidential information;

·     Data loss prevention logs or alerts;

·     Lost or stolen devices containing confidential information;

·     Lost or stolen paperwork or hardcopies of data;

·     Other incidents that suggest data has been extracted outside of the network perimeter.

·     Information governance and security team

·     Core IT UK Fast team

·     DBA

·     Development team

·     Security analysts

Report the cyber incidents via the Service Desk. If a ticket does not exist already, raise a ticket containing minimum information.

To report an incident, follow the process defined in the Cyber Incident Response Plan (CIRP)

·     Information governance and security team

·     Core IT UK Fast team

·     DBA

·     Development team

·     Security analysts

Classify the cyber incidents, based upon available information related to the Data Loss and the incident types (see CIRP).

·     Information governance and security team

·     Core IT UK Fast team

·     DBA

·     Development team

·     Security analysts

Report the Cyber incidents in accordance with the organisation’s CIRP and if incident related to Amazon PII inform 3p-security@amazon.com

 

 

·     Information governance and security team

·     Core IT UK Fast team

·     DBA

·     Development team

·     Security analysts

Where appropriate consider reporting requirements to Information Commissioner’s Office (ICO), relevant regulator National Cyber Security Centre (NCSC) and / or Police

·     Information governance and security team

·     Core IT UK Fast team

·     DBA

·     Development team

·     Security analysts

 

Activity

Description

Stakeholders

Initial investigation of the incident

Activities may include, but are not limited to:

Mobilise the CIRT to begin initial investigation of the cyber incidents (see staff contact details within CIRP).

·     Information governance and security team

·     Core IT

·     Development team

 

The following may also be included in the incident response team where appropriate for the incident:

·     Server Desk Technicians

·     Server Team

·     Partner IT team

·     DBA

·     Supplier technical team

Identify likelihood of employee involvement and notify HR (e.g., insider threat).

·     Information governance and security team

·     HR

·     DBA

Collate initial incident data including as a minimum for the following.

·     How was the cyber incidents reported

·     What has caused the cyber incidents (i.e., lost laptop, suspected hacker, malware. Etc.);

·     Location of data, both physical and logical.

·     Quantity of data i.e., number of accounts, unique numbers, customer names.

·     Is financial data included? i.e., credit card numbers, pins, expiry dates, etc.?

·     Is personal data included? i.e., names, address, postcodes, email address, etc.?

·     What is the format of the data i.e., redacted, encrypted, layout, length, etc.?

·     Was there any encryption around the data and if so, how was this provided?

·     Preliminary business impact assessment; and

·     Any current action being undertaken.

·     Information governance and security team

·     Core IT

·     Development team

·     DBA

·     Data protection officer

Secure artefacts, including copies of the data, via secure download and screenshot.

·     Information governance and security team

·     DBA

·     Core IT

·     Development team

Review critical systems and assess for any indicators of similar data sets being compromised.

·     Information governance and security team

·     DBA

·     Core IT

·     Development team

Identify possible sources or owners of the data.

·     Information governance and security team

·     DBA

·     Core IT

·     Development team

Preliminary review of data involved to determine if personal data has been compromised.

·     Information governance and security team

·     DBA

·     Core IT

·     Development team

Research Threat Intelligence sources and consider Cyber Security Information Sharing Partnership (CiSP) submission to gain further intelligence and support mitigation by others.

·     Information governance and security team

·     DBA

·     Core IT

·     Development team

Review cyber incidents categorisation to validate the cyber incidents type as a Data Loss incident and assess the incident priority, based upon the initial investigation. (See CIRP for Incident Severity Matrix)

·     Information governance and security team

·     DBA

·     Core IT

·     Development team

Activity

Description

Stakeholders

Incident reporting

Activities may include, but are not limited to:

Report the cyber incidents in accordance with the organisation’s CIRP and if incident related to Amazon PII inform 3p-security@amazon.com

 

 

·     Information governance and security team

·     Core IT

·     Development team

Immediately report Data Breaches that have occurred to the relevant Data Protection Officer.

Consider whether reporting suspected or confirmed unauthorised access to any personal data to the authority is appropriate at this stage.

·     Information governance and security team

·     Core IT

·     Development team

·     Data Protection Officer

Where appropriate consider reporting requirements to Information Commissioner’s Office (ICO), relevant Regulator and or Competent Authority (NISD), National Cyber Security Centre (NCSC) and / or Police

·     Information governance and security team

·     Core IT

·     Development team

·     Data Protection Officer

Report the Cyber incidents in accordance with the organisation’s CIRP.

Consider the Intelligence value to other organisations and share on the CiSP

 

·     Information governance and security team

·     Core IT

·     DBA

·     Development team

Where appropriate consider reporting requirements to Information Commissioner’s Office (ICO), relevant Regulator and National Cyber Security Centre (NCSC), and / or Police

 

·     Information governance and security team

·     Core IT

·     Development team

·     Communication team

·     DBA

Activity

Description

Stakeholders

Establish the requirement for a full forensic investigation

Activities may include, but are not limited to:

Consider conducting a full forensic investigation, on the advice of legal counsel

·     CTO

·     Information governance and security team

·     Core IT

Development team


 

4. Analyse

Analysis Phase

Phase objectives

The analysis phase has the following key objectives:

·     Analyse the cyber incidents to uncover the scope of the attack;

·     Identify and report potentially compromised data and the impact of such a compromise;

·     Establish the requirement for a full forensic investigation;

·     Develop a remediation plan based upon the scope and details of the cyber incidents.

Activity

Description

Stakeholders

Analyse the extent of the incident

Activities may include, but are not limited to:

Confirm any data involved is:

·     Legitimate.

·     Current;

·     Originating from the organisation;

·     Connected to the organisation or its Clients or their Customers.

·     Information governance and security team

·     Core IT

·     DBA

·     Development team

Conduct a detailed technical investigation of the cyber incidents which may include, but is not limited to:

·     Analyse any suspicious network traffic;

·     Review security and access logs, vulnerability scans and any automated tool outputs;

·     Analyse any suspicious activity, files or identified malware samples;

·     Review AV logs or events, without jeopardising future forensic activities;

·     Correlate any recent security events, or indicators of compromise, with suspicious activity seen on the network;

·     Identify the source of the data compromise;

·     Identify the specific data set which was compromised as well as how it was compromised.

·     Information governance and security team

·     Core IT

·     Development team

·     DBA

Determine the attack methodology and cyber incidents timeline.

·     Information governance and security team

·     Core IT

·     Development team

·     DBA

Analyse the data types and quantities to determine if there has been a privacy breach (i.e. involving personal data).

·     Information governance and security team

·     Core IT

·     Development team

·     DBA

Analyse the data types and quantities to determine if there has been a breach of financial data (e.g. organisational financial reports, customer or employee credit card details, bank details etc.).

·     Information governance and security team

·     Core IT

·     Development team

·     DBA

Analyse the data types and quantities to determine if the data is only found in the organisation’s environments, or shared with third party systems.

·     Information governance and security team

·     Core IT

·     Development team

·     DBA

Review the data type and quantity compromised for any compliance regulations that have been breached.

·     Information governance and security team

·     Core IT

·     Development team

·     DBA

Activity

Description

Stakeholders

Identify and report potentially compromised data

Activities may include, but are not limited to:

Engage data owners and senior stakeholders to understand the business impact of the compromised data.

·     Information governance and security team

·     Core IT

·     Development team

·     DBA

Report the cyber incidents in accordance with the CIRP, as required.

·     Information governance and security team

·     Core IT

·     Development team

·     DBA

Establish the likelihood that database confidentiality, integrity or availability has been compromised.

·     Information governance and security team

·     Core IT

·     Development team

Consider whether reporting suspected or confirmed unauthorised access to any personal data to the authority is appropriate at this stage.

·     Information governance and security team

·     Core IT

·     Development team

·     DBA

Update the senior stakeholders (see CIRP) of any suspected or confirmed Data Breach including the unauthorised access to any personal data.

·     CTO

·     Information governance and security team

·     DBA

·     Core IT

·     Development team

In line with the GDPR (Article 33) the ICO must be informed within 72 hours of the organisation becoming aware of an incident resulting in a “risk to the rights and freedoms of those involved”.

Determine whether the Data Breach needs to be reported to the ICO further guidance can be found at https://ico.org.uk/.

·     Information governance and security team

·     Core IT

·     Development team

·     Communication team

·     DBA

 

Where a decision to notify the ICO has been made the following must be included as a minimum:

·     Describe the nature of the personal Data Breach including where possible, the categories and approximate number of data subjects and personal data records concerned.

·     Communicate the name and contact details of the contact point where more information can be obtained.

·     Describe the likely consequences of the personal Data Breach.

Describe the measures taken or proposed to be taken to address the personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

Consider other Reporting requirements such as Reporting as a crime to Police Scotland or to Regulators or Competent Authorities where relevant

·     Information governance and security team

·     Core IT

·     Development team

·     DBA

·     Data Protection Officer

Activity

Description

Stakeholders

Develop a remediation plan

Activities may include, but are not limited to:

Incorporate technical and business analysis to develop a prioritised remediation plan.

·     Information governance and security team

·     Core IT

·     Development team

Implement a communications strategy in line with the remediation plan.

·     Information governance and security team

·     DBA

·     Core IT

·     Development team

·     Communication plan

 


 

5. Remediation – Contain, Eradicate and Recover

Remediation Phase

Phase objectives

The remediation phase has the following objectives:

·     Contain the technical mechanism of the Data Breach;

·     Eradicate the technical mechanism of the Data Breach;

·     Recover affected systems and services back to a Business As Usual (BAU) state.

Activity

Description

Stakeholders

Containment

Contain the technical mechanisms of the Data Breach, including:

Isolate all affected systems or accounts from the infrastructure through removal from the network or application of strict access controls, to prevent further data exfiltration.

·     Information governance and security team

·     Core IT

·     DBA

·     Change team

·     Development team

Implement rules to block detected suspicious traffic leaving the network.

·     Information governance and security team

·     Core IT

·     Change team

·     Development team

·     DBA

Secure copies of infected systems and malware for further investigation, if not already completed.

·     Information governance and security team

·     Core IT

·     DBA

·     Development team

Reverse engineer malware to identify the indicators of compromise that will assist with eradication phase.

·     Information governance and security team

·     Core IT

·     Development team

·     DBA

Safeguard critical assets to prevent further harm or theft of data.

·     Information governance and security team

·     DBA

·     Core IT

·     Development team

 

Remotely erase any lost or stolen assets where possible.

·     Information governance and security team

·     Core IT

·     DBA

·     Development team

Reset passwords of legitimate user accounts and reduce permissions where possible and if appropriate

·     Information Security Manager

·     DBA

·     Core IT

Isolate unauthorised user accounts and analyse any removal of database

·     Information governance and security team

·     Core IT

·     DBA

·     Development team

Contain the business effects of the cyber incidents:

Implement the notification strategy including any internal or external notifications, the notification of employees, third parties, service providers and customers.

·     Information governance and security team

·     Core IT

·     DBA

·     Development team

Support the development of external communications by providing accurate, simple lines to take, in line with technical remediation activities.

·     Information governance and security team

·     Core IT

·     DBA

·     Development team

·     Communication team

Engage the Data Protection Authority, if appropriate.

·     Information governance and security team

·     Core IT

·     DBA

·     Development team Data Protection Officer

·     Legal Services

Activity

Description

Stakeholders

Eradication

Activities may include, but are not limited to:

Remove any malware identified during the analysis phase using appropriate tools.

·     Information governance and security team

·     Core IT

·     DBA

·     Development team

Remove any identified artefacts used to facilitate the breach, such as scripts, code and binaries.

·     Information governance and security team

·     Core IT

·     DBA

·     Development team

Disable system and user accounts that have been used as a platform to conduct the attack.

·     Information governance and security team

·     Core IT

·     DBA

·     Development team

Identify common removal methods from trusted sources (AV providers).

·     Information governance and security team

·     Core IT

·     DBA

·     Development team

Complete an automated or manual removal process of the malware using appropriate tools.

·     Information governance and security team

·     Core IT

·     DBA

·     Development team

Conduct a restoration of affected networked systems from a trusted back up.

·     Information governance and security team

·     DBA

·     Core IT

·     Development team

Re-install any standalone systems from a clean OS back-up before updating with trusted data back-ups.

·     Information governance and security team

·     DBA

·     Core IT

·     Development team

Change any compromised account details.

·     Information governance and security team

·     Core IT

·     DBA

·     Development team

Confirm policy compliance across the estate.

·     Information governance and security team

·     Core IT

·     DBA

·     Development team

Activity

Description

Stakeholders

Recover to BAU

Activities may include, but are not limited to:

Recover systems based on business impact analysis and business criticality.

·     Information governance and security team

·     Core IT

·     Development team

·     DBA

Complete AV and advanced malware scanning of all systems, across the estate.

·     Information governance and security team

·     Core IT

·     Development team

·     DBA

Re-set the credentials of all involved system(s) and users account details.

·     Information governance and security team

·     Core IT

·     DBA

·     Development team

Reintegrate previously compromised systems.

·     Information governance and security team

·     Core IT

·     DBA

·     Development team

Restore any corrupted or destroyed database

·     Information governance and security team

·     Core IT

·     Development team

·     DBA

Restore any suspended services.

·     Information governance and security team

·     Core IT

·     DBA

·     Development team

Establish monitoring to detect further suspicious activity.

·     Information governance and security team

·     Core IT

·     DBA

·     Development team

·     UK Fast SIEM Provider

Co-ordinate the implementation of any necessary patches or vulnerability remediation activities.

·     Information governance and security team

·     Core IT

·     DBA

·     Development team


 

6. Post Incident

Post-Incident Activities Phase

Phase objectives

The post-incident activities phase has the following objectives:

·     Complete an incident report including all incident details and activities;

·     Complete the lessons identified and problem management process;

·     Publish appropriate internal and external communications.

Activity

Description

Stakeholders

Incident reporting

Draft a post-incident report that includes the following details as a minimum:

·     Details of the cause, impact and actions taken to mitigate the cyber incidents, and including, timings, type and location of incident as well as the effect on users;

·     Activities that were undertaken by relevant resolver groups, service providers and business stakeholders that enabled normal business operations to be resumed;

·     Recommendations where any aspects of people, process or technology could be improved across the organisation to help prevent a similar cyber incident from reoccurring, as part of a formalised lessons identified process.

·     Provide final report to 3p-security@amazon.com

·     Senior Stakeholders

·     Information governance and security team

·     Core IT

·     DBA

·     Development team

·     External stakeholders

Lessons Identified & Problem Management

Complete the formal lessons identified process to feedback into future preparation activities.

·     Information governance and security team

·     Core IT

·     Development team

·     DBA

Conduct root cause analysis to identify and remediate underlying vulnerabilities.

·     Information governance and security team

·     Core IT

·     DBA

·     Development team

Consider sharing lessons identified with external stakeholders where relevant

·     Information governance and security team

·     Core IT

·     DBA

·     Development team

·     Communication team

Human Resources

Review staff welfare; working hours, over time, time off in lieu (TOIL) and expenses.

·     Information governance and security team

·     Core IT

·     DBA

·     Development team

Communications

Activities may include, but are not limited to:

Publish internal communications to inform and educate employees on Database Breach attacks and security awareness.

·     Information governance and security team

·     Core IT

·     DBA

·     Development team

Publish external communications, if appropriate, in line with the communications strategy to provide advice to customers, engage with the market, and inform press of the cyber incidents.

These communications should provide key information of the cyber incidents without leaving the organisation vulnerable or inciting further Data Loss attacks.

·     Information governance and security team

·     DBA

·     Core IT

Development team