Database Breach Playbook v2.3

Document Control

Title: Database Compromise Playbook
Version: 2.3
Date Issued: 17/06/2021
Status: Circulation
Document owner: StreamMarket Development team
Creator name: Amaresh Devarajan
Creator organisation name: StreamMarket
Subject category: Cyber Incident Response Management
Access constraints: None outside the development and security analyst teams and the other teams mentioned in this playbook

Document Revision History

| Version | Date | Author | Summary of changes |
|---|---|---|---|
| 2.3 | 11/06/2020 | AD | Change to reflect new DB team |
Contents
1.3. Database Breach Definition
5. Remediation – Contain, Eradicate and Recover
In the event of a cyber incident, it is important that we respond, mobilise, and execute an appropriate level of response to limit the impact on the brand, value, service delivery, suppliers, and customer confidence. Although all cyber incidents differ in their nature and the technologies used, it is possible to group common cyber incident types and methodologies together in order to provide an appropriate and timely response for each cyber incident type. Incident-specific playbooks give incident managers and stakeholders a consistent approach to follow when remediating a cyber incident.

Playbooks describe the activities of those directly involved in managing specific cyber incidents. However, it is important to acknowledge the speed at which cyber incidents can escalate and become a significant business disruptor requiring both business continuity and consequence management considerations. Early consideration should be given to engaging Business Continuity, Resilience and Policy Area Leads so that the wider issues can be managed effectively. Business Continuity and Development leads within the organisation must therefore be familiar with the Cyber Incident Response Plan (CIRP) and Playbooks and with how they link to the wider incident response arrangements.

The purpose of the Cyber Incident Response: Database Compromise Playbook is to define the activities that should be considered when detecting, analysing, and remediating a database loss. The playbook also identifies the key stakeholders that may be required to undertake these specific activities.

A database compromise is an incident or breach of security involving the accidental or unlawful destruction, unauthorised retention, misuse, loss, alteration, unauthorised disclosure of, or access to, data transmitted, stored in a database, or otherwise processed by the business, its employees, contractors or service providers.

This document has been designed for the sole use of first responders such as the Developers, Database Administrators (DBA) and the Security analyst team when responding to a cyber incident. It is not standalone and must be used alongside our CIRP and the Data Loss and Unauthorised Access playbook.

This document is to be reviewed for continued relevancy by the Development, DBA and Security leads at least once every six months, and following any major cyber incident, a change of vendor, or the acquisition of new security services.
Preparation Phase

Phase objectives. The preparation phase has the following objectives:
· Prepare to respond to cyber incidents in a timely and effective manner.
· Inform employees of their role in remediating a Data Loss incident, including reporting mechanisms.

| Activity | Description | Stakeholders |
|---|---|---|
| Prepare to respond | Activities may include, but are not limited to: | |
| | Review and rehearse cyber incident response procedures, including technical and business roles and responsibilities, and escalation to the CEO and CTO where necessary. | · CEO · CTO · Information governance and security team · Development Team Leader · Service Delivery Manager · Marketing team · Communications team · DBA · Partners, suppliers · Business Continuity Lead |
| | Review recent cyber incidents and their outputs. | · Development team · DBA · Information governance |
| | Review threat intelligence for threats to the organisation, its brands and the sector, as well as common patterns and newly developing risks and vulnerabilities. | · Development team · Security Analysts · DBA |
| | Ensure appropriate access to any necessary documentation and information, including out-of-hours access, for the following: · CIRP · Database architecture · Data Flow Diagrams | · Development team · DBA |
| | Identify and obtain the services of a third-party Cyber Forensic provider. | · Development team and UK Fast SOC team · DBA |
| | Define threat and risk indicators and alerting patterns within the organisation's security information and event management (SIEM) solution. | · Development team/Security analysts · DBA |
| Inform staff, partners, suppliers | Activities may include, but are not limited to: | |
| | Conduct regular awareness campaigns to highlight the cyber/information security risks faced by employees, including: · Legal and regulatory requirements around data security · Phishing attacks and malicious emails · Ransomware · Reporting a suspected cyber incident | · CTO · Development team · Communication Lead · DBA |
| | Ensure regular security training is mandated for those employees managing personal, confidential or high-risk data and systems. | · CTO · HR · Communication team · Training provider |
Detection Phase

Phase objectives. The detection phase has the following objectives:
· Detect and report a breach or compromise of the confidentiality, integrity or availability of organisational/personal data.
· Complete the initial investigation of the Data Breach or compromise.
· Report the Data Breach or compromise formally to the correct team as a cyber incident.

| Activity | Description | Stakeholders |
|---|---|---|
| Detect and report the incident | Activities may include, but are not limited to: | |
| | Monitor detection channels, both automatic and manual, customer and staff channels and social media for indications of a Database Breach or compromise. These can include, but are not limited to: · Customer, employee or confidential data published online · Clients or their customers being contacted by an unauthorised third party with access to personal or confidential information · Targeted emails to clients or employees containing personal or confidential information · Data loss prevention logs or alerts · Lost or stolen devices containing confidential information · Lost or stolen paperwork or hard copies of data · Other incidents that suggest data has been extracted outside the network perimeter | · Information governance and security team · Core IT UK Fast team · DBA · Development team · Security analysts |
| | Report the cyber incident via the Service Desk. If a ticket does not already exist, raise one containing the minimum information. To report an incident, follow the process defined in the Cyber Incident Response Plan (CIRP). | · Information governance and security team · Core IT UK Fast team · DBA · Development team · Security analysts |
| | Classify the cyber incident based on the available information about the Data Loss and the incident types (see CIRP). | · Information governance and security team · Core IT UK Fast team · DBA · Development team · Security analysts |
| | Report the cyber incident in accordance with the organisation's CIRP and, if the incident relates to Amazon PII, inform 3p-security@amazon.com. | · Information governance and security team · Core IT UK Fast team · DBA · Development team · Security analysts |
| | Where appropriate, consider reporting requirements to the Information Commissioner's Office (ICO), the relevant regulator, the National Cyber Security Centre (NCSC) and/or the Police. | · Information governance and security team · Core IT UK Fast team · DBA · Development team · Security analysts |
| Initial investigation of the incident | Activities may include, but are not limited to: | |
| | Mobilise the CIRT to begin the initial investigation of the cyber incident (see staff contact details within the CIRP). | · Information governance and security team · Core IT · Development team. The following may also be included in the incident response team where appropriate for the incident: · Service Desk Technicians · Server Team · Partner IT team · DBA · Supplier technical team |
| | Identify the likelihood of employee involvement and notify HR (e.g., insider threat). | · Information governance and security team · HR · DBA |
| | Collate initial incident data, including as a minimum the following: · How the cyber incident was reported · What caused the cyber incident (e.g., lost laptop, suspected hacker, malware) · Location of the data, both physical and logical · Quantity of data, i.e., number of accounts, unique numbers, customer names · Whether financial data is included, e.g., credit card numbers, PINs, expiry dates · Whether personal data is included, e.g., names, addresses, postcodes, email addresses · The format of the data, i.e., redacted, encrypted, layout, length · Whether there was any encryption around the data and, if so, how it was provided · Preliminary business impact assessment · Any current action being undertaken | · Information governance and security team · Core IT · Development team · DBA · Data Protection Officer |
| | Secure artefacts, including copies of the data, via secure download and screenshot. | · Information governance and security team · DBA · Core IT · Development team |
| | Review critical systems and assess for any indicators of similar data sets being compromised. | · Information governance and security team · DBA · Core IT · Development team |
| | Identify possible sources or owners of the data. | · Information governance and security team · DBA · Core IT · Development team |
| | Conduct a preliminary review of the data involved to determine whether personal data has been compromised. | · Information governance and security team · DBA · Core IT · Development team |
| | Research Threat Intelligence sources and consider a Cyber Security Information Sharing Partnership (CiSP) submission to gain further intelligence and support mitigation by others. | · Information governance and security team · DBA · Core IT · Development team |
| | Review the cyber incident categorisation to validate the cyber incident type as a Data Loss incident and assess the incident priority, based on the initial investigation (see the CIRP for the Incident Severity Matrix). | · Information governance and security team · DBA · Core IT · Development team |
| Incident reporting | Activities may include, but are not limited to: | |
| | Report the cyber incident in accordance with the organisation's CIRP and, if the incident relates to Amazon PII, inform 3p-security@amazon.com. | · Information governance and security team · Core IT · Development team |
| | Immediately report Data Breaches that have occurred to the relevant Data Protection Officer. Consider whether reporting suspected or confirmed unauthorised access to any personal data to the authority is appropriate at this stage. | · Information governance and security team · Core IT · Development team · Data Protection Officer |
| | Where appropriate, consider reporting requirements to the Information Commissioner's Office (ICO), the relevant Regulator and/or Competent Authority (NISD), the National Cyber Security Centre (NCSC) and/or the Police. | · Information governance and security team · Core IT · Development team · Data Protection Officer |
| | Report the cyber incident in accordance with the organisation's CIRP. Consider the intelligence value to other organisations and share on the CiSP. | · Information governance and security team · Core IT · DBA · Development team |
| | Where appropriate, consider reporting requirements to the Information Commissioner's Office (ICO), the relevant Regulator, the National Cyber Security Centre (NCSC) and/or the Police. | · Information governance and security team · Core IT · Development team · Communication team · DBA |
| Establish the requirement for a full forensic investigation | Activities may include, but are not limited to: | |
| | Consider conducting a full forensic investigation, on the advice of legal counsel. | · CTO · Information governance and security team · Core IT · Development team |
Analysis Phase

Phase objectives. The analysis phase has the following key objectives:
· Analyse the cyber incident to uncover the scope of the attack.
· Identify and report potentially compromised data and the impact of such a compromise.
· Establish the requirement for a full forensic investigation.
· Develop a remediation plan based on the scope and details of the cyber incident.

| Activity | Description | Stakeholders |
|---|---|---|
| Analyse the extent of the incident | Activities may include, but are not limited to: | |
| | Confirm that any data involved is: · Legitimate · Current · Originating from the organisation · Connected to the organisation or its Clients or their Customers | · Information governance and security team · Core IT · DBA · Development team |
| | Conduct a detailed technical investigation of the cyber incident, which may include, but is not limited to: · Analyse any suspicious network traffic · Review security and access logs, vulnerability scans and any automated tool outputs · Analyse any suspicious activity, files or identified malware samples · Review AV logs or events, without jeopardising future forensic activities · Correlate any recent security events, or indicators of compromise, with suspicious activity seen on the network · Identify the source of the data compromise · Identify the specific data set that was compromised, as well as how it was compromised | · Information governance and security team · Core IT · Development team · DBA |
| | Determine the attack methodology and the cyber incident timeline. | · Information governance and security team · Core IT · Development team · DBA |
| | Analyse the data types and quantities to determine whether there has been a privacy breach (i.e., one involving personal data). | · Information governance and security team · Core IT · Development team · DBA |
| | Analyse the data types and quantities to determine whether there has been a breach of financial data (e.g., organisational financial reports, customer or employee credit card details, bank details). | · Information governance and security team · Core IT · Development team · DBA |
| | Analyse the data types and quantities to determine whether the data is found only in the organisation's environments or is shared with third-party systems. | · Information governance and security team · Core IT · Development team · DBA |
| | Review the data type and quantity compromised for any compliance regulations that have been breached. | · Information governance and security team · Core IT · Development team · DBA |
| Identify and report potentially compromised data | Activities may include, but are not limited to: | |
| | Engage data owners and senior stakeholders to understand the business impact of the compromised data. | · Information governance and security team · Core IT · Development team · DBA |
| | Report the cyber incident in accordance with the CIRP, as required. | · Information governance and security team · Core IT · Development team · DBA |
| | Establish the likelihood that database confidentiality, integrity or availability has been compromised. | · Information governance and security team · Core IT · Development team |
| | Consider whether reporting suspected or confirmed unauthorised access to any personal data to the authority is appropriate at this stage. | · Information governance and security team · Core IT · Development team · DBA |
| | Update the senior stakeholders (see CIRP) on any suspected or confirmed Data Breach, including unauthorised access to any personal data. | · CTO · Information governance and security team · DBA · Core IT · Development team |
| | In line with the GDPR (Article 33), the ICO must be informed within 72 hours of the organisation becoming aware of an incident resulting in a "risk to the rights and freedoms of those involved". Determine whether the Data Breach needs to be reported to the ICO; further guidance can be found at https://ico.org.uk/. | · Information governance and security team · Core IT · Development team · Communication team · DBA |
| | Where a decision to notify the ICO has been made, the following must be included as a minimum: · Describe the nature of the personal Data Breach, including where possible the categories and approximate number of data subjects and personal data records concerned · Communicate the name and contact details of the contact point where more information can be obtained · Describe the likely consequences of the personal Data Breach · Describe the measures taken or proposed to be taken to address the personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Consider other reporting requirements, such as reporting as a crime to Police Scotland or to Regulators or Competent Authorities where relevant. | · Information governance and security team · Core IT · Development team · DBA · Data Protection Officer |
| Develop a remediation plan | Activities may include, but are not limited to: | |
| | Incorporate technical and business analysis to develop a prioritised remediation plan. | · Information governance and security team · Core IT · Development team |
| | Implement a communications strategy in line with the remediation plan. | · Information governance and security team · DBA · Core IT · Development team · Communication team |
Remediation Phase

Phase objectives. The remediation phase has the following objectives:
· Contain the technical mechanism of the Data Breach.
· Eradicate the technical mechanism of the Data Breach.
· Recover affected systems and services back to a Business As Usual (BAU) state.

| Activity | Description | Stakeholders |
|---|---|---|
| Containment | Contain the technical mechanisms of the Data Breach, including: | |
| | Isolate all affected systems or accounts from the infrastructure, through removal from the network or application of strict access controls, to prevent further data exfiltration. | · Information governance and security team · Core IT · DBA · Change team · Development team |
| | Implement rules to block detected suspicious traffic leaving the network. | · Information governance and security team · Core IT · Change team · Development team · DBA |
| | Secure copies of infected systems and malware for further investigation, if not already completed. | · Information governance and security team · Core IT · DBA · Development team |
| | Reverse engineer malware to identify the indicators of compromise that will assist with the eradication phase. | · Information governance and security team · Core IT · Development team · DBA |
| | Safeguard critical assets to prevent further harm or theft of data. | · Information governance and security team · DBA · Core IT · Development team |
| | Remotely erase any lost or stolen assets where possible. | · Information governance and security team · Core IT · DBA · Development team |
| | Reset the passwords of legitimate user accounts and reduce permissions where possible and appropriate. | · Information Security Manager · DBA · Core IT |
| | Isolate unauthorised user accounts and analyse any removal of database. | · Information governance and security team · Core IT · DBA · Development team |
| | Contain the business effects of the cyber incident: | |
| | Implement the notification strategy, including any internal or external notifications and the notification of employees, third parties, service providers and customers. | · Information governance and security team · Core IT · DBA · Development team |
| | Support the development of external communications by providing accurate, simple lines to take, in line with technical remediation activities. | · Information governance and security team · Core IT · DBA · Development team · Communication team |
| | Engage the Data Protection Authority, if appropriate. | · Information governance and security team · Core IT · DBA · Development team · Data Protection Officer · Legal Services |
| Eradication | Activities may include, but are not limited to: | |
| | Remove any malware identified during the analysis phase using appropriate tools. | · Information governance and security team · Core IT · DBA · Development team |
| | Remove any identified artefacts used to facilitate the breach, such as scripts, code and binaries. | · Information governance and security team · Core IT · DBA · Development team |
| | Disable system and user accounts that have been used as a platform to conduct the attack. | · Information governance and security team · Core IT · DBA · Development team |
| | Identify common removal methods from trusted sources (AV providers). | · Information governance and security team · Core IT · DBA · Development team |
| | Complete an automated or manual removal process for the malware using appropriate tools. | · Information governance and security team · Core IT · DBA · Development team |
| | Conduct a restoration of affected networked systems from a trusted backup. | · Information governance and security team · DBA · Core IT · Development team |
| | Re-install any standalone systems from a clean OS backup before updating with trusted data backups. | · Information governance and security team · DBA · Core IT · Development team |
| | Change any compromised account details. | · Information governance and security team · Core IT · DBA · Development team |
| | Confirm policy compliance across the estate. | · Information governance and security team · Core IT · DBA · Development team |
| Recover to BAU | Activities may include, but are not limited to: | |
| | Recover systems based on business impact analysis and business criticality. | · Information governance and security team · Core IT · Development team · DBA |
| | Complete AV and advanced malware scanning of all systems across the estate. | · Information governance and security team · Core IT · Development team · DBA |
| | Reset the credentials of all involved system(s) and user account details. | · Information governance and security team · Core IT · DBA · Development team |
| | Reintegrate previously compromised systems. | · Information governance and security team · Core IT · DBA · Development team |
| | Restore any corrupted or destroyed database. | · Information governance and security team · Core IT · Development team · DBA |
| | Restore any suspended services. | · Information governance and security team · Core IT · DBA · Development team |
| | Establish monitoring to detect further suspicious activity. | · Information governance and security team · Core IT · DBA · Development team · UK Fast SIEM Provider |
| | Co-ordinate the implementation of any necessary patches or vulnerability remediation activities. | · Information governance and security team · Core IT · DBA · Development team |
Post-Incident Activities Phase

Phase objectives. The post-incident activities phase has the following objectives:
· Complete an incident report including all incident details and activities.
· Complete the lessons identified and problem management process.
· Publish appropriate internal and external communications.

| Activity | Description | Stakeholders |
|---|---|---|
| Incident reporting | Draft a post-incident report that includes the following details as a minimum: · Details of the cause, impact and actions taken to mitigate the cyber incident, including the timings, type and location of the incident as well as the effect on users · Activities that were undertaken by relevant resolver groups, service providers and business stakeholders that enabled normal business operations to be resumed · Recommendations where any aspects of people, process or technology could be improved across the organisation to help prevent a similar cyber incident from recurring, as part of a formalised lessons identified process · Provide the final report to 3p-security@amazon.com | · Senior Stakeholders · Information governance and security team · Core IT · DBA · Development team · External stakeholders |
| Lessons Identified & Problem Management | Complete the formal lessons identified process to feed back into future preparation activities. | · Information governance and security team · Core IT · Development team · DBA |
| | Conduct root cause analysis to identify and remediate underlying vulnerabilities. | · Information governance and security team · Core IT · DBA · Development team |
| | Consider sharing lessons identified with external stakeholders where relevant. | · Information governance and security team · Core IT · DBA · Development team · Communication team |
| Human Resources | Review staff welfare: working hours, overtime, time off in lieu (TOIL) and expenses. | · Information governance and security team · Core IT · DBA · Development team |
| Communications | Activities may include, but are not limited to: | |
| | Publish internal communications to inform and educate employees on Database Breach attacks and security awareness. | · Information governance and security team · Core IT · DBA · Development team |
| | Publish external communications, if appropriate, in line with the communications strategy to provide advice to customers, engage with the market, and inform the press of the cyber incident. These communications should provide the key information about the cyber incident without leaving the organisation vulnerable or inciting further Data Loss attacks. | · Information governance and security team · DBA · Core IT · Development team |