M-Unition

Have You Received Notification of a Security Breach?

By on September 19, 2012

Given the dedication and persistence of attackers, no one is immune from network security breaches. More often than not, organizations learn of a security breach from an external source. This post explores victim notifications and factors to consider before and after receipt of a notification.

What is a Victim Notification?
Victim notifications alert the recipient to a network security breach. The notification may arrive as an email or a phone call, and the value of the information is only as good as the notification source. Compelling notifications provide key details, such as affected hostnames and probable data loss. In other words, the best notifications provide concrete details that incident responders can use as effective leads to begin an investigation.

Though victim notifications only reveal the “tip of the iceberg”, the most effective victim notifications educate organizations about the threat in a manner that offers a path forward. Well-crafted victim notifications describe how the attacker accessed and progressed through the environment. Furthermore, well-crafted notifications provide insight into an attacker’s possible motive and recommend best practices to enhance the security posture of the compromised network.

Who Issues Notifications?
Sources of victim notifications vary, and it is always important to consider the source when evaluating victim notifications. Historically, sources of victim notifications were limited to government agencies involved in cyber crime investigations. These agencies include the Federal Bureau of Investigation (FBI), Air Force Office of Special Investigation (AFOSI) and Naval Criminal Investigative Services (NCIS). Government (law enforcement) agencies have extensive backgrounds in cyber crime investigations and apply their experience when providing a victim notification. As a result, government victim notifications are considered trusted sources.

Over the past two years, Mandiant has noticed an increase in the number of notifications issued by non-government sources. While protecting public safety is part of the mandate for law enforcement agencies, commercial notifiers do not share this same mandate. Consequently, it is important to consider the motivation behind notifications from commercial entities. In some cases, motives are altruistic: good citizenship, providing a service, boosting overall security. Other motivations are a little less pure: advancing one’s professional stature or visibility, or receiving credit for the notification.

Responding to a Notification
Operate from the mindset that security breaches are inevitable and build an incident response plan that includes details on how to evaluate or respond to a victim notification. At a minimum, identify individuals who have access to information needed to quickly validate the details contained in a notification. Without clear roles and responsibilities, the response to a notification may be unorganized and delay the investigation. Speed and a clear path forward are critical when responding to network intrusions regardless of the method of detection.

I hope this post has informed you on victim notifications and explained who typically issues them. Next week Carlos Carrillo will release the second post in the notification series on how to best respond to a notification.

Category: The Suite Spot
