Given the dedication and persistence of attackers, no one is immune from network security breaches. More often than not, organizations learn of a security breach from an external source. This post explores victim notifications and factors to consider before and after receipt of a notification.
What is a Victim Notification?
Victim notifications alert the recipient of a network security breach. The notification may arrive as an email or phone call and the value of the information is only as good as the notification source. Compelling notifications provide key details, such as hostnames and probable data loss. In other words, the best notifications provide concrete details incident responders can use as effective leads to begin an investigation.
Though victim notifications only reveal the "tip of the iceberg", the most effective victim notifications educate organizations about the threat in a manner that offers a path forward. Well-crafted victim notifications describe how the attacker accessed and progressed through the environment. Furthermore, well-crafted notifications provide insight into an attacker's possible motive and recommend best practices to enhance the security posture of the compromised network.
Who Issues Notifications?
Sources of victim notifications vary, and it is always important to consider the source when evaluating victim notifications. Historically, sources of victim notifications were limited to government agencies involved in cyber crime investigations. These agencies include the Federal Bureau of Investigation (FBI), Air Force Office of Special Investigation (AFOSI) and Naval Criminal Investigative Services (NCIS). Government (law enforcement) agencies have extensive backgrounds in cyber crime investigations and apply their experience when providing a victim notification. As a result, government victim notifications are considered trusted sources.
Over the past two years, Mandiant has noticed an increase in the number of non-government issued notifications. While protecting public safety is part of the mandate for law enforcement agencies, commercial notifications do not share this same mandate. Consequently, it is important to consider the motivation of notifications from commercial entities. In some cases, motives are altruistic: good citizenship, providing a service, boosting overall security. Other motivations are a little less pure: advancing one's professional stature, visibility or receiving credit for notification.
Responding to a Notification
Operate from the mindset that security breaches are inevitable and build an incident response plan that includes details on how to evaluate or respond to a victim notification. At a minimum, identify individuals who have access to information needed to quickly validate the details contained in a notification. Without clear roles and responsibilities, the response to a notification may be unorganized and delay the investigation. Speed and a clear path forward are critical when responding to network intrusions regardless of the method of detection.
I hope this post has informed you on victim notifications and explained who typically issues them. Next week Carlos Carrillo will release the second post in the notification series on how to best respond to a notification.