
How to Identify a Data Breach in 7 Steps (Checklist Included)

Mar 12, 2026 / Erhan Yılmaz

Data breaches rarely announce themselves. They usually begin as small anomalies: strange login activity, minor changes to settings, unexpected outbound traffic, and so on. The organizations that limit breach damage best are not the ones that never suffer a breach, but the ones that find it quickly and respond well.

Below is a practical, operations-focused framework your security team can follow.

What a data breach is (and why fast identification matters)

A data breach is a security incident in which private, sensitive, or protected information is accessed, disclosed, altered, or destroyed without authorization. This information can include personal data, intellectual property, financial information, credentials, or regulated data such as PHI or cardholder data covered by PCI.

According to IBM's Cost of a Data Breach Report, a data breach costs an organization around $5 million on average globally. A breach with a shorter lifecycle, however, has a far smaller financial impact.

Speed matters because the damage grows with dwell time. A breach with a longer lifecycle lets the attacker exfiltrate more data and entrench more deeply, especially when a privileged account is involved.

7 Basic Steps to Identify a Data Breach

These steps form a checklist for detection, prevention, remediation, and resilience.

Step 1: Identify the breach

The first step in detecting an attack is to separate signal from noise. Common signs include:

  • Unusual activity detected in privileged account access
  • Logins from unusual locations or travel behavior that is incongruous
  • Unusual changes to access control or security groups that were not anticipated
  • Disabling of security tools or changes to log settings

Incident identification is a formal process in which an organization recognizes that an event is a security incident, according to the National Institute of Standards and Technology (NIST SP 800-61). The primary objective is to confirm, not to suspect. Alerts can be evaluated using log correlation, EDR data, IAM data, and SIEM analysis.
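To make the signals above concrete, here is an added example (not code from the original article or from Kron) of a small triage routine run over constructed authentication and configuration events. The privileged-account list, per-user baseline countries, the two-hour "impossible travel" window and the JSON log format are all assumptions made for the example; a real deployment would read these from the IAM system and SIEM.

```python
import json
from datetime import datetime, timedelta

# Assumed configuration for this example: which accounts are privileged,
# which source countries are normal for each account, and which events
# indicate that a security control or access group was changed.
PRIVILEGED = {"domain-admin", "svc-backup"}
BASELINE_COUNTRIES = {
    "domain-admin": {"DE"},
    "svc-backup": {"DE"},
    "alice": {"DE", "NL"},
}
CONTROL_CHANGE_EVENTS = {"edr_disabled", "audit_policy_changed", "added_to_group"}
TRAVEL_WINDOW = timedelta(hours=2)

# Constructed sample log (JSON lines), not real data.
SAMPLE_LOG = """
{"ts": "2026-03-10T08:00:00Z", "user": "alice", "src_country": "DE", "event": "login"}
{"ts": "2026-03-10T08:05:00Z", "user": "domain-admin", "src_country": "DE", "event": "login"}
{"ts": "2026-03-10T09:10:00Z", "user": "domain-admin", "src_country": "BR", "event": "login"}
{"ts": "2026-03-10T09:12:00Z", "user": "domain-admin", "src_country": "BR", "event": "added_to_group", "detail": "Domain Admins += svc-backup"}
{"ts": "2026-03-10T09:15:00Z", "user": "svc-backup", "src_country": "BR", "event": "edr_disabled", "detail": "host=fs01"}
{"ts": "2026-03-10T11:00:00Z", "user": "alice", "src_country": "NL", "event": "login"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (alert_type, user, timestamp) tuples for the signals worth triaging."""
    alerts = []
    last_login = {}  # user -> most recent login event
    for event in events:
        user = event["user"]
        if event["event"] == "login":
            # Privileged account logging in from outside its baseline.
            if user in PRIVILEGED and event["src_country"] not in BASELINE_COUNTRIES.get(user, set()):
                alerts.append(("privileged_login_unusual_location", user, event["ts"]))
            # Same user, different country, within a window too short to travel.
            previous = last_login.get(user)
            if (previous is not None
                    and previous["src_country"] != event["src_country"]
                    and event["ts"] - previous["ts"] < TRAVEL_WINDOW):
                alerts.append(("impossible_travel", user, event["ts"]))
            last_login[user] = event
        elif event["event"] in CONTROL_CHANGE_EVENTS:
            # Security tooling disabled, audit settings changed, or group membership changed.
            alerts.append(("security_control_change:" + event["event"], user, event["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Each alert here is a candidate for the confirmation step, not a verdict: the analyst still correlates it with EDR, IAM and SIEM data before declaring an incident. Note that alice's Netherlands login is not flagged, because it is within her baseline and three hours after her previous login.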

Step 2–3: Immediate containment and evidence collection

In the event of a breach, containment and forensic preservation must proceed in parallel.

The immediate actions to be taken to contain the breach:

  • Disable the breached credentials
  • Isolate the breached endpoints or servers
  • Segment the breached network zones
  • Terminate the active sessions of the suspicious identity

At the same time, it is necessary to conduct the forensic preservation of the breach by collecting evidence such as:

  • Authentication and authorization logs
  • Recordings of the privileged sessions, if available
  • Network traffic captures
  • Memory dumps of the systems
  • Change management records

According to the Cybersecurity and Infrastructure Security Agency (CISA), forensic evidence must be preserved because it is needed both for remediation and for legal protection. Avoid modifying the breached systems any more than containment requires, because every change can affect the forensic evidence.
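One practical way to preserve the evidence listed above is to record a hash manifest at collection time, so that later analysis (or a court) can show the artifacts were not altered. The following is an added example, not code from the original article or from Kron; it writes constructed sample evidence files into a temporary directory, builds a SHA-256 manifest, and then shows how a later modification of one file is caught. The manifest layout and the `collector` field are assumptions for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream a file through SHA-256 so large captures and memory dumps fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(evidence_dir, collector):
    """Record name, size and SHA-256 of every file in the evidence directory."""
    entries = []
    for name in sorted(os.listdir(evidence_dir)):
        path = os.path.join(evidence_dir, name)
        if os.path.isfile(path):
            entries.append({"file": name, "bytes": os.path.getsize(path),
                            "sha256": sha256_file(path)})
    return {
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "evidence_dir": evidence_dir,
        "entries": entries,
    }


def verify_manifest(manifest):
    """Return the names of files that are missing or whose hash no longer matches."""
    problems = []
    for entry in manifest["entries"]:
        path = os.path.join(manifest["evidence_dir"], entry["file"])
        if not os.path.isfile(path) or sha256_file(path) != entry["sha256"]:
            problems.append(entry["file"])
    return problems


def demo():
    """Collect constructed evidence, hash it, then tamper with one file and re-verify."""
    evidence_dir = tempfile.mkdtemp(prefix="evidence-")
    # Constructed sample artifacts standing in for real collected logs.
    samples = {
        "auth.log": "2026-03-10T09:10:00Z domain-admin login src=BR\n",
        "session-0042.txt": "privileged session recording placeholder\n",
        "change-records.csv": "ts,actor,change\n2026-03-10T09:12:00Z,domain-admin,group add\n",
    }
    for name, content in samples.items():
        with open(os.path.join(evidence_dir, name), "w", encoding="utf-8") as handle:
            handle.write(content)

    manifest = build_manifest(evidence_dir, collector="analyst-1")
    # Store the manifest alongside the evidence (in practice, also off-box and signed).
    with open(os.path.join(evidence_dir, "MANIFEST.json"), "w", encoding="utf-8") as handle:
        json.dump(manifest, handle, indent=2)
    clean = verify_manifest(manifest)

    # Simulate an after-the-fact change to one artifact.
    with open(os.path.join(evidence_dir, "auth.log"), "a", encoding="utf-8") as handle:
        handle.write("2026-03-10T09:15:00Z svc-backup edr_disabled host=fs01\n")
    tampered = verify_manifest(manifest)
    return clean, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest itself should be copied off the affected host and, ideally, signed or timestamped, because a manifest stored only next to the evidence can be altered along with it.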

Step 4–5: Analyze, restrict, eradicate, and recover

This is the operational part of the incident response process.

First, determine:

  • The type of attack vector that initially led to the incident (phishing, credentials, vulnerability exploit, misuse by insider)
  • The scope of the compromise
  • The data accessed or exfiltrated
  • The methods for privilege escalation

Then, move on to eradication, where:

  • Persistence mechanisms are eliminated
  • The vulnerability that led to the exploit is patched
  • All credentials are rotated that were exposed in the incident
  • The systems are rebuilt or reimaged if necessary

Recovery must be monitored and controlled. Systems should return to production only after validation testing confirms they are working properly.

Step 6–7: Notify stakeholders and improve post-breach operations

Notification rules differ by industry and region. For instance, the GDPR requires certain data breaches to be reported within 72 hours when they put individuals at risk.

Stakeholders can include:

  • Regulatory bodies
  • Customers/users
  • Executive management and board members
  • Cyber insurance
  • Law enforcement agencies

Improvement after a breach is a must. This includes a lessons learned exercise and updating:

  • Access control policies
  • Privilege management
  • Logging and monitoring thresholds
  • Incident response runbooks
  • Employee security awareness programs

A security breach should result in structural security maturity and not just a band-aid solution.

How Privileged Access Management helps minimize future breaches

Privileged credentials are at the center of the majority of critical cyber breaches. After acquiring elevated access, attackers can freely move laterally, turn off the defenses, and exfiltrate data on an unprecedented scale.

Privileged Access Management (PAM) reduces the likelihood and consequence of breaches by:

  • Enforcing least privilege access
  • Vaulting and rotating privileged credentials
  • Removing standing administrative access
  • Monitoring privileged sessions
  • Applying just-in-time access controls
  • Flagging abnormal behavior from high-risk accounts

PAM greatly reduces the dwell time and the blast radius of breaches by reducing the attack surface and limiting the misuse of privileged credentials. In the case of complex hybrid environments, the need for PAM is not an option but rather an absolute necessity.
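To show how just-in-time access, removal of standing rights, and session revocation fit together, here is an added example of a minimal access broker. It is illustrative code written for this article, not Kron's product or any real PAM API; the one-hour maximum grant lifetime, the ticket-based justification, and the in-memory audit trail are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    principal: str
    role: str
    target: str
    expires_at: datetime
    ticket: str
    revoked: bool = False


class JitAccessBroker:
    """Issue short-lived privileged grants; nobody holds standing admin rights."""

    def __init__(self, max_ttl=timedelta(hours=1)):
        self.max_ttl = max_ttl  # assumed policy ceiling for any grant
        self.grants = []
        self.audit = []         # every decision is logged for later review

    def request(self, principal, role, target, ticket, ttl, now):
        """Grant a role on a target for a bounded time, tied to a justification ticket."""
        if not ticket:
            raise ValueError("a change or incident ticket is required for privileged access")
        ttl = min(ttl, self.max_ttl)  # least privilege in time: cap the lifetime
        grant = Grant(principal, role, target, now + ttl, ticket)
        self.grants.append(grant)
        self.audit.append((now, "grant", principal, role, target, ticket))
        return grant

    def is_authorized(self, principal, role, target, now):
        """True only while an unrevoked, unexpired grant exists for exactly this role/target."""
        for grant in self.grants:
            if (grant.principal == principal and grant.role == role
                    and grant.target == target and not grant.revoked
                    and now < grant.expires_at):
                return True
        self.audit.append((now, "deny", principal, role, target, None))
        return False

    def revoke_all(self, principal, now, reason):
        """Containment step: cut every active grant for a suspicious identity at once."""
        count = 0
        for grant in self.grants:
            if grant.principal == principal and not grant.revoked and now < grant.expires_at:
                grant.revoked = True
                count += 1
        self.audit.append((now, "revoke_all", principal, None, None, reason))
        return count


def demo():
    """Walk through the lifecycle with constructed timestamps and return the checks."""
    broker = JitAccessBroker()
    t0 = datetime(2026, 3, 12, 9, 0, tzinfo=timezone.utc)
    standing = broker.is_authorized("bob", "db-admin", "db01", t0)        # nothing granted yet
    grant = broker.request("bob", "db-admin", "db01", "INC-1234",
                           ttl=timedelta(hours=4), now=t0)                # asks for 4h, capped to 1h
    during = broker.is_authorized("bob", "db-admin", "db01", t0 + timedelta(minutes=30))
    other = broker.is_authorized("bob", "db-admin", "db02", t0 + timedelta(minutes=30))
    after = broker.is_authorized("bob", "db-admin", "db01", t0 + timedelta(minutes=90))
    # Fresh grant, then the identity is flagged and all its sessions are cut.
    broker.request("bob", "db-admin", "db01", "INC-1235", ttl=timedelta(minutes=30), now=t0 + timedelta(hours=2))
    revoked = broker.revoke_all("bob", t0 + timedelta(hours=2, minutes=5), reason="anomalous behaviour")
    post_revoke = broker.is_authorized("bob", "db-admin", "db01", t0 + timedelta(hours=2, minutes=6))
    return {
        "standing": standing, "ttl": grant.expires_at - t0, "during": during,
        "other_target": other, "after": after, "revoked": revoked, "post_revoke": post_revoke,
    }


if __name__ == "__main__":
    print(demo())
```

The important properties are visible in the returned dictionary: no access exists before a grant, the grant covers only the requested target, it expires on its own, and a single revocation call removes every live grant for an identity during containment.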

FAQs

In general, unusual login activity, especially for privileged accounts, is often the first sign of a breach, followed by unexpected changes in configuration, a rise in outgoing traffic, or the disabling of security controls.

Containment should begin immediately after the incident is validated. Keeping the attacker's dwell time as short as possible also helps preserve the integrity of the forensic evidence.

The types of evidence usually collected include authentication records, privileged sessions, endpoint data, network data, and system records.

The people to notify in a data breach vary depending on various factors. However, in most cases, you should notify regulators, affected customers, and even your organization’s leadership. You may also consider involving your insurer or law enforcement.


PAM enforces least privilege, removes standing administrative rights, and monitors high-risk sessions. By controlling and auditing privileged access, it reduces both breach likelihood and impact.


The plan should include remediation of the cause of the data breach, enhancements to credential hygiene, improved monitoring, updated policies, employee education, and improved privileged access management.