0A9F E785 1857 50AD 05CA A188 A708 1DB6 7F35 2F2A
A Data Breach Playbook is a formal, step-by-step operational guide that an organization uses to prepare for, detect, respond to, contain, and recover from a data breach in a consistent, legally compliant, and efficient manner.
In the event of a cybersecurity incident, it is important that an organisation can respond, mobilise, and execute an appropriate level of response to limit the impact of the attack or breach. Although every cybersecurity incident differs in its nature and the technologies involved, common incident types and methodologies can be grouped together so that an appropriate and timely response can be provided for each incident type. Incident-specific playbooks give incident managers and stakeholders a consistent approach to follow when remediating a cybersecurity incident.
A cybersecurity incident response playbook is a set of predefined steps and procedures that outline how to respond to a specific type of cybersecurity incident. For each playbook, the steps and procedures are structured according to the National Institute of Standards and Technology (NIST) Incident Response Lifecycle. The plan outlined in this playbook is developed to assist the constituents of the South African National Research and Education Network (SA NREN) to respond to data breaches. A data breach is an incident where unauthorized individuals gain access to sensitive, confidential, or protected data. This can include personal information (e.g., names, addresses, social security numbers), financial records, login credentials, or corporate secrets.
The purpose of the SANReN CSIRT Data Breach Playbook is to provide guidance regarding the appropriate and timely response to a cybersecurity incident or attack.
This document has been designed for the sole use of the constituents of the SA NREN.
This document is to be reviewed for continued relevance by the SANReN CSIRT team at least once every 12 months, after any major cybersecurity incident, or as new information becomes available.
Outlining the recommended steps required to prepare the constituent to respond to a data breach in a timely and effective manner.
| Activity | Description | Action(s) |
| --- | --- | --- |
| Maintain Documentation | Develop, maintain, and review cybersecurity incident procedures, including a formal data breach response plan. Regularly update technical documentation and establish comprehensive policies and procedures. | Create a Cyber Incident Response Plan (IRP) focused on data breaches. Define what constitutes a data breach. Define the roles and responsibilities of the incident response team. Assign key personnel (IT, legal, PR, HR, compliance). Train team members on security protocols. Conduct tabletop exercises. Have legal counsel and external incident response contacts (SANReN CSIRT and TENET) on retainer. Establish communication protocols. Document legal and regulatory requirements. |
| Identify Critical Assets & Data | Maintain an understanding of the constituent’s environment: Keep a list of all company-owned domains. Maintain a list of all company-owned assets. Map out sensitive data and systems. | Maintain an asset inventory and list of end-use devices. Perform a data inventory. Classify data based on sensitivity and importance. Implement strong access controls. |
| Review available information | Review cybersecurity incidents and the outputs. Review threats to the constituent, risks & vulnerabilities. Analyse common data breach attacks. | View SANReN CSIRT weekly articles, alerts, and advisories. |
| Implement Security Measures | Deployment of appropriate tools and technologies to monitor and detect data breach attacks. Strengthen security posture to reduce breach risks. | Deploy firewalls, intrusion detection systems (IDS), and encryption. Enforce strong password policies and multi-factor authentication (MFA). Regularly update software and patch vulnerabilities. Use security information and event management (SIEM) tools. Conduct regular security audits, vulnerability assessments, and penetration testing. |
| Establish Data Backup & Recovery | Ensure business continuity in case of data loss. | Implement automated and encrypted backups. Test backup restoration processes regularly. Define a disaster recovery plan. |
| Test & Train Employees | Educate employees through awareness campaigns and training. | Internal and external training sessions. Simulations and tabletop exercises. |
| Legal & Regulatory Compliance | Ensure compliance with data protection laws. | Understand the applicable regulations: local (PoPIA) and, if applicable, international (GDPR, HIPAA, etc.). Establish breach reporting requirements and timelines. Work with legal teams to ensure adherence. |
Providing the recommended steps to follow to detect a data breach and to investigate the collected data in order to determine the scope and impact of the breach.
Escalate findings to the SANReN CSIRT team for further analysis and share identified Indicators of Compromise (IoCs) with the CSIRT.
| Activity | Description | Action(s) |
| --- | --- | --- |
| Deploy Continuous Monitoring Tools | Implement tools to detect suspicious activity in real time. | Use Security Information and Event Management (SIEM) solutions. Enable Intrusion Detection/Prevention Systems (IDS/IPS). Set up automated anomaly detection for unusual access patterns. |
| Establish Log & Audit Trails | Maintain detailed logs for system and network activities. | Ensure logging is enabled for critical systems and databases. Retain logs for a set period for forensic analysis. Regularly review and audit logs for anomalies. |
| Set Up Incident Detection Alerts | Define key indicators of compromise (IoCs) for quick detection. | Configure alerts for unauthorized access, failed login attempts, or unusual data transfers. Utilize endpoint detection and response (EDR) solutions. Investigate flagged activities promptly. |
| Conduct an Initial Breach Assessment | Verify whether an actual breach has occurred. | Analyze alerts to confirm legitimacy. Cross-check with threat intelligence feeds. Escalate confirmed incidents to internal and external (SANReN CSIRT and TENET) security teams. |
| Activity | Description | Action(s) |
| --- | --- | --- |
| Collect the relevant evidence | Capture and preserve the collected evidence. | Export relevant logs (Windows Event Logs, firewall logs, etc.). Memory dumps. Document all indicators: file hashes, IP addresses, domain names, file names, and registry keys. |
| Analyse the breach indicators | Identify signs of a potential data breach. | Monitor security alerts for unusual system activity. Investigate unauthorized access attempts or data transfers. Review recent security patches and vulnerabilities. Contact the SANReN CSIRT team if further assistance is required. |
| Analyse system & network logs | Examine logs to trace breach origins and scope. | Analyse logs from firewalls, servers, and SIEM systems. Identify unauthorized access patterns and IP addresses. Cross-check logs with threat intelligence databases. Contact the SANReN CSIRT and TENET if further assistance is required. |
| Assess compromised data | Determine what data was accessed or stolen. | Classify affected data (personal, financial, intellectual property). Identify if encryption or security controls were bypassed. Determine the number of affected records and users. |
| Determine the severity | Determine severity based on data sensitivity. | Consider the following: whether personal data (or other sensitive data) is at risk; the number of affected assets; the preliminary business impact; and whether services are affected. Consult the internal security team, legal department, and/or the SANReN CSIRT team. |
| Reporting | Continuous reporting as the investigation progresses to ensure all relevant parties are up to date. | Establish appropriate communication methods (e.g., email or website – internal or external). Escalate internally based on severity classification. Inform employees. Inform the SANReN CSIRT and TENET. |
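As an added illustration (not part of the SANReN playbook), the detection triggers in the table above (failed login attempts, unusual data transfers, cross-checking source IPs against threat intelligence) and the analysis step of identifying affected accounts can be implemented as simple checks over log lines. The log format, thresholds, sample lines and the indicator list below are all constructed assumptions, not a real product's format or real IoCs.

```python
# Added example, not the playbook's own tooling: alert checks over constructed
# log lines (failed-login bursts, large transfers, known-bad source IPs) and an
# analysis helper that lists accounts used from a flagged source. All values are assumed.
from collections import Counter

# Constructed sample log lines in an assumed format: "<timestamp> <event> key=value ...".
SAMPLE_LOGS = """\
2024-05-01T08:00:01 LOGIN_FAIL user=alice src=203.0.113.7
2024-05-01T08:00:02 LOGIN_FAIL user=alice src=203.0.113.7
2024-05-01T08:00:03 LOGIN_FAIL user=alice src=203.0.113.7
2024-05-01T08:00:04 LOGIN_FAIL user=alice src=203.0.113.7
2024-05-01T08:00:09 LOGIN_OK user=alice src=203.0.113.7
2024-05-01T08:02:00 TRANSFER user=alice src=203.0.113.7 dst=198.51.100.9 bytes=120000000
2024-05-01T08:05:00 LOGIN_OK user=bob src=192.0.2.10
2024-05-01T08:06:00 TRANSFER user=bob src=192.0.2.10 dst=192.0.2.20 bytes=2048
"""
# Constructed placeholder standing in for a threat-intelligence feed (not a real indicator).
KNOWN_BAD_IPS = {"203.0.113.7"}
FAILED_LOGIN_THRESHOLD = 4             # alert when one source reaches this many failures
TRANSFER_BYTES_THRESHOLD = 50_000_000  # alert on a single transfer of 50 MB or more

def parse_line(line):
    """Split one log line into a dict of timestamp, event and key=value fields."""
    ts, event, *fields = line.split()
    rec = {"ts": ts, "event": event}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def detect(log_text, bad_ips=KNOWN_BAD_IPS):
    """Return alerts as (kind, key, detail); key is the source IP or the user involved."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    failures = Counter(r["src"] for r in records if r["event"] == "LOGIN_FAIL")
    for src, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(("failed_login_burst", src, f"{n} failed logins from {src}"))
    for r in records:
        if r["event"] == "TRANSFER" and int(r.get("bytes", 0)) >= TRANSFER_BYTES_THRESHOLD:
            alerts.append(("unusual_transfer", r["user"], f"{r['user']} sent {r['bytes']} bytes to {r.get('dst', '?')}"))
    for src in sorted({r["src"] for r in records} & set(bad_ips)):
        alerts.append(("known_bad_ip", src, f"{src} matches a threat-intelligence indicator"))
    return alerts

def affected_accounts(log_text, alerts):
    """Analysis step: accounts that logged in successfully from a flagged source IP."""
    flagged = {key for kind, key, _ in alerts if kind in ("failed_login_burst", "known_bad_ip")}
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {r["user"] for r in records if r["event"] == "LOGIN_OK" and r.get("src") in flagged}
```

Running `detect(SAMPLE_LOGS)` yields one alert of each kind, and `affected_accounts` narrows the follow-up (credential reset, access restriction) to the account actually used from the flagged source.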
Outline the necessary steps to isolate a data breach and subsequent threats, eliminate its effects, and recover to resume normal operations.
| Activity | Description | Action(s) |
| --- | --- | --- |
| Isolate affected systems | Identify and quarantine affected systems and endpoints. Prevent further data loss or attacker movement. | Remove endpoints from the network. Isolate endpoints from the production network. Disconnect compromised devices from the network. |
| Contain affected accounts | Identify compromised accounts or at-risk credentials. | Reduce access to critical systems or data until the investigation has been completed. Disable affected user accounts if needed. Implement temporary access restrictions. |
| Block malicious activity | Block activity based on identified indicators of compromise. | Block malicious domains and IP addresses. Update firewall rules and proxies. Block messages with similar headers, subjects, links, and/or attachments. |
| Activity | Description | Action(s) |
| --- | --- | --- |
| Identify root cause | Determine how the breach occurred. | Review analysis findings to determine how the breach occurred (e.g., phishing attack, misconfiguration, or exploited vulnerability). |
| Removal of the threat | Remove threat artifacts. | Conduct password reset for affected accounts. Delete phishing emails via admin consoles or using a spam filter. Use EDR or SIEM to detect and remove downloaded attachments. Purge related messages from inboxes. Update signatures and conduct an anti-virus scan. Remove malware infection – if present. |
| Activity | Description | Action(s) |
| --- | --- | --- |
| Return systems and endpoints | Recover systems based on business impact analysis and business criticality. | Conduct a restoration of affected systems from a trusted backup. Re-install any standalone system from a clean OS backup before updating with a trusted data backup. Re-integrate previously compromised systems and endpoints. Restore suspended services. |
| Update defences | Conduct a vulnerability scan of all systems. Establish and improve monitoring for suspicious behaviour. Improve the security of user accounts. | Implement necessary patches. Update anti-virus and anti-malware solutions. Enforce multi-factor authentication (MFA). |
Recommended steps to conduct after the data breach has been investigated and resolved to ensure lessons are learned and improvements are put into place.
| Activity | Description | Action(s) |
| --- | --- | --- |
| Lessons learned | Process the incident, review strategies and revisit preparations for potential future incidents. | Hold a “lessons learned” meeting. Questions to be discussed: How well did staff and management perform in dealing with the incident? Were the documented procedures followed? Were they adequate? What information was needed sooner? Were any steps or actions taken that might have inhibited the recovery? Update the data breach playbook based on lessons learned. |
| Incident reporting | Draft the post-incident report. | Share with the appropriate security response teams (e.g., SANReN CSIRT and TENET). File breach reports (if legally required). Notify affected parties with breach details and recommended actions. |
| User awareness training | Educate employees about potential risks and threats, equipping them with the knowledge and skills to recognize cyberattacks linked to data breaches. | Internal communication (e-mail) or announcement on the internal website. Educate employees: Danger of following links. Danger of opening attachments. |
Checklist
| # | Action | Completed |
| --- | --- | --- |
| Detection and Analysis | | |
| 1. | Determine whether an incident has occurred – employees received and interacted with a phishing email. | |
| 2. | Identify the type of attack that caused the data breach. | |
| 3. | Monitor security alerts for unusual activity. | |
| 4. | Review system and network logs for anomalies. | |
| 5. | Check for malware, unauthorized accounts, or backdoors. | |
| 6. | Report the data breach incident to the appropriate internal personnel and external organizations – SANReN CSIRT and TENET. | |
| Containment, Eradication and Recovery | | |
| 7. | Isolate affected systems to prevent further damage. | |
| 8. | Disable compromised accounts and reset credentials. | |
| 9. | Apply long-term security fixes and patches. | |
| 10. | Conduct security awareness training for employees. | |
| 11. | Conduct a forensic investigation to determine attack methods. | |
| Post-Incident Activity | | |
| 12. | Conduct a “Lessons Learned” meeting. | |
| 13. | Conduct a root cause analysis to understand how the breach occurred. | |
| 14. | Work with law enforcement or cybersecurity experts if needed. | |
| 15. | Create a post-incident report and share it with relevant parties. | |
Contact Us:
CSIRT:
Heloise:
Kgwadi:
Zoya:
Anele: