Published: Jul 21, 2017
Author: John Grim

2017 is here and this means it's Data Breach Digest season. This year, just like last, we released the 2017 Digest at the RSA Conference in San Francisco, CA. What makes this year's Digest different from last year? Stakeholders! So, what do we mean by stakeholders? Well, data breaches are complex affairs often involving some combination of human factors, hardware devices, exploited configurations, or malicious software. Data breach response activities—investigation, containment, eradication, notification, and recovery—are correspondingly complex.

These activities, and the lingering post-breach after-affects, aren't just an IT security problem; they're an enterprise problem involving Legal Counsel, Human Resources, Corporate Communications, and other Incident Response (IR) stakeholders. Each stakeholder brings a different perspective to the breach response effort. To illustrate this complexity, this year’s "Data Breach Digest – Perspective is Reality" (a.k.a. "the IR Stakeholder Edition") presents each breach scenario from a different stakeholders point of view (PoV). Within this PoV, the stakeholder narration looks at critical decision pivot-points, split-second actions-taken, and crucial lessons-learned from cases investigated by us – the Verizon RISK Team.

These IR stakeholders often include top-level leadership (i.e., the "strategic" decision-makers), middle-level managers (i.e., the "tactical" decision-makers), and a variety of technical and non-technical subject matter experts (i.e. “the trusted advisors”) on cyber-security and breach response. If organized by relationship to the victim organization, there are two groups: "internal" stakeholders – those who are part of the victim organization, and "external" stakeholders – those who are outside the victim organization, such as the Verizon RISK Team.

For the 2017 Data Breach Digest, 16 different stakeholders present a data breach scenario from their respective PoV. Within this group, ten internal (a.k.a. victim) stakeholder PoVs are represented: CIO, CISO, Legal Counsel, Human Resources, Corporate Communications, Incident Commander, Internal Investigator, IT Security Manager, SOC Analyst, and Endpoint Detection and Response (EDR) Technician. We round this out with six external (RISK Team) stakeholder PoVs: Lead Investigator, Endpoint Forensics Examiner, Malware Reverse Engineer, Network Forensics Specialist, CIP/CS Specialist, and PFI Investigator. As was the case last year, we organized the data breach scenarios into one of four "Clustered Groupings":

    •    The Human Element – four scenarios highlighting human-related threat actors or targeted victims

    •    Conduit Devices – four scenarios covering device misuse or tampering

    •    Configuration Exploitation – four scenarios focusing on reconfigured or misconfigured settings

    •    Malicious Software – four scenarios centering on sophisticated or special-purposed illicit software

Each breach scenario consists of an "Attack-Defend Card" along with a scenario narrative. Each Attack-Defend Card is specific to the scenario and covers four areas: "breach scenario," "incident pattern," "threat actor," and "targeted victim." We drew this content from the previous three years of RISK Team caseload, as well as VERIS, NAICS, and CIS Critical Security Controls (CSCs). Each scenario is brought to life through a narrative told from a unique stakeholder PoV to walk the reader from initial incident detection (and validation), to response and investigation, and then to lessons-learned. To use the 2017 Data Breach Digest, here are four approaches:

    1.    "The Kitchen Sink" – dive in and read from start to finish

    2.    Scenario – hone in on a specific Clustered Grouping

    3.    Industry or Data Breach Investigation Report (DBIR) Incident or Both – use the Digest’s Usage Matrix to map victim NAICS industry to DBIR incident pattern to the most applicable scenario(s)

    4.    IR Stakeholder – leverage the Attack-Defend Card "Key Stakeholders" sub-category to focus on certain stakeholders

The Data Breach Digest provides a great data breach study reference for not just IT security practitioners, but for nontechnical IR stakeholders as well. We hope you enjoy reading our latest installment of the Data Breach Digest and in doing so, gain that new perspective on data breach response!