Lessons Learned from Capital One’s Incident Response Plan
There were many missteps that led to the Capital One breach, but what’s the one thing that went as planned? From our perspective, Capital One’s incident response plan seemed to function as intended. Incident response is incredibly important following a breach – that’s why having a plan and team in place is required by so many information security frameworks. The data proves the importance of incident response plans as well. IBM’s 2019 Cost of a Data Breach reports that organizations with an incident response team and extensive testing of their plans could save, on average, about $1.2 million on the typical data breach. In Capital One’s case, though, this incident will cost $100 to $150 million in 2019 alone. Is developing and testing an incident response plan worth millions to your organization?
Capital One’s Incident Response Plan
The Justice Department’s Compliant includes the report that was submitted to Capital One’s Responsible Disclosure program on July 17, 2019. By the end of that month, Capital One announced the breach to the public and explained what they knew, the mitigation work they’d already performed, and which customers were impacted.
From Capital One’s announcement, we can determine they took the following steps to validate and mitigate the reported findings:
- Immediately fixing the configuration vulnerability
- Working with the FBI to arrest the person responsible
- Determining exactly what type of information was compromised and how many individuals in the US and Canada were impacted
- Performing an analysis to determine if the information was shared or used for fraud
- Notifying customers
- Answering FAQs like: What was the vulnerability that led to this incident? When did this occur? Was the data encrypted and/or tokenized? Did this vulnerability arise because you operate on the cloud?
- Making information about the incident available on their online and easily accessible
When a household name like Capital One has a major breach, it makes headlines for years. There are major legal and regulatory ramifications for Capital One to answer to, but as far as basic incident response goes, we admit that Capital One seems to have had a thoughtful, tested incident response plan. This was vital in reassuring the public that, even though their AWS configurations had a vulnerability, Capital One knew how to handle the situation.
The key to an incident response plan is testing it in tabletop exercises, employee training, and other scenarios to determine if it will actually work. When organizations go through information security audits, their auditor will have high standards for the plan and the testing of the plan. What would’ve happened if Capital One wasn’t prepared to react to this incident? Would data have been used for fraud or compromised even further?
6 Steps to Incident Response
With today’s threat landscape, it’s not a matter of if your organization will fall victim to a cyberattack or data breach, but when it will happen. We believe basic incident response plans should have six steps:
- Preparation – What are we doing to prevent an incident? How are we limiting the impact of an incident? Have we tested our policies and procedures?
- Detection & Identification – How would we identify and detect malicious activity? How do we report an incident?
- Containment – Has the appropriate personnel been notified? What evidence should be collected? Have we fully assessed the scope of the damage? How can we prevent further damage?
- Remediation – Has a complete forensic analysis been performed? Can we make changes to prevent a repeat incident?
- Recovery – Have we securely restored the system? Do we have continuous monitoring to ensure the problem is resolved?
- Lessons Learned –What gaps can we now identify? Have we regained customer confidence? Have we reviewed controls and processes to prevent future attacks?
It’s not only up to IT to develop an incident response plan – many other areas of your organization will be involved, especially C-levels and boards of directors. In Capital One’s case, the CEO responded the public about the breach.
If your organization was breached, would your team know what to do? What would the headlines say about your incident response plan? Are you confident in your plan?
If you want to ensure that everyone at your organization knows their role in incident response, let’s talk today about how to train and test your incident response plan.
More Incident Response Resources
SOC 2 Academy: Incident Response Best Practices