Security Breach Notifications: Telemetry
JR Aquino @Enigma@infosec.exchange

When handling a breach-level security incident I draw a target with three concentric rings for the potentially impacted population:

- The innermost bullseye is the subset of users/data for which explicit telemetry proves harm to the data; e.g. specific databases, tables, rows, containers, or directories within the infrastructure/server/device.
- The inner ring is all of the users/data contained within the impacted infrastructure/server/device(s).
- The outer ring is the total data/user population of the service / product.
Bullseye
If you have complete records and evidence of exactly who was impacted, when it occurred, where, and what was done, and you have confidence in containment, you are at the center of the bullseye and can take surgical corrective actions for Containment and Eradication.
- Notifications in this case can be targeted to the explicitly impacted parties and regulators, with an Incident Summary on the public company blog (depending on your PR/Business Policies).
- Customer Support: take care to plan a mechanism for providing the impacted parties with copies of the specifically impacted data and/or for handling any required credential resets.
Inner Ring
If you have the Authentication/Authorization telemetry to confirm the threat actor used authorized credentials/entitlements to access the infrastructure, but lack the Accounting details of what actions they performed, then you should #AssumeBreach and proceed with remediation treating the entire contents of the infrastructure/server/device in question as compromised and potentially exfiltrated.
- Audit, inventory, and account for contents such as PII|Personal Data, Trade Secrets, Authentication Material (keys, tokens, passwords, sessions, certificates), etc.
- Plan and execute steps to methodically reset Authentication Material; take care to account for any backup locations, documentation, or other cleartext repositories where engineering may automatically store the NEW credentials, as these may be re-compromised by the Threat Actor.
- Review Authentication/Authorization telemetry for any other service/system that accepts the compromised Authentication Material; repeat the investigation and containment across the attack graph as necessary.
- Notifications in this case should be broader, expanding to include any parties whose data resides within the compromised infrastructure/server/device inside this inner ring, in addition to regulators, and an Incident Summary on the public company blog (depending on your PR/Business Policies).
- Customer Support: the mechanism to provide data owners with copies of the affected data can swell to match the expanded impact radius; do not underestimate the effort required to facilitate this.
Outer Ring
Sometimes all of the necessary telemetry has been lost or was never properly configured. Depending on the Threat Actor's activity and the sensitivity of the data|devices, the outer ring can be a catastrophic-level incident.
If you externally discover evidence that the full dataset was exfiltrated in a breach, but the infrastructure/service telemetry and forensics are so opaque or absent that you have no confidence in accounting for the unauthorized activities, then you are likely looking at a complete and comprehensive rebuild/redeploy of the product or service.
- Notifications for the outer ring can be massive communication campaigns to the total customer population of the outer ring.
- Customer Support and Regulatory response in these cases can be the most labor intensive and may require considerable effort to manage the workload, especially when product-wide customer-level credential resets are needed.
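The ring model above, together with the inner-ring step of chasing the compromised Authentication Material across every system that accepts it, can be expressed as a small scoring loop. The following is an added example, not code from the original post: it models a hypothetical estate (the systems, credential IDs, data subjects and log records are all constructed for illustration), scores each system as bullseye, inner ring or outer ring from the telemetry it has, and re-scores the estate every time an exposed credential widens the compromised set, so credential reuse expands the notification scope the way the post describes. The `cred:` prefix used to mark stored authentication material is a convention of this example only.

```python
"""Three-ring breach scoping over a constructed estate (added example).

Ring logic follows the post: audited actions -> bullseye; authentication
seen but no accounting -> inner ring (#AssumeBreach); no telemetry at all
-> outer ring, i.e. the total population of the service.
"""
from dataclasses import dataclass
from typing import Optional

BULLSEYE, INNER, OUTER = "bullseye", "inner", "outer"
CRED = "cred:"  # contents with this prefix are authentication material


@dataclass
class System:
    """One infrastructure/server/device (hypothetical model).

    contents  : data subjects (plain names) and stored auth material (CRED prefix)
    accepts   : credential IDs this system will authenticate
    authn_log : credential IDs seen authenticating; None = telemetry absent or lost
    audit_log : (credential, object) pairs of what was touched; None = no accounting
    """
    contents: set
    accepts: set
    authn_log: Optional[list] = None
    audit_log: Optional[list] = None


def classify(system: System, compromised: set):
    """Score one system against the current compromised credential set.

    Returns (ring, objects assumed exposed); (None, set()) when no compromised
    credential is accepted here, or one is accepted but never seen authenticating.
    """
    used = system.accepts & compromised
    if not used:
        return None, set()
    if system.authn_log is None:
        # Cannot prove the credential was NOT used: unbounded, outer ring.
        return OUTER, set(system.contents)
    if not used & set(system.authn_log):
        return None, set()
    if system.audit_log is not None:
        # Accounting exists: expose exactly what the actor touched.
        return BULLSEYE, {obj for cred, obj in system.audit_log if cred in used}
    # Authenticated, no accounting: treat the whole device as exfiltrated.
    return INNER, set(system.contents)


def population(estate: dict) -> set:
    """Total data-subject population of the service (the outer ring)."""
    return {o for s in estate.values() for o in s.contents if not o.startswith(CRED)}


def triage(estate: dict, initial_compromised: set) -> dict:
    """Expand over the attack graph until no new credentials fall out.

    Credentials exposed on an inner/outer-ring system, or read per the audit
    log in the bullseye, join the compromised set and the estate is re-scored.
    """
    compromised = set(initial_compromised)
    while True:
        rings, exposed = {}, set()
        for name, system in estate.items():
            ring, objects = classify(system, compromised)
            if ring:
                rings[name] = ring
                exposed |= objects
        new_creds = {o for o in exposed if o.startswith(CRED)} - compromised
        if not new_creds:
            break
        compromised |= new_creds
    worst = next((r for r in (OUTER, INNER, BULLSEYE) if r in rings.values()), None)
    subjects = {o for o in exposed if not o.startswith(CRED)}
    notify = population(estate) if worst == OUTER else subjects
    return {"ring": worst, "systems": rings, "notify": notify, "rotate": compromised}


# Constructed estate: a service account stored in db-customers links it to
# db-billing, fs-archive accepts that account but never saw it used, and the
# web tier has lost its telemetry entirely.
ESTATE = {
    "db-customers": System(
        contents={"alice", "bob", "carol", "cred:svc-billing"},
        accepts={"cred:svc-web", "cred:ops"},
        authn_log=["cred:svc-web", "cred:ops"],
        audit_log=[("cred:svc-web", "alice"), ("cred:svc-web", "cred:svc-billing"),
                   ("cred:ops", "carol")],
    ),
    "db-billing": System(
        contents={"alice", "dave"},
        accepts={"cred:svc-billing"},
        authn_log=["cred:svc-billing"],
        audit_log=None,                      # accounting was never enabled
    ),
    "fs-archive": System(
        contents={"erin"},
        accepts={"cred:svc-billing", "cred:ops"},
        authn_log=["cred:ops"],              # svc-billing accepted here, never used
        audit_log=None,
    ),
    "web-01": System(
        contents={"bob", "cred:svc-web"},
        accepts={"cred:deploy"},
        authn_log=None,                      # telemetry lost
    ),
}

if __name__ == "__main__":
    for start in ({"cred:svc-web"}, {"cred:deploy"}):
        print(sorted(start), "->", triage(ESTATE, start))
```

Starting from the leaked `cred:svc-web`, db-customers is bullseye (the audit log shows only alice's row and the stored billing credential were read), that credential pulls db-billing into the inner ring with all of its contents, fs-archive stays out because its authentication log never saw the credential, and the notification set is alice and dave. Starting from `cred:deploy` instead, web-01 has no telemetry, the whole estate becomes an outer-ring incident and the notification set is the total population, exactly the escalation the post warns about.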