Third-Party Breach Response: 6 Immediate Actions to Take

Six Steps to Take in the First 24 Hours After a Breach

The following steps are a quick list of actions to take should your organization be affected by a third-party breach. The type or the scale of a breach will impact the specific measures you take during each step.

Please note: These steps should not be considered comprehensive incident management guidance. Be sure to engage with your security operations center (SOC) team, auditors, and other internal parties.

1. Communicate

As soon as an incident is detected, immediately establish communication with the third party involved. It's crucial to have a pre-established communication plan as part of your overall incident response program. Begin by understanding the scope and impact of the attack, especially if it involves personal or sensitive data governed by regulatory standards. Discuss any Service Level Agreements (SLAs) or contractual obligations, and focus on maintaining calm, constructive dialogue.

Key Consideration: Incorporate a communication decision tree into your incident response plan, outlining what information should be communicated based on your current knowledge and the timing of your discoveries, including specific timeframes for deliverables.

2. Gather Information

Once contact is made and the breach scope is understood, gather detailed information about the incident. Treat this stage like a post-breach mini-assessment. Ask questions to clarify what happened, what data was accessed, potential exposures, and their recovery plans. Understanding their recovery timeline is essential, especially if the breach caused an outage.

When a third-party breach occurs, asking the right questions will help you to understand and mitigate the impact on your organization efficiently.

Recommended Questions (to be tailored based on the specifics of the incident):

• Has a breach impacted the vendor, or has the vendor used a product/service affected by a breach? (Yes/No)
• What is the nature of the impact on the vendor? (High/Med/Low impact on systems, applications, and/or data)
• Does the incident affect critical services delivered to your organization? (Yes/No)
• Has the vendor taken the following remediation steps? (List recommended steps, such as patching or updating affected systems)
• Has the vendor amended existing controls or implemented new controls to resolve and mitigate the impact of the breach? (Identified and already implemented; identified and in process of implementation; not identified and/or not able to be implemented)
• If controls cannot be implemented, what compensating controls or workaround methods are being implemented?
• Who is the point of contact for additional inquiries?

3. Isolate

Containment strategies will vary based on the type of breach and the vendor’s level of access. For instance, if the vendor has access to your data but not your infrastructure, you may be able to stop using the service or platform until more is known. However, if the vendor has any level of access to your IT environment, quarantine and isolate access immediately.

Where possible, isolate affected systems and access points to prevent further unauthorized access. Implement local host restrictions, network access controls, privilege restrictions, and account removals or locks as necessary. A pre-established isolation playbook for vendors, service providers, and software will streamline this process. Without a comprehensive incident response plan, your team may struggle to respond quickly, increasing the risk of further damage.

4. Remediate

Remediation efforts must be swift and effective. The approach will vary depending on where the breach occurred. If internal systems are compromised, you must patch or mitigate the vulnerabilities to control the "blast radius” as quickly as possible. If the breach is confined to the third party, focus on understanding the affected data, initiating breach notifications, and ensuring compliance with relevant regulations.

5. Monitor Behavior

Monitoring is essential for detecting and understanding the breach's impact and preventing further unauthorized access. Keep an eye on internal behaviors from affected platforms or software. Unusual activities, such as unexpected network connections, should raise alarms. Monitor remote access activities between your organization and the third party to help detect anomalies. Try to stay informed about potential threats or vulnerabilities affecting similar organizations or technologies.

6. Check Threat Intelligence

Leverage threat intelligence to better understand and mitigate the breach’s impact. Organizations using threat intelligence can detect breaches approximately 28 days faster than those that do not. Identify internal indicators of compromise (IOCs) and tactics, techniques, and procedures (TTPs). Assess the type of potentially exposed data to inform how you formulate a targeted response and notify affected parties appropriately. Additionally, monitor for reputational impacts and track public information about the third party involved to gain insight into the breach's broader implications.

A third-party incident can severely impact your organization. Immediate, informed, and decisive actions are essential to mitigate these impacts. These six steps help mitigate the damage and lay the groundwork for a thorough recovery process.

Next Steps to Prepare for Third-Party Breaches

It’s clear that third-party breaches and incidents can have significant downstream implications on your organization’s operations. Be prepared by accounting for third-party risk in your incident response playbook. Know who you will contact, what SLAs are involved, which questions you will ask, and how you will proceed, given the answers. Since incident response programs are reactive by nature, implementing proactive measures as part of your overall third-party risk management program can help stave off threats before they impact your organization.

For more information, watch my on-demand webinar discussing third-party cybersecurity incidents and contact Prevalent for a demonstration of its third-party incident response capabilities today.