7. Before you act, ask yourself:
• What is your primary objective?
• What about the Cyber Security Incident Response plan?
• Is there a downside to quietly observing the actions of the attacker?
8. Types of Cyber Security Incidents
• Application Vulnerabilities
- WordPress
- MySQL
- Web Server (IIS or Apache)
• Operating System Attacks
- Linux Kernel
• Malicious Software
- Worm
- Trojan
- Other
• Denial of Service (DoS or DDoS)
• Ransomware
10. Case Study: Tewksbury Police Department
Attack
• Phishing email (package delivered – click this link for details)
• Employee clicked, malware was launched
• Attacker gained access and encrypted data on mapped servers
• Ransom demand of only $500 (if a million people give you $1, you have $1 million.)
Impact
• Total Police Operations Disruption
• Reverted to broken manual processes
• No access to arrest records/warrants
• Unable to conduct ID verification
Five days with no computing. Public and private security experts unable to decrypt. No technical mitigation.
11. If Ransomware Hits – Haggle!
• Act quickly before they pack up
• Most attackers happy with smaller pay day
• In larger cases, FBI recommends professional negotiators be hired
13. Cyber Incident Response
• The Plan is the Thing
- Preparation
- Identification
- Notification
- Mitigation Strategy
- Containment
- Eradication
- Recovery
- Lessons Learned
• Templates
14. Roles and responsibilities
• Incident notification
• Help desk
• Technical team
• Triage team
• Forensics team
• Network Security
• Malware analysis
• Communications
• Executive team
• Legal/Marketing/HR
15. Roles and responsibilities
Incident Notification
• Employees
• Contractors/Consultants
• Vendors
• Customers
• Competitors
• Law Enforcement
Notification Method
• Should be easy
• Have multiple options
16. Roles and responsibilities
• Help desk
- Properly trained
- Escalation
- Pre-triage
• Technical team
- Triage – fix known issues, return system to normal
- Forensics – root cause analysis, chain of custody
- Network and systems – infrastructure assessment
- Malware analysis – reverse engineer, zero days
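The forensics role above carries chain of custody. As an added example that is not part of this deck, the following builds a tamper-evident custody log: each record stores the SHA-256 of the evidence and of the previous record, so an edited entry, a dropped entry, or an altered evidence file fails verification. The evidence name, handlers and timestamps are constructed sample values.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash of the very first custody record

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def add_custody_entry(log, evidence_name, evidence_bytes, handler, action, when):
    """Append one record; it commits to the evidence bytes and to the previous record."""
    record = {
        "seq": len(log),
        "time": when,
        "evidence": evidence_name,
        "evidence_sha256": sha256_hex(evidence_bytes),
        "handler": handler,
        "action": action,
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    record["entry_hash"] = sha256_hex(json.dumps(record, sort_keys=True).encode())
    log.append(record)
    return record

def verify_custody_log(log, evidence_store):
    """Return (True, len(log)) if chain and evidence hashes verify, else (False, bad_index)."""
    prev_hash = GENESIS
    for i, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "entry_hash"}
        if record["prev_hash"] != prev_hash:            # chain broken, reordered or truncated
            return False, i
        if sha256_hex(json.dumps(body, sort_keys=True).encode()) != record["entry_hash"]:
            return False, i                             # record edited after it was written
        current = evidence_store.get(record["evidence"])  # evidence_store maps name -> bytes
        if current is not None and sha256_hex(current) != record["evidence_sha256"]:
            return False, i                             # evidence no longer matches its hash
        prev_hash = record["entry_hash"]
    return True, len(log)

def build_demo_log():
    """Constructed sample: a workstation image is acquired, then handed to an examiner."""
    store = {"ws-042-disk.img": b"constructed sample disk image contents"}
    log = []
    add_custody_entry(log, "ws-042-disk.img", store["ws-042-disk.img"],
                      "forensics: first responder", "acquired", "2016-01-05T09:00:00Z")
    add_custody_entry(log, "ws-042-disk.img", store["ws-042-disk.img"],
                      "forensics: examiner", "transferred", "2016-01-05T13:30:00Z")
    return log, store
```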
17. Roles and responsibilities
• Communications
- Within the incident response team
- Internally
- Decision makers
- Externally
- Designated role
- Notes
- Timelines
- Next steps
• Executive team
• Legal/Marketing/HR
18. Cyber Incident Response
• Cloud considerations
- Robust log solution
- Understand your cloud service providers security model
- Understand the shared security responsibility
- Clearly defined resources
- Include when testing the plan
- Have pristine content ready to re-deploy
- Test this capability
19. Test the plan
• Self risk assessment
- Incident response walk through
- Recent breach details
• Team risk assessment
- Entire incident response team
- Confirm roles, timing, talent and tools
• Executive risk assessment
- Focused on process and business impact
- C-level collaboration
• Live exercise risk assessment
- Practice leads to experience
- Experience leads to confidence
- Confidence leads to execution
20. Cyber Incident Response
• Test the plan
• Roles and responsibilities
• Cloud considerations
• The plan is the thing
• Test the plan…again
21. No Substitution for Preparation
• Assume that at some point you will be breached
• Make actionable
• Consider observing the adversary without tipping them off to understand the full extent of the breach and attacker intent
• Use cloud networking tools to isolate compromised infrastructure and orchestrate recovery efforts
• Run your incident response team through regularly scheduled and surprise exercises
• Engage cloud provider during exercises
• Utilize hybrid infrastructure
Story of malware that self-destructs if “phone home” is unsuccessful after X attempts.
Cambridge University security researcher Sergei Skorobogatov has published a new research paper detailing a technique that would have helped the FBI bypass the iOS passcode limit on the shooter's iPhone 5C
Different attack vectors may need to be handled differently and documented accordingly in your Cyber Incident Response Plan.
An incident could be reported by any of these parties.
Help desk – pre-triage means that help desk analysts should be able to understand enough about the reported incident to prepare the user and their system for the next steps. As an example, if a user reports malware, the help desk should know the next step (is your policy to unplug the network cable, shut off the system, or keep it up and running for forensics?) and communicate that to the user.
C-level collaboration – a chance to discuss each executive’s biggest concerns and priorities. External facilitator – this external source can bring a scenario to work through, ask compelling questions (without corporate knowledge), facilitate discussion and be a source of independent review of your plan.
Regarding cyber incident response, Alert Logic can identify the threat and notify our customer with a mitigation strategy. Once the customer knows there is an active threat, they can use our recommendation to contain the threat to keep it from spreading, eradicate the threat from their systems and recover to normal operations. It’s highly recommended that organizations have a prepared cyber incident response plan and document the lessons learned from each incident to enhance their plan as cyber incident handling experience increases.