Malware Activity & Network 
Retaliate - Respond & Survive 
John Walker | Cytelligence 
Global APT Defense Summit New York 
October 22, 2014 – East Rutherford, NJ
About the Speaker 
John Walker 
John is a Visiting Professor at the School of Science and Technology at Nottingham Trent University [NTU], Visiting Professor/Lecturer at the University of Slavonia [to 2015], CTO and Company Director, Director of CSIRT, Cyber Forensics/Research at Cytelligence Ltd, and is the Architect of the Cytelligence OSINT Platform. John is also a Practicing Expert Witness, ENISA CEI Listed Expert, Editorial Member of the Cyber Security Research Institute (CRSI), Fellow of the British Computer Society (BCS), Fellow of the Royal Society of the Arts, and has delivered over 100 published papers/presentations to a global audience.
Global APT 2 Defense Summit New York #APTSummit
Agenda - Engaging the Security Event - Capabilities 
1. Anomaly Indication – Conditions that may indicate, or from which one may infer, that some form of anomaly has taken place or is in progress
2. Cyber Intelligence – Use of reverse investigations, looking to discover the unknown unknowns
3. Acquisition of Artifacts – The importance of acquiring artifacts whilst keeping the operational lights burning
4. Decision Time – When to apply mitigations which will impact the business [e.g. Network Segment Disconnect]
5. Standards & Guides – Have established processes when engaging an incident
6. Communications – The importance of internal and, where required, external communications
7. Tools & Training – Maintain capabilities and skill-sets
8. Dealing with external factors such as Law Enforcement and, where applicable, Third Parties and Associates
9. The Wash-up – when is it safe to stand down?
10. Lessons learned
Anomaly Indication 
There is a range of conditions which may indicate that some form of anomaly has occurred, or is in progress – consider:
• Over-active networks or segments
• Perimeter indicators – the usual: firewall, IPS, IDS
• Mail relays
• Logs – but you have to read them
• Believe it or not – ITIL process service records
• Service desk calls – user reports
• External reports – media, or client notifications – [example: the Tasmanian Devil]
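Two of the indicators above ("over-active networks or segments" and "logs – but you have to read them") come together in a small, added example that is not part of the original slides: it reads a constructed sample of perimeter firewall lines, counts outbound connection attempts and distinct destinations per internal host, and flags any host whose activity stands well above the rest of its segment. The log format, field names, thresholds and addresses are assumptions made for illustration, not a real product's format.

```python
"""Flag over-active internal hosts from perimeter firewall logs.

Added example (not from the original slides). Reads a constructed sample
of firewall ALLOW/DENY lines, aggregates activity per internal source and
reports hosts whose connection count is far above the segment median.
Log format, field names and thresholds are assumptions for illustration.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed sample: a quiet segment plus one host (10.1.4.17) that is
# fanning out to many distinct external destinations in a few seconds.
SAMPLE_LOG = """\
2014-10-22T09:15:02Z fw01 ALLOW src=10.1.4.11 dst=203.0.113.9 dport=443
2014-10-22T09:15:04Z fw01 ALLOW src=10.1.4.12 dst=203.0.113.9 dport=443
2014-10-22T09:15:05Z fw01 ALLOW src=10.1.4.17 dst=198.51.100.20 dport=443
2014-10-22T09:15:05Z fw01 ALLOW src=10.1.4.17 dst=198.51.100.21 dport=443
2014-10-22T09:15:06Z fw01 ALLOW src=10.1.4.17 dst=198.51.100.22 dport=443
2014-10-22T09:15:06Z fw01 ALLOW src=10.1.4.17 dst=198.51.100.23 dport=443
2014-10-22T09:15:07Z fw01 ALLOW src=10.1.4.17 dst=198.51.100.24 dport=443
2014-10-22T09:15:07Z fw01 DENY  src=10.1.4.17 dst=198.51.100.25 dport=6667
2014-10-22T09:15:08Z fw01 ALLOW src=10.1.4.13 dst=203.0.113.9 dport=443
2014-10-22T09:15:09Z fw01 ALLOW src=10.1.4.11 dst=203.0.113.10 dport=80
"""

# Assumed line layout: timestamp, firewall name, action, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ALLOW|DENY)\s+"
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


def parse_lines(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec


def per_host_activity(records):
    """Aggregate connection attempts, distinct destinations and denies per source."""
    stats = defaultdict(lambda: {"conns": 0, "dsts": set(), "denies": 0})
    for r in records:
        s = stats[r["src"]]
        s["conns"] += 1
        s["dsts"].add(r["dst"])
        if r["action"] == "DENY":
            s["denies"] += 1
    return stats


def over_active_hosts(text, factor=3.0, min_conns=5):
    """Return (src, conns, distinct_dsts, denies) for every source whose
    connection count exceeds factor x the segment median and min_conns,
    sorted by connection count descending. Empty input yields []."""
    stats = per_host_activity(parse_lines(text))
    if not stats:
        return []
    baseline = median(s["conns"] for s in stats.values())
    flagged = [
        (src, s["conns"], len(s["dsts"]), s["denies"])
        for src, s in stats.items()
        if s["conns"] >= min_conns and s["conns"] > factor * baseline
    ]
    return sorted(flagged, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for src, conns, dsts, denies in over_active_hosts(SAMPLE_LOG):
        print(f"{src}: {conns} connections, {dsts} distinct destinations, {denies} denied")
```

On the constructed sample the only host reported is 10.1.4.17 (6 attempts to 6 distinct destinations, 1 denied); the median-based baseline means the check adapts to how busy the segment normally is rather than relying on a fixed number, which is the point of reading the logs in context rather than in isolation.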
Cyber Intelligence 
Both during and after a cyber attack, invasion or compromise, it may be possible, based on the known information, to identify some of the unknowns and so assist the First Responder engagement, using:
• OSINT [Open Source Intelligence]
• Tracking of communications – in particular the headers
• Tracking of IP addresses – but don’t always trust them
• Media streams – you can learn a lot
• Underground chatter
• Partner organizations
• Investigation of end-to-end logging where possible
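The two bullets on tracking communications by their headers, and on not always trusting the IP addresses found in them, are illustrated by the following added example, which is not part of the original slides. It walks the Received: chain of a constructed message from the earliest hop to the last, marks the hops that were written by our own mail relays (the set TRUSTED_RELAYS is an assumption standing in for an organization's real MTAs) and returns the earliest hop we can actually vouch for. Every hop recorded before that point was supplied by the remote side and can say anything at all; host names and addresses in the sample are constructed.

```python
"""Walk the Received: chain of an email and find the first trustworthy hop.

Added example (not from the original slides). Hops are returned earliest-
first; a hop is 'trusted' only when the relay that recorded it is one of
our own. Hops before the first trusted one were written by the remote
side and may be forged. Relay names and addresses are constructed.
"""
import re
from email import message_from_string

# Assumption: these are the organization's own mail relays.
TRUSTED_RELAYS = {"mx1.example.org", "relay.example.org"}

# Constructed sample: two hops recorded by our relays, plus one hop that
# the partner relay copied from the remote sender and we cannot verify.
SAMPLE_MSG = """\
Received: from relay.example.org (relay.example.org [192.0.2.10])
\tby mx1.example.org with ESMTP id abc123; Wed, 22 Oct 2014 09:10:00 +0000
Received: from mail.partner.example (mail.partner.example [198.51.100.5])
\tby relay.example.org with ESMTPS; Wed, 22 Oct 2014 09:09:58 +0000
Received: from origin.example (unknown [203.0.113.77])
\tby mail.partner.example with SMTP; Wed, 22 Oct 2014 09:09:50 +0000
From: sender@origin.example
To: user@example.org
Subject: Invoice

body
"""

# "from <helo> (<reverse-dns> [<ip>]) by <relay>" is the common shape;
# the parenthesised part is optional because some MTAs omit it.
HOP_RE = re.compile(
    r"from (?P<helo>\S+)(?: \((?P<ptr>[^)]*)\))? by (?P<by>\S+)", re.I
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw_message):
    """Return hops earliest-first as dicts with helo, ip, by and trusted."""
    msg = message_from_string(raw_message)
    hops = []
    # Headers are prepended on delivery, so message order is latest-first.
    for value in reversed(msg.get_all("Received", [])):
        value = re.sub(r"\s+", " ", value)  # unfold continuation lines
        m = HOP_RE.search(value)
        if not m:
            continue
        ip_m = IP_RE.search(m.group("ptr") or "")
        relay = m.group("by").rstrip(";").lower()
        hops.append({
            "helo": m.group("helo"),
            "ip": ip_m.group(1) if ip_m else None,
            "by": relay,
            "trusted": relay in TRUSTED_RELAYS,
        })
    return hops


def origin_hop(raw_message):
    """Earliest hop recorded by one of our own relays, i.e. the connecting
    address we can rely on. Returns None if no trusted relay recorded a hop."""
    trusted = [h for h in received_hops(raw_message) if h["trusted"]]
    return trusted[0] if trusted else None


if __name__ == "__main__":
    for h in received_hops(SAMPLE_MSG):
        flag = "trusted" if h["trusted"] else "UNVERIFIED"
        print(f"{h['helo']} [{h['ip']}] -> {h['by']}  ({flag})")
    print("reliable origin:", origin_hop(SAMPLE_MSG))
```

For the sample, the reliable origin is 198.51.100.5, the partner relay that connected to our own relay.example.org; the 203.0.113.77 hop at the bottom of the chain was recorded by a system outside our control and should be treated as a claim, not a fact, until corroborated by the partner's logs or other sources.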
Acquisition of Artifacts 
Experience has proven that there can be a tendency to focus on keeping the lights on, which can be at the expense of any follow-up investigation – this does not have to be the case – consider:
• Deploying an evolved CSIRT
• Providing the necessary underpinning documentation
• Establishing run-books
• Ensuring appropriate tools are available in the CSIRT
• Don’t forget training
• Have a capability to track the investigation and to securely
• Remember business and third-party [Cloud] interfaces
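Acquiring artifacts while operations continue only pays off if the evidence can later be shown to be what was collected. The following added example, not part of the original slides, shows the minimum a run-book might prescribe for that: hash every acquired file with SHA-256 at the moment of acquisition, record who collected it, from which host and when, and re-verify the set later so that any altered or missing artifact is reported. The file names, host name and collector identity are constructed; the artifacts are written to a temporary directory so the example runs anywhere.

```python
"""Record and verify a chain-of-custody manifest for acquired artifacts.

Added example (not from the original slides). Each acquired file is
hashed on acquisition and listed with its size; verification re-hashes
the files and reports anything missing or altered. Host, collector and
artifact contents are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(artifact_dir, source_host, collector):
    """Describe every regular file in artifact_dir with its hash and size."""
    entries = []
    for name in sorted(os.listdir(artifact_dir)):
        path = os.path.join(artifact_dir, name)
        if os.path.isfile(path):
            entries.append({
                "file": name,
                "sha256": sha256_file(path),
                "size": os.path.getsize(path),
            })
    return {
        "source_host": source_host,
        "collector": collector,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "artifacts": entries,
    }


def verify_manifest(artifact_dir, manifest):
    """Return (file, problem) for every artifact that is missing or altered;
    an empty list means the set still matches what was acquired."""
    problems = []
    for e in manifest["artifacts"]:
        path = os.path.join(artifact_dir, e["file"])
        if not os.path.isfile(path):
            problems.append((e["file"], "missing"))
        elif sha256_file(path) != e["sha256"]:
            problems.append((e["file"], "hash mismatch"))
    return problems


def demo():
    """Acquire two constructed artifacts, verify, then alter one and re-verify.
    Returns (problems_before_tampering, problems_after_tampering)."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "auth.log"), "w") as f:
            f.write("Oct 22 09:15:02 host-a sshd[411]: Accepted publickey for svc\n")
        with open(os.path.join(d, "netstat.txt"), "w") as f:
            f.write("tcp 0 0 10.1.4.17:49152 198.51.100.20:443 ESTABLISHED\n")
        manifest = build_manifest(d, "host-a.internal", "responder-1")
        clean = verify_manifest(d, manifest)
        # Simulate an artifact being modified after acquisition.
        with open(os.path.join(d, "auth.log"), "a") as f:
            f.write("extra line\n")
        return clean, verify_manifest(d, manifest), manifest


if __name__ == "__main__":
    before, after, manifest = demo()
    print(json.dumps(manifest, indent=2))
    print("before tampering:", before)
    print("after tampering:", after)
```

The manifest itself should be stored outside the acquired set (and ideally signed or hashed in turn) so that whoever alters an artifact cannot also quietly rewrite the record that would reveal it.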
Decision Time 
Occasions may, and will, arise in which a decision must be made to ensure the overall impact of the event is minimized, mitigated and contained, so that the business environments are not impacted by event sprawl – for example, taking down a web site, or isolating a network or segment. It is however important at such times that:
• The business is involved
• The impact is understood in time and financial terms
• Inter-organization communications are in place
• The external communications element is in place
• Teams are well briefed to engage – and appreciate the impact of their actions [example]
• Reporting – managing expectations
• Recovery and testing
Standards & Guides 
It is important to have a formalized response which meets the expectations of promulgated and established standards, to ensure the desired protocols are followed and maintained – for example, and as applicable:
• ISO 27001
• PAS 555
• PCI-DSS
• Government directives
• Others: ITA 2000, SB 1386, etc.
Communications 
During and after any form of security event, it is essential that the 60/40 Rule of communications is applied, with 60% focusing on the people and 40% representing the actual event – here we are in the business of managing reputations.
Here is an example of getting this wrong, with some very realistic implications.
Tools & Training 
The outcome of a security event is very dependent on the capabilities of the First Response Team, and of those who will engage the incident. Here, having the right tools and training are essential elements:
• Basic technological skills
• Application of process – keep it secure and legal
• Fit-for-purpose tools
• Cross-team connection
Final Thoughts 
• Logging 
• Full-packet capture 
Thank you!