ENISA is the EU Agency for Network & Information Security. In this presentation, the Head of Stakeholder Relations shares lessons for CEOs from over 200 cyber simulations and other research conducted by ENISA.
ENISA - EU strategies for cyber incident response
1. ENISA – lessons for CEOs on how to respond to attack
unclassified
Dr Paulo Empadinhas
Head of Administration & Stakeholders Relations
European Union Agency for Network & Information Security
4th November 2016
www.CyberRescue.co.uk
2. European Union Agency for Network and Information Security
ENISA - Lessons for CEOs on how to respond to a cyber attack
Dr Paulo Empadinhas | Head of Administration & Stakeholders Relations
CEOS & CYBER RECOVERY | Athens | 04 November 2016
3. Background information
• “Strategies for Incident Response and Cyber Crisis Cooperation”
  - Link to the document: https://www.enisa.europa.eu/publications/strategies-for-incident-response-and-cyber-crisis-cooperation
• Prepared by ENISA as input for discussion for the Network and Information Security (NIS) Platform
  - Link to the platform: https://resilience.enisa.europa.eu/nis-platform
• Core material developed based on previous ENISA work in the field of
  - CSIRTs
  - Critical Information Infrastructure Protection (CIIP)
• Version 1.1 of August 2016 contains some updates in the light of the NIS Directive
Presentation Title | Speaker Name ( To edit click Insert/ Header & footer)
4. Main topics
• Basic definitions and overview of incident response capabilities
• Incident response mechanisms
• Challenges in incident response
• Ways of enhancing incident handling cooperation
• Incident response in cyber security strategies
5. Definitions and incident response capabilities
• Basic definitions, such as:
  - Cyber/information security incident
  - Computer Security Incident Response Team (CSIRT), including CSIRT communities (e.g. TF-CSIRT, TI, FIRST, CSIRT network)
  - Constituency
• Overview of incident response capabilities
  - Formal capability (mandate)
  - Operational-technical capability
    • external services
    • internal services
  - Operational-organisational capability (e.g. human and technical resources, infrastructure)
  - Co-operational capability (e.g. cooperation with other stakeholders, also at international level)
6. Challenges in incident response
• Human resources at CSIRTs
  - Skilled IT security personnel are hard to find
• Processes and procedures
  - Need for clear, concise, well-documented incident response plan
• Political and legal framework
  - Importance of an adequate political and legal framework that helps to define roles and responsibilities and enhance the overall cooperation
• Technology: tools and data
  - Important decision between self-developed tools or services procured from vendors
7. Incident response mechanisms
Typical incident response process retrieved from Good Practice Guide for Incident Management, ENISA, 2010, p. 37 - https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management
8. Incident response in cyber security strategies
• National cyber security strategy: high-level strategic framework for a nation’s approach to cyber security
  - Key objectives of cyber security strategies (e.g. of the Cybersecurity Strategy of the European Union)
    • to develop cyber defence policies and capabilities
    • to achieve cyber resilience
    • to reduce cyber-crime
    • to support industry on cyber security
    • to secure critical information infrastructures
  - Key components
    • setting the vision, scope, objectives and priorities
    • identifying and engaging stakeholders
    • establishing trusted information-sharing mechanisms
    • developing national cyber contingency plans
    • organising cyber security exercises
    • establishing baseline security requirements
    • establishing incident reporting mechanisms
    • engaging in international cooperation
  - Important role of national cyber security agency/centre but also of national and governmental CSIRT
9. Ways of enhancing incident handling cooperation
• Cyber crisis cooperation and management
  - 3 levels of cyber crisis management
    • Strategic
    • Operational
    • Technical
• Mutual Aid to boost preparedness
  - Both the public and private sectors to be involved in the mutual aid agreements
• Exercises to enhance incident handling cooperation
• CSIRT training to enhance capabilities, such as:
  - TRANSIT training
  - ENISA training material for CSIRT community
    • Link to ENISA’s Cyber Security Training material: https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists
10. Cyber Europe 2016
Cyber Exercises
12. Cyber exercise planning training courses
Support in exercise planning
European Commission, EEAS, Eurocontrol, EU Agencies, ..
Cyber Exercise Platform available for the organisation of EU Institutions, incl. Agencies, and Member States exercises
Technical Playground
14. Simulation of large-scale cybersecurity incidents and EU-wide cyber crises
Business continuity and crisis management situations
Advanced technical cybersecurity incidents
Exciting scenarios, inspired by real-life events
National and international cooperation
Flexible learning experience
15. CE2016 high-level goals:
1. Test EU-level cooperation processes
2. Provide opportunities to test local-level cooperation processes
3. Train EU- and national-level capabilities
16. Phase 1:
Apr-Oct 2016: focus on technical knowledge enhancement
Technical ‘challenge of the month’ released on a regular basis
Build up the crisis, keep participants interested, train participants
Phase 2:
17. A united EU cooperated, with the assistance of ENISA, to mitigate the largest and most sophisticated attack against Europe
Companies from the ICT Industry, Financial Institutions, Hospitals and even the Energy sector were under threat
Companies dealt with ransomware, cloud service attacks, DDoS, war-dialing, as well as reputation attacks
Response to new attack vectors such as drones, IoT infections and even attacks on core signaling systems such as the telecom signaling system SS7
The cyber security community in EU managed to solve difficult puzzles, and proved that cyber crisis
18. It is a great opportunity to test internal business continuity and IT security policies
IT security teams will have hands-on incident handling opportunities
Can develop working relationships with competent national authorities and private stakeholders
Find out the actors at national and European level when it comes to cyber crises