Posted: 07-Jan-2017 | Category: Technology | Uploaded by: alert-logic
Cyber Resiliency
Paul Fletcher – Cyber Security Evangelist, @_PaulFletcher
Breach Stats
Step 1: Cut the cord as soon as possible
well… maybe…
Actually, Give It a Minute or Two
Downside of moving too fast
Before you act, ask yourself:
• What is your primary objective?
• What about the Cyber Security Incident Response plan?
• Is there a downside to quietly observing the actions of the attacker?
Types of Cyber Security Incidents
• Application vulnerabilities
- WordPress
- MySQL
- Web server (IIS or Apache)
• Operating system attacks
- Linux kernel
• Malicious software
- Worm
- Trojan
- Other
• Denial of Service (DoS or DDoS)
• Ransomware
Ransomware Incidents
Ransom demand variation over time.
Case Study: Tewksbury Police Department
Attack
• Phishing email (package delivered – click this link for details)
• Employee clicked, malware was launched
• Attacker gained access and encrypted data on mapped servers
• Ransom demand of only $500 (if a million people give you $1, you have $1 million)
Impact
• Total police operations disruption
• Reverted to broken manual processes
• No access to arrest records/warrants
• Unable to conduct ID verification
• Five days with no computing; public and private security experts were unable to decrypt; no technical mitigation
If Ransomware Hits – Haggle!
• Act quickly, before they pack up
• Most attackers are happy with a smaller pay day
• In larger cases, the FBI recommends hiring professional negotiators
Cyber Incident Response Plans
Cyber Incident Response
• The plan is the thing
- Preparation
- Identification
- Notification
- Mitigation strategy
- Containment
- Eradication
- Recovery
- Lessons learned
• Templates
Roles and responsibilities
• Incident notification
• Help desk
• Technical team
- Triage team
- Forensics team
- Network security
- Malware analysis
• Communications
• Executive team
• Legal/Marketing/HR
Roles and responsibilities
Incident notification
• Employees
• Contractors/consultants
• Vendors
• Customers
• Competitors
• Law enforcement
Notification method
• Should be easy
• Have multiple options
Roles and responsibilities
• Help desk
- Properly trained
- Escalation
- Pre-triage
• Technical team
- Triage: fix known issues, return the system to normal
- Forensics: root cause analysis, chain of custody
- Network and systems: infrastructure assessment
- Malware analysis: reverse engineering, zero-days
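The forensics role above owes the rest of the team a chain of custody: who touched which evidence item, when, and proof that the bytes have not changed since acquisition. The following is an added example written for this page, not code from the deck or from Alert Logic. It hashes each evidence item with SHA-256 at acquisition and keeps a hash-chained custody log so that editing, reordering or deleting an entry is detectable. The evidence bytes, handler names and the `EV-001` identifier are constructed for the demo.

```python
"""Chain-of-custody log for incident evidence (added example, not from the deck).

Each entry records who handled which evidence item, when and why, together with
the item's SHA-256 so a later examiner can prove the bytes are unchanged.
Entries are hash-chained: each one commits to the hash of the previous entry,
so altering or removing any entry breaks verification of everything after it.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # assumption: fixed sentinel used as prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_file(path, chunk=1 << 20):
    """Stream a large image (disk/memory capture) through SHA-256."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _entry_hash(entry):
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def append_entry(log, evidence_id, evidence_hash, handler, action, note="", when=None):
    """Append one custody event, linked to the previous entry's hash."""
    when = when or datetime.now(timezone.utc).isoformat(timespec="seconds")
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry = {
        "seq": len(log), "time": when, "evidence_id": evidence_id,
        "evidence_sha256": evidence_hash, "handler": handler,
        "action": action, "note": note, "prev_hash": prev,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_log(log):
    """Return (ok, first_bad_seq): checks each entry's own hash and its link back."""
    prev = GENESIS
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev_hash"] != prev or _entry_hash(e) != e["entry_hash"]:
            return False, i
        prev = e["entry_hash"]
    return True, None


def verify_evidence(log, evidence_id, current_bytes):
    """Compare live bytes against the hash recorded when the item was acquired."""
    first = next((e for e in log if e["evidence_id"] == evidence_id), None)
    return first is not None and sha256_hex(current_bytes) == first["evidence_sha256"]


# Constructed sample standing in for a real memory image.
SAMPLE_EVIDENCE = b"MEMORY-IMAGE-CONSTRUCTED-SAMPLE\x00\x01\x02"


def demo():
    """Acquire, transfer and analyze one item; handlers and times are made up."""
    log = []
    h = sha256_hex(SAMPLE_EVIDENCE)
    append_entry(log, "EV-001", h, "j.doe (triage)", "acquired",
                 "memory image of host WEB01", when="2017-01-07T10:00:00+00:00")
    append_entry(log, "EV-001", h, "a.smith (forensics)", "transferred",
                 "handed to forensics team", when="2017-01-07T11:30:00+00:00")
    append_entry(log, "EV-001", h, "a.smith (forensics)", "analyzed",
                 "strings and YARA pass", when="2017-01-07T12:00:00+00:00")
    return log


if __name__ == "__main__":
    custody = demo()
    print(json.dumps(custody, indent=2))
    print("log intact:", verify_log(custody))
```

The log only proves integrity from the moment of acquisition; the acquisition hash itself should be written down (or signed) out of band, since an attacker who can rewrite the whole log can rebuild the chain from scratch.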
Roles and responsibilities
• Communications
- Within the incident response team
- Internally: decision makers
- Externally: a designated role
- Notes, timelines, next steps
• Executive team
• Legal/Marketing/HR
Cyber Incident Response
• Cloud considerations
- Robust log solution
- Understand your cloud service provider's security model
- Understand the shared security responsibility
- Clearly defined resources
- Include the cloud provider when testing the plan
- Have pristine content ready to re-deploy
- Test this capability
Test the plan
• Self risk assessment
- Incident response walk-through
- Recent breach details
• Team risk assessment
- Entire incident response team
- Confirm roles, timing, talent and tools
• Executive risk assessment
- Focused on process and business impact
- C-level collaboration
• Live exercise risk assessment
- Practice leads to experience
- Experience leads to confidence
- Confidence leads to execution
Cyber Incident Response
• Test the plan
• Roles and responsibilities
• Cloud considerations
• The plan is the thing
• Test the plan… again
No Substitution for Preparation
• Assume that at some point you will be breached
• Make the plan actionable
• Consider observing the adversary without tipping them off, to understand the full extent of the breach and the attacker's intent
• Use cloud networking tools to isolate compromised infrastructure and orchestrate recovery efforts
• Run your incident response team through regularly scheduled and surprise exercises
• Engage your cloud provider during exercises
• Utilize hybrid infrastructure
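The "isolate compromised infrastructure and orchestrate recovery" point, together with the earlier cloud-considerations advice to have content ready to re-deploy and to test that capability, is what a runbook has to encode before the incident. Below is an added example written for this page; it is not code from the deck or from Alert Logic. It is written against the boto3 EC2 client method names (`describe_instances`, `create_tags`, `create_snapshot`, `modify_instance_attribute`), but the only client wired up here is `FakeEC2`, a constructed in-memory stand-in so the logic runs offline. The quarantine group `sg-0quarantine`, the instance, volume and incident IDs, and the `ir:` tag keys are all assumptions for the demo.

```python
"""Quarantine-and-recover runbook for one compromised cloud instance.

Added example, not code from the Alert Logic deck. Written against the real
boto3 EC2 client method names, but exercised here only through FakeEC2, a
constructed stand-in, so it runs without AWS. All IDs below are made up.
"""
from datetime import datetime, timezone

# Assumption: a quarantine security group already exists (built in the
# Preparation phase) that allows no egress and ingress only from the
# forensics jump host. Create and test it before the incident, not during it.
QUARANTINE_SG = "sg-0quarantine"
ORIG_SG_TAG = "ir:original-security-groups"


def isolate_instance(ec2, instance_id, incident_id, now=None):
    """Record the original groups, snapshot every volume, then cut the cord."""
    now = now or datetime.now(timezone.utc).isoformat(timespec="seconds")
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    original = [g["GroupId"] for g in inst["SecurityGroups"]]
    if original == [QUARANTINE_SG]:
        return {"already_isolated": True, "original_groups": [], "snapshots": []}
    # Write down what was attached so recovery does not depend on anyone's memory.
    ec2.create_tags(Resources=[instance_id], Tags=[
        {"Key": ORIG_SG_TAG, "Value": ",".join(original)},
        {"Key": "ir:incident", "Value": incident_id},
        {"Key": "ir:isolated-at", "Value": now},
    ])
    # Forensic copies before anything else: disk state is evidence.
    snapshots = []
    for bdm in inst.get("BlockDeviceMappings", []):
        vol = bdm["Ebs"]["VolumeId"]
        snap = ec2.create_snapshot(
            VolumeId=vol,
            Description=f"{incident_id}: forensic copy of {vol} from {instance_id}",
            TagSpecifications=[{"ResourceType": "snapshot",
                                "Tags": [{"Key": "ir:incident", "Value": incident_id}]}],
        )
        snapshots.append(snap["SnapshotId"])
    # Containment: the quarantine group becomes the only group attached.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=[QUARANTINE_SG])
    return {"already_isolated": False, "original_groups": original, "snapshots": snapshots}


def restore_instance(ec2, instance_id):
    """Recovery step: reattach the recorded groups once eradication is done."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    tags = {t["Key"]: t["Value"] for t in inst.get("Tags", [])}
    if ORIG_SG_TAG not in tags:
        raise RuntimeError(f"{instance_id} carries no {ORIG_SG_TAG} tag; refusing to guess")
    groups = tags[ORIG_SG_TAG].split(",")
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=groups)
    return groups


class FakeEC2:
    """Constructed offline stand-in for boto3's EC2 client: same call shapes, no AWS."""

    def __init__(self, instances):
        self.instances = instances  # instance_id -> dict in describe_instances shape
        self.snapshots = []
        self._count = 0

    def describe_instances(self, InstanceIds):
        return {"Reservations": [{"Instances": [self.instances[i] for i in InstanceIds]}]}

    def create_tags(self, Resources, Tags):
        for rid in Resources:
            merged = {t["Key"]: t["Value"] for t in self.instances[rid].get("Tags", [])}
            merged.update({t["Key"]: t["Value"] for t in Tags})
            self.instances[rid]["Tags"] = [{"Key": k, "Value": v} for k, v in merged.items()]

    def create_snapshot(self, VolumeId, Description, TagSpecifications):
        self._count += 1
        sid = f"snap-{self._count:08x}"
        self.snapshots.append({"SnapshotId": sid, "VolumeId": VolumeId,
                               "Description": Description, "Tags": TagSpecifications[0]["Tags"]})
        return {"SnapshotId": sid}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.instances[InstanceId]["SecurityGroups"] = [{"GroupId": g} for g in Groups]


def build_demo_client():
    """Constructed sample: one web server with two volumes and two groups attached."""
    return FakeEC2({"i-0web01": {
        "InstanceId": "i-0web01",
        "SecurityGroups": [{"GroupId": "sg-web"}, {"GroupId": "sg-ssh-admin"}],
        "BlockDeviceMappings": [{"DeviceName": "/dev/xvda", "Ebs": {"VolumeId": "vol-root"}},
                                {"DeviceName": "/dev/xvdb", "Ebs": {"VolumeId": "vol-data"}}],
    }})


if __name__ == "__main__":
    ec2 = build_demo_client()
    print("isolate:", isolate_instance(ec2, "i-0web01", "IR-2017-001"))
    print("restore:", restore_instance(ec2, "i-0web01"))
```

Two design choices follow the deck's own advice. The function is idempotent, so a second responder running it does not overwrite the recorded original groups, and the snapshots are taken before the swap so the forensics team gets disk state as the attacker left it. Whether recovery means `restore_instance` or re-deploying from pristine content is a decision for the plan; either way, the quarantine group and the responder's own access path through it are exactly the things to confirm in the exercises.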
Shared Cyber Incident Response
Preparation → Identification → Notification → Mitigation Strategy → Containment → Eradication → Recovery → Lessons Learned
Thank you.