Cyber Resiliency

Date post: 07-Jan-2017
Upload: alert-logic

Transcript
Page 1: Cyber Resiliency

Breach Stats

Page 2: Cyber Resiliency

Paul Fletcher – Cyber Security Evangelist, @_PaulFletcher

Cyber Resiliency

Page 3: Cyber Resiliency

Breach Stats

Page 4: Cyber Resiliency

Step 1: Cut the cord as soon as possible

well… maybe…

Actually, Give It a Minute or Two

Page 5: Cyber Resiliency

Downside of moving too fast

Page 6: Cyber Resiliency

Downside of moving too fast

Page 7: Cyber Resiliency

Before you act, ask yourself:

• What is your primary objective?

• What about the Cyber Security Incident Response plan?

• Is there a downside to quietly observing the actions of the attacker?

Page 8: Cyber Resiliency

Types of Cyber Security Incidents

• Application Vulnerabilities
  - WordPress
  - MySQL
  - Web Server (IIS or Apache)

• Operating System Attacks
  - Linux Kernel

• Malicious Software
  - Worm
  - Trojan
  - Other

• Denial of Service (DoS or DDoS)

• Ransomware

Page 9: Cyber Resiliency

Ransomware Incidents

Ransom demand variation over time.

Page 10: Cyber Resiliency

Case Study: Tewksbury Police Department

Attack
• Phishing email (package delivered – click this link for details)
• Employee clicked, malware was launched
• Attacker gained access and encrypted data on mapped servers
• Ransom demand of only $500 (if a million people give you $1, you have $1 million)

Impact
• Total Police Operations Disruption
• Reverted to broken manual processes
• No access to arrest records/warrants
• Unable to conduct ID verification

Five days with no computing. Public and private security experts unable to decrypt. No technical mitigation.

Page 11: Cyber Resiliency

If Ransomware Hits – Haggle!

• Act quickly before they pack up
• Most attackers are happy with a smaller payday
• In larger cases, FBI recommends professional negotiators be hired

Page 12: Cyber Resiliency

Cyber Incident Response Plans

Page 13: Cyber Resiliency

Cyber Incident Response

• The Plan is the Thing
  - Preparation
  - Identification
  - Notification
  - Mitigation Strategy
  - Containment
  - Eradication
  - Recovery
  - Lessons Learned

• Templates

Page 14: Cyber Resiliency

Roles and responsibilities

• Incident notification
• Help desk
• Technical team

• Triage team
• Forensics team
• Network Security
• Malware analysis

• Communications
• Executive team
• Legal/Marketing/HR

Page 15: Cyber Resiliency

Roles and responsibilities

Incident Notification
• Employees
• Contractors/Consultants
• Vendors
• Customers
• Competitors
• Law Enforcement

Notification Method
• Should be easy
• Have multiple options

Page 16: Cyber Resiliency

Roles and responsibilities

• Help desk
  - Properly trained
  - Escalation
  - Pre-triage

• Technical team
  - Triage – fix known issues, return system to normal
  - Forensics – root cause analysis, chain of custody
  - Network and systems – infrastructure assessment
  - Malware analysis – reverse engineer, zero days

Page 17: Cyber Resiliency

Roles and responsibilities

• Communications
  - Within the incident response team
  - Internally
  - Decision makers
  - Externally
  - Designated role

• Notes
• Timelines
• Next steps

• Executive team
• Legal/Marketing/HR

Page 18: Cyber Resiliency

Cyber Incident Response

• Cloud considerations
  - Robust log solution
  - Understand your cloud service provider's security model
  - Understand the shared security responsibility
  - Clearly defined resources
  - Include when testing the plan
  - Have pristine content ready to re-deploy
  - Test this capability

Page 19: Cyber Resiliency

Test the plan

• Self risk assessment
  - Incident response walk-through
  - Recent breach details

• Team risk assessment
  - Entire incident response team
  - Confirm roles, timing, talent and tools

• Executive risk assessment
  - Focused on process and business impact
  - C-level collaboration

• Live exercise risk assessment
  - Practice leads to experience
  - Experience leads to confidence
  - Confidence leads to execution

Page 20: Cyber Resiliency

Cyber Incident Response

• Test the plan
• Roles and responsibilities
• Cloud considerations
• The plan is the thing
• Test the plan… again

Page 21: Cyber Resiliency

No Substitution for Preparation

• Assume that at some point you will be breached
• Make actionable

• Consider observing the adversary without tipping them off to understand full extent of the breach and attacker intent

• Use cloud networking tools to isolate compromised infrastructure and orchestrate recovery efforts

• Run your incident response team through regularly scheduled and surprise exercises

• Engage cloud provider during exercises
• Utilize hybrid infrastructure

Page 22: Cyber Resiliency

Shared Cyber Incident Response

[Diagram of the shared incident response cycle: Preparation, Identification, Notification, Mitigation Strategy, Containment, Eradication, Recovery, Lessons Learned]

Page 23: Cyber Resiliency

Thank you.
