Date post: 06-Jun-2018

#RSAC

SESSION ID: SOP-W05

Responding to Global Cyber Incidents in a Legally Defensible Manner

Natasha Kohne
Partner, Akin Gump Strauss Hauer & Feld LLP

Ted Theisen
Senior Managing Director, Ankura Consulting Group

#RSAC

Objectives

Our Backgrounds

Incident Response Best Practices

Legal Considerations

Strategy and Success Milestones

Case Study

Questions/Answers

#RSAC

Backgrounds

Our Backgrounds

#RSAC

Incident Response Best Practices

#RSAC

Definition

Incident – a violation or imminent threat of violation of security policy or practices

Data breach – an incident where unintended or unauthorized exposure, access, or acquisition has or is suspected to have occurred to sensitive information

An incident is not always a data breach!

#RSAC

Incident Response Methodology

NIST SP 800-61 Rev. 2 is the industry's recommended best-practice guideline for cyber security incident management

These are general guidelines for public and private entities responding on their own without the benefit of a consulting firm

• Preparation
• Detection & Analysis
• Containment
• Eradication
• Recovery / Post-Incident Activity

#RSAC

PREPARATION

Possibly the most important!

• IR Plans & Procedures
• Tabletop Exercises
• Preparation of system diagrams and data mapping
• Identification of the location of pertinent data
• Understand existing corporate standards
• Third party relationships

“In preparing for battle I have always found that plans are useless, but planning is indispensable”

-- General Dwight D. Eisenhower

#RSAC

Incident Response Plan

Include core areas of NIST 800-61 and/or ISO27035-1

Define criticality of incidents

Define specific escalation/communication points

Consider adding “playbooks” to your IR plan
• Document “plays” for recurring procedures
• Highlight process and/or workflows to guide incident response

Include case management templates

#RSAC

DETECTION & ANALYSIS

• Conduct effective interviews to triage and scope – this is crucial
• Eliminate panic
• Ascertain the entire threat landscape
• Identify peripheral locations where evidence may reside and ENSURE PROPER PRESERVATION

[Diagram: Event Logging & Correlation across Network, Host, and Application sources, producing an ALERT]

#RSAC

PRESERVE EVERYTHING

• Encourage broad preservation – but understand why all evidence is being preserved
• Do not analyze original evidence – make a copy first
• Before running queries against any logs, ensure they cannot be altered by the queries
• Consider packet captures of machines before removing them from the network
• Capture RAM before shut-down of primary machines
• Consider live acquisitions
• Document everything you do
• Destroy nothing
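The preservation rules above (copy first, make sure queries cannot alter the evidence, document everything) as an added worked example; this is not code from the presenters or their firms. The file paths, custodian name and sample log lines are constructed assumptions.

```python
# Added illustration of the slide's preservation rules; not from the RSAC deck.
# Paths, the custodian name and the sample log are constructed assumptions.
import hashlib, json, os, shutil, stat, tempfile
from datetime import datetime, timezone

# Constructed sample authentication log (not real data).
SAMPLE_LOG = (
    "2018-05-02T03:14:07Z sshd[911]: Accepted password for admin from 203.0.113.9\n"
    "2018-05-02T03:15:22Z rat.exe: outbound connection to 203.0.113.9:4444\n"
    "2018-05-02T03:20:01Z cron[77]: (root) CMD (run-parts /etc/cron.hourly)\n"
)

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve(original, workdir, custodian):
    """Hash the original, copy it, lock both read-only, append a custody record."""
    working = os.path.join(workdir, os.path.basename(original) + ".copy")
    shutil.copy2(original, working)
    entry = {"original": original, "working_copy": working,
             "sha256": sha256_file(original), "custodian": custodian,
             "acquired_utc": datetime.now(timezone.utc).isoformat()}
    if sha256_file(working) != entry["sha256"]:
        raise RuntimeError("working copy does not match original")
    for p in (original, working):
        os.chmod(p, stat.S_IRUSR)          # queries cannot alter either file
    with open(os.path.join(workdir, "custody.jsonl"), "a") as log:
        log.write(json.dumps(entry) + "\n")  # document everything you do
    return entry

def verified_query(entry, predicate):
    """Query the working copy only, then re-hash both files to prove no change."""
    with open(entry["working_copy"]) as f:
        hits = [line.rstrip("\n") for line in f if predicate(line)]
    for path in (entry["original"], entry["working_copy"]):
        if sha256_file(path) != entry["sha256"]:
            raise RuntimeError(f"integrity failure: {path} changed during analysis")
    return hits

def demo(indicator="203.0.113.9"):
    """Stage the constructed log in a temp dir and search it for one indicator."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "auth.log")
    with open(original, "w") as f:
        f.write(SAMPLE_LOG)
    entry = preserve(original, workdir, "analyst-1")
    return verified_query(entry, lambda line: indicator in line)
```

The custody record (`custody.jsonl`) is what counsel will later ask for when the analysis has to be defended; the re-hash after every query is the evidence that the originals were never touched.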

#RSAC

DETECTION & ANALYSIS

• IoC – Indicators of Compromise
• PoC – Patterns of Compromise
• VoC – Vector of Compromise
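An added example (not from the deck) contrasting the first two terms above: an IoC match is an exact hit on a known-bad value, while a PoC match is a behavioural sequence that fires even with no known indicator. The reading of IoC as atomic value and PoC as behavioural pattern, the log lines, the bad-address list and the thresholds are all assumptions.

```python
# Added illustration of the IoC / PoC distinction on this slide; not from the deck.
# The log lines, indicator values and thresholds are constructed assumptions.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real data).
SAMPLE_LOG = """\
2018-05-02T03:10:01Z sshd: Failed password for admin from 203.0.113.9
2018-05-02T03:10:04Z sshd: Failed password for admin from 203.0.113.9
2018-05-02T03:10:09Z sshd: Failed password for admin from 203.0.113.9
2018-05-02T03:10:15Z sshd: Accepted password for admin from 203.0.113.9
2018-05-02T03:12:40Z sshd: Failed password for bob from 198.51.100.7
2018-05-02T03:14:07Z sshd: Accepted password for bob from 198.51.100.7
""".splitlines()

LINE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

# IoC: atomic known-bad values, e.g. shared by a vendor or counsel (constructed).
KNOWN_BAD_IPS = {"203.0.113.9"}

def parse(lines):
    for line in lines:
        m = LINE.match(line)
        if m:
            ts, result, user, ip = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, ip

def ioc_hits(lines):
    """Exact-match indicators: every event involving a known-bad address."""
    return [(ts, user, ip) for ts, _, user, ip in parse(lines) if ip in KNOWN_BAD_IPS]

def poc_hits(lines, failures=3, window=timedelta(minutes=1)):
    """Pattern: >= `failures` failed logins then a success, same user and source, within `window`."""
    recent = defaultdict(list)
    hits = []
    for ts, result, user, ip in parse(lines):
        key = (user, ip)
        if result == "Failed":
            recent[key].append(ts)
            continue
        if sum(1 for t in recent[key] if ts - t <= window) >= failures:
            hits.append((ts, user, ip))
        recent[key].clear()               # a successful login resets the counter
    return hits
```

The second source (198.51.100.7) is on no indicator list and does not fit the pattern, so neither function flags it; the first is caught both ways, which is the overlap an analyst expects when an IoC and a PoC describe the same intrusion.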

#RSAC

DETECTION & ANALYSIS

Important best practices of analysis:

• Log analysis
• Review infrastructure diagrams to identify peripherally affected systems
• Review data-maps and process flow diagrams to understand points of failure
• Identify access and/or acquisition of regulated data (PHI/PII/etc.)

Many of these combined factors will assist with stakeholder legal and risk assessments

#RSAC

DETECTION & ANALYSIS

After identification of attack vectors, attribution, and exposed data – now what?

#RSAC

CONTAINMENT

This is a cyclical process associated with detection and analysis

After understanding the Elements of Compromise, strategies can be implemented to isolate the threat

#RSAC

ERADICATION

Reduce the likelihood of recurrence

Use caution when deleting anything
— Ask yourself what you gain by deleting
— Loop in counsel and/or 3rd parties (PCI-PFI) with these decisions
— Update malware IDS/IPS signatures
— Deploy emergency patches
— Black-list identified malicious IP addresses
— If malware/malicious IPs are found, consider providing info to online repositories. Ex. NIST, SANS, etc.
— Validate eradication with EDR or similar high visibility detection mechanisms

#RSAC

RECOVERY & POST BREACH

Generate After Action Reports (AAR)
• Review all documented activity
• Discuss in roundtable environment, both with clients and internal meetings
• Identify what was done well and what needs improvement
• Update and improve existing IR plan and procedures

Develop final deliverable
• Inquire with counsel on privilege considerations
• Articulate the scale and scope of the incident
• Prepare affidavit
• Trial prep
• Testimony
• Notifications to victims
• Clarify legal/contractual obligations

#RSAC

Legal Considerations

#RSAC

Legal Considerations

Why should you engage outside counsel during a cyber incident?
• The role of general or legal counsel in incident response
• The attorney-client privilege and other communications
• Government/regulatory inquiries and litigation

Pre-Breach
• Compliance/policies and procedures
• Vendor/third-party management
• M&A due diligence
• Board oversight
• Cybersecurity insurance

#RSAC

Role of the General Counsel in Incident Response

• Gather team and activate breach response plan
• Investigate to determine what happened and work to contain the breach
• Lead fact-finding efforts and hire technical experts (to preserve privilege)
• Determine whether sensitive information has been accessed
• Identify potentially applicable laws and assist with compliance
• Identify and address obligations with respect to regulators, insurance carriers, customers, individuals, and third parties
• Interface with regulators and law enforcement
• Interface with third parties
• Evaluate obligations under insurance policies
• Prepare for potential regulatory investigation and litigation
• Legal concerns surrounding information sharing
• Reassess and revisit administrative, physical, and technical safeguards to prevent recurrence

#RSAC

Legal Considerations

Cyber forensics may be covered by legal privilege
• Multiple cases in the U.S. have confirmed that, under the proper structure, cyber forensics would be covered by the attorney-client privilege or attorney work product doctrine
• Precedent suggests that risk assessments undertaken for purposes of assisting the lawyers in providing legal advice may be covered by the privilege

Controlling communications
• Alternative methods

Government/regulatory inquiries and litigation
• Multi-country investigations
• Heightened risk of litigation and regulatory fines

#RSAC

Pre-Breach Consulting

Compliance/policies and procedures
• What is reasonable security?
• Data mapping
• Framework

Vendor/third-party management
• Negotiating contract provisions
• Prioritizing and diligencing vendors

M&A due diligence

Board oversight/governance

Cybersecurity insurance

#RSAC

Incident Response Strategy and Success Milestones

#RSAC

Evolution of Incident Response

#RSAC

Modern Incident Response Methodology

Modern IR techniques ensure both best practices and more rapid recovery

• Shorten timeline to containment
• Ensure availability of ample evidence
• Legally defensible

[Diagram elements: Response Time to Incident; Broad Preservation; Sound Investigative Protocol; Advanced Endpoint Detection & Response; User Behavior Analytics; Digital Forensics; Network Anomaly Analytics; Emerging Event Correlation]

#RSAC

Incident Response Success Milestones

Develop an After Action Report

Take the time to review the entire incident with all members of the team

Ensure all appropriate changes are in place to prevent recurrence of the incident

Define broader remediation plans to shore up other related security weaknesses

#RSAC

Case Study: Intrusion of Medical Device Corporation

Overview: Criminal Computer Intrusion
• Preparation
  • No IR Plan
• Detection and Analysis
  • Hacker communicated directly with system administrator
  • Identified vector of compromise – remote access tool
  • Identified originating IP address
• Containment, Eradication, and Recovery
  • Blocked remote access
  • Obtained search warrant
  • Arrested main subject
• Post Incident
  • Scanned infrastructure for similar vulnerabilities
  • Reviewed needs for remote access tools

Outcome and Findings
• Preservation of Evidence requests filed in the US
• Emergency subpoena and search warrant served in the US
• Search warrant executed at residence of main subject

Lessons Learned
• Have an Incident Response plan in place before an incident occurs
• Engage outside counsel prior to an incident
• Proactively reach out to your local law enforcement

#RSAC

Apply What You Have Learned Today


Next week you should:
• Draft or review your cyber incident response plan
• Begin to prepare for the cyber incident that will occur

In the first three months following this presentation you should:
• Ensure that your cyber incident response plan adequately reflects the elements detailed in this presentation (detection/analysis, containment, eradication, recovery, after action)

Within six months you should:
• Conduct a tabletop exercise to practice your cyber incident response plan, preferably while including outsiders to provide unbiased feedback

#RSAC

Questions?
