Cyber Resiliency
Download as PPTX, PDF1 like297 views
The document outlines key strategies and best practices for cyber incident response, emphasizing the importance of preparation, identification, notification, and effective mitigation strategies. It cites a case study on a ransomware attack affecting the Tewksbury Police Department, illustrating the disruptive impact of such incidents and the need for structured cyber incident response plans. The document highlights various roles and responsibilities within incident response teams and encourages regular testing and training to enhance preparedness and confidence.
Cyber Resiliency
- 1. Breach Stats
- 2. Paul Fletcher – Cyber Security Evangelist @_PaulFletcher Cyber Resiliency
- 3. Breach Stats
- 4. Step 1: Cut the cord as soon as possible well… maybe… Actually, Give It a Minute or Two
- 5. Downside of moving too fast
- 6. Downside of moving too fast
- 7. Before you act, ask yourself: • What is your primary objective? • What about the Cyber Security Incident Response plan? • Is there a downside to quietly observing the actions of the attacker?
- 8. Types of Cyber Security Incidents • Application Vulnerabilities - Word Press - MySql - Web Server (IIS or Apache) • Operating System Attacks - Linux Kernel • Malicious Software - Worm - Trojan - Other • Denial of Service (DoS or DDoS) • Ransomware
- 9. Ransomware Incidents Ransom demand variation over time.
- 10. Case Study: Tewksbury Police Department Attack • Phishing email (package delivered – click this link for details) • Employee clicked, malware was launched • Attacker gained access and encrypted data on mapped servers • Ransom demand of only $500 (if a million people give you $1, You have $1 million.) Impact • Total Police Operations Disruption • Reverted to broken manual processes • No access to arrest records/warrants • Unable to conduct ID verification Five days with no computing. Public and private security experts unable to decrypt. No technical mitigation.
- 11. If Ransomware Hits – Haggle! • Act quickly before they pack up • Most attackers happy with smaller pay day • In larger cases, FBI recommends professional negotiators be hired
- 12. Cyber Incident Response Plans
- 13. Cyber Incident Response • The Plan is the Thing - Preparation - Identification - Notification - Mitigation Strategy - Containment - Eradication - Recovery - Lessons Learned • Templates
- 14. Roles and responsibilities • Incident notification • Help desk • Technical team • Triage team • Forensics team • Network Security • Malware analysis • Communications • Executive team • Legal/Marketing/HR
- 15. Roles and responsibilities Incident Notification • Employees • Contractors/Consultants • Vendors • Customers • Competitors • Law Enforcement Notification Method • Should be easy • Have multiple options
- 16. Roles and responsibilities • Help desk • Properly trained • Escalation • Pre-triage • Technical team • Triage – fix known issues, return system to normal • Forensics – root cause analysis, chain of custody • Network and systems – infrastructure assessment • Malware analysis – reverse engineer, zero days
- 17. Roles and responsibilities • Communications • Within the incident response team • Internally • Decision makers • Externally • Designated role • Notes • Timelines • Next steps • Executive team • Legal/Marketing/HR
- 18. Cyber Incident Response • Cloud considerations - Robust log solution - Understand your cloud service providers security model - Understand the shared security responsibility - Clearly defined resources - Include when testing the plan - Have pristine content ready to re-deploy - Test this capability
- 19. Test the plan • Self risk assessment • Incident response walk through • Recent breach details • Team risk assessment • Entire incident response team • Confirm roles, timing, talent and tools • Executive risk assessment • Focused on process and business impact • C-level collaboration • Live exercise risk assessment • Practice leads to experience • Experience leads to confidence • Confidence leads to execution
- 20. Cyber Incident Response • Test the plan • Roles and responsibilities • Cloud considerations • The plan is the thing • Test the plan…again
- 21. No Substitution for Preparation • Assume that at some point you will be breached • Make actionable • Consider observing the adversary without tipping them off to understand full extent of the breach and attacker intent • Use cloud networking tools to isolate compromised infrastructure and orchestrate recovery efforts • Run your incident response team through regularly scheduled and surprise exercises • Engage cloud provider during exercises • Utilize hybrid infrastructure
- 22. Shared Cyber Incident Response Preparation Identification Notification Mitigation Strategy Containment Eradication Recovery Lessons Learned
- 23. Thank you.
Editor's Notes
- #4: Reasons to be targeted Source: datalossdb.org
- #5: Story of malware that self-destructs if “phone home” unsuccessful after X amount of attempts.
- #7: Cambridge University security researcher Sergei Skorobogatov has published a new research paper detailing a technique that would have helped the FBI bypass the iOS passcode limit on the shooter's iPhone 5C
- #9: Different attack vectors may need to be handled differently and documented accordingly in your Cyber Incident Response Plan.
- #16: An incident could be reported by any of these
- #17: Help desk – pre-triage means that help desk analysis should be able to understand enough about the reported incident to prepare the user and their system for next steps. As an example, if a user reports malware, the help desk should be able to know the next step (is your policy to unplug the network cable or shut off the system or keep it up and running for forensics) and communicate that to the user.
- #20: C-level collaboration – a chance to discuss each executive’s biggest concerns and priorities. External facilitator - This external source can bring a scenario to work through, ask compelling questions (without corporate knowledge), facilitate discussion and be a source for independent review of your plan
- #23: Regarding cyber incident response, Alert Logic can identify the threat and notify our customer with a mitigation strategy. Once the customer knows there is an active threat, they can use our recommendation to contain the threat to keep it from spreading, eradicate the threat from their systems and recover to normal operations. It’s highly recommended that organizations have a prepared cyber incident response plan and document the lessons learned from each incident to enhance their plan as cyber incident handling experience increases. Preparation Identification Notification Mitigation Strategy Containment Eradication Recovery Lessons Learned