This presentation looks at the core components of an Incident Response plan (NIST 800-61) as well as a custom practical implementation framework developed by ELYSIUMSECURITY based on NIST and FIRST.
2. CONTENTS
• Presentation goal;
• Who am I;
• Who we are;
• Our customers;
• IR framework benefits;
• Data breach statistics;
• Incident cost;
• Incident readiness;
• Incident response concept;
• Teams and mandates;
• Registers and purposes;
• Registers and reporting synergy;
• IR policy & plan overview;
• Incident playbook overview;
• NIST IR lifecycle;
• NIST IR steps;
• Preparation;
• Detection & Analysis;
• Containment, Eradication & Recovery;
• Post-incident activity;
• Incident Response Checklist;
• ELYSIUMSECURITY Incident Response;
• Overview;
• Rules of Engagement;
• Preparation;
• Detection;
• Categorization;
• Containment;
• Investigation;
• Remediation;
• Reporting;
• Lessons Learnt;
• Short Term – How to start?;
• Long Term – IR Implementation;
• Extra Resources.
PUBLIC
Sections: CONTEXT | STRUCTURE | HANDLING | CASE STUDY | CONCLUSION
3. PRESENTATION GOAL
TO LEARN ABOUT CYBER INCIDENT RESPONSE (IR) MAIN CONCEPTS
1. LEARN ABOUT IR CORE ELEMENTS
2. LEARN HOW TO APPLY AN IR FRAMEWORK
3. LEARN HOW TO START
Icons: from The Noun Project unless stated otherwise
4. WHO AM I
LIVED AND WORKED IN FRANCE, UK, USA AND MAURITIUS
CONTRIBUTING AND LEADING VARIOUS OPEN SOURCE CYBER SECURITY PROJECTS FOR THE LAST 20 YEARS
VETTED, TRAINED AND OVER 20 YEARS OF CYBER SECURITY EXPERIENCE WORKING FROM LARGE INTERNATIONAL CORPORATIONS
PASSIONATE ABOUT IT FROM VERY EARLY YEARS
FOUNDER AND RUNNING THE MAURITIUS SECURITY CLUB (MU.SCL) WITH FREE SECURITY AWARENESS PRESENTATIONS EVERY MONTH
5. WHO WE ARE
FOUNDED IN 2015 BY SYLVAIN MARTINEZ
INCORPORATED AND OPERATING IN MAURITIUS (2017) AND IN THE UK/EUROPE (2015)
PROVIDING INDEPENDENT EXPERTISE IN CYBER SECURITY
MULTITUDE OF RECOGNIZED PROFESSIONAL CERTIFICATIONS
20 YEARS OF INTERNATIONAL CYBER SECURITY CORPORATE EXPERIENCE
OUR BOUTIQUE STYLE APPROACH PROVIDES A DISCREET, TAILORED AND SPECIALIZED CYBER SECURITY SERVICE THAT FITS YOUR WORKING ENVIRONMENT
6. CUSTOMERS
CUSTOMER TIMELINE 2016 – 2019 (YEAR LABELS ON THE ORIGINAL CHART: 2016, 2017, 2018, 2019)
• HEDGE FUNDS
• GOVERNMENT AGENCY SERVICE SUPPLIER
• 1x BANK
• 1x TELECOMMUNICATION GROUP
• 4x LARGE COMMERCIAL GROUPS;
• 2x BANKS; 3x MANAGEMENT FUNDS;
• 6x HOTELS; 3x TEXTILE; 1x SHOPPING;
• 1x HEALTHCARE;
REFERENCES AVAILABLE ON DEMAND
7. INCIDENT RESPONSE FRAMEWORK BENEFITS
REDUCED IMPACT COST
• REDUCED OPERATION DOWNTIME
• REDUCED INCIDENT IMPACT
• REDUCED/AVOIDED FINES
IMPROVED SECURITY
• IMPROVED RESPONSE TIME
• IMPROVED INCIDENT CONTAINMENT
• IMPROVED INCIDENT VISIBILITY
BUSINESS ENABLEMENT
• CONTRACT REQUIREMENT
• INDUSTRY REQUIREMENT
• LAW REQUIREMENT
8. DATA BREACH STATISTICS
DATA RECORDS ARE LOST OR STOLEN AT THE FOLLOWING FREQUENCY:
EVERY DAY: 6,313,865 RECORDS
EVERY HOUR: 263,078 RECORDS
EVERY MINUTE: 4,385 RECORDS
EVERY SECOND: 73 RECORDS
DATA RECORDS LOST OR STOLEN SINCE 2013: 14,717,618,286
Source: Breach Level Index - May 2019
9. INCIDENT COST
ELYSIUMSECURITY INVESTIGATIONS, MAURITIUS, JANUARY 2018 – JUNE 2019:
80% FINANCIAL FRAUD, 20% RANSOMWARE, 100% PHISHING
INCIDENT TIMELINE (DATE: COST, AS LISTED IN ORDER ON THE CHART): JAN 2018: $0.5M; MAY 2018: $1M; AUG 2018: $2M; APR 2019: $0.5M; MAY 2019: $1M; JUNE 2019: $0.5M
WORLDWIDE STATS FROM SAFEATLAST.CO – APRIL 2019:
AVERAGE COST PER DATA BREACH: $3.86M
AVERAGE COST PER MALWARE INFECTION: $2.4M
AVERAGE DETECTION TIME: 197 DAYS
FROM OUTSIDER CRIMINALS: 73%
DATA BREACHES FROM HEALTHCARE ORGANISATIONS: 24%
11. INCIDENT RESPONSE CONCEPT
INCIDENT RESPONSE STRUCTURE
INCIDENT RESPONSE HANDLING
COORDINATION & INFORMATION SHARING
TO MINIMISE OPERATIONAL, FINANCIAL & BUSINESS INCIDENT IMPACT
NIST SP 800-61
12. TEAMS AND MANDATES
CYBER SECURITY TEAM: SECURITY OPERATIONS AND PROJECTS
CYBER RISK TEAM: RISK IDENTIFICATION AND MANAGEMENT
CYBER INCIDENT (VIRTUAL) TEAM: INCIDENT MANAGEMENT AND RESPONSE
INTERNAL AUDIT TEAM, COMPLIANCE TEAM, SUBJECT EXPERT, VENDOR SUPPORT TEAM, IT SUPPORT TEAM
13. REGISTERS AND PURPOSES
CYBER ISSUE REGISTER: POTENTIAL AND CONFIRMED SECURITY ISSUES DETAILS
CYBER RISK REGISTER: POTENTIAL AND CONFIRMED RISK DETAILS
CYBER INCIDENT REGISTER: PAST AND CURRENT INCIDENTS DETAILS
IT OPERATION REGISTER: CURRENT GENERAL IT ISSUES DETAILS
14. REGISTERS AND REPORTING SYNERGY
GLOBAL ISSUE REGISTER: ONE VIEW, ONE PROCESS
CYBER SECURITY REGISTER: CYBER ISSUE REGISTER, CYBER RISK REGISTER, CYBER INCIDENT REGISTER
IT OPERATION REGISTER: IT ISSUE REGISTER, NETWORK ISSUE REGISTER, PROJECT ISSUE REGISTER
DIFFERENT TEAMS, DIFFERENT VIEWS, DIFFERENT ACCESS
16. INCIDENT PLAYBOOK OVERVIEW
INCIDENT PLAYBOOK SCENARIOS: CONTAIN INCIDENT, UNDERSTAND CAUSE OF INCIDENT, ANALYSE SIGNS OF INCIDENT
READY MADE SCENARIOS
PRACTICAL RESPONSE ACTIONS
AVAILABLE AND COMMUNICATED
19. PREPARATION - OVERVIEW
1. COMMUNICATION & FACILITIES: CONTACT DETAILS, PHYSICAL LOGISTICS, COORDINATION SYSTEM
2. HARDWARE & SOFTWARE: GENERAL IT SPARE EQUIPMENT, FORENSICS SPECIFIC EQUIPMENT, TRUSTED SOURCED SOFTWARE
3. RESOURCES: ARCHITECTURE DIAGRAMS, DOCUMENTATION, INCIDENT PLAYBOOK
20. DETECTION & ANALYSIS - OVERVIEW
4. ATTACK VECTORS IDENTIFICATION: SOURCE OF ATTACK, TYPE OF ATTACK, METHOD OF ATTACK
5. SIGN OF AN INCIDENT / 6. SOURCE OF PRECURSORS & INDICATORS: SECURITY ALERTS, SECURITY LOGS, PEOPLE FEEDBACK, NETWORK LOGS, SYSTEM LOGS, EXPLOIT ANNOUNCEMENT
7. INCIDENT ANALYSIS: BASELINES, LOG ANALYSIS, DATA RESULTS FILTERING
21. DETECTION & ANALYSIS - OVERVIEW
8. INCIDENT DOCUMENTATION: STATUS, WORK DONE, NEXT STEPS
9. INCIDENT PRIORITIZATION: FUNCTIONAL IMPACT, INFORMATION IMPACT, RECOVERABILITY
10. INCIDENT NOTIFICATION: UPPER MANAGEMENT, STAFF, EXTERNAL BODIES
22. CONTAINMENT, ERADICATION & RECOVERY - OVERVIEW
11. CONTAINMENT STRATEGY: INCIDENT IMPACT, EVIDENCE REQUIREMENTS, SOLUTION SUSTAINABILITY
12. EVIDENCE GATHERING & HANDLING: INCIDENT INFORMATION, TIME AND DATE, LOCATION
13. IDENTIFYING THE ATTACKING HOST: SOURCE IP, ATTACKER RESEARCH, COMMUNICATION MONITORING
14. ERADICATION & RECOVERY: REMOVING IMMEDIATE THREAT, REMEDIATING VULNERABILITIES, GROUP WIDE CHANGES
23. POST INCIDENT ACTIVITY - OVERVIEW
15. LESSONS LEARNT: INCIDENT DETAILS, TECHNOLOGY AND PROCESS GAPS, POSSIBLE IMPROVEMENTS
16. USING COLLECTED INCIDENT DATA: INCIDENT STATISTICS, INCIDENT SLA, INCIDENT ASSESSMENT
17. EVIDENCE RETENTION: PROSECUTION, DATA RETENTION, COST
25. ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW
CLIENTS REQUIREMENTS – ELYSIUMSECURITY IR FRAMEWORK
PRACTICAL IMPLEMENTATION OF NIST
GUIDED PROCESS
SHORTER PROCESS
USED NIST AND FIRST CORE ELEMENTS
17x STEPS -> 8x STEPS
5x ACTIVITIES PER STEP
27. {es} INCIDENT RESPONSE - RULES OF ENGAGEMENT
DO NOT MAKE THINGS WORSE!
1. DO NOT ENGAGE OR INTERACT WITH THE HACKER/THREAT GROUP
2. DO NOT CONNECT TO THE THREAT’S RELATED NETWORK(S) FROM YOUR ORGANISATION
3. PRESERVE EVIDENCE
4. COORDINATE INTERNAL AND EXTERNAL COMMUNICATION WITH MANAGEMENT
5. ALL INCIDENT DETAILS MUST BE TREATED AS CONFIDENTIAL
28. {es} INCIDENT RESPONSE - PREPARATION
STEP 1. PREPARATION – ACTIVITIES AND EXAMPLES
1. INCIDENT RESPONSE PLAN: TEAM, PROCEDURES, DOCUMENTATION, APPROVAL, MANAGEMENT COMMITMENT
2. INCIDENT RESPONSE PLAYBOOK: PHISHING, RANSOMWARE, KEYLOGGER, DDOS
3. LOGISTICS: MEETING ROOMS, LAPTOPS, REMOVABLE STORAGE, PHONES, STATIONERY, PRINTERS, SLEEPING AND CATERING ARRANGEMENTS
4. CONTACTS: TEAM, ALTERNATIVE CONTACT METHODS, ESCALATION, ON CALL, SUPPORT, VENDOR
5. SUPPORT: INCIDENT REGISTER, ARCHITECTURE DIAGRAM, NETWORK DIAGRAM, DATA FLOWS, APPLICATION AND SYSTEM DOCUMENTATION
29. {es} INCIDENT RESPONSE - DETECTION
STEP 2. DETECTION – ACTIVITIES AND EXAMPLES
1. WHO/WHAT DETECTED/REPORTED THE THREAT? IT STAFF, SECURITY TOOLS
2. WHAT IS THE DATE AND TIME OF THE THREAT DETECTION/REPORT? NORMALISE TIME AND DATE ACROSS REPORTING – RECORD TIME IN GMT
3. HOW WAS THE THREAT DETECTED/REPORTED? EMAIL, TEXT, WARNING POP UP, PHONE CALL
4. HAS A SIMILAR THREAT ALREADY BEEN REPORTED? PREVIOUS INCIDENT REGISTER LOGS
5. IS THE THREAT VALID? CONFIRMED, FALSE POSITIVE
30. {es} INCIDENT RESPONSE - CATEGORISATION
STEP 3. CATEGORISATION – ACTIVITIES AND EXAMPLES
1. WHO/WHAT IS THE TARGET OF THE THREAT? USER, SYSTEM, SPECIFIC DATA
2. IS THIS AN ONGOING/LIVE THREAT? ONGOING, STOPPED, UNKNOWN
3. WHAT IS THE IMPACT OF THE THREAT? FINANCIAL, OPERATIONAL, REPUTATIONAL, LEGAL
4. CATEGORISE THE PRIORITY OF THE INCIDENT: PRIORITY 1, 2, 3 (P1 > P2 > P3)
5. CLASSIFY THE INCIDENT COMMUNICATION: RESTRICTED / UNRESTRICTED
31. {es} INCIDENT RESPONSE - CONTAINMENT
STEP 4. CONTAINMENT – ACTIVITIES AND EXAMPLES
1. COORDINATE INCIDENT MANAGEMENT: TEAM, COMMS, ACTIVITIES, DOCUMENTATION
2. LIGHT AND QUICK THREAT ANALYSIS: NETWORK, SYSTEM, USER
3. IDENTIFY MAIN ATTACK AND COMPROMISE VECTORS: IP, PORTS, SIGNATURES, EMAIL
4. ISOLATE THE TARGETED ASSET: REMOVE FROM NETWORK, DISABLE ACCOUNT
5. IMPLEMENT EMERGENCY CHANGES AS REQUIRED: NETWORK, SYSTEM, USER
32. {es} INCIDENT RESPONSE - INVESTIGATION
STEP 5. INVESTIGATION – ACTIVITIES AND EXAMPLES
1. THREAT NETWORK ANALYSIS: FIREWALL, CLOUD APP LOGS, ASSET LOGS, INTERCEPTED TRAFFIC, TRAFFIC AND DATA FLOWS, SIEM
2. THREAT MALWARE ANALYSIS: A/V VENDORS, FOOTPRINT, BEHAVIOR, REVERSE ENGINEERING
3. THREAT SYSTEM ANALYSIS: EVENT LOGS, APP/PLUGINS INSTALLED, AD/EMAIL ACTIVITIES, AUTHENTICATED VULNERABILITY ASSESSMENT, SIEM
4. THREAT USER ANALYSIS: INTERVIEW TARGETED USER, CONTEXT, TRIGGERS, RECENT UNUSUAL ACTIVITIES/ALERTS
5. THREAT RESEARCH ANALYSIS: ONLINE SEARCH FOR SIMILAR THREATS, PROFESSIONAL FORUMS, VENDOR ENGAGEMENT
33. ELYSIUMSECURITY INCIDENT RESPONSE - REMEDIATION
STEP 6. REMEDIATION – ACTIVITIES AND EXAMPLES
1. THREAT NETWORK REMEDIATION: BLOCK IP, PORTS, DOMAINS, EMAILS. UPDATE F/W, IDS, APT AND SIEM RULES
2. THREAT MALWARE REMEDIATION: UPDATE SYSTEM AND NETWORK A/V SIGNATURES. ENGAGE WITH VENDORS
3. THREAT SYSTEM REMEDIATION: REMOVE/BAN INFECTED APPS/PLUGINS, CLEAR INBOX RULES, REMEDIATE ISSUES FOUND WITH THE VULNERABILITY ASSESSMENT
4. THREAT USER REMEDIATION: INDIVIDUAL AND GROUP USER AWARENESS SESSION RELEVANT TO THE THREAT
5. DECLARE THE INCIDENT REMEDIATED: FULL, PARTIAL, ACCEPTED
34. {es} INCIDENT RESPONSE - REPORTING
STEP 7. REPORTING – ACTIVITIES AND EXAMPLES
1. ONGOING REPORTING: DOCUMENTATION AND EVIDENCE SHOULD BE GENERATED AS MUCH AS POSSIBLE DURING THE PREVIOUS PHASES
2. EVIDENCE GATHERING: THREAT ACTORS, ATTACK VECTORS, ATTACK SURFACE
3. INCIDENT DOCUMENTATION: THREAT AND INCIDENT DETAILS, TRIGGERS, OWNER, FINDINGS, TIMELINE
4. INCIDENT REGISTER: CREATE/UPDATE AN OVERALL INCIDENT REGISTER TO TRACK PROGRESS AND GENERATE STATISTICS
5. INCIDENT REPORT COMMUNICATION: INTERNAL, EXTERNAL, STAFF, MANAGEMENT, BOARD, VENDORS, CLIENTS, GOVERNMENT, REGULATORS, LAW ENFORCEMENT
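The detection, categorisation and reporting activities above share one data structure: the incident register. The following Python example ties three of those activities together in working code: detection activity 2 (normalise every reported time to GMT), categorisation activity 4 (assign P1 > P2 > P3) and reporting activity 4 (one register that tracks progress and generates statistics, here including the incident SLA figure named under post-incident activity). It is an added illustration, not code from the presentation or from ELYSIUMSECURITY; the field names, the priority rule, the SLA targets and the three incidents are assumptions and constructed sample data.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from statistics import mean
from typing import Optional

# Hypothetical SLA targets (hours from detection to containment); the deck only says P1 > P2 > P3.
CONTAINMENT_SLA_HOURS = {"P1": 4, "P2": 24, "P3": 72}


def normalise_to_gmt(reported: str) -> datetime:
    """Detection activity 2: record time in GMT. Takes an ISO-8601 timestamp; a value
    without a UTC offset is rejected rather than silently treated as local time."""
    dt = datetime.fromisoformat(reported)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without UTC offset: {reported!r}")
    return dt.astimezone(timezone.utc)


def categorise_priority(impacts: set[str], status: str) -> str:
    """Categorisation activity 4, with a hypothetical rule: live + FINANCIAL/LEGAL impact
    is P1, live or FINANCIAL/LEGAL on its own is P2, everything else is P3."""
    high_impact = bool(impacts & {"FINANCIAL", "LEGAL"})
    live = status == "ONGOING"
    if live and high_impact:
        return "P1"
    if live or high_impact:
        return "P2"
    return "P3"


@dataclass
class Incident:
    ident: str
    target: str                        # USER, SYSTEM, SPECIFIC DATA
    detected_by: str                   # IT STAFF, SECURITY TOOLS, ...
    detected_at: datetime              # always UTC (see normalise_to_gmt)
    status: str                        # ONGOING, STOPPED, UNKNOWN
    impacts: set[str]                  # FINANCIAL, OPERATIONAL, REPUTATIONAL, LEGAL
    communication: str = "RESTRICTED"  # RESTRICTED / UNRESTRICTED
    contained_at: Optional[datetime] = None
    remediation: Optional[str] = None  # FULL, PARTIAL, ACCEPTED
    priority: str = field(init=False)  # derived, never set by hand

    def __post_init__(self) -> None:
        self.priority = categorise_priority(self.impacts, self.status)

    def within_sla(self) -> Optional[bool]:
        # None until contained; afterwards whether containment met the priority's target.
        if self.contained_at is None:
            return None
        return self.contained_at - self.detected_at <= timedelta(hours=CONTAINMENT_SLA_HOURS[self.priority])


class IncidentRegister:
    """Reporting activity 4: one register that tracks progress and generates statistics."""

    def __init__(self) -> None:
        self._incidents: dict[str, Incident] = {}

    def record(self, ident, target, detected_by, reported_at, status, impacts) -> Incident:
        inc = Incident(ident, target, detected_by, normalise_to_gmt(reported_at), status, set(impacts))
        self._incidents[ident] = inc
        return inc

    def contain(self, ident: str, reported_at: str) -> None:
        self._incidents[ident].contained_at = normalise_to_gmt(reported_at)

    def remediate(self, ident: str, outcome: str) -> None:
        self._incidents[ident].remediation = outcome

    def statistics(self) -> dict:
        incs = list(self._incidents.values())
        contained = [i for i in incs if i.contained_at is not None]
        hours = [(i.contained_at - i.detected_at).total_seconds() / 3600 for i in contained]
        return {
            "total": len(incs),
            "by_priority": dict(Counter(i.priority for i in incs)),
            "open": sum(1 for i in incs if i.remediation is None),
            "mean_hours_to_contain": round(mean(hours), 2) if hours else None,
            "sla_breaches": sum(1 for i in contained if i.within_sla() is False),
        }


def build_sample_register() -> IncidentRegister:
    """Constructed sample entries (not real incidents), reported from three different time zones."""
    reg = IncidentRegister()
    # Live phishing-led fraud attempt reported from Mauritius (UTC+4); contained in 2.5 h, inside the P1 target.
    reg.record("INC-001", "USER", "IT STAFF", "2019-05-06T10:30:00+04:00", "ONGOING", ["FINANCIAL", "REPUTATIONAL"])
    reg.contain("INC-001", "2019-05-06T13:00:00+04:00")
    # Ransomware on one workstation, already stopped, reported in UK summer time (UTC+1); 96 h breaches the P3 target.
    reg.record("INC-002", "SYSTEM", "SECURITY TOOLS", "2019-05-07T09:00:00+01:00", "STOPPED", ["OPERATIONAL"])
    reg.contain("INC-002", "2019-05-11T09:00:00+01:00")
    reg.remediate("INC-002", "FULL")
    # Suspicious access to a data set, status unknown, reported in GMT; still open.
    reg.record("INC-003", "SPECIFIC DATA", "SECURITY TOOLS", "2019-05-08T22:15:00+00:00", "UNKNOWN", ["LEGAL"])
    return reg


if __name__ == "__main__":
    print(build_sample_register().statistics())
```

Rejecting timestamps without an offset is the point of the GMT rule: a report written as "10:30" in Mauritius and one written as "10:30" in London are four hours apart, and a register that stores both as naive values cannot compute detection-to-containment times or SLA compliance. With the sample data the mean time to contain is 49.25 hours and one incident breaches its (hypothetical) target.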
35. {es} INCIDENT RESPONSE – LESSONS LEARNT
STEP 8. LESSONS LEARNT – ACTIVITIES AND EXAMPLES
1. ROOT CAUSE ANALYSIS: IDENTIFY AND DOCUMENT INCIDENT TRIGGERS AND SECURITY GAPS THAT ENABLED THE INCIDENT TO OCCUR
2. CONTROLS AND PROCESSES READINESS: EVALUATE THE EFFICIENCY OF CURRENT SECURITY CONTROLS AND PROCESSES IN LIGHT OF THE INCIDENT
3. INCIDENT TRENDS ANALYSIS: ARE YOU LEARNING FROM PAST INCIDENTS? IS YOUR RISK PROFILE CHANGING?
4. MITIGATION PLAN: MITIGATE IMPACT OF SIMILAR FUTURE INCIDENTS
5. IMPROVEMENTS PLAN: STOP OCCURRENCE OF SIMILAR FUTURE INCIDENTS
36. SHORT TERM – HOW TO START?
1. REVIEW EXISTING INCIDENT PROCESS
2. ESTABLISH INCIDENT TEAM
3. CONDUCT REGULAR INCIDENT TEAM MEETING
4. SET GROUND RULES
5. DEFINE WHAT IS AN INCIDENT
6. INFORM STAFF OF RULES AND INCIDENT CONTACT
7. CREATE INCIDENT REGISTER
8. DOCUMENT RECENT AND FUTURE INCIDENTS
9. FOLLOW NIST INCIDENT HANDLING METHODOLOGY
10. CREATE HIGH LEVEL PLAYBOOK TO COMPLEMENT CHECKLIST
37. LONG TERM – INCIDENT RESPONSE IMPLEMENTATION
1. SELECT INCIDENT RESPONSE FRAMEWORK (NIST SP 800-61 REV 2 RECOMMENDED)
2. IMPLEMENT FULL INCIDENT RESPONSE FRAMEWORK
3. DEDICATED INCIDENT RESPONSE TEAM AND TRAINING
4. INCIDENT RESPONSE SIMULATION
5. CONTINUOUS IMPROVEMENT
38. EXTRA RESOURCES
FORUM OF INCIDENT RESPONSE AND SECURITY TEAMS (FIRST) FRAMEWORK
(HTTPS://WWW.FIRST.ORG/EDUCATION/FIRST_SIRT_SERVICES_FRAMEWORK_VERSION1.0.PDF)
NATIONAL INSTITUTE OF STANDARDS & TECHNOLOGY (NIST) SPECIAL PROCEDURE (SP) 800-61
(HTTPS://NVLPUBS.NIST.GOV/NISTPUBS/SPECIALPUBLICATIONS/NIST.SP.800-61R2.PDF)
INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-1:2016
(HTTPS://WWW.ISO.ORG/STANDARD/60803.HTML)
INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-2:2016
(HTTPS://WWW.ISO.ORG/STANDARD/62071.HTML?BROWSE=TC)
CONTACT US! (CONSULTING@ELYSIUMSECURITY.COM)