2. 2
• IR framework
benefits;
• Data breach statistics;
• Incident readiness;
• Incident response
concept;
• Teams and mandates;
• IR policy & plan
overview;
• Incident playbook
overview;
• NIST IR lifecycle;
• NIST IR steps;
• Incident Response
Check list
• ELYSIUMSECURITY
Incident Response;
• Overview;
• Rules of Engagement;
• Preparation;
• Detection;
• Categorization;
• Containment;
• Investigation;
• Remediation;
• Reporting;
• Lessons Learnt;
CONTENTS
PUBLIC
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
• Short Term – How to
start?;
• Long Term – IR
Implementation;
• Extra Resources.
3. INCIDENT RESPONSE FRAMEWORK BENEFITS
3
• REDUCED OPERATION DOWNTIME
• REDUCED INCIDENT IMPACT
• REDUCED/AVOID FINES
REDUCED IMPACT COST
• IMPROVED RESPONSE TIME
• IMPROVED INCIDENT CONTAINMENT
• IMPROVED INCIDENT VISIBILITY
IMPROVED SECURITY
• CONTRACT REQUIREMENT
• INDUSTRY REQUIREMENT
• LAW REQUIREMENT
BUSINESS ENABLEMENT
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC
4. DATA BREACH STATISTICS
4
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
EVERY DAY
6,313,865
RECORDS
EVERY HOUR
263,078
RECORDS
EVERY MINUTE
4,385
RECORDS
EVERY SECONDS
73
RECORDS
DATA RECORDS ARE LOST OR STOLEN AT THE FOLLOWING FREQUENCY
DATA RECORDS LOST OR STOLEN SINCE 2013
4 7 1 7 6 1 8 2 8 6, ,,1
Source: Breach Level Index - May 2019PUBLIC
6. INCIDENT RESPONSE CONCEPT
6
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
INCIDENT RESPONSE STRUCTURE
INCIDENT RESPONSE HANDLINGCOORDINATION
&
INFORMATION
SHARING
TO MINIMISE OPERATIONAL, FINANCIAL & BUSINESS INCIDENT IMPACT
NIST
SP 800-61
PUBLIC
7. INTERNAL
AUDIT TEAM
COMPLIANCE
TEAM
SUBJECT EXPERT
VENDOR
SUPPORT TEAM
IT SUPPORT
TEAM
TEAMS AND MANDATES
7
CYBER SECURITY TEAM
SECURITY OPERATIONS
AND PROJECTS
CYBER RISK TEAM
RISK IDENTIFICATION
AND MANAGEMENT
CYBER INCIDENT
(VIRTUAL) TEAM
INCIDENT MANAGEMENT
AND RESPONSE
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC
9. INCIDENT PLAYBOOK SCENARIOS
INCIDENT PLAYBOOK OVERVIEW
9
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
CONTAIN INCIDENT
UNDERSTAND CAUSE
OF INCIDENT
ANALYSE SIGNS OF INCIDENT
READY MADE SCENARIOS
PRACTICAL RESPONSE ACTIONS
AVAILABLE AND COMMUNICATED
PUBLIC
13. ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW
13
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PRACTICAL IMPLEMENTATION OF NIST
GUIDED PROCESS
SHORTER PROCESS
USED NIST AND FIRST CORE ELEMENTS
17x STEPS -> 8x STEPS
CLIENTS REQUIREMENTS ELYSIUMSECURITY IR FRAMEWORK
5x ACTIVITIES PER STEPS
PUBLIC
15. {es} INCIDENT RESPONSE - RULES OF ENGAGEMENT
15
DO NOT
MAKE
THINGS
WORSE!
DO NOT ENGAGE OR INTERACT WITH THE
HACKER/THREAT GROUP
1
DO NOT CONNECT TO THE THREAT’S RELATED
NETWORK(S) FROM YOUR ORGANISATION
2
PRESERVE EVIDENCE3
COORDINATE INTERNAL AND EXTERNAL
COMMUNICATION WITH MANAGEMENT
4
ALL INCIDENT DETAILS MUST BE TREATED AS
CONFIDENTIAL
5
PUBLIC
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
16. {es} INCIDENT RESPONSE - PREPARATION
16
INCIDENT RESPONSE PLAN1
TEAM, PROCEDURES, DOCUMENTATION,
APPROVAL, MANAGEMENT COMMITMENT
INCIDENT RESPONSE PLAYBOOK2 PHISHING, RANSOMWARE, KEYLOGGER, DDOS
LOGISITICS3
MEETING ROOMS, LAPTOPS, REMOVABLE
STORAGE, PHONES, STATIONNARY, PRINTERS,
SLEEPING AND CATERING ARRANGEMENTS
CONTACTS4
TEAM, ALTERNATIVE CONTACT METHODS,
ESCALATION, ON CALL, SUPPORT, VENDOR,
SUPPORT5
INCIDENT REGISTER, ARCHITECTURE DIAGRAM,
NETWORK DIAGRAM, DATA FLOWS, APPLICATION
AND SYSTEM DOCUMENTATION
ACTIVITIES EXAMPLE
1. PREPARATION
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC
17. {es} INCIDENT RESPONSE - DETECTION
17
WHO/WHAT DETECTED/REPORTED THE THREAT?1 IT STAFF, SECURITY TOOLS
WHAT IS THE DATE AND TIME OF THE THREAT
DETECTION/REPORT?2
NORMALISE TIME AND DATE ACROSS
REPORTING – RECORD TIME IN GMT
HOW WAS THE THREAT DETECTED/REPORTED?3 EMAIL, TEXT, WARNING POP UP, PHONE CALL
HAS A SIMILAR THREAT ALREADY BEEN
REPORTED?4 PREVIOUS INCIDENT REGISTER LOGS
IS THE THREAT VALID?5 CONFIRMED, FALSE POSITIVE
ACTIVITIES EXAMPLE
2. DETECTION
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC
18. {es} INCIDENT RESPONSE - CATEGORISATION
18
WHO/WHAT IS THE TARGET OF THE THREAT?1 USER, SYSTEM, SPECIFIC DATA
IS THIS AN ON GOING/LIVE THREAT?2 ON GOING, STOPPED, UNKNOWN
WHAT IS THE IMPACT OF THE THREAT?3
FINANCIAL, OPERATIONAL, REPUTATIONAL,
LEGAL
CATEGORISE THE PRIORITY OF THE INCIDENT4 PRIORITY 1, 2 ,3 (P1 > P2 > P3)
CLASSIFY THE INCIDENT COMMUNICATION5 RESTRICTED / UNRESTRICTED
ACTIVITIES EXAMPLE
3. CATEGORISATION
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC
19. {es} INCIDENT RESPONSE - CONTAINMENT
19
COORDINATE INCIDENT MANAGEMENT1 TEAM, COMMS, ACTIVITIES, DOCUMENTATION
LIGHT AND QUICK THREAT ANALYSIS2 NETWORK, SYSTEM, USER
IDENTIFY MAIN ATTACK AND COMPROMISE
VECTORS3 IP, PORTS, SIGNATURES, EMAIL
ISOLATE THE TARGETED ASSET4 REMOVE FROM NETWORK, DISABLE ACCOUNT
IMPLEMENT EMERGENCY CHANGES AS
REQUIRED5 NETWORK, SYSTEM, USER
ACTIVITIES EXAMPLE
4. CONTAINMENT
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC
20. {es} INCIDENT RESPONSE - INVESTIGATION
20
THREAT NETWORK ANALYSIS1
FIREWALL, CLOUD APP LOGS, ASSET LOGS,
INTERCEPTED TRAFFIC, TRAFFIC AND DATA
FLOWS, SIEM
THREAT MALWARE ANALYSIS2
A/V VENDORS, FOOTPRINT, BEHAVIOR, REVERSE
ENGINEERING
THREAT SYSTEM ANALYSIS3
EVENT LOGS, APP/PLUGINS INSTALLED,
AD/EMAIL ACTIVITIES, AUTHENTICATED
VULNERABILITY ASSESSSMENT, SIEM
THREAT USER ANALYSIS4
INTERVIEW TARGETED USER, CONTEXT,
TRIGGERS, RECENT UNUSUAL ACTIVITIES/ALERTS
THREAT RESEARCH ANALYSIS5
ONLINE SEARCH FOR SIMILAR THREATS,
PROFESSIONAL FORUMS, VENDOR
ENGAGEMENT
ACTIVITIES EXAMPLE
5. INVESTIGATION
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC
21. ELYSIUMSECURITY INCIDENT RESPONSE - REMEDIATION
21
THREAT NETWORK REMEDIATION1
BLOCK IP, PORTS, DOMAINS, EMAILS.
UPDATE F/W, IDS, APT AND SIEM RULES
THREAT MALWARE REMEDIATION2
UPDATE SYSTEM AND NETWORK A/V
SIGNATURES. ENGAGE WITH VENDORS
THREAT SYSTEM REMEDIATION3
REMOVE/BAN INFECTED APPS/PLUGINS, CLEAR
INBOX RULES, REMEDIATE ISSUES FOUND WITH
THE VULNERABIULTIY ASSESSMENT
THREAT USER REMEDIATION4
INDIVIDUAL AND GROUP USER AWARENESS
SESSION RELEVANT TO THE THREAT
DECLARE THE INCIDENT REMEDIATED5 FULL, PARTIAL, ACCEPTED
ACTIVITIES EXAMPLE
6. REMEDIATION
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC
22. {es} INCIDENT RESPONSE - REPORTING
22
ON GOING REPORTING1
DOCUMENTATION AND EVIDENCE SHOULD BE
GENERATED AS MUCH AS POSSIBLE DURING THE
PREVIOUS PHASES
EVIDENCE GATHERING2
THREAT ACTORS, ATTACK VECTORS, ATTACK
SURFACE
INCIDENT DOCUMENTATION3
THREAT AND INCIDENT DETAILS, TRIGGERS,
OWNER, FINDINGS, TIMELINE
INCIDENT REGISTER4
CREATE/UPDATE AN OVERALL INCIDENT
REGISTER TO TRACK PROGRESS AND GENERATES
STATISTICS
INCIDENT REPORT COMMUNICATION5
INTERNAL, EXTERNAL, STAFF, MANAGEMENT,
BOARD, VENDORS, CLIENTS, GOVERNMENT,
REGULATORS, LAW ENFORCEMENT
ACTIVITIES EXAMPLE
7. REPORTING
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC
23. {es} INCIDENT RESPONSE – LESSONS LEARNT
23
ROOT CAUSE ANALYSIS1
IDENTIFY AND DOCUMENT INCIDENT TRIGGERS
AND SECURITY GAPS THAT ENABLED THE
INCIDENT TO OCCUR
CONTROLS AND PROCESSES READINESS2
EVALUATE THE EFFICIENCY OF CURRENT
SECURITY CONTROLS AND PROCESSES IN LIGHT
OF THE INCIDENT
INCIDENT TRENDS ANALYSIS3
ARE YOU LEARNING FROM PAST INCIDENTS? IS
YOUR RISK PROFILE CHANGING?
MITIGATION PLAN4
MITIGATE IMPACT OF SIMILAR FUTURE
INCIDENTS
IMPROVEMENTS PLAN5
STOP OCCURRENCE OF SIMILAR FUTURE
INCIDENTS
ACTIVITIES EXAMPLE
8. LESSONS LEARNT
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
PUBLIC
24. SHORT TERM – HOW TO START?
24
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
REVIEW EXISTING INCIDENT PROCESS1
ESTABLISH INCIDENT TEAM2
CONDUCT REGULAR INCIDENT TEAM
MEETING
3
SET GROUND RULES4
DEFINE WHAT IS AN INCIDENT5
INFORM STAFF OF RULES AND
INCIDENT CONTACT
6
CREATE INCIDENT REGISTER7
DOCUMENT RECENT AND FUTURE
INCIDENTS
8
FOLLOW NIST INCIDENT HANDLING
METHODOLOGY
9
CREATE HIGH LEVEL PLAYBOOK TO
COMPLEMENT CHECKLIST
10
PUBLIC
25. LONG TERM – INCIDENT RESPONSE IMPLEMENTATION
25
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
SELECT INCIDENT RESPONSE FRAMEWORK
(NIST SP 800-61 REV 2 RECOMMENDED)
1
IMPLEMENT FULL INCIDENT RESPONSE
FRAMEWORK
2
DEDICATED INCIDENT RESPONSE TEAM AND
TRAINING
3
INCIDENT RESPONSE SIMULATION4
CONTINUOUS IMPROVEMENT5
PUBLIC
26. EXTRA RESOURCES
26
CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
FORUM OF INCIDENT RESPONSE AND SECURITY TEAMS (FIRST) FRAMEWORK
(HTTPS://WWW.FIRST.ORG/EDUCATION/FIRST_SIRT_SERVICES_FRAMEWORK_VERSION1.0.PDF)
NATIONAL INSTITUTE OF STANDARDS & TECHNOLOGY (NIST) SPECIAL PROCEDURE (SP) 800-61
(HTTPS://NVLPUBS.NIST.GOV/NISTPUBS/SPECIALPUBLICATIONS/NIST.SP.800-61R2.PDF)
INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-1:2016
(HTTPS://WWW.ISO.ORG/STANDARD/60803.HTML)
INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-2:2016
(HTTPS://WWW.ISO.ORG/STANDARD/62071.HTML?BROWSE=TC)
CONTACT US!
(CONSULTING@ELYSIUMSECURITY.COM)
PUBLIC