SlideShare a Scribd company logo

INCIDENT RESPONSE CONCEPTS

S
Sylvain Martinez

This presentation looks at the core component of an Incident Response plan (NIST 800-61) as well as custom practical implementation framework developed by ELYSIUMSECURITY based on NIST and FIRST.

Related slideshows

Security operations center 5 security controls
Security operations center 5 security controls Security operations center 5 security controls
Security operations center 5 security controls
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
Threat Hunting
Threat HuntingThreat Hunting
Threat Hunting
 
1 of 39
Download to read offline
CYBER SECURITY INCIDENT RESPONSE CONCEPT VERSION: 1.3 DATE: 25/06/2019 AUTHOR: SYLVAIN MARTINEZ REFERENCE: ES-CSIR CLASSIFICATION: PUBLIC
2 • Presentation goal; • Who am I; • Who we are; • Our customers; • IR framework benefits; • Data breach statistics; • Incident cost; • Incident readiness; • Incident response concept; • Teams and mandates; • Registers and purposes; • Registers and reporting synergy; • IR policy & plan overview; • Incident playbook overview; • NIST IR lifecycle; • NIST IR steps; • Preparation • Detection & Analysis; • Containment, Eradication & Recovery; • Post-incident activity; • Incident Response Check list • ELYSIUMSECURITY Incident Response; • Overview; • Rules of Engagement; • Preparation; • Detection; • Categorization; • Containment; • Investigation; • Remediation; • Reporting; • Lessons Learnt; CONTENTS PUBLIC CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT • Short Term – How to start?; • Long Term – IR Implementation; • Extra Resources.
PRESENTATION GOAL 3 LEARN HOW TO START 3 LEARN HOW TO APPLY AN IR FRAMEWORK 2 LEARN ABOUT IR CORE ELEMENTS 1 TO LEARN ABOUT CYBER INCIDENT RESPONSE (IR) MAIN CONCEPTS CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT Icons: from The Noun Project unless stated otherwisePUBLIC
WHO AM I 4 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC LIVED AND WORKED IN FRANCE, UK, USA AND MAURITIUS CONTRIBUTING AND LEADING VARIOUS OPEN SOURCE CYBER SECURITY PROJECTS FOR THE LAST 20 YEARS VETTED, TRAINED AND OVER 20 YEARS OF CYBER SECURITY EXPERIENCE WORKING FROM LARGE INTERNATIONAL CORPORATIONS PASSIONATE ABOUT IT FROM VERY EARLY YEARS FOUNDER AND RUNNING THE MAURITIUS SECURITY CLUB (MU.SCL) WITH FREE SECURITY AWARENESS PRESENTATIONS EVERY MONTH
WHO WE ARE 5 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC FOUNDED IN 2015 BY SYLVAIN MARTINEZ INCORPORATED AND OPERATING IN MAURITIUS (2017) AND IN THE UK/EUROPE (2015) PROVIDING INDEPENDENT EXPERTISE IN CYBER SECURITY MULTITUDE OF RECOGNIZED PROFESSIONAL CERTIFICATIONS 20 YEARS OF INTERNATIONAL CYBER SECURITY CORPORATE EXPERIENCE OUR BOUTIQUE STYLE APPROACH PROVIDES A DISCREET, TAILORED AND SPECIALIZED CYBER SECURITY SERVICE THAT FITS YOUR WORKING ENVIRONMENT
CUSTOMERS 6 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC • HEDGE FUNDS • GOVERNMENT AGENCY SERVICE SUPPLIER 2016 2019 • 1x BANK • 1x TELECOMMUNICATION GROUP • 4x LARGE COMMERCIAL GROUPS; • 2x BANKS; 3x MANAGEMENT FUNDS; • 6x HOTELS; 3x TEXTILE; 1x SHOPPING; • 1x HEALTHCARE; REFERENCES AVAILABLE ON DEMAND 2018 2017 2019
INCIDENT RESPONSE FRAMEWORK BENEFITS 7 • REDUCED OPERATION DOWNTIME • REDUCED INCIDENT IMPACT • REDUCED/AVOID FINES REDUCED IMPACT COST • IMPROVED RESPONSE TIME • IMPROVED INCIDENT CONTAINMENT • IMPROVED INCIDENT VISIBILITY IMPROVED SECURITY • CONTRACT REQUIREMENT • INDUSTRY REQUIREMENT • LAW REQUIREMENT BUSINESS ENABLEMENT CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
DATA BREACH STATISTICS 8 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT EVERY DAY 6,313,865 RECORDS EVERY HOUR 263,078 RECORDS EVERY MINUTE 4,385 RECORDS EVERY SECONDS 73 RECORDS DATA RECORDS ARE LOST OR STOLEN AT THE FOLLOWING FREQUENCY DATA RECORDS LOST OR STOLEN SINCE 2013 4 7 1 7 6 1 8 2 8 6, ,,1 Source: Breach Level Index - May 2019PUBLIC
INCIDENT COST 9 ELYSIUMSECURITY INVESTIGATIONS MAURITIUS JANUARY 2018 – JUNE 2019 80% FINANCIAL FRAUD 20% RANSOMWARE 100% PHISHING JAN 2018 MAY 2018 AUG 2018 APR 2019 MAY 2019 JUNE 2019 $0.5M $1M $2M $0.5M $1M $0.5M AVERAGE COST PER DATA BREACH AVERAGE COST PER MALWARE INFECTION AVERAGE DETECTION TIME FROM OUTSIDERS CRIMINALS DATA BREACHES FROM HEALTHCARE ORGANISATIONS $3.86M $2.4M 197 DAYS 73% 24% WORLDWIDE WORLDWIDE STATS FROM SAFEATLAST.CO – APRIL 2019 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
INCIDENT READINESS 10 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT INCIDENT READINESS PUBLIC
INCIDENT RESPONSE CONCEPT 11 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT INCIDENT RESPONSE STRUCTURE INCIDENT RESPONSE HANDLINGCOORDINATION & INFORMATION SHARING TO MINIMISE OPERATIONAL, FINANCIAL & BUSINESS INCIDENT IMPACT NIST SP 800-61 PUBLIC
INTERNAL AUDIT TEAM COMPLIANCE TEAM SUBJECT EXPERT VENDOR SUPPORT TEAM IT SUPPORT TEAM TEAMS AND MANDATES 12 CYBER SECURITY TEAM SECURITY OPERATIONS AND PROJECTS CYBER RISK TEAM RISK IDENTIFICATION AND MANAGEMENT CYBER INCIDENT (VIRTUAL) TEAM INCIDENT MANAGEMENT AND RESPONSE CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
REGISTERS AND PURPOSES 13 CYBER ISSUE REGISTER POTENTIAL AND CONFIRMED SECURITY ISSUES DETAILS CYBER RISK REGISTER POTENTIAL AND CONFIRMED RISK DETAILS CYBER INCIDENT REGISTER PAST AND CURRENT INCIDENTS DETAILS CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT IT OPERATION REGISTER CURRENT GENERAL IT ISSUES DETAILS PUBLIC
GLOBAL ISSUE REGISTER REGISTERS AND REPORTING SYNERGY 14 CYBER SECURITY REGISTER CYBER ISSUE REGISTER CYBER RISK REGISTER CYBER INCIDENT REGISTER IT OPERATION REGISTER IT ISSUE REGISTER NETWORK ISSUE REGISTER PROJECT ISSUE REGISTER ONE VIEW ONE PROCESS DIFFERENT ACCESS DIFFERENT TEAMS DIFFERENT VIEWS DIFFERENT ACCESS DIFFERENT TEAMS DIFFERENT VIEWS DIFFERENT ACCESS CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
INCIDENT RESPONSE POLICY & PLAN - OVERVIEW 15 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC INCIDENT RESPONSE POLICY INCIDENT SCOPE INCIDENT DEFINITION & PRIORITIZATION INCIDENT REPORTING INCIDENT RESPONSE PLAN INCIDENT HANDLING INCIDENT COORDINATION CONTINUOUS IMPROVEMENT
INCIDENT PLAYBOOK SCENARIOS INCIDENT PLAYBOOK OVERVIEW 16 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT CONTAIN INCIDENT UNDERSTAND CAUSE OF INCIDENT ANALYSE SIGNS OF INCIDENT READY MADE SCENARIOS PRACTICAL RESPONSE ACTIONS AVAILABLE AND COMMUNICATED PUBLIC
NIST INCIDENCE RESPONSE LIFECYCLE 17 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC PREPARATION DETECTION & ANALYSIS CONTAINMENT, ERADICATION & RECOVERY POST-INCIDENT ACTIVITY NIST SP 800-61 REV 2
NIST INCIDENCE RESPONSE - STEPS 18 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC PREPARATION DETECTION & ANALYSIS CONTAINMENT, ERADICATION & RECOVERY POST-INCIDENT ACTIVITY 1. COMMUNICATION & FACILITIES 2. HARDWARE & SOFTWARE 3. RESOURCES 4. ATTACK VECTORS IDENTIFICATION 11 CONTAINMENT STRATEGY 15. LESSONS LEARNT 5. SIGN OF AN INCIDENT 6. SOURCE OF PRECURSORS 7. INCIDENT ANALYSIS 8. INCIDENT DOCUMENTATION 9. INCIDENT PRIORITIZATION 10. INCIDENT NOTIFICATION 12. EVIDENCE GATHERING & HANDLING 13. IDENTIFYING THE ATTACKING HOST 14. ERADICATION & RECOVERY 16. USING COLLECTED INCIDENT DATA 17. EVIDENCE RETENTION
PREPARATION - OVERVIEW 19 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT 1. COMMUNICATION & FACILITIES CONTACT DETAILS PHYSICAL LOGISTICS COORDINATION SYSTEM 2. HARDWARE & SOFTWARE 3. RESOURCES GENERAL IT SPARE EQUIPMENT FORENSICS SPECIFIC EQUIPMENT TRUSTED SOURCED SOFTWARE ARCHITECTURE DIAGRAMS DOCUMENTATION INCIDENT PLAYBOOK PUBLIC
DETECTION & ANALYSIS - OVERVIEW 20 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC 4. ATTACK VECTORS IDENTIFICATION 5. SIGN OF AN INCIDENT 6. SOURCE OF PRECURSORS & INDICATORS 7. INCIDENT ANALYSIS SECURITY ALERTS SECURITY LOGS PEOPLE FEEDBACK NETWORK LOGS SYSTEM LOGS EXPLOIT ANNOUNCEMENT BASELINES LOG ANALYSIS DATA RESULTS FILTERING SOURCE OF ATTACK TYPE OF ATTACK METHOD OF ATTACK
DETECTION & ANALYSIS - OVERVIEW 21 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC 8. INCIDENT DOCUMENTATION 9. INCIDENT PRIORIZATION 10. INCIDENT NOTIFICATION UPPER MANAGEMENT STAFF EXTERNAL BODIES FUNCTIONAL IMPACT INFORMATION IMPACT RECOVERABILITY STATUS WORK DONE NEXT STEPS
CONTAINMENT, ERADICATION & RECOVERY - OVERVIEW 22 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC 11. CONTAINMENT STRATEGY 12. EVIDENCE GATHERING & HANDLING 13. IDENTIFYING THE ATTACKING HOST 14. ERADICATION & RECOVERY SOURCE IP ATTACKER RESEARCH COMMUNICATION MONITORING INCIDENT INFORMATION TIME AND DATE LOCATION REMOVING IMMEDIATE THREAT REMEDIATING VULNERABILITIES GROUP WIDE CHANGES INCIDENT IMPACT EVIDENCE REQUIREMENTS SOLUTION SUSTAINABILITY
POST INCIDENT ACTIVITY - OVERVIEW 23 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC 15. LESSONS LEARNT 16. USING COLLECTED INCIDENT DATA 17. EVIDENCE RETENTION PROSECUTION DATA RETENTION COST INCIDENT STATISTICS INCIDENT SLA INCIDENT ASSESSMENT INCIDENT DETAILS TECHNOLOGY AND PROCESS GAPS POSSIBLE IMPROMENTS
INCIDENCE RESPONSE CHECKLIST 24 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW 25 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PRACTICAL IMPLEMENTATION OF NIST GUIDED PROCESS SHORTER PROCESS USED NIST AND FIRST CORE ELEMENTS 17x STEPS -> 8x STEPS CLIENTS REQUIREMENTS ELYSIUMSECURITY IR FRAMEWORK 5x ACTIVITIES PER STEPS PUBLIC
ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW 26 {elysiumsecurity} INCIDENT RESPONSE FRAMEWORK 1. PREPARATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
{es} INCIDENT RESPONSE - RULES OF ENGAGEMENT 27 DO NOT MAKE THINGS WORSE! DO NOT ENGAGE OR INTERACT WITH THE HACKER/THREAT GROUP 1 DO NOT CONNECT TO THE THREAT’S RELATED NETWORK(S) FROM YOUR ORGANISATION 2 PRESERVE EVIDENCE3 COORDINATE INTERNAL AND EXTERNAL COMMUNICATION WITH MANAGEMENT 4 ALL INCIDENT DETAILS MUST BE TREATED AS CONFIDENTIAL 5 PUBLIC CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
{es} INCIDENT RESPONSE - PREPARATION 28 INCIDENT RESPONSE PLAN1 TEAM, PROCEDURES, DOCUMENTATION, APPROVAL, MANAGEMENT COMMITMENT INCIDENT RESPONSE PLAYBOOK2 PHISHING, RANSOMWARE, KEYLOGGER, DDOS LOGISITICS3 MEETING ROOMS, LAPTOPS, REMOVABLE STORAGE, PHONES, STATIONNARY, PRINTERS, SLEEPING AND CATERING ARRANGEMENTS CONTACTS4 TEAM, ALTERNATIVE CONTACT METHODS, ESCALATION, ON CALL, SUPPORT, VENDOR, SUPPORT5 INCIDENT REGISTER, ARCHITECTURE DIAGRAM, NETWORK DIAGRAM, DATA FLOWS, APPLICATION AND SYSTEM DOCUMENTATION ACTIVITIES EXAMPLE 1. PREPARATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
{es} INCIDENT RESPONSE - DETECTION 29 WHO/WHAT DETECTED/REPORTED THE THREAT?1 IT STAFF, SECURITY TOOLS WHAT IS THE DATE AND TIME OF THE THREAT DETECTION/REPORT?2 NORMALISE TIME AND DATE ACROSS REPORTING – RECORD TIME IN GMT HOW WAS THE THREAT DETECTED/REPORTED?3 EMAIL, TEXT, WARNING POP UP, PHONE CALL HAS A SIMILAR THREAT ALREADY BEEN REPORTED?4 PREVIOUS INCIDENT REGISTER LOGS IS THE THREAT VALID?5 CONFIRMED, FALSE POSITIVE ACTIVITIES EXAMPLE 2. DETECTION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
{es} INCIDENT RESPONSE - CATEGORISATION 30 WHO/WHAT IS THE TARGET OF THE THREAT?1 USER, SYSTEM, SPECIFIC DATA IS THIS AN ON GOING/LIVE THREAT?2 ON GOING, STOPPED, UNKNOWN WHAT IS THE IMPACT OF THE THREAT?3 FINANCIAL, OPERATIONAL, REPUTATIONAL, LEGAL CATEGORISE THE PRIORITY OF THE INCIDENT4 PRIORITY 1, 2 ,3 (P1 > P2 > P3) CLASSIFY THE INCIDENT COMMUNICATION5 RESTRICTED / UNRESTRICTED ACTIVITIES EXAMPLE 3. CATEGORISATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
{es} INCIDENT RESPONSE - CONTAINMENT 31 COORDINATE INCIDENT MANAGEMENT1 TEAM, COMMS, ACTIVITIES, DOCUMENTATION LIGHT AND QUICK THREAT ANALYSIS2 NETWORK, SYSTEM, USER IDENTIFY MAIN ATTACK AND COMPROMISE VECTORS3 IP, PORTS, SIGNATURES, EMAIL ISOLATE THE TARGETED ASSET4 REMOVE FROM NETWORK, DISABLE ACCOUNT IMPLEMENT EMERGENCY CHANGES AS REQUIRED5 NETWORK, SYSTEM, USER ACTIVITIES EXAMPLE 4. CONTAINMENT CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
{es} INCIDENT RESPONSE - INVESTIGATION 32 THREAT NETWORK ANALYSIS1 FIREWALL, CLOUD APP LOGS, ASSET LOGS, INTERCEPTED TRAFFIC, TRAFFIC AND DATA FLOWS, SIEM THREAT MALWARE ANALYSIS2 A/V VENDORS, FOOTPRINT, BEHAVIOR, REVERSE ENGINEERING THREAT SYSTEM ANALYSIS3 EVENT LOGS, APP/PLUGINS INSTALLED, AD/EMAIL ACTIVITIES, AUTHENTICATED VULNERABILITY ASSESSSMENT, SIEM THREAT USER ANALYSIS4 INTERVIEW TARGETED USER, CONTEXT, TRIGGERS, RECENT UNUSUAL ACTIVITIES/ALERTS THREAT RESEARCH ANALYSIS5 ONLINE SEARCH FOR SIMILAR THREATS, PROFESSIONAL FORUMS, VENDOR ENGAGEMENT ACTIVITIES EXAMPLE 5. INVESTIGATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
ELYSIUMSECURITY INCIDENT RESPONSE - REMEDIATION 33 THREAT NETWORK REMEDIATION1 BLOCK IP, PORTS, DOMAINS, EMAILS. UPDATE F/W, IDS, APT AND SIEM RULES THREAT MALWARE REMEDIATION2 UPDATE SYSTEM AND NETWORK A/V SIGNATURES. ENGAGE WITH VENDORS THREAT SYSTEM REMEDIATION3 REMOVE/BAN INFECTED APPS/PLUGINS, CLEAR INBOX RULES, REMEDIATE ISSUES FOUND WITH THE VULNERABIULTIY ASSESSMENT THREAT USER REMEDIATION4 INDIVIDUAL AND GROUP USER AWARENESS SESSION RELEVANT TO THE THREAT DECLARE THE INCIDENT REMEDIATED5 FULL, PARTIAL, ACCEPTED ACTIVITIES EXAMPLE 6. REMEDIATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
{es} INCIDENT RESPONSE - REPORTING 34 ON GOING REPORTING1 DOCUMENTATION AND EVIDENCE SHOULD BE GENERATED AS MUCH AS POSSIBLE DURING THE PREVIOUS PHASES EVIDENCE GATHERING2 THREAT ACTORS, ATTACK VECTORS, ATTACK SURFACE INCIDENT DOCUMENTATION3 THREAT AND INCIDENT DETAILS, TRIGGERS, OWNER, FINDINGS, TIMELINE INCIDENT REGISTER4 CREATE/UPDATE AN OVERALL INCIDENT REGISTER TO TRACK PROGRESS AND GENERATES STATISTICS INCIDENT REPORT COMMUNICATION5 INTERNAL, EXTERNAL, STAFF, MANAGEMENT, BOARD, VENDORS, CLIENTS, GOVERNMENT, REGULATORS, LAW ENFORCEMENT ACTIVITIES EXAMPLE 7. REPORTING CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
{es} INCIDENT RESPONSE – LESSONS LEARNT 35 ROOT CAUSE ANALYSIS1 IDENTIFY AND DOCUMENT INCIDENT TRIGGERS AND SECURITY GAPS THAT ENABLED THE INCIDENT TO OCCUR CONTROLS AND PROCESSES READINESS2 EVALUATE THE EFFICIENCY OF CURRENT SECURITY CONTROLS AND PROCESSES IN LIGHT OF THE INCIDENT INCIDENT TRENDS ANALYSIS3 ARE YOU LEARNING FROM PAST INCIDENTS? IS YOUR RISK PROFILE CHANGING? MITIGATION PLAN4 MITIGATE IMPACT OF SIMILAR FUTURE INCIDENTS IMPROVEMENTS PLAN5 STOP OCCURRENCE OF SIMILAR FUTURE INCIDENTS ACTIVITIES EXAMPLE 8. LESSONS LEARNT CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
SHORT TERM – HOW TO START? 36 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT REVIEW EXISTING INCIDENT PROCESS1 ESTABLISH INCIDENT TEAM2 CONDUCT REGULAR INCIDENT TEAM MEETING 3 SET GROUND RULES4 DEFINE WHAT IS AN INCIDENT5 INFORM STAFF OF RULES AND INCIDENT CONTACT 6 CREATE INCIDENT REGISTER7 DOCUMENT RECENT AND FUTURE INCIDENTS 8 FOLLOW NIST INCIDENT HANDLING METHODOLOGY 9 CREATE HIGH LEVEL PLAYBOOK TO COMPLEMENT CHECKLIST 10 PUBLIC
LONG TERM – INCIDENT RESPONSE IMPLEMENTATION 37 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT SELECT INCIDENT RESPONSE FRAMEWORK (NIST SP 800-61 REV 2 RECOMMENDED) 1 IMPLEMENT FULL INCIDENT RESPONSE FRAMEWORK 2 DEDICATED INCIDENT RESPONSE TEAM AND TRAINING 3 INCIDENT RESPONSE SIMULATION4 CONTINUOUS IMPROVEMENT5 PUBLIC
EXTRA RESOURCES 38 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT FORUM OF INCIDENT RESPONSE AND SECURITY TEAMS (FIRST) FRAMEWORK (HTTPS://WWW.FIRST.ORG/EDUCATION/FIRST_SIRT_SERVICES_FRAMEWORK_VERSION1.0.PDF) NATIONAL INSTITUTE OF STANDARDS & TECHNOLOGY (NIST) SPECIAL PROCEDURE (SP) 800-61 (HTTPS://NVLPUBS.NIST.GOV/NISTPUBS/SPECIALPUBLICATIONS/NIST.SP.800-61R2.PDF) INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-1:2016 (HTTPS://WWW.ISO.ORG/STANDARD/60803.HTML) INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-2:2016 (HTTPS://WWW.ISO.ORG/STANDARD/62071.HTML?BROWSE=TC) CONTACT US! (CONSULTING@ELYSIUMSECURITY.COM) PUBLIC
© 2015-2019 ELYSIUMSECURITY LTD ALL RIGHTS RESERVED HTTPS://WWW.ELYSIUMSECURITY.COM CONSULTING@ELYSIUMSECURITY.COM ABOUT ELYSIUMSECURITY LTD. ELYSIUMSECURITY PROVIDES PRACTICAL EXPERTISE TO IDENTIFY VULNERABILITIES, ASSESS THEIR RISKS AND IMPACT, REMEDIATE THOSE RISKS, PREPARE AND RESPOND TO INCIDENTS AS WELL AS RAISE SECURITY AWARENESS THROUGH AN ORGANIZATION. ELYSIUMSECURITY PROVIDES HIGH LEVEL EXPERTISE GATHERED THROUGH YEARS OF BEST PRACTICES EXPERIENCE IN LARGE INTERNATIONAL COMPANIES ALLOWING US TO PROVIDE ADVICE BEST SUITED TO YOUR BUSINESS OPERATIONAL MODEL AND PRIORITIES. ELYSIUMSECURITY PROVIDES A PORTFOLIO OF STRATEGIC AND TACTICAL SERVICES TO HELP COMPANIES PROTECT AND RESPOND AGAINST CYBER SECURITY THREATS. WE DIFFERENTIATE OURSELVES BY OFFERING DISCREET, TAILORED AND SPECIALIZED ENGAGEMENTS. ELYSIUMSECURITY OPERATES IN MAURITIUS AND IN EUROPE, A BOUTIQUE STYLE APPROACH MEANS WE CAN EASILY ADAPT TO YOUR BUSINESS OPERATIONAL MODEL AND REQUIREMENTS TO PROVIDE A PERSONALIZED SERVICE THAT FITS YOUR WORKING ENVIRONMENT.

More Related Content

INCIDENT RESPONSE CONCEPTS

  • 1. CYBER SECURITY INCIDENT RESPONSE CONCEPT VERSION: 1.3 DATE: 25/06/2019 AUTHOR: SYLVAIN MARTINEZ REFERENCE: ES-CSIR CLASSIFICATION: PUBLIC
  • 2. 2 • Presentation goal; • Who am I; • Who we are; • Our customers; • IR framework benefits; • Data breach statistics; • Incident cost; • Incident readiness; • Incident response concept; • Teams and mandates; • Registers and purposes; • Registers and reporting synergy; • IR policy & plan overview; • Incident playbook overview; • NIST IR lifecycle; • NIST IR steps; • Preparation • Detection & Analysis; • Containment, Eradication & Recovery; • Post-incident activity; • Incident Response Check list • ELYSIUMSECURITY Incident Response; • Overview; • Rules of Engagement; • Preparation; • Detection; • Categorization; • Containment; • Investigation; • Remediation; • Reporting; • Lessons Learnt; CONTENTS PUBLIC CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT • Short Term – How to start?; • Long Term – IR Implementation; • Extra Resources.
  • 3. PRESENTATION GOAL 3 LEARN HOW TO START 3 LEARN HOW TO APPLY AN IR FRAMEWORK 2 LEARN ABOUT IR CORE ELEMENTS 1 TO LEARN ABOUT CYBER INCIDENT RESPONSE (IR) MAIN CONCEPTS CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT Icons: from The Noun Project unless stated otherwisePUBLIC
  • 4. WHO AM I 4 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC LIVED AND WORKED IN FRANCE, UK, USA AND MAURITIUS CONTRIBUTING AND LEADING VARIOUS OPEN SOURCE CYBER SECURITY PROJECTS FOR THE LAST 20 YEARS VETTED, TRAINED AND OVER 20 YEARS OF CYBER SECURITY EXPERIENCE WORKING FROM LARGE INTERNATIONAL CORPORATIONS PASSIONATE ABOUT IT FROM VERY EARLY YEARS FOUNDER AND RUNNING THE MAURITIUS SECURITY CLUB (MU.SCL) WITH FREE SECURITY AWARENESS PRESENTATIONS EVERY MONTH
  • 5. WHO WE ARE 5 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC FOUNDED IN 2015 BY SYLVAIN MARTINEZ INCORPORATED AND OPERATING IN MAURITIUS (2017) AND IN THE UK/EUROPE (2015) PROVIDING INDEPENDENT EXPERTISE IN CYBER SECURITY MULTITUDE OF RECOGNIZED PROFESSIONAL CERTIFICATIONS 20 YEARS OF INTERNATIONAL CYBER SECURITY CORPORATE EXPERIENCE OUR BOUTIQUE STYLE APPROACH PROVIDES A DISCREET, TAILORED AND SPECIALIZED CYBER SECURITY SERVICE THAT FITS YOUR WORKING ENVIRONMENT
  • 6. CUSTOMERS 6 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC • HEDGE FUNDS • GOVERNMENT AGENCY SERVICE SUPPLIER 2016 2019 • 1x BANK • 1x TELECOMMUNICATION GROUP • 4x LARGE COMMERCIAL GROUPS; • 2x BANKS; 3x MANAGEMENT FUNDS; • 6x HOTELS; 3x TEXTILE; 1x SHOPPING; • 1x HEALTHCARE; REFERENCES AVAILABLE ON DEMAND 2018 2017 2019
  • 7. INCIDENT RESPONSE FRAMEWORK BENEFITS 7 • REDUCED OPERATION DOWNTIME • REDUCED INCIDENT IMPACT • REDUCED/AVOID FINES REDUCED IMPACT COST • IMPROVED RESPONSE TIME • IMPROVED INCIDENT CONTAINMENT • IMPROVED INCIDENT VISIBILITY IMPROVED SECURITY • CONTRACT REQUIREMENT • INDUSTRY REQUIREMENT • LAW REQUIREMENT BUSINESS ENABLEMENT CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 8. DATA BREACH STATISTICS 8 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT EVERY DAY 6,313,865 RECORDS EVERY HOUR 263,078 RECORDS EVERY MINUTE 4,385 RECORDS EVERY SECONDS 73 RECORDS DATA RECORDS ARE LOST OR STOLEN AT THE FOLLOWING FREQUENCY DATA RECORDS LOST OR STOLEN SINCE 2013 4 7 1 7 6 1 8 2 8 6, ,,1 Source: Breach Level Index - May 2019PUBLIC
  • 9. INCIDENT COST 9 ELYSIUMSECURITY INVESTIGATIONS MAURITIUS JANUARY 2018 – JUNE 2019 80% FINANCIAL FRAUD 20% RANSOMWARE 100% PHISHING JAN 2018 MAY 2018 AUG 2018 APR 2019 MAY 2019 JUNE 2019 $0.5M $1M $2M $0.5M $1M $0.5M AVERAGE COST PER DATA BREACH AVERAGE COST PER MALWARE INFECTION AVERAGE DETECTION TIME FROM OUTSIDERS CRIMINALS DATA BREACHES FROM HEALTHCARE ORGANISATIONS $3.86M $2.4M 197 DAYS 73% 24% WORLDWIDE WORLDWIDE STATS FROM SAFEATLAST.CO – APRIL 2019 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 11. INCIDENT RESPONSE CONCEPT 11 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT INCIDENT RESPONSE STRUCTURE INCIDENT RESPONSE HANDLINGCOORDINATION & INFORMATION SHARING TO MINIMISE OPERATIONAL, FINANCIAL & BUSINESS INCIDENT IMPACT NIST SP 800-61 PUBLIC
  • 12. INTERNAL AUDIT TEAM COMPLIANCE TEAM SUBJECT EXPERT VENDOR SUPPORT TEAM IT SUPPORT TEAM TEAMS AND MANDATES 12 CYBER SECURITY TEAM SECURITY OPERATIONS AND PROJECTS CYBER RISK TEAM RISK IDENTIFICATION AND MANAGEMENT CYBER INCIDENT (VIRTUAL) TEAM INCIDENT MANAGEMENT AND RESPONSE CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 13. REGISTERS AND PURPOSES 13 CYBER ISSUE REGISTER POTENTIAL AND CONFIRMED SECURITY ISSUES DETAILS CYBER RISK REGISTER POTENTIAL AND CONFIRMED RISK DETAILS CYBER INCIDENT REGISTER PAST AND CURRENT INCIDENTS DETAILS CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT IT OPERATION REGISTER CURRENT GENERAL IT ISSUES DETAILS PUBLIC
  • 14. GLOBAL ISSUE REGISTER REGISTERS AND REPORTING SYNERGY 14 CYBER SECURITY REGISTER CYBER ISSUE REGISTER CYBER RISK REGISTER CYBER INCIDENT REGISTER IT OPERATION REGISTER IT ISSUE REGISTER NETWORK ISSUE REGISTER PROJECT ISSUE REGISTER ONE VIEW ONE PROCESS DIFFERENT ACCESS DIFFERENT TEAMS DIFFERENT VIEWS DIFFERENT ACCESS DIFFERENT TEAMS DIFFERENT VIEWS DIFFERENT ACCESS CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 15. INCIDENT RESPONSE POLICY & PLAN - OVERVIEW 15 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC INCIDENT RESPONSE POLICY INCIDENT SCOPE INCIDENT DEFINITION & PRIORITIZATION INCIDENT REPORTING INCIDENT RESPONSE PLAN INCIDENT HANDLING INCIDENT COORDINATION CONTINUOUS IMPROVEMENT
  • 16. INCIDENT PLAYBOOK SCENARIOS INCIDENT PLAYBOOK OVERVIEW 16 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT CONTAIN INCIDENT UNDERSTAND CAUSE OF INCIDENT ANALYSE SIGNS OF INCIDENT READY MADE SCENARIOS PRACTICAL RESPONSE ACTIONS AVAILABLE AND COMMUNICATED PUBLIC
  • 17. NIST INCIDENCE RESPONSE LIFECYCLE 17 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC PREPARATION DETECTION & ANALYSIS CONTAINMENT, ERADICATION & RECOVERY POST-INCIDENT ACTIVITY NIST SP 800-61 REV 2
  • 18. NIST INCIDENCE RESPONSE - STEPS 18 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC PREPARATION DETECTION & ANALYSIS CONTAINMENT, ERADICATION & RECOVERY POST-INCIDENT ACTIVITY 1. COMMUNICATION & FACILITIES 2. HARDWARE & SOFTWARE 3. RESOURCES 4. ATTACK VECTORS IDENTIFICATION 11 CONTAINMENT STRATEGY 15. LESSONS LEARNT 5. SIGN OF AN INCIDENT 6. SOURCE OF PRECURSORS 7. INCIDENT ANALYSIS 8. INCIDENT DOCUMENTATION 9. INCIDENT PRIORITIZATION 10. INCIDENT NOTIFICATION 12. EVIDENCE GATHERING & HANDLING 13. IDENTIFYING THE ATTACKING HOST 14. ERADICATION & RECOVERY 16. USING COLLECTED INCIDENT DATA 17. EVIDENCE RETENTION
  • 19. PREPARATION - OVERVIEW 19 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT 1. COMMUNICATION & FACILITIES CONTACT DETAILS PHYSICAL LOGISTICS COORDINATION SYSTEM 2. HARDWARE & SOFTWARE 3. RESOURCES GENERAL IT SPARE EQUIPMENT FORENSICS SPECIFIC EQUIPMENT TRUSTED SOURCED SOFTWARE ARCHITECTURE DIAGRAMS DOCUMENTATION INCIDENT PLAYBOOK PUBLIC
  • 20. DETECTION & ANALYSIS - OVERVIEW 20 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC 4. ATTACK VECTORS IDENTIFICATION 5. SIGN OF AN INCIDENT 6. SOURCE OF PRECURSORS & INDICATORS 7. INCIDENT ANALYSIS SECURITY ALERTS SECURITY LOGS PEOPLE FEEDBACK NETWORK LOGS SYSTEM LOGS EXPLOIT ANNOUNCEMENT BASELINES LOG ANALYSIS DATA RESULTS FILTERING SOURCE OF ATTACK TYPE OF ATTACK METHOD OF ATTACK
  • 21. DETECTION & ANALYSIS - OVERVIEW 21 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC 8. INCIDENT DOCUMENTATION 9. INCIDENT PRIORIZATION 10. INCIDENT NOTIFICATION UPPER MANAGEMENT STAFF EXTERNAL BODIES FUNCTIONAL IMPACT INFORMATION IMPACT RECOVERABILITY STATUS WORK DONE NEXT STEPS
  • 22. CONTAINMENT, ERADICATION & RECOVERY - OVERVIEW 22 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC 11. CONTAINMENT STRATEGY 12. EVIDENCE GATHERING & HANDLING 13. IDENTIFYING THE ATTACKING HOST 14. ERADICATION & RECOVERY SOURCE IP ATTACKER RESEARCH COMMUNICATION MONITORING INCIDENT INFORMATION TIME AND DATE LOCATION REMOVING IMMEDIATE THREAT REMEDIATING VULNERABILITIES GROUP WIDE CHANGES INCIDENT IMPACT EVIDENCE REQUIREMENTS SOLUTION SUSTAINABILITY
  • 23. POST INCIDENT ACTIVITY - OVERVIEW 23 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC 15. LESSONS LEARNT 16. USING COLLECTED INCIDENT DATA 17. EVIDENCE RETENTION PROSECUTION DATA RETENTION COST INCIDENT STATISTICS INCIDENT SLA INCIDENT ASSESSMENT INCIDENT DETAILS TECHNOLOGY AND PROCESS GAPS POSSIBLE IMPROMENTS
  • 24. INCIDENCE RESPONSE CHECKLIST 24 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 25. ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW 25 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PRACTICAL IMPLEMENTATION OF NIST GUIDED PROCESS SHORTER PROCESS USED NIST AND FIRST CORE ELEMENTS 17x STEPS -> 8x STEPS CLIENTS REQUIREMENTS ELYSIUMSECURITY IR FRAMEWORK 5x ACTIVITIES PER STEPS PUBLIC
  • 26. ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW 26 {elysiumsecurity} INCIDENT RESPONSE FRAMEWORK 1. PREPARATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 27. {es} INCIDENT RESPONSE - RULES OF ENGAGEMENT 27 DO NOT MAKE THINGS WORSE! DO NOT ENGAGE OR INTERACT WITH THE HACKER/THREAT GROUP 1 DO NOT CONNECT TO THE THREAT’S RELATED NETWORK(S) FROM YOUR ORGANISATION 2 PRESERVE EVIDENCE3 COORDINATE INTERNAL AND EXTERNAL COMMUNICATION WITH MANAGEMENT 4 ALL INCIDENT DETAILS MUST BE TREATED AS CONFIDENTIAL 5 PUBLIC CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
  • 28. {es} INCIDENT RESPONSE - PREPARATION 28 INCIDENT RESPONSE PLAN1 TEAM, PROCEDURES, DOCUMENTATION, APPROVAL, MANAGEMENT COMMITMENT INCIDENT RESPONSE PLAYBOOK2 PHISHING, RANSOMWARE, KEYLOGGER, DDOS LOGISITICS3 MEETING ROOMS, LAPTOPS, REMOVABLE STORAGE, PHONES, STATIONNARY, PRINTERS, SLEEPING AND CATERING ARRANGEMENTS CONTACTS4 TEAM, ALTERNATIVE CONTACT METHODS, ESCALATION, ON CALL, SUPPORT, VENDOR, SUPPORT5 INCIDENT REGISTER, ARCHITECTURE DIAGRAM, NETWORK DIAGRAM, DATA FLOWS, APPLICATION AND SYSTEM DOCUMENTATION ACTIVITIES EXAMPLE 1. PREPARATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 29. {es} INCIDENT RESPONSE - DETECTION 29 WHO/WHAT DETECTED/REPORTED THE THREAT?1 IT STAFF, SECURITY TOOLS WHAT IS THE DATE AND TIME OF THE THREAT DETECTION/REPORT?2 NORMALISE TIME AND DATE ACROSS REPORTING – RECORD TIME IN GMT HOW WAS THE THREAT DETECTED/REPORTED?3 EMAIL, TEXT, WARNING POP UP, PHONE CALL HAS A SIMILAR THREAT ALREADY BEEN REPORTED?4 PREVIOUS INCIDENT REGISTER LOGS IS THE THREAT VALID?5 CONFIRMED, FALSE POSITIVE ACTIVITIES EXAMPLE 2. DETECTION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 30. {es} INCIDENT RESPONSE - CATEGORISATION 30 WHO/WHAT IS THE TARGET OF THE THREAT?1 USER, SYSTEM, SPECIFIC DATA IS THIS AN ON GOING/LIVE THREAT?2 ON GOING, STOPPED, UNKNOWN WHAT IS THE IMPACT OF THE THREAT?3 FINANCIAL, OPERATIONAL, REPUTATIONAL, LEGAL CATEGORISE THE PRIORITY OF THE INCIDENT4 PRIORITY 1, 2 ,3 (P1 > P2 > P3) CLASSIFY THE INCIDENT COMMUNICATION5 RESTRICTED / UNRESTRICTED ACTIVITIES EXAMPLE 3. CATEGORISATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 31. {es} INCIDENT RESPONSE - CONTAINMENT 31 COORDINATE INCIDENT MANAGEMENT1 TEAM, COMMS, ACTIVITIES, DOCUMENTATION LIGHT AND QUICK THREAT ANALYSIS2 NETWORK, SYSTEM, USER IDENTIFY MAIN ATTACK AND COMPROMISE VECTORS3 IP, PORTS, SIGNATURES, EMAIL ISOLATE THE TARGETED ASSET4 REMOVE FROM NETWORK, DISABLE ACCOUNT IMPLEMENT EMERGENCY CHANGES AS REQUIRED5 NETWORK, SYSTEM, USER ACTIVITIES EXAMPLE 4. CONTAINMENT CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 32. {es} INCIDENT RESPONSE - INVESTIGATION 32 THREAT NETWORK ANALYSIS1 FIREWALL, CLOUD APP LOGS, ASSET LOGS, INTERCEPTED TRAFFIC, TRAFFIC AND DATA FLOWS, SIEM THREAT MALWARE ANALYSIS2 A/V VENDORS, FOOTPRINT, BEHAVIOR, REVERSE ENGINEERING THREAT SYSTEM ANALYSIS3 EVENT LOGS, APP/PLUGINS INSTALLED, AD/EMAIL ACTIVITIES, AUTHENTICATED VULNERABILITY ASSESSSMENT, SIEM THREAT USER ANALYSIS4 INTERVIEW TARGETED USER, CONTEXT, TRIGGERS, RECENT UNUSUAL ACTIVITIES/ALERTS THREAT RESEARCH ANALYSIS5 ONLINE SEARCH FOR SIMILAR THREATS, PROFESSIONAL FORUMS, VENDOR ENGAGEMENT ACTIVITIES EXAMPLE 5. INVESTIGATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 33. ELYSIUMSECURITY INCIDENT RESPONSE - REMEDIATION 33 THREAT NETWORK REMEDIATION1 BLOCK IP, PORTS, DOMAINS, EMAILS. UPDATE F/W, IDS, APT AND SIEM RULES THREAT MALWARE REMEDIATION2 UPDATE SYSTEM AND NETWORK A/V SIGNATURES. ENGAGE WITH VENDORS THREAT SYSTEM REMEDIATION3 REMOVE/BAN INFECTED APPS/PLUGINS, CLEAR INBOX RULES, REMEDIATE ISSUES FOUND WITH THE VULNERABIULTIY ASSESSMENT THREAT USER REMEDIATION4 INDIVIDUAL AND GROUP USER AWARENESS SESSION RELEVANT TO THE THREAT DECLARE THE INCIDENT REMEDIATED5 FULL, PARTIAL, ACCEPTED ACTIVITIES EXAMPLE 6. REMEDIATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 34. {es} INCIDENT RESPONSE - REPORTING 34 ON GOING REPORTING1 DOCUMENTATION AND EVIDENCE SHOULD BE GENERATED AS MUCH AS POSSIBLE DURING THE PREVIOUS PHASES EVIDENCE GATHERING2 THREAT ACTORS, ATTACK VECTORS, ATTACK SURFACE INCIDENT DOCUMENTATION3 THREAT AND INCIDENT DETAILS, TRIGGERS, OWNER, FINDINGS, TIMELINE INCIDENT REGISTER4 CREATE/UPDATE AN OVERALL INCIDENT REGISTER TO TRACK PROGRESS AND GENERATES STATISTICS INCIDENT REPORT COMMUNICATION5 INTERNAL, EXTERNAL, STAFF, MANAGEMENT, BOARD, VENDORS, CLIENTS, GOVERNMENT, REGULATORS, LAW ENFORCEMENT ACTIVITIES EXAMPLE 7. REPORTING CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 35. {es} INCIDENT RESPONSE – LESSONS LEARNT 35 ROOT CAUSE ANALYSIS1 IDENTIFY AND DOCUMENT INCIDENT TRIGGERS AND SECURITY GAPS THAT ENABLED THE INCIDENT TO OCCUR CONTROLS AND PROCESSES READINESS2 EVALUATE THE EFFICIENCY OF CURRENT SECURITY CONTROLS AND PROCESSES IN LIGHT OF THE INCIDENT INCIDENT TRENDS ANALYSIS3 ARE YOU LEARNING FROM PAST INCIDENTS? IS YOUR RISK PROFILE CHANGING? MITIGATION PLAN4 MITIGATE IMPACT OF SIMILAR FUTURE INCIDENTS IMPROVEMENTS PLAN5 STOP OCCURRENCE OF SIMILAR FUTURE INCIDENTS ACTIVITIES EXAMPLE 8. LESSONS LEARNT CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 36. SHORT TERM – HOW TO START? 36 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT REVIEW EXISTING INCIDENT PROCESS1 ESTABLISH INCIDENT TEAM2 CONDUCT REGULAR INCIDENT TEAM MEETING 3 SET GROUND RULES4 DEFINE WHAT IS AN INCIDENT5 INFORM STAFF OF RULES AND INCIDENT CONTACT 6 CREATE INCIDENT REGISTER7 DOCUMENT RECENT AND FUTURE INCIDENTS 8 FOLLOW NIST INCIDENT HANDLING METHODOLOGY 9 CREATE HIGH LEVEL PLAYBOOK TO COMPLEMENT CHECKLIST 10 PUBLIC
  • 37. LONG TERM – INCIDENT RESPONSE IMPLEMENTATION 37 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT SELECT INCIDENT RESPONSE FRAMEWORK (NIST SP 800-61 REV 2 RECOMMENDED) 1 IMPLEMENT FULL INCIDENT RESPONSE FRAMEWORK 2 DEDICATED INCIDENT RESPONSE TEAM AND TRAINING 3 INCIDENT RESPONSE SIMULATION4 CONTINUOUS IMPROVEMENT5 PUBLIC
  • 38. EXTRA RESOURCES 38 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT FORUM OF INCIDENT RESPONSE AND SECURITY TEAMS (FIRST) FRAMEWORK (HTTPS://WWW.FIRST.ORG/EDUCATION/FIRST_SIRT_SERVICES_FRAMEWORK_VERSION1.0.PDF) NATIONAL INSTITUTE OF STANDARDS & TECHNOLOGY (NIST) SPECIAL PROCEDURE (SP) 800-61 (HTTPS://NVLPUBS.NIST.GOV/NISTPUBS/SPECIALPUBLICATIONS/NIST.SP.800-61R2.PDF) INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-1:2016 (HTTPS://WWW.ISO.ORG/STANDARD/60803.HTML) INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-2:2016 (HTTPS://WWW.ISO.ORG/STANDARD/62071.HTML?BROWSE=TC) CONTACT US! (CONSULTING@ELYSIUMSECURITY.COM) PUBLIC
  • 39. © 2015-2019 ELYSIUMSECURITY LTD ALL RIGHTS RESERVED HTTPS://WWW.ELYSIUMSECURITY.COM CONSULTING@ELYSIUMSECURITY.COM ABOUT ELYSIUMSECURITY LTD. ELYSIUMSECURITY PROVIDES PRACTICAL EXPERTISE TO IDENTIFY VULNERABILITIES, ASSESS THEIR RISKS AND IMPACT, REMEDIATE THOSE RISKS, PREPARE AND RESPOND TO INCIDENTS AS WELL AS RAISE SECURITY AWARENESS THROUGH AN ORGANIZATION. ELYSIUMSECURITY PROVIDES HIGH LEVEL EXPERTISE GATHERED THROUGH YEARS OF BEST PRACTICES EXPERIENCE IN LARGE INTERNATIONAL COMPANIES ALLOWING US TO PROVIDE ADVICE BEST SUITED TO YOUR BUSINESS OPERATIONAL MODEL AND PRIORITIES. ELYSIUMSECURITY PROVIDES A PORTFOLIO OF STRATEGIC AND TACTICAL SERVICES TO HELP COMPANIES PROTECT AND RESPOND AGAINST CYBER SECURITY THREATS. WE DIFFERENTIATE OURSELVES BY OFFERING DISCREET, TAILORED AND SPECIALIZED ENGAGEMENTS. ELYSIUMSECURITY OPERATES IN MAURITIUS AND IN EUROPE, A BOUTIQUE STYLE APPROACH MEANS WE CAN EASILY ADAPT TO YOUR BUSINESS OPERATIONAL MODEL AND REQUIREMENTS TO PROVIDE A PERSONALIZED SERVICE THAT FITS YOUR WORKING ENVIRONMENT.