SlideShare a Scribd company logo

INCIDENT RESPONSE NIST IMPLEMENTATION

S
Sylvain Martinez

The document provides an overview of an incident response concept and framework. It discusses the benefits of incident response, common incident response structures and lifecycles. It also outlines the key steps in an incident response process including preparation, detection, analysis, containment, eradication, recovery, reporting and lessons learned. Specific approaches and activities at each step are also described for a company's incident response implementation.

1 of 27
Download to read offline
CYBER SECURITY INCIDENT RESPONSE CONCEPT VERSION: 1.3 DATE: 25/06/2019 AUTHOR: SYLVAIN MARTINEZ REFERENCE: ES-CSIR CLASSIFICATION: PUBLIC
2 • IR framework benefits; • Data breach statistics; • Incident readiness; • Incident response concept; • Teams and mandates; • IR policy & plan overview; • Incident playbook overview; • NIST IR lifecycle; • NIST IR steps; • Incident Response Check list • ELYSIUMSECURITY Incident Response; • Overview; • Rules of Engagement; • Preparation; • Detection; • Categorization; • Containment; • Investigation; • Remediation; • Reporting; • Lessons Learnt; CONTENTS PUBLIC CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT • Short Term – How to start?; • Long Term – IR Implementation; • Extra Resources.
INCIDENT RESPONSE FRAMEWORK BENEFITS 3 • REDUCED OPERATION DOWNTIME • REDUCED INCIDENT IMPACT • REDUCED/AVOID FINES REDUCED IMPACT COST • IMPROVED RESPONSE TIME • IMPROVED INCIDENT CONTAINMENT • IMPROVED INCIDENT VISIBILITY IMPROVED SECURITY • CONTRACT REQUIREMENT • INDUSTRY REQUIREMENT • LAW REQUIREMENT BUSINESS ENABLEMENT CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
DATA BREACH STATISTICS 4 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT EVERY DAY 6,313,865 RECORDS EVERY HOUR 263,078 RECORDS EVERY MINUTE 4,385 RECORDS EVERY SECONDS 73 RECORDS DATA RECORDS ARE LOST OR STOLEN AT THE FOLLOWING FREQUENCY DATA RECORDS LOST OR STOLEN SINCE 2013 4 7 1 7 6 1 8 2 8 6, ,,1 Source: Breach Level Index - May 2019PUBLIC
INCIDENT READINESS 5 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT INCIDENT READINESS PUBLIC
INCIDENT RESPONSE CONCEPT 6 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT INCIDENT RESPONSE STRUCTURE INCIDENT RESPONSE HANDLINGCOORDINATION & INFORMATION SHARING TO MINIMISE OPERATIONAL, FINANCIAL & BUSINESS INCIDENT IMPACT NIST SP 800-61 PUBLIC
INTERNAL AUDIT TEAM COMPLIANCE TEAM SUBJECT EXPERT VENDOR SUPPORT TEAM IT SUPPORT TEAM TEAMS AND MANDATES 7 CYBER SECURITY TEAM SECURITY OPERATIONS AND PROJECTS CYBER RISK TEAM RISK IDENTIFICATION AND MANAGEMENT CYBER INCIDENT (VIRTUAL) TEAM INCIDENT MANAGEMENT AND RESPONSE CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
INCIDENT RESPONSE POLICY & PLAN - OVERVIEW 8 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC INCIDENT RESPONSE POLICY INCIDENT SCOPE INCIDENT DEFINITION & PRIORITIZATION INCIDENT REPORTING INCIDENT RESPONSE PLAN INCIDENT HANDLING INCIDENT COORDINATION CONTINUOUS IMPROVEMENT
INCIDENT PLAYBOOK SCENARIOS INCIDENT PLAYBOOK OVERVIEW 9 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT CONTAIN INCIDENT UNDERSTAND CAUSE OF INCIDENT ANALYSE SIGNS OF INCIDENT READY MADE SCENARIOS PRACTICAL RESPONSE ACTIONS AVAILABLE AND COMMUNICATED PUBLIC
NIST INCIDENCE RESPONSE LIFECYCLE 10 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC PREPARATION DETECTION & ANALYSIS CONTAINMENT, ERADICATION & RECOVERY POST-INCIDENT ACTIVITY NIST SP 800-61 REV 2
NIST INCIDENCE RESPONSE - STEPS 11 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC PREPARATION DETECTION & ANALYSIS CONTAINMENT, ERADICATION & RECOVERY POST-INCIDENT ACTIVITY 1. COMMUNICATION & FACILITIES 2. HARDWARE & SOFTWARE 3. RESOURCES 4. ATTACK VECTORS IDENTIFICATION 11 CONTAINMENT STRATEGY 15. LESSONS LEARNT 5. SIGN OF AN INCIDENT 6. SOURCE OF PRECURSORS 7. INCIDENT ANALYSIS 8. INCIDENT DOCUMENTATION 9. INCIDENT PRIORITIZATION 10. INCIDENT NOTIFICATION 12. EVIDENCE GATHERING & HANDLING 13. IDENTIFYING THE ATTACKING HOST 14. ERADICATION & RECOVERY 16. USING COLLECTED INCIDENT DATA 17. EVIDENCE RETENTION
INCIDENCE RESPONSE CHECKLIST 12 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW 13 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PRACTICAL IMPLEMENTATION OF NIST GUIDED PROCESS SHORTER PROCESS USED NIST AND FIRST CORE ELEMENTS 17x STEPS -> 8x STEPS CLIENTS REQUIREMENTS ELYSIUMSECURITY IR FRAMEWORK 5x ACTIVITIES PER STEPS PUBLIC
ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW 14 {elysiumsecurity} INCIDENT RESPONSE FRAMEWORK 1. PREPARATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
{es} INCIDENT RESPONSE - RULES OF ENGAGEMENT 15 DO NOT MAKE THINGS WORSE! DO NOT ENGAGE OR INTERACT WITH THE HACKER/THREAT GROUP 1 DO NOT CONNECT TO THE THREAT’S RELATED NETWORK(S) FROM YOUR ORGANISATION 2 PRESERVE EVIDENCE3 COORDINATE INTERNAL AND EXTERNAL COMMUNICATION WITH MANAGEMENT 4 ALL INCIDENT DETAILS MUST BE TREATED AS CONFIDENTIAL 5 PUBLIC CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
{es} INCIDENT RESPONSE - PREPARATION 16 INCIDENT RESPONSE PLAN1 TEAM, PROCEDURES, DOCUMENTATION, APPROVAL, MANAGEMENT COMMITMENT INCIDENT RESPONSE PLAYBOOK2 PHISHING, RANSOMWARE, KEYLOGGER, DDOS LOGISITICS3 MEETING ROOMS, LAPTOPS, REMOVABLE STORAGE, PHONES, STATIONNARY, PRINTERS, SLEEPING AND CATERING ARRANGEMENTS CONTACTS4 TEAM, ALTERNATIVE CONTACT METHODS, ESCALATION, ON CALL, SUPPORT, VENDOR, SUPPORT5 INCIDENT REGISTER, ARCHITECTURE DIAGRAM, NETWORK DIAGRAM, DATA FLOWS, APPLICATION AND SYSTEM DOCUMENTATION ACTIVITIES EXAMPLE 1. PREPARATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
{es} INCIDENT RESPONSE - DETECTION 17 WHO/WHAT DETECTED/REPORTED THE THREAT?1 IT STAFF, SECURITY TOOLS WHAT IS THE DATE AND TIME OF THE THREAT DETECTION/REPORT?2 NORMALISE TIME AND DATE ACROSS REPORTING – RECORD TIME IN GMT HOW WAS THE THREAT DETECTED/REPORTED?3 EMAIL, TEXT, WARNING POP UP, PHONE CALL HAS A SIMILAR THREAT ALREADY BEEN REPORTED?4 PREVIOUS INCIDENT REGISTER LOGS IS THE THREAT VALID?5 CONFIRMED, FALSE POSITIVE ACTIVITIES EXAMPLE 2. DETECTION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
{es} INCIDENT RESPONSE - CATEGORISATION 18 WHO/WHAT IS THE TARGET OF THE THREAT?1 USER, SYSTEM, SPECIFIC DATA IS THIS AN ON GOING/LIVE THREAT?2 ON GOING, STOPPED, UNKNOWN WHAT IS THE IMPACT OF THE THREAT?3 FINANCIAL, OPERATIONAL, REPUTATIONAL, LEGAL CATEGORISE THE PRIORITY OF THE INCIDENT4 PRIORITY 1, 2 ,3 (P1 > P2 > P3) CLASSIFY THE INCIDENT COMMUNICATION5 RESTRICTED / UNRESTRICTED ACTIVITIES EXAMPLE 3. CATEGORISATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
{es} INCIDENT RESPONSE - CONTAINMENT 19 COORDINATE INCIDENT MANAGEMENT1 TEAM, COMMS, ACTIVITIES, DOCUMENTATION LIGHT AND QUICK THREAT ANALYSIS2 NETWORK, SYSTEM, USER IDENTIFY MAIN ATTACK AND COMPROMISE VECTORS3 IP, PORTS, SIGNATURES, EMAIL ISOLATE THE TARGETED ASSET4 REMOVE FROM NETWORK, DISABLE ACCOUNT IMPLEMENT EMERGENCY CHANGES AS REQUIRED5 NETWORK, SYSTEM, USER ACTIVITIES EXAMPLE 4. CONTAINMENT CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
{es} INCIDENT RESPONSE - INVESTIGATION 20 THREAT NETWORK ANALYSIS1 FIREWALL, CLOUD APP LOGS, ASSET LOGS, INTERCEPTED TRAFFIC, TRAFFIC AND DATA FLOWS, SIEM THREAT MALWARE ANALYSIS2 A/V VENDORS, FOOTPRINT, BEHAVIOR, REVERSE ENGINEERING THREAT SYSTEM ANALYSIS3 EVENT LOGS, APP/PLUGINS INSTALLED, AD/EMAIL ACTIVITIES, AUTHENTICATED VULNERABILITY ASSESSSMENT, SIEM THREAT USER ANALYSIS4 INTERVIEW TARGETED USER, CONTEXT, TRIGGERS, RECENT UNUSUAL ACTIVITIES/ALERTS THREAT RESEARCH ANALYSIS5 ONLINE SEARCH FOR SIMILAR THREATS, PROFESSIONAL FORUMS, VENDOR ENGAGEMENT ACTIVITIES EXAMPLE 5. INVESTIGATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
ELYSIUMSECURITY INCIDENT RESPONSE - REMEDIATION 21 THREAT NETWORK REMEDIATION1 BLOCK IP, PORTS, DOMAINS, EMAILS. UPDATE F/W, IDS, APT AND SIEM RULES THREAT MALWARE REMEDIATION2 UPDATE SYSTEM AND NETWORK A/V SIGNATURES. ENGAGE WITH VENDORS THREAT SYSTEM REMEDIATION3 REMOVE/BAN INFECTED APPS/PLUGINS, CLEAR INBOX RULES, REMEDIATE ISSUES FOUND WITH THE VULNERABIULTIY ASSESSMENT THREAT USER REMEDIATION4 INDIVIDUAL AND GROUP USER AWARENESS SESSION RELEVANT TO THE THREAT DECLARE THE INCIDENT REMEDIATED5 FULL, PARTIAL, ACCEPTED ACTIVITIES EXAMPLE 6. REMEDIATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
{es} INCIDENT RESPONSE - REPORTING 22 ON GOING REPORTING1 DOCUMENTATION AND EVIDENCE SHOULD BE GENERATED AS MUCH AS POSSIBLE DURING THE PREVIOUS PHASES EVIDENCE GATHERING2 THREAT ACTORS, ATTACK VECTORS, ATTACK SURFACE INCIDENT DOCUMENTATION3 THREAT AND INCIDENT DETAILS, TRIGGERS, OWNER, FINDINGS, TIMELINE INCIDENT REGISTER4 CREATE/UPDATE AN OVERALL INCIDENT REGISTER TO TRACK PROGRESS AND GENERATES STATISTICS INCIDENT REPORT COMMUNICATION5 INTERNAL, EXTERNAL, STAFF, MANAGEMENT, BOARD, VENDORS, CLIENTS, GOVERNMENT, REGULATORS, LAW ENFORCEMENT ACTIVITIES EXAMPLE 7. REPORTING CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
{es} INCIDENT RESPONSE – LESSONS LEARNT 23 ROOT CAUSE ANALYSIS1 IDENTIFY AND DOCUMENT INCIDENT TRIGGERS AND SECURITY GAPS THAT ENABLED THE INCIDENT TO OCCUR CONTROLS AND PROCESSES READINESS2 EVALUATE THE EFFICIENCY OF CURRENT SECURITY CONTROLS AND PROCESSES IN LIGHT OF THE INCIDENT INCIDENT TRENDS ANALYSIS3 ARE YOU LEARNING FROM PAST INCIDENTS? IS YOUR RISK PROFILE CHANGING? MITIGATION PLAN4 MITIGATE IMPACT OF SIMILAR FUTURE INCIDENTS IMPROVEMENTS PLAN5 STOP OCCURRENCE OF SIMILAR FUTURE INCIDENTS ACTIVITIES EXAMPLE 8. LESSONS LEARNT CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
SHORT TERM – HOW TO START? 24 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT REVIEW EXISTING INCIDENT PROCESS1 ESTABLISH INCIDENT TEAM2 CONDUCT REGULAR INCIDENT TEAM MEETING 3 SET GROUND RULES4 DEFINE WHAT IS AN INCIDENT5 INFORM STAFF OF RULES AND INCIDENT CONTACT 6 CREATE INCIDENT REGISTER7 DOCUMENT RECENT AND FUTURE INCIDENTS 8 FOLLOW NIST INCIDENT HANDLING METHODOLOGY 9 CREATE HIGH LEVEL PLAYBOOK TO COMPLEMENT CHECKLIST 10 PUBLIC
LONG TERM – INCIDENT RESPONSE IMPLEMENTATION 25 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT SELECT INCIDENT RESPONSE FRAMEWORK (NIST SP 800-61 REV 2 RECOMMENDED) 1 IMPLEMENT FULL INCIDENT RESPONSE FRAMEWORK 2 DEDICATED INCIDENT RESPONSE TEAM AND TRAINING 3 INCIDENT RESPONSE SIMULATION4 CONTINUOUS IMPROVEMENT5 PUBLIC
EXTRA RESOURCES 26 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT FORUM OF INCIDENT RESPONSE AND SECURITY TEAMS (FIRST) FRAMEWORK (HTTPS://WWW.FIRST.ORG/EDUCATION/FIRST_SIRT_SERVICES_FRAMEWORK_VERSION1.0.PDF) NATIONAL INSTITUTE OF STANDARDS & TECHNOLOGY (NIST) SPECIAL PROCEDURE (SP) 800-61 (HTTPS://NVLPUBS.NIST.GOV/NISTPUBS/SPECIALPUBLICATIONS/NIST.SP.800-61R2.PDF) INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-1:2016 (HTTPS://WWW.ISO.ORG/STANDARD/60803.HTML) INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-2:2016 (HTTPS://WWW.ISO.ORG/STANDARD/62071.HTML?BROWSE=TC) CONTACT US! (CONSULTING@ELYSIUMSECURITY.COM) PUBLIC
© 2015-2019 ELYSIUMSECURITY LTD ALL RIGHTS RESERVED HTTPS://WWW.ELYSIUMSECURITY.COM CONSULTING@ELYSIUMSECURITY.COM ABOUT ELYSIUMSECURITY LTD. ELYSIUMSECURITY PROVIDES PRACTICAL EXPERTISE TO IDENTIFY VULNERABILITIES, ASSESS THEIR RISKS AND IMPACT, REMEDIATE THOSE RISKS, PREPARE AND RESPOND TO INCIDENTS AS WELL AS RAISE SECURITY AWARENESS THROUGH AN ORGANIZATION. ELYSIUMSECURITY PROVIDES HIGH LEVEL EXPERTISE GATHERED THROUGH YEARS OF BEST PRACTICES EXPERIENCE IN LARGE INTERNATIONAL COMPANIES ALLOWING US TO PROVIDE ADVICE BEST SUITED TO YOUR BUSINESS OPERATIONAL MODEL AND PRIORITIES. ELYSIUMSECURITY PROVIDES A PORTFOLIO OF STRATEGIC AND TACTICAL SERVICES TO HELP COMPANIES PROTECT AND RESPOND AGAINST CYBER SECURITY THREATS. WE DIFFERENTIATE OURSELVES BY OFFERING DISCREET, TAILORED AND SPECIALIZED ENGAGEMENTS. ELYSIUMSECURITY OPERATES IN MAURITIUS AND IN EUROPE, A BOUTIQUE STYLE APPROACH MEANS WE CAN EASILY ADAPT TO YOUR BUSINESS OPERATIONAL MODEL AND REQUIREMENTS TO PROVIDE A PERSONALIZED SERVICE THAT FITS YOUR WORKING ENVIRONMENT.

More Related Content

INCIDENT RESPONSE NIST IMPLEMENTATION

  • 1. CYBER SECURITY INCIDENT RESPONSE CONCEPT VERSION: 1.3 DATE: 25/06/2019 AUTHOR: SYLVAIN MARTINEZ REFERENCE: ES-CSIR CLASSIFICATION: PUBLIC
  • 2. 2 • IR framework benefits; • Data breach statistics; • Incident readiness; • Incident response concept; • Teams and mandates; • IR policy & plan overview; • Incident playbook overview; • NIST IR lifecycle; • NIST IR steps; • Incident Response Check list • ELYSIUMSECURITY Incident Response; • Overview; • Rules of Engagement; • Preparation; • Detection; • Categorization; • Containment; • Investigation; • Remediation; • Reporting; • Lessons Learnt; CONTENTS PUBLIC CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT • Short Term – How to start?; • Long Term – IR Implementation; • Extra Resources.
  • 3. INCIDENT RESPONSE FRAMEWORK BENEFITS 3 • REDUCED OPERATION DOWNTIME • REDUCED INCIDENT IMPACT • REDUCED/AVOID FINES REDUCED IMPACT COST • IMPROVED RESPONSE TIME • IMPROVED INCIDENT CONTAINMENT • IMPROVED INCIDENT VISIBILITY IMPROVED SECURITY • CONTRACT REQUIREMENT • INDUSTRY REQUIREMENT • LAW REQUIREMENT BUSINESS ENABLEMENT CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 4. DATA BREACH STATISTICS 4 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT EVERY DAY 6,313,865 RECORDS EVERY HOUR 263,078 RECORDS EVERY MINUTE 4,385 RECORDS EVERY SECONDS 73 RECORDS DATA RECORDS ARE LOST OR STOLEN AT THE FOLLOWING FREQUENCY DATA RECORDS LOST OR STOLEN SINCE 2013 4 7 1 7 6 1 8 2 8 6, ,,1 Source: Breach Level Index - May 2019PUBLIC
  • 6. INCIDENT RESPONSE CONCEPT 6 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT INCIDENT RESPONSE STRUCTURE INCIDENT RESPONSE HANDLINGCOORDINATION & INFORMATION SHARING TO MINIMISE OPERATIONAL, FINANCIAL & BUSINESS INCIDENT IMPACT NIST SP 800-61 PUBLIC
  • 7. INTERNAL AUDIT TEAM COMPLIANCE TEAM SUBJECT EXPERT VENDOR SUPPORT TEAM IT SUPPORT TEAM TEAMS AND MANDATES 7 CYBER SECURITY TEAM SECURITY OPERATIONS AND PROJECTS CYBER RISK TEAM RISK IDENTIFICATION AND MANAGEMENT CYBER INCIDENT (VIRTUAL) TEAM INCIDENT MANAGEMENT AND RESPONSE CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 8. INCIDENT RESPONSE POLICY & PLAN - OVERVIEW 8 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC INCIDENT RESPONSE POLICY INCIDENT SCOPE INCIDENT DEFINITION & PRIORITIZATION INCIDENT REPORTING INCIDENT RESPONSE PLAN INCIDENT HANDLING INCIDENT COORDINATION CONTINUOUS IMPROVEMENT
  • 9. INCIDENT PLAYBOOK SCENARIOS INCIDENT PLAYBOOK OVERVIEW 9 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT CONTAIN INCIDENT UNDERSTAND CAUSE OF INCIDENT ANALYSE SIGNS OF INCIDENT READY MADE SCENARIOS PRACTICAL RESPONSE ACTIONS AVAILABLE AND COMMUNICATED PUBLIC
  • 10. NIST INCIDENCE RESPONSE LIFECYCLE 10 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC PREPARATION DETECTION & ANALYSIS CONTAINMENT, ERADICATION & RECOVERY POST-INCIDENT ACTIVITY NIST SP 800-61 REV 2
  • 11. NIST INCIDENCE RESPONSE - STEPS 11 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC PREPARATION DETECTION & ANALYSIS CONTAINMENT, ERADICATION & RECOVERY POST-INCIDENT ACTIVITY 1. COMMUNICATION & FACILITIES 2. HARDWARE & SOFTWARE 3. RESOURCES 4. ATTACK VECTORS IDENTIFICATION 11 CONTAINMENT STRATEGY 15. LESSONS LEARNT 5. SIGN OF AN INCIDENT 6. SOURCE OF PRECURSORS 7. INCIDENT ANALYSIS 8. INCIDENT DOCUMENTATION 9. INCIDENT PRIORITIZATION 10. INCIDENT NOTIFICATION 12. EVIDENCE GATHERING & HANDLING 13. IDENTIFYING THE ATTACKING HOST 14. ERADICATION & RECOVERY 16. USING COLLECTED INCIDENT DATA 17. EVIDENCE RETENTION
  • 12. INCIDENCE RESPONSE CHECKLIST 12 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 13. ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW 13 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PRACTICAL IMPLEMENTATION OF NIST GUIDED PROCESS SHORTER PROCESS USED NIST AND FIRST CORE ELEMENTS 17x STEPS -> 8x STEPS CLIENTS REQUIREMENTS ELYSIUMSECURITY IR FRAMEWORK 5x ACTIVITIES PER STEPS PUBLIC
  • 14. ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW 14 {elysiumsecurity} INCIDENT RESPONSE FRAMEWORK 1. PREPARATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 15. {es} INCIDENT RESPONSE - RULES OF ENGAGEMENT 15 DO NOT MAKE THINGS WORSE! DO NOT ENGAGE OR INTERACT WITH THE HACKER/THREAT GROUP 1 DO NOT CONNECT TO THE THREAT’S RELATED NETWORK(S) FROM YOUR ORGANISATION 2 PRESERVE EVIDENCE3 COORDINATE INTERNAL AND EXTERNAL COMMUNICATION WITH MANAGEMENT 4 ALL INCIDENT DETAILS MUST BE TREATED AS CONFIDENTIAL 5 PUBLIC CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
  • 16. {es} INCIDENT RESPONSE - PREPARATION 16 INCIDENT RESPONSE PLAN1 TEAM, PROCEDURES, DOCUMENTATION, APPROVAL, MANAGEMENT COMMITMENT INCIDENT RESPONSE PLAYBOOK2 PHISHING, RANSOMWARE, KEYLOGGER, DDOS LOGISITICS3 MEETING ROOMS, LAPTOPS, REMOVABLE STORAGE, PHONES, STATIONNARY, PRINTERS, SLEEPING AND CATERING ARRANGEMENTS CONTACTS4 TEAM, ALTERNATIVE CONTACT METHODS, ESCALATION, ON CALL, SUPPORT, VENDOR, SUPPORT5 INCIDENT REGISTER, ARCHITECTURE DIAGRAM, NETWORK DIAGRAM, DATA FLOWS, APPLICATION AND SYSTEM DOCUMENTATION ACTIVITIES EXAMPLE 1. PREPARATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 17. {es} INCIDENT RESPONSE - DETECTION 17 WHO/WHAT DETECTED/REPORTED THE THREAT?1 IT STAFF, SECURITY TOOLS WHAT IS THE DATE AND TIME OF THE THREAT DETECTION/REPORT?2 NORMALISE TIME AND DATE ACROSS REPORTING – RECORD TIME IN GMT HOW WAS THE THREAT DETECTED/REPORTED?3 EMAIL, TEXT, WARNING POP UP, PHONE CALL HAS A SIMILAR THREAT ALREADY BEEN REPORTED?4 PREVIOUS INCIDENT REGISTER LOGS IS THE THREAT VALID?5 CONFIRMED, FALSE POSITIVE ACTIVITIES EXAMPLE 2. DETECTION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 18. {es} INCIDENT RESPONSE - CATEGORISATION 18 WHO/WHAT IS THE TARGET OF THE THREAT?1 USER, SYSTEM, SPECIFIC DATA IS THIS AN ON GOING/LIVE THREAT?2 ON GOING, STOPPED, UNKNOWN WHAT IS THE IMPACT OF THE THREAT?3 FINANCIAL, OPERATIONAL, REPUTATIONAL, LEGAL CATEGORISE THE PRIORITY OF THE INCIDENT4 PRIORITY 1, 2 ,3 (P1 > P2 > P3) CLASSIFY THE INCIDENT COMMUNICATION5 RESTRICTED / UNRESTRICTED ACTIVITIES EXAMPLE 3. CATEGORISATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 19. {es} INCIDENT RESPONSE - CONTAINMENT 19 COORDINATE INCIDENT MANAGEMENT1 TEAM, COMMS, ACTIVITIES, DOCUMENTATION LIGHT AND QUICK THREAT ANALYSIS2 NETWORK, SYSTEM, USER IDENTIFY MAIN ATTACK AND COMPROMISE VECTORS3 IP, PORTS, SIGNATURES, EMAIL ISOLATE THE TARGETED ASSET4 REMOVE FROM NETWORK, DISABLE ACCOUNT IMPLEMENT EMERGENCY CHANGES AS REQUIRED5 NETWORK, SYSTEM, USER ACTIVITIES EXAMPLE 4. CONTAINMENT CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 20. {es} INCIDENT RESPONSE - INVESTIGATION 20 THREAT NETWORK ANALYSIS1 FIREWALL, CLOUD APP LOGS, ASSET LOGS, INTERCEPTED TRAFFIC, TRAFFIC AND DATA FLOWS, SIEM THREAT MALWARE ANALYSIS2 A/V VENDORS, FOOTPRINT, BEHAVIOR, REVERSE ENGINEERING THREAT SYSTEM ANALYSIS3 EVENT LOGS, APP/PLUGINS INSTALLED, AD/EMAIL ACTIVITIES, AUTHENTICATED VULNERABILITY ASSESSSMENT, SIEM THREAT USER ANALYSIS4 INTERVIEW TARGETED USER, CONTEXT, TRIGGERS, RECENT UNUSUAL ACTIVITIES/ALERTS THREAT RESEARCH ANALYSIS5 ONLINE SEARCH FOR SIMILAR THREATS, PROFESSIONAL FORUMS, VENDOR ENGAGEMENT ACTIVITIES EXAMPLE 5. INVESTIGATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 21. ELYSIUMSECURITY INCIDENT RESPONSE - REMEDIATION 21 THREAT NETWORK REMEDIATION1 BLOCK IP, PORTS, DOMAINS, EMAILS. UPDATE F/W, IDS, APT AND SIEM RULES THREAT MALWARE REMEDIATION2 UPDATE SYSTEM AND NETWORK A/V SIGNATURES. ENGAGE WITH VENDORS THREAT SYSTEM REMEDIATION3 REMOVE/BAN INFECTED APPS/PLUGINS, CLEAR INBOX RULES, REMEDIATE ISSUES FOUND WITH THE VULNERABIULTIY ASSESSMENT THREAT USER REMEDIATION4 INDIVIDUAL AND GROUP USER AWARENESS SESSION RELEVANT TO THE THREAT DECLARE THE INCIDENT REMEDIATED5 FULL, PARTIAL, ACCEPTED ACTIVITIES EXAMPLE 6. REMEDIATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 22. {es} INCIDENT RESPONSE - REPORTING 22 ON GOING REPORTING1 DOCUMENTATION AND EVIDENCE SHOULD BE GENERATED AS MUCH AS POSSIBLE DURING THE PREVIOUS PHASES EVIDENCE GATHERING2 THREAT ACTORS, ATTACK VECTORS, ATTACK SURFACE INCIDENT DOCUMENTATION3 THREAT AND INCIDENT DETAILS, TRIGGERS, OWNER, FINDINGS, TIMELINE INCIDENT REGISTER4 CREATE/UPDATE AN OVERALL INCIDENT REGISTER TO TRACK PROGRESS AND GENERATES STATISTICS INCIDENT REPORT COMMUNICATION5 INTERNAL, EXTERNAL, STAFF, MANAGEMENT, BOARD, VENDORS, CLIENTS, GOVERNMENT, REGULATORS, LAW ENFORCEMENT ACTIVITIES EXAMPLE 7. REPORTING CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 23. {es} INCIDENT RESPONSE – LESSONS LEARNT 23 ROOT CAUSE ANALYSIS1 IDENTIFY AND DOCUMENT INCIDENT TRIGGERS AND SECURITY GAPS THAT ENABLED THE INCIDENT TO OCCUR CONTROLS AND PROCESSES READINESS2 EVALUATE THE EFFICIENCY OF CURRENT SECURITY CONTROLS AND PROCESSES IN LIGHT OF THE INCIDENT INCIDENT TRENDS ANALYSIS3 ARE YOU LEARNING FROM PAST INCIDENTS? IS YOUR RISK PROFILE CHANGING? MITIGATION PLAN4 MITIGATE IMPACT OF SIMILAR FUTURE INCIDENTS IMPROVEMENTS PLAN5 STOP OCCURRENCE OF SIMILAR FUTURE INCIDENTS ACTIVITIES EXAMPLE 8. LESSONS LEARNT CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 24. SHORT TERM – HOW TO START? 24 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT REVIEW EXISTING INCIDENT PROCESS1 ESTABLISH INCIDENT TEAM2 CONDUCT REGULAR INCIDENT TEAM MEETING 3 SET GROUND RULES4 DEFINE WHAT IS AN INCIDENT5 INFORM STAFF OF RULES AND INCIDENT CONTACT 6 CREATE INCIDENT REGISTER7 DOCUMENT RECENT AND FUTURE INCIDENTS 8 FOLLOW NIST INCIDENT HANDLING METHODOLOGY 9 CREATE HIGH LEVEL PLAYBOOK TO COMPLEMENT CHECKLIST 10 PUBLIC
  • 25. LONG TERM – INCIDENT RESPONSE IMPLEMENTATION 25 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT SELECT INCIDENT RESPONSE FRAMEWORK (NIST SP 800-61 REV 2 RECOMMENDED) 1 IMPLEMENT FULL INCIDENT RESPONSE FRAMEWORK 2 DEDICATED INCIDENT RESPONSE TEAM AND TRAINING 3 INCIDENT RESPONSE SIMULATION4 CONTINUOUS IMPROVEMENT5 PUBLIC
  • 26. EXTRA RESOURCES 26 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT FORUM OF INCIDENT RESPONSE AND SECURITY TEAMS (FIRST) FRAMEWORK (HTTPS://WWW.FIRST.ORG/EDUCATION/FIRST_SIRT_SERVICES_FRAMEWORK_VERSION1.0.PDF) NATIONAL INSTITUTE OF STANDARDS & TECHNOLOGY (NIST) SPECIAL PROCEDURE (SP) 800-61 (HTTPS://NVLPUBS.NIST.GOV/NISTPUBS/SPECIALPUBLICATIONS/NIST.SP.800-61R2.PDF) INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-1:2016 (HTTPS://WWW.ISO.ORG/STANDARD/60803.HTML) INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-2:2016 (HTTPS://WWW.ISO.ORG/STANDARD/62071.HTML?BROWSE=TC) CONTACT US! (CONSULTING@ELYSIUMSECURITY.COM) PUBLIC
  • 27. © 2015-2019 ELYSIUMSECURITY LTD ALL RIGHTS RESERVED HTTPS://WWW.ELYSIUMSECURITY.COM CONSULTING@ELYSIUMSECURITY.COM ABOUT ELYSIUMSECURITY LTD. ELYSIUMSECURITY PROVIDES PRACTICAL EXPERTISE TO IDENTIFY VULNERABILITIES, ASSESS THEIR RISKS AND IMPACT, REMEDIATE THOSE RISKS, PREPARE AND RESPOND TO INCIDENTS AS WELL AS RAISE SECURITY AWARENESS THROUGH AN ORGANIZATION. ELYSIUMSECURITY PROVIDES HIGH LEVEL EXPERTISE GATHERED THROUGH YEARS OF BEST PRACTICES EXPERIENCE IN LARGE INTERNATIONAL COMPANIES ALLOWING US TO PROVIDE ADVICE BEST SUITED TO YOUR BUSINESS OPERATIONAL MODEL AND PRIORITIES. ELYSIUMSECURITY PROVIDES A PORTFOLIO OF STRATEGIC AND TACTICAL SERVICES TO HELP COMPANIES PROTECT AND RESPOND AGAINST CYBER SECURITY THREATS. WE DIFFERENTIATE OURSELVES BY OFFERING DISCREET, TAILORED AND SPECIALIZED ENGAGEMENTS. ELYSIUMSECURITY OPERATES IN MAURITIUS AND IN EUROPE, A BOUTIQUE STYLE APPROACH MEANS WE CAN EASILY ADAPT TO YOUR BUSINESS OPERATIONAL MODEL AND REQUIREMENTS TO PROVIDE A PERSONALIZED SERVICE THAT FITS YOUR WORKING ENVIRONMENT.