A lecture given by Naor Penso to emergency & disaster management master's students at Tel-Aviv University to educate them on cybersecurity crisis management.
3. Incident Response
1. The third industrial evolution
2. The chronicle of flaws
3. From nations to Bob
4. The risk / value equation
Introduction to cyber
6. Incident Response
You have Ransomware!!
2 senior managers got infected by ransomware.
The attackers are now requesting 10 Bitcoin to release the machine.
100,000,000 Credit cards leaked!
Someone hacked the website and stole a lot of data; he is now selling it on the darknet.
7. Incident Response
Our website is overloaded
Nothing has happened yet, but the servers are starting to stress; soon they might cause delays.
People got to work and they cannot log in
It seems that something erased their employment records, which caused their users to be disabled.
9. Events
An event is any observable occurrence in a system or
network. Events are mostly generated automatically by
organizational systems and can be collected for further
inspection by different systems such as a security information
and event management system.
Examples:
• user connecting to a file share
• a server receiving a request for a web page
• a user sending email
• firewall blocking a connection attempt
(Diagram: escalation layers so far: Events)
10. Notable Events / Correlation
A notable event is an event that carries an indicator that something might be wrong (for example, a failed logon to a system, a user lockout, etc.).
A correlation is comprised of several events or notable events. Correlation can create a "story" of events which happened over time.
Example:
a user failed to log on 5 times, following which he successfully logged on and downloaded 5,000 documents.
(Diagram: escalation layers so far: Events, Notable Event / Correlation)
11. Security Alert
Some notable events / correlations might trigger an alert.
When an alert is triggered, it requires some active measures to mitigate (automatic or manual).
Example:
A virus has been identified on a machine.
Action: scan the PC for other viruses and collect data from the workstation to identify the origin.
(Diagram: escalation layers so far: Events, Notable Event / Correlation, Security Alert)
12. Incident
An incident is the escalation of a security alert in case the alert is repetitive, expanding, or the actions taken do not mitigate the issue.
An incident will mostly be handled manually by the security operations center and other technical teams.
Example:
The website is flooded due to a DDoS attack, and several server operations have been halted.
(Diagram: escalation layers so far: Events, Notable Event / Correlation, Security Alert, Incident)
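The escalation layers of slides 9 to 12 (events, notable events and correlations, security alerts, incidents) as an added worked example in Python. This is not code from the lecture: the sample events, the correlation rule ("5 failed logons, then a success, then a bulk download"), the thresholds, the rule name and the suggested action are all constructed for illustration, as is the escalation policy (repetitive, expanding, or not mitigated), which mirrors the wording of slide 12.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the lecture): "bob" fails five logons,
# then succeeds and pulls 5,000 documents; "alice" behaves normally.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T08:00:00", "type": "logon_failed", "user": "bob", "host": "ws-17"},
    {"ts": "2024-01-10T08:00:10", "type": "logon_failed", "user": "bob", "host": "ws-17"},
    {"ts": "2024-01-10T08:00:20", "type": "logon_failed", "user": "bob", "host": "ws-17"},
    {"ts": "2024-01-10T08:00:30", "type": "logon_failed", "user": "bob", "host": "ws-17"},
    {"ts": "2024-01-10T08:00:40", "type": "logon_failed", "user": "bob", "host": "ws-17"},
    {"ts": "2024-01-10T08:01:00", "type": "logon_success", "user": "bob", "host": "ws-17"},
    {"ts": "2024-01-10T08:03:00", "type": "file_download", "user": "bob", "host": "fs-01", "count": 5000},
    {"ts": "2024-01-10T08:04:00", "type": "logon_success", "user": "alice", "host": "ws-03"},
    {"ts": "2024-01-10T08:05:00", "type": "file_download", "user": "alice", "host": "fs-01", "count": 3},
]

# Event types that carry an indicator on their own (a "notable event", slide 10).
NOTABLE_TYPES = {"logon_failed", "user_lockout", "malware_detected"}

# Hypothetical action attached to an alert when a correlation rule fires (slide 11).
ACTIONS = {"brute_force_then_exfil": "disable account, preserve host, review downloaded files"}


def parse_ts(value):
    return datetime.fromisoformat(value)


def find_notable(events):
    """Layer 2: events that are suspicious by themselves."""
    return [e for e in events if e["type"] in NOTABLE_TYPES]


def correlate(events, fail_threshold=5, window=timedelta(minutes=10), download_threshold=1000):
    """Layer 2: build a per-user 'story': N failed logons, then a success,
    then a bulk download, all inside the time window."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        by_user[e["user"]].append(e)
    stories = []
    for user, evs in by_user.items():
        fails = []
        for e in evs:
            if e["type"] == "logon_failed":
                fails.append(e)
            elif e["type"] == "logon_success":
                if len(fails) >= fail_threshold:
                    start = parse_ts(fails[0]["ts"])
                    exfil = next((d for d in evs if d["type"] == "file_download"
                                  and d.get("count", 0) >= download_threshold
                                  and start <= parse_ts(d["ts"]) <= start + window), None)
                    if exfil:
                        stories.append({"rule": "brute_force_then_exfil", "user": user,
                                        "hosts": sorted({fails[0]["host"], exfil["host"]}),
                                        "failed_logons": len(fails), "documents": exfil["count"]})
                fails = []  # a successful logon ends the failure streak
    return stories


def raise_alerts(stories):
    """Layer 3: each story becomes an alert that carries the measure to take."""
    return [dict(story, action=ACTIONS.get(story["rule"], "investigate")) for story in stories]


def escalate(alerts, repeat_threshold=3, spread_threshold=3):
    """Layer 4: escalate a rule's alerts to an incident when they are repetitive,
    expanding across hosts, or recorded as not mitigated ('mitigated': False)."""
    by_rule = defaultdict(list)
    for a in alerts:
        by_rule[a["rule"]].append(a)
    incidents = []
    for rule, group in by_rule.items():
        hosts = {h for a in group for h in a["hosts"]}
        reasons = []
        if len(group) >= repeat_threshold:
            reasons.append("repetitive")
        if len(hosts) >= spread_threshold:
            reasons.append("expanding")
        if any(a.get("mitigated") is False for a in group):
            reasons.append("not mitigated")
        if reasons:
            incidents.append({"rule": rule, "alerts": len(group), "hosts": sorted(hosts), "reasons": reasons})
    return incidents


if __name__ == "__main__":
    alerts = raise_alerts(correlate(SAMPLE_EVENTS))
    print(len(find_notable(SAMPLE_EVENTS)), "notable events")
    print(alerts)          # one alert for bob
    print(escalate(alerts))  # [] : a single, not-yet-evaluated alert is not an incident
```

A single alert stays an alert; it only becomes an incident once the same rule fires repeatedly, spreads across hosts, or the action taken is recorded as having failed. That separation is what lets a security operations center handle alerts with scripted actions and reserve the manual incident process for the cases slide 12 describes.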
13. Cyber Crisis
Every organization has a different threshold and guidelines for initiating Crisis mode.
On most occasions, when the incident was not / could not have been confined, or it involves assets deemed by the organization as highly sensitive (e.g. personal information), then a crisis shall be announced.
Example:
It started with 2 machines with Ransomware, and now the entire company is in lockdown – no one can work, support and operations have ceased.
(Diagram: escalation layers: Events, Notable Event / Correlation, Security Alert, Incident, Cyber Crisis)
15. The Crisis Room
(Diagram: the Crisis Leader at the center, surrounded by:)
- Forensics Team
- Security Operations Center
- Risk Management Lead
- Security & IT Mitigation Team
- Account Management
- Legal Team
- Public Relations
- Human Resources
On Call / Periodical Check-in: Executive Management Representative, IT Leadership & Engineering
16. The Core Response Team
(Table: Personnel Title / Team Name, Responsibility, Main Activities)
Crisis Management Leader (on most occasions the CISO)
Responsibility: Manage the Crisis operations and take active decisions on the response team activities and mitigations
Main Activities:
• Align resources, activities & mitigation plans
• Define if and when to notify the stakeholders
• Align cooperation from different BUs
Crisis Technical Leader
Responsibility: Correlate and manage the technical teams and forensic operations
Main Activities:
• Collect and analyze data from all technical teams
• Decide on the technical mitigation approach
• Define which technical resources are needed
Security Operations Center
Responsibility: Keep eyes open for new issues / abnormalities
Main Activities:
• Identify new infections / alerts
• Monitor the organization for abnormalities
• Alert the forensics team if anything arises
Forensics Team
Responsibility: Investigate & define mitigation activities
Main Activities:
• Identify the source of the breach
• Assess what was stolen / breached
• Assess who (if possible) is responsible
CIO & IT Directors
Responsibility: Ensure IT resource allocation for the mitigation
Main Activities:
• Assign more IT resources if needed
• Enable critical changes to IT infrastructure if and when needed
Risk Management Lead
Responsibility: Assess potential damages and identify critical assets
Main Activities:
• Identify if critical assets are targeted or abused
• Identify the potential damages to the company
Business Continuity & Disaster Recovery Lead
Responsibility: Assess potential damages to the business
Main Activities:
• Assess potential business operation damages
• Identify consequences of mitigation activities
17. Extended Crisis Management Personnel
(Table: Personnel Title / Team Name, Responsibility, Main Activities)
PR & Marketing Team
Responsibility: Manage customer interactions
Main Activities:
• Draft the PR
• Communicate with the customers if needed
Legal Team
Responsibility: Provide legal assistance
Main Activities:
• Manage interactions with law enforcement
• Advise on applicable laws & regulations
• Approve "invasive" activities
Human Resources
Responsibility: Internal employee engagement
Main Activities:
• Update employees on the activities
• Mitigate any employee concern
• Approve forensic activities on employee machines
Executive Manager
Responsibility: Take the hardest decisions
Main Activities:
• Approve / Deny mitigation activities with company-wide impact
• Define whether escalation to the board is required
Account Executives
Responsibility: Brief customers on the incident if needed
Main Activities:
• Approach customers and deliver assurance
• Convey the PR message to the customer
External Law Enforcement (optional, not used often)
Responsibility: Assist in forensics and investigation of the breach
Main Activities:
• Work with the forensics teams
• Leverage intelligence to identify the attacker
• Arrest and interrogate the attacker if known
18. Main Activities
• Create a war room
• Engage stakeholders
• Contain the breach
• Measure losses
• Learn a lesson
• Prepare for the next one
20. Communications and facilities
Definition of all applicable contacts in case of emergency, facilities to be utilized for the war room, alternative communication channels and ticket management solutions.
Incident analysis resources
Technical toolkit for forensics, a list of all applicable systems and their owners in case of need, and business impact analysis for system takeover and takedown and for business processes.
Engagement procedures
Procedures depicting what to do in case of emergency, whom to contact and when.
The Football Policy
Doomsday is arriving: who will press the button, and what will it do? (take down a production system, cut off an entire office network, stop internet access)