When a cyber security incident occurs, you need to understand exactly how the attack happened, so you can plan the best way to respond. Earlier this week, we hosted a webinar where our cyber security expert, Janne Kauhanen, talked about incident response.
Article URL: https://business.f-secure.com/got-hacked-cyber-security-webinar4
2. 360° OF CYBER SECURITY
(diagram with four segments; the text of each segment follows)
UNDERSTAND YOUR RISK, KNOW YOUR ATTACK SURFACE, UNCOVER WEAK SPOTS
MINIMIZE ATTACK SURFACE, PREVENT INCIDENTS
RECOGNIZE INCIDENTS AND THREATS, ISOLATE AND CONTAIN THEM
REACT TO BREACHES, MITIGATE THE DAMAGE, ANALYZE AND LEARN
3. AGENDA
Definitions
Threat detection, a short summary
Why do you get hacked?
What to do when you get hacked?
Incident Response process
Forensics
Incident Response capabilities you should (and shouldn’t) have
Crisis management
21. FORENSIC INVESTIGATION
1. HOW WAS THE DEVICE BREACHED?
‒ WHAT WAS THE ROOT CAUSE?
2. HOW DID THE ATTACKER COMMUNICATE WITH THE DEVICE?
‒ IS THE ATTACKER STILL ABLE TO COMMUNICATE WITH THE DEVICE?
3. WAS THE ATTACKER ABLE TO MOVE BEYOND THIS DEVICE?
‒ IS THERE A WAY TO DETECT INFECTED DEVICES?
4. WAS DATA EXFILTRATED FROM THE DEVICE?
‒ HOW MUCH DATA, WHAT KIND OF DATA, AND WHERE DID IT GO?
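Questions 2 to 4 of the forensic investigation above can be answered in a first pass from outbound proxy or firewall logs: a compromised host that polls its command-and-control server shows up as a near-constant connection interval to one destination, pivoting on that destination reveals other infected hosts, and summing bytes sent per destination shows where a large transfer went. The script below is an added example and not part of the webinar or any F-Secure tool; the log format (one key=value line per connection), the host names, the timestamps and the TEST-NET addresses are all constructed for the example, and the thresholds (at least five contacts, interval variation under 20 %, 100 MiB outbound) are illustrative assumptions to tune per environment.

```python
"""Triage helpers for the forensic questions above (C2 beaconing, other
infected hosts, outbound data volume), run over constructed proxy log lines.
Log format, hosts, addresses, timestamps and thresholds are all assumptions
made for this example; none of it comes from the webinar."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real data). ws-042 polls 203.0.113.10
# about once a minute, ws-017 also contacts that address once, and ws-042
# later pushes ~250 MiB to 198.51.100.7. 192.0.2.80 is ordinary traffic.
SAMPLE_LOG = """\
2016-03-01T10:00:00Z host=ws-042 dst=203.0.113.10 dport=443 bytes_out=412 bytes_in=1180
2016-03-01T10:00:13Z host=ws-042 dst=192.0.2.80 dport=443 bytes_out=2200 bytes_in=48000
2016-03-01T10:01:01Z host=ws-042 dst=203.0.113.10 dport=443 bytes_out=409 bytes_in=1180
2016-03-01T10:01:47Z host=ws-042 dst=192.0.2.80 dport=443 bytes_out=1800 bytes_in=51000
2016-03-01T10:01:59Z host=ws-042 dst=203.0.113.10 dport=443 bytes_out=415 bytes_in=1180
2016-03-01T10:03:00Z host=ws-042 dst=203.0.113.10 dport=443 bytes_out=410 bytes_in=1180
2016-03-01T10:04:02Z host=ws-042 dst=203.0.113.10 dport=443 bytes_out=411 bytes_in=1180
2016-03-01T10:04:40Z host=ws-017 dst=203.0.113.10 dport=443 bytes_out=408 bytes_in=1180
2016-03-01T10:05:00Z host=ws-042 dst=203.0.113.10 dport=443 bytes_out=413 bytes_in=1180
2016-03-01T10:06:30Z host=ws-042 dst=198.51.100.7 dport=443 bytes_out=262144000 bytes_in=900
2016-03-01T10:09:12Z host=ws-042 dst=192.0.2.80 dport=443 bytes_out=1500 bytes_in=39000
2016-03-01T10:15:00Z host=ws-101 dst=192.0.2.80 dport=443 bytes_out=1700 bytes_in=42000
"""


def parse_log(text):
    """Turn 'timestamp key=value ...' lines into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        ev["bytes_out"] = int(ev["bytes_out"])
        ev["bytes_in"] = int(ev["bytes_in"])
        events.append(ev)
    return events


def find_beacons(events, min_count=5, max_cv=0.2):
    """Question 2: (host, dst) pairs contacted at a near-constant interval.
    Returns {(host, dst): period_in_seconds} for pairs whose inter-arrival
    times have a coefficient of variation at or below max_cv."""
    by_pair = defaultdict(list)
    for ev in events:
        by_pair[(ev["host"], ev["dst"])].append(ev["ts"])
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[pair] = round(avg)
    return beacons


def hosts_contacting(events, dst):
    """Question 3: pivot on a suspected C2 address to list every host that
    reached it, i.e. candidates for the same infection."""
    return sorted({ev["host"] for ev in events if ev["dst"] == dst})


def outbound_volume(events, host, min_bytes=100 * 1024 * 1024):
    """Question 4: destinations to which `host` sent at least min_bytes,
    largest first, as (dst, total_bytes_out) tuples."""
    totals = defaultdict(int)
    for ev in events:
        if ev["host"] == host:
            totals[ev["dst"]] += ev["bytes_out"]
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [(dst, n) for dst, n in ranked if n >= min_bytes]


EVENTS = parse_log(SAMPLE_LOG)

if __name__ == "__main__":
    beacons = find_beacons(EVENTS)
    print("beaconing pairs:", beacons)
    for host, dst in beacons:
        print("hosts contacting", dst, "->", hosts_contacting(EVENTS, dst))
        print("large outbound transfers from", host, "->",
              outbound_volume(EVENTS, host))
```

The interval test is deliberately simple: real implants add jitter, so in practice the coefficient-of-variation threshold is loosened and the analysis is repeated over longer windows, and the byte totals are only a lower bound on exfiltration because a proxy log sees nothing sent over channels that bypass it.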
28. CRISIS MANAGEMENT EXERCISE
Scenarios based on real life, adjusted to target organization
GameMaster monitors actions and generates additional inputs
29. THERE ARE TWO TYPES OF COMPANIES: THOSE WHO HAVE BEEN BREACHED, AND THOSE WHO DON’T KNOW IT YET.