Incident Response in the age of Nation State Cyber Attacks

One of the most important and yet least discussed aspects of any corporate structure is the incident response framework. As recent events have highlighted, the risk of intellectual property and critical infrastructure being the target of a cyber-attack is quite real. More than ever before, corporate preparation and response plans are necessary for any entity operating in the digital age.

This webinar will examine how an organization's incident response framework can help limit the exposure of intellectual property and critical infrastructure to outside, malicious parties. Our presenters will review how to construct corporate response plans that yield best-of-breed preparedness.

Our featured speakers for this timely webinar are:

- Mike Gibbons, Managing Director, Alvarez and Marsal; former FBI Special Agent and Unit Chief overseeing all cyber crime investigations

- Art Ehuan, Managing Director, Alvarez and Marsal; former FBI Supervisory Special Agent assigned to the Computer Crimes Investigations Program

- Gant Redmon, Esq., CIPP/US, General Counsel and Vice President of Business Development at Co3


Presentation note: adapted from the standard Emergency Response Process of Prepare, Respond, Recover, Mitigate.

Presentation Transcript

  • Incident Response In The Age Of Nation-State Cyber Attacks
  • Agenda
    • Introduction
    • Incident Response Framework
    • Construction of Corporate IR Plans
    • Corporate Preparedness
  • Introductions: Today’s Speakers
    • Art Ehuan, Managing Director, Alvarez and Marsal
    • Michael Gibbons, Managing Director, Alvarez and Marsal
    • Gant Redmon, General Counsel, Co3 Systems
  • Co3 Automates Incident Response
    PREPARE: Improve Organizational Readiness
    • Invite team members
    • Fine-tune response policies and procedures
    • Run simulations (firedrills / table tops)
    ASSESS: Identify and Evaluate Incidents
    • Engage appropriate team members
    • Evaluate precursors and indicators
    • Track incidents, maintain logbook
    • Automatically prioritize activities based on criticality
    • Log evidence
    • Generate assessment summaries
    MANAGE: Contain, Eradicate, and Recover
    • Generate real-time IR plan
    • Coordinate team response
    • Choose appropriate containment strategy
    • Isolate and remediate cause
    • Instruct evidence gathering and handling
    REPORT: Document Results & Improve Performance
    • Generate reports for management, auditors, and authorities
    • Document results
    • Conduct post-mortem
    • Update policies and procedures
    • Track evidence
    • Evaluate historical performance
  • Supporting Strength For Investigations Including Breach
    Our global firm and its professionals bring credibility to investigations and presentations in regulatory, criminal, civil and other proceedings.
    Alvarez & Marsal (A&M) is a global professional services firm specializing in turnaround and interim management, performance improvement and business advisory services. A&M delivers specialist operational, consulting and industry expertise to management and investors seeking to accelerate performance, overcome challenges and maximize value across the corporate and investment lifecycles. Founded in 1983, the firm is known for its distinctive restructuring heritage, hands-on approach and relentless focus on execution and results.
    Our experts have worked for Big Four accounting firms, the Securities and Exchange Commission and other regulatory bodies, and some of the world’s leading corporations. In addition, our professionals hold advanced degrees and designations, including:
    • Certified Public Accountants (CPA), JDs, MBAs, and PhDs
    • Accredited Valuation Analysts (AVA)
    • Certified Computer, Forensic, and EnCase Examiners (CCE, CFCE, EnCE)
    • Certified Information System Security Professionals (CISSP)
    • Certified Information Privacy Professionals (CIPP)
    • Chartered Financial Analysts (CFA)
    • Certified Fraud Examiners (CFE)
    • Certified Management Accountants (CMA)
    • CPAs Certified in Financial Forensics (CFF) and Business Valuation (ABV)
  • Who Are A&M Clients?
    • 98 of AmLaw 100 firms
    • 20% of the Fortune Global 500
    • 19 of the FTSE 100
    • 300+ Mid- and Large-Cap Private Equity Firms
    • 50% of all Fortune 100 companies
    • 18 out of 20 of the largest banks in the United States
  • Cyber Crime Is Mainstream
    • The consensus from both government and business is that cyber attacks against organizations will continue to increase for the foreseeable future
    • It is estimated that the global cost of cyber crime is in the hundreds of millions to billions of dollars
    • The costs are either direct or indirect, due to the money that organizations must spend to prepare, to contain during a breach, or to remediate after the event
  • Cyber Crime Is Mainstream (cont.)
    • Corporations have myriad cyber criminals to contend with
    • In particular, the financial sector will continue to see expanded attacks from Organized Crime groups that have extensive resources to target small, medium and large financial institutions
    • Regardless of the size of the business, no organization is immune from cyber attack; Organized Crime groups are interested in the data that are stored/maintained or in access to systems
  • Cyber Crime Is Mainstream (cont.)
    • Nation-States are increasingly aggressive in their compromise of corporate and government systems for intellectual property, research and development information and other data
    • It is estimated that there are currently dozens of countries with cyber warfare capability around the globe, with many more building capacity in the coming years
  • Cyber Crime Is Mainstream (cont.)
    • The Nation-State threat is the most difficult to identify and defeat due to the sophisticated nature of the adversary
    • Nation-State actors are tenacious, deliberate and methodical in their approach to breaching an organization
  • POLL
  • Types Of Compromise (chart) Source: Ponemon Research Institute, “Post Breach Boom 2013”, 3,529 IT and IT Security respondents
  • Timeframe for Corporate Incident Discovery
    The discovery of malicious breaches averages 80 days for corporations. Source: Ponemon Research Institute, “Post Breach Boom 2013”, 3,529 IT and IT Security respondents
  • The Advanced Persistent Threat (APT)
    APT is a cyber threat that is considered:
    • Intelligent and sophisticated
    • Dynamic and flexible
    • Extremely patient
    • Difficult to attribute
    • Not identified, detected, or prevented by traditional security tools
  • Corporate Information Loss
    • Internal / Malicious Employee Actions: Employee sent CD-ROM with personal data on registered advisors (139,000 records)
    • Cyber-Attacks: Hackers stole customer data, including credit card information (100 million records)
    • Lost / Stolen Assets: Laptops with patient data stolen by former employee (208,000 records)
    • Third-Party Leaks: Digital marketing agency exposes customer data of dozens of clients (millions of records)
    Information Loss: The exposure / loss of consumer or employee Personal Information, as well as trade secrets and intellectual property, from a compromise.
  • Incident Response Corporate Awareness
    Can you answer these questions?
    • Preparation: Is your organization adequately prepared for an incident?
    • Engaged: When the incident occurs, is management actively engaged, and can it respond to the Board and customers?
    • Prevention: Will management know how the incident occurred and how to prevent the breach from reoccurring?
    • Data Loss: Will management know what IP or data was compromised?
    • Market Impact
  • Incident Response Cycle
    • Prepare the Incident Response Plan
    • Detect the Incident
    • Analyze the Incident Impact
    • Recover from the Incident
    • After-Action and Lessons Learned
    Cycle: Preparation, Detection, Analysis, Recovery, After-Action
  • Incident Response Plan Development
    • Develop the Incident Response Plan
    • Identify Gaps in Required Technical Controls, Processes, and People
    • Identify All Stakeholders and Vendors (change management)
    • Prepare for Legal and Regulatory Obligations in case of Breach
    • Conduct Training (may include a table top exercise)
    • Test and improve plans on a periodic schedule, or after incidents, to improve the plan
  • Documented Procedures for Every Step in the Process
    Detailed, Step-by-Step Instructions for Staff
  • IR Plan is Strategic Document for Entire Corporation
    Incident Response Initiation (initial steps to take):
    • Invoke incident response plan
    • If logging not enabled, enable it immediately
    • Assemble incident response team
    • Document incident
    • Preserve evidence
    • Notify internal personnel
    • Notify external entities
    Communications Planning:
    • Purposes, types
    • Forms (meetings, teleconferences, email, IM, online postings to site)
    • Risks with forms
    • Documentation and preservation
    • Notifications
    Business Units:
    • Owner of systems and data
    • Identifying operational impacts and risks
    • Interfacing with response team
    • Interfacing with communications staff
    CIO:
    • Follow Company Crisis Management Plan
    • Update Business Continuity and Disaster Recovery Plan to reflect IR Plan
    Employees:
    • PR: media inquiries handled by central authority
    • Information about event: who provides it, what to say to them
    • Postings or mass distribution
    • Policies regarding what employees say to press, Twitter, social media, etc.
    Forensic Experts (directed by CSO / CISO):
    • Matching skills to event
    • Supervision of and instructions to forensic experts
    • Interaction with other experts
    C-Suite and Board:
    • Informing senior management and board
    • Form of communication
    • Ongoing (war room, meetings, teleconferences, etc.)
    • Auditors, Financial Regulators
    General Counsel:
    • Professional ethics / obligations
    • Preservation of privilege: attorney-client, attorney work product, actions that can waive privilege
  • Continual Improvement at all Levels of IR Plan
    • Prepare and Customize the Incident Response Plan
    • Develop Industry Specific Scenarios for Testing
    • Identify List of Stakeholders
    • Conduct Internal Plan Walkthrough
    • Conduct Table Top Exercise With Stakeholders
    • Improve and Implement Plan
    Cycle: Create Draft Plan, Prepare Risk Scenarios, Bring Stakeholders Together, Walkthroughs and Table Tops, Iterative Improvement, READY STATE
  • POLL
  • Incident Response Case Study
  • Incident Response Case Study
    • Victim company was the subject of an intrusion whereby extremely sensitive information (“PII”) was stolen over a 1.5 year period
    • The initial attack vector was an MS SQL server on the network
    • Initial internal response and analysis by the company determined that the attack had been contained and eliminated
    • The compromise of the MS SQL server created a staging area for deeper penetration of the network over a 1 1/2 year period
    • Penetration and compromise of over 80% of the systems (hosts and network) was identified
    • The company would occasionally find traces of unusual activity and block the intruder, and the intruder would always return
  • Incident Response Case Study: Intruder Approach
    • The intruder exploited a known vulnerability in an MS SQL Server
    • Wiped and altered network and system logs
    • Created numerous back doors throughout the network
    • “Sniffed” network traffic for user IDs and passwords
    • Used valid user credentials to navigate throughout the network unmolested
    • Encrypted, zipped, RAR’d data for exfiltration
  • Incident Response Case Study: Intruder Identification
    • Identification did not occur from firewall, IPS / IDS monitoring or employee monitoring observations
    • Anomalous activity was identified by a third-party company that notified the victim of a possible intrusion
    • The victim company initiated its own internal investigation and overwrote critical digital evidence due to outdated processes and tools
    • Outside assistance was sought when the victim company realized that it was not in a position to properly investigate due to the sophistication of the attack
  • Incident Response Case Study: Incident Response Mechanism
    • Immediate containment of known or suspect systems
    • Extrusion monitoring of inbound/outbound traffic
    • RAM forensic imaging and analysis
    • System forensic imaging and analysis
    • Identification and analysis of malware
    • Log identification, capture and analysis
    Workstreams: Network Traffic Analysis, RAM Forensics, System Analysis, Log Analysis
  • Incident Response Case Study: Issues Identified and Lessons Learned
    • No centralized log analysis capability
    • Flat network with little segmentation
    • No policy or experience in properly securing sensitive information systems
    • No policy or experience in incident response
    • No monitoring of outbound network traffic
    • IT and security personnel did not have any training or experience in identifying anomalous or unusual behavior on the network
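Two of the lessons learned above (no monitoring of outbound traffic, no centralized log analysis) turned into a small detector, added here as an example and not part of the webinar or the firms' material; the flow records, syslog lines, host names and the 10.0.0.0/8 internal range are constructed assumptions.

```python
"""Extrusion monitoring and log-gap detection over constructed records."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

INTERNAL_PREFIX = "10."  # assumption: the corporate range is 10.0.0.0/8

# Constructed flow records: (source host, destination IP, bytes sent).
FLOWS = [
    ("ws-01",     "10.0.0.5",       40_000),
    ("ws-01",     "203.0.113.7",    60_000),
    ("ws-02",     "203.0.113.9",    80_000),
    ("fileshare", "198.51.100.3",   90_000),
    ("db-sql-01", "10.0.0.5",      500_000),
    ("db-sql-01", "198.51.100.44", 3_000_000_000),  # bulk archive leaving the network
]

# Constructed syslog lines: "<ISO timestamp> <host> <message>".
SYSLOG = """\
2013-03-01T01:00:00 ws-01 sshd: session opened for user alice
2013-03-01T01:20:00 ws-01 cron: job finished
2013-03-01T01:40:00 ws-01 sshd: session closed for user alice
2013-03-01T01:00:00 db-sql-01 MSSQLSERVER: login succeeded for user sa
2013-03-01T01:15:00 db-sql-01 MSSQLSERVER: backup completed
2013-03-01T01:30:00 db-sql-01 MSSQLSERVER: login succeeded for user sa
2013-03-01T09:00:00 db-sql-01 MSSQLSERVER: service started
"""


def outbound_outliers(flows, factor=10):
    """Sum the bytes each host sends outside the internal range and flag hosts
    whose total exceeds `factor` times the median host. Returns {host: bytes}."""
    totals = defaultdict(int)
    for src, dst, nbytes in flows:
        if not dst.startswith(INTERNAL_PREFIX):
            totals[src] += nbytes
    if not totals:
        return {}
    baseline = median(totals.values())
    return {host: sent for host, sent in totals.items() if sent > factor * baseline}


def log_gaps(syslog_text, max_gap=timedelta(hours=2)):
    """Group lines by host, sort by time and report silences longer than
    `max_gap`; a wiped log usually shows as a long gap ending in a restart.
    Returns [(host, gap_start_iso, gap_end_iso), ...]."""
    by_host = defaultdict(list)
    for line in syslog_text.splitlines():
        stamp, host, _message = line.split(" ", 2)
        by_host[host].append(datetime.fromisoformat(stamp))
    gaps = []
    for host, stamps in by_host.items():
        stamps.sort()
        for earlier, later in zip(stamps, stamps[1:]):
            if later - earlier > max_gap:
                gaps.append((host, earlier.isoformat(), later.isoformat()))
    return gaps


if __name__ == "__main__":
    print("outbound outliers:", outbound_outliers(FLOWS))
    print("log gaps:", log_gaps(SYSLOG))
```

Both checks need the logs and flow records to exist centrally first; in the case study, the absence of that collection is what let the intruder wipe evidence and exfiltrate unnoticed.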
  • Closing: Quotes and Contacts
    “Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.” (PC MAGAZINE, EDITOR’S CHOICE)
    “Co3…defines what software packages for privacy look like.” (GARTNER)
    “Platform is comprehensive, user friendly, and very well designed.” (PONEMON INSTITUTE)
    Co3 Systems: One Alewife Center, Suite 450, Cambridge, MA 02140; PHONE 617.206.3900; WWW.CO3SYS.COM
    Art Ehuan, Managing Director, Alvarez and Marsal, Email: aehuan@alvarezandmarsal.com
    Michael Gibbons, Managing Director, Alvarez and Marsal, Email: mgibbons@alvarezandmarsal.com
  • Art Ehuan, Managing Director, San Antonio, TX
    • Art Ehuan has extensive, high-profile industry and law enforcement experience in the field of information security. Mr. Ehuan specializes in nation-state strategic advisory services, including incident response, digital investigations, data protection and e-discovery, for corporate and government agencies, and provides domestic and global thought leadership on these topics. Mr. Ehuan also serves as a senior lecturer on cyber crime for the U.S. State Department, Diplomatic Security Service, Anti-Terrorism Assistance Program.
    • Prior to becoming a Managing Director at A&M, Mr. Ehuan led the firm Forward Discovery for five years. Mr. Ehuan also served as Assistant VP and Director of the Corporate Information Security Department for USAA, a Fortune 200 financial services company. In this role, he was responsible for worldwide enterprise and strategic guidance on the protection of USAA information and established their digital forensic capability and Advanced Data Security and Incident reporting programs.
    • Among Mr. Ehuan’s high-profile corporate positions was Deputy Chief Information Security Officer for the Northrop Grumman Corporation. He was responsible for protecting data from internal and external cyber threats, developing and managing security operations and implementing a corporate digital investigative unit. Mr. Ehuan was also a Federal Information Security Team Manager for BearingPoint (formerly KPMG Consulting), where he established information security initiatives and solutions for government and corporate organizations, as well as developing BearingPoint’s corporate incident response and digital forensic services. In addition, Mr. Ehuan served as the Program Manager for Cisco Systems Information Security, where he was responsible for securing corporate networks, managing risk assessments, protecting source code and developing Cisco’s worldwide digital forensic capability.
    • As a law enforcement officer, Mr. Ehuan has worldwide experience working on cases involving computer crimes. His extensive background conducting and managing computer intrusion and forensic investigations with the Federal Bureau of Investigation (FBI) led to his assignment as a Supervisory Special Agent assigned to the Computer Crimes Investigations Program at FBI Headquarters in Washington, D.C. In addition, he served as a Computer Analysis Response Team Certified Examiner, where he developed and conducted training for law enforcement globally. Mr. Ehuan served as a computer crime Special Agent for the Air Force Office of Special Investigations, where he investigated cyber crime against the network systems of the U.S. Department of Defense. Mr. Ehuan has also testified in Federal, State and Military courts in cases involving digital forensics.
    • Mr. Ehuan has received industry credentials including: EnCase® Certified Examiner (EnCE®), Certified Information Systems Security Professional (CISSP), Cisco Certified Network Professional (CCNP), Cisco Certified Design Professional (CCDP) and Certified Forensics Computer Examiner (CFCE). He also maintains the Infosec Assessment Methodology (IAM) credentials with the National Security Agency (NSA).
    • Mr. Ehuan was previously an Adjunct Professor/Lecturer at George Washington University, Georgetown University and Duke University, where he taught courses on cyber crime, incident response, digital investigations and computer forensics. He is a contributing author of Techno-Security’s Guide to E-Discovery & Digital Forensics and CyberForensics: Understanding Information Security Investigations.
  • J. Michael Gibbons, Managing Director, Washington, D.C.
    • J. Michael Gibbons is a Managing Director with Alvarez & Marsal’s Global Forensic and Dispute Services practice and a strategic information security specialist with over 25 years of experience on a global scale. Mr. Gibbons’ expertise focuses on service delivery, information protection, privacy, risk management, incident response, advisory services and governance, including compliance management.
    • Mr. Gibbons offers a proven record of improving processes, reducing costs and mitigating risks by developing and implementing technical solutions that enable secure, reliable information sharing and computing. He expertly identifies and resolves security weaknesses to ensure regulatory compliance, and demonstrates confident leadership while working under high stress, within tight deadlines, and for major organizations such as Marriott, JPMorgan Chase, FDIC, DOS, ING, Freddie Mac, USAA, Department of Homeland Security, and the F.B.I.
    • Prior to joining A&M, Mr. Gibbons was a Principal at Deloitte & Touche, LLP, where he directly managed security services delivery at a major financial services client and three US federal agencies. Mr. Gibbons worked directly with the chief information security officer (CISO) and external audit staff to remove audit findings at a financial services regulator, and prepared a long-term strategic vision for security for a large US Agency.
    • For more than five years, Mr. Gibbons was a Managing Director at BearingPoint, where he oversaw all Security Services across the company and developed a security practice there, growing a team to 65+ professionals. Mr. Gibbons led the development of new security services and implementation of information security products including intrusion detection and application security controls. He additionally was a Vice President for Security Services for Unisys for three years, where he implemented a Security Operations Center that monitored the network security of three major U.S. Agencies including the TSA.
    • Mr. Gibbons served a 15-year tenure at the Federal Bureau of Investigation (FBI), most recently as Special Agent, Chief of the Computer Investigations Unit, where key highlights included overseeing all cyber crime investigations for the FBI, nationally and internationally. In 1995 he established and led the largest Federal Health Care Fraud Task Force in the nation, still in operation today. The most notable investigation led by Mr. Gibbons was documented in the New York Times Bestselling book titled “The Cuckoo’s Egg”, which resulted in three convictions for cyber espionage in German Federal Court.
    • Mr. Gibbons earned a B.S. in Communications and Administration of Justice from Southern Illinois University, and Special Agent, Security Officer, and advanced investigative training from the F.B.I. Academy at Quantico, VA. He graduated with Distinction from the National Defense University Advanced Management Program.
    • Mr. Gibbons is a Certified Information System Security Professional (CISSP #20644) and a Certified Information Privacy Professional (CIPP # 867251). He also maintains the InfoSec Assessment Methodology (IAM) credentials with the National Security Agency (NSA).