YOU’VE BEEN BREACHED
NOW WHAT?
ARE YOU PREPARED?
MIKE SAUNDERS – CISSP, GCIH, GWAPT, GPEN
HARDWATER INFORMATION SECURITY, LLC
About Mike
In IT full-time since 1998
Entered IT Security in 2007
Certifications: CISSP, GCIH, GPEN, GWAPT
Agenda
Definition of a breach
Background statistics on breaches
Preparing your response plan
Putting your plan into action
Links to resources
Key Assumptions
Small to medium-sized business (SMB)
◦ Typically fewer than 500 employees
Few IT resources, few or none dedicated to IT security
What Is a Breach?
A breach is an intrusion into a computer system (i.e. hacking) or an exposure of sensitive data
Causes of a breach:
◦ mistakes
◦ crimes of opportunity
◦ targeted attacks
◦ viruses
◦ web-delivered malware
◦ malicious insiders
◦ unintentional disclosures
◦ loss/theft of laptop or media
High Profile Breaches
Anthem BCBS Premera Montana DPHHS
Target Home Depot Staples
Michaels eBay Snapchat
SendGrid White Lodging (2x) Dairy Queen
Jimmy John’s Goodwill P.F. Chang’s
California DMV Sony Did I mention Sony?
Closer to Home
Hornbacher’s (SUPERVALU)
ND University System
We’re Too Small to be a Target
Verizon 2015 DBIR – 2,122 incidents of confirmed data loss
◦ 573 in small business
2015 Symantec ISTR – 34% of spear phishing attacks directed at companies with fewer than 250 employees
44% of small businesses reported a breach
◦ 2013 National Small Business Association Technology Survey
60% of all attacks targeted small and medium businesses
◦ 2015 Symantec ISTR
Costs of a Breach
Verizon estimates costs between $52k and $87k for 1,000 records lost
Fines
Possible jail terms under HIPAA
Loss of customer and business partner confidence
Incident Response Framework
P – Preparation
I – Identification
C – Containment
E – Eradication
R – Recovery
L – Lessons Learned
Preparation
There are no secrets to success. It is the result of preparation, hard work, and learning from failure. – Colin Powell
Preparation: Getting Started
Get management support and executive sponsor!
Define your incident handling team members
◦ Not just IT! IT, Security, Legal, HR, PR, Management, external IT vendor
◦ Designate an incident leader. This person needs to be calm under fire
Preparation: The Crown Jewels
Define what’s important to your organization
◦ Email
◦ Online sales
◦ Data
◦ Proprietary information / trade secrets
Defining these guides your protection and monitoring efforts
Preparation: Basics
Charter
◦ Executive level authorization to perform IR duties
Policies
◦ Strong policies help enforce compliance and define roles and responsibilities
◦ Incident handling policies provide legal authority to investigate, “sniff” network traffic, and monitor activities
Procedures
◦ Clear, thorough, tested procedures help reduce confusion when tensions are high
◦ Checklists
◦ Notification procedures – legal, PR, law enforcement
Preparation: Communications
Define a communications plan
◦ Email and phone may be down or compromised; make sure you have cell numbers
◦ Identify alternate contacts
◦ Don’t forget to include IT vendor, network provider, etc.
◦ Law enforcement
◦ Test your calling tree at least annually
◦ Keep paper copies and keep them up to date
Preparation: Testing and Practice
Perform incident handling tabletop exercises
◦ When problems are identified, be sure to update procedures
Perform live response exercise annually
Identification: Sources
Logs / SIEM
◦ When in doubt, err on the side of excessive logging
◦ NSA – Spotting the Adversary with Windows Event Log Monitoring (see Resources)
◦ Firewalls
◦ Authentication success & fail
◦ AV / IDS
◦ DHCP
◦ DNS
◦ Web servers
Helpdesk
3rd parties & business partners
Identification: Assessment
First priority is to determine if a security incident occurred
Document the following
◦ Affected machine(s)
◦ Logged-on users
◦ Open network connections
◦ Running processes
◦ How incident was identified
◦ Who reported it
◦ When it was reported
◦ What was happening
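Added example (not from the original slides) tying two of the slides above together: it reviews authentication success/failure logs, one of the identification sources listed, and emits the assessment fields the deck says to document. The log format and sample lines are constructed for illustration.

```python
# Added example, not from the original slides: triage of authentication
# success/failure logs (one of the identification sources listed above) that
# emits the assessment fields the deck says to document for each finding.
from collections import defaultdict
from datetime import datetime
# Constructed sample lines: "<timestamp> <host> <FAIL|SUCCESS> <user> <source-ip>".
SAMPLE_LOG = """\
2015-06-01T08:00:01 fileserver01 FAIL jsmith 203.0.113.7
2015-06-01T08:00:03 fileserver01 FAIL jsmith 203.0.113.7
2015-06-01T08:00:05 fileserver01 FAIL jsmith 203.0.113.7
2015-06-01T08:00:09 fileserver01 FAIL jsmith 203.0.113.7
2015-06-01T08:00:12 fileserver01 SUCCESS jsmith 203.0.113.7
2015-06-01T08:05:00 fileserver01 FAIL mjones 192.0.2.10
2015-06-01T08:05:30 fileserver01 SUCCESS mjones 192.0.2.10
2015-06-01T09:00:00 webserver02 SUCCESS svc_backup 192.0.2.20
"""

def parse(log_text):
    """Yield (timestamp, host, result, user, source) tuples, skipping blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            ts, host, result, user, src = line.split()
            yield datetime.fromisoformat(ts), host, result, user, src

def find_suspicious_logons(log_text, threshold=3):
    """Flag a (host, user, source) that fails >= threshold times in a row and
    then succeeds: a password-guessing run that may have worked."""
    streak = defaultdict(list)  # current run of failure timestamps per key
    findings = []
    for ts, host, result, user, src in parse(log_text):
        key = (host, user, src)
        if result == "FAIL":
            streak[key].append(ts)
            continue
        fails = streak.pop(key, [])  # a success ends the run
        if len(fails) >= threshold:
            findings.append({
                "affected_machine": host,   # assessment fields from the deck
                "account": user,
                "source": src,
                "failures_before_success": len(fails),
                "first_seen": fails[0].isoformat(),
                "logon_time": ts.isoformat(),
            })
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_logons(SAMPLE_LOG):
        print(finding)
```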
Containment
Focus is stopping the spread
Follow documented containment procedures
Isolate affected host(s)
◦ Pull network cable / power down / firewall off
◦ Use attack signatures to build blocking rules (email / web filtering / IPS)
Image affected machines, store offline
◦ Tested forensics procedures are essential
Continue documenting all activities
Containment: Notification
Follow communications plan, notify internal parties as appropriate
If you’re going to contact law enforcement, now is the time
Contact legal counsel
Eradication
Focus is removal and restoration of affected systems
Wipe / Rebuild / Restore
Apply missing patches
Scan for indicators of compromise
Apply mitigations – firewall / WAF / IDS / update AV
Change passwords
Recovery
Goal is to bring systems back online without causing another incident
Verify issue is resolved
Increase monitoring
◦ Determine duration of increased monitoring
Mistakes Happen
Success does not consist in never making mistakes, but in never making the same one a second time. – George Bernard Shaw
Lessons Learned
Be sure to hold a lessons learned session after the breach
◦ Hold within two weeks
◦ Identify what failed and why
◦ Implement fixes and update documentation
Execution
Document all steps in a notebook
◦ Helps to have one person working, another keeping notes
Measure twice, cut once… First, do no harm…
◦ In other words, don’t be too hasty
Step back to see the forest, not just the trees
Summary
All sizes of organizations are being attacked
Effective incident response is about preparation and practice, not about tools!
Incident response plans are key to recovery and limiting liability
There is a vast array of resources available to help you build your plan
Resources
Local law enforcement, including FBI
Professional Security Organizations
◦ ISSA
◦ https://sites.google.com/site/northdakotaissa/
◦ InfraGard
◦ http://infragard-nd.org
SANS
◦ https://www.sans.org/
NOREX
◦ https://www.norex.net/
Resources
Creating a Computer Security Incident Response Team (CSIRT)
◦ http://www.cert.org/csirts/Creating-A-CSIRT.html
NIST SP800-61 Rev. 2: Computer Security Incident Handling Guide
◦ http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
SANS Incident Handling Forms
◦ http://www.sans.org/score/incidentforms/
Incident Handler’s Handbook
◦ https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
Incident Handling Annual Testing and Training
◦ https://www.sans.org/reading-room/whitepapers/incident/incident-handling-annual-testing-training-34565
Resources
SANS Policy Templates
◦ https://www.sans.org/security-resources/policies/
SANS Reading Room
◦ http://www.sans.org/reading_room/
An Incident Handling Process for Small and Medium Businesses
◦ http://www.sans.org/reading_room/whitepapers/incident/incident-handling-process-small-medium-businesses_1791
Blue Team Handbook: Incident Response Edition
◦ ISBN-13: 978-1500734756
◦ http://www.amazon.com/Blue-Team-Handbook-condensed-Responder/dp/1500734756/
Resources
NSA – Spotting the Adversary With Windows Event Log Monitoring
◦ https://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Log_Monitoring.pdf
U.S. DOJ Best Practices for Victim Response and Reporting of Cyber Incidents
◦ http://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/criminal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyber_incidents.pdf
Table Top Exercises for Incident Response
◦ http://seanmason.com/2015/04/20/table-top-exercises-ttx/
When Breaches Happen: Top Five Questions to Prepare For
◦ https://www.sans.org/reading-room/whitepapers/analyst/breaches-happen-top-questions-prepare-35220
Corporate Incident Response – Why You Can’t Afford to Ignore It
◦ http://www.mcafee.com/us/resources/white-papers/foundstone/wp-corp-incident-response.pdf
References
Verizon 2015 Data Breach Investigations Report
◦ http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report-2015_en_xg.pdf
Symantec 2015 Internet Security Threat Report
◦ https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-security-threat-report-volume-20-2015-social_v2.pdf
2013 National Small Business Association Technology Survey
◦ http://www.nsba.biz/wp-content/uploads/2013/09/Technology-Survey-2013.pdf
Contact Me
mike.saunders@hardwaterinformationsecurity.com
@hardwaterhacker
http://hardwatersec.blogspot.com/
Questions?