Your organization will be breached. It's a matter of when, not if. How you respond may be the difference between recovering and closing your doors. This talk is designed to help small businesses or businesses with small IT organizations to develop a viable incident response program.

1. YOU WILL BE BREACHED
ARE YOU PREPARED?
MIKE SAUNDERS – CISSP, GCIH, GWAPT, GPEN
HARDWATER INFORMATION SECURITY, LLC

2. About Mike
In IT full-time since 1998
Entered IT Security in 2007

3. Agenda
Definition of a breach
Background statistics on breaches
Preparing your response plan
Putting your plan into action
Links to resources

4. Key Assumptions
Small to medium-sized business (SMB)
◦ Typically fewer than 500 employees
Few IT resources, few or none dedicated to IT security
Incident Response IS NOT about tools!

5. What Is a Breach?
Breach means an intrusion into a computer system, i.e. hacking, or
exposure of sensitive data
Causes of a breach:
◦ crimes of opportunity
◦ targeted attacks
◦ viruses
◦ web-delivered malware
◦ malicious insiders
◦ mistakes / unintentional disclosure
◦ Loss/theft of laptop or media

6. Lots of Breaches
Anthem BCBS Premera CareFirst
OPM Target Home Depot
Staples eBAY Snapchat
SendGrid White Lodging (2x) Dairy Queen
Jimmy Johns Goodwill SUPERVALU
California DMV Sony Did I mention Sony?
The list goes on, and on, and on…

7. We’re Too Small to be a Target
Verizon 2015 DBIR – 2,122 incidents of confirmed data loss
◦ 573 in small business
2015 Symantec ISTR – 34% of spear phishing attacks directed at
companies with fewer than 250 employees
60% of all attacks targeted small and medium businesses
◦ 2015 Symantec ISTR
44% of small businesses reported a breach
◦ 2013 National Small Business Association Technology Survey

8. Costs of a Breach
Verizon estimates between $52k -
$87k costs for 1000 records lost
Fines
Possible jail terms under HIPAA
Loss of customer and business
partner confidence

9. Incident Response Framework
P – Preparation
I – Identification
C – Containment
E – Eradication
R – Recovery
L – Lessons Learned

10. Preparation
There are no secrets to success. It is the result of preparation, hard
work, and learning from failure. – Colin Powell

11. Preparation: Getting Started
Get management support and executive sponsor!
Define your incident handling team members
◦ Not just IT! IT, Security, Legal, HR, PR, Management, external IT vendor
◦ Designate an incident leader. This person needs to be calm under fire

12. Preparation: The Crown Jewels
Need to define what’s important to your organization to guide
protection / monitoring
◦ Email
◦ Online sales
◦ Data
◦ Proprietary information / trade secrets

13. Preparation: Basics
Charter
◦ Executive level authorization to perform IR duties
Policies
◦ Strong policies help enforce compliance and define roles and responsibilities
◦ Incident Handling policies provide legal authority to investigate, “sniff”
network traffic, monitor activities
Procedures
◦ Clear, thorough, tested procedures help reduce confusion when tensions are
high
◦ Checklists
◦ Notification procedures – legal, PR, law enforcement

14. Preparation: Communications
Define a communications plan
◦ Email and phone may be down or compromised; make sure you have cell
numbers
◦ Identify alternate contacts
◦ Don’t forget to include IT vendor, network provider, etc.
◦ Law enforcement
◦ Test your calling tree at least annually
◦ Keep paper copies and keep them up to date

15. Preparation: Testing and
Practice
Perform incident handling
tabletop exercises
◦ When problems are identified,
be sure to update procedures
Perform live response exercise annually

16. Identification: Sources
Logs / SIEM
◦ When in doubt, err on excessive logging
◦ NSA – Spotting the adversary document
◦ Firewalls
◦ Authentication success & fail
◦ AV / IDS
◦ DHCP
◦ DNS
◦ Web servers
Helpdesk
3rd parties & business partners

17. Identification: Assessment
First priority is to determine if a security incident occurred
Document the following
◦ Affected machine(s)
◦ Logged on users
◦ Open network connections
◦ Running processes
◦ How incident was identified
◦ Who reported it
◦ When it was reported
◦ What was happening

18. Containment
Focus is stopping the spread
Follow documented containment procedures
Isolate affected host(s)
◦ Pull network cable / power down / firewall off
◦ Use attack signatures to build rules
◦ email / web filtering / IPS
Image affected machines, store offline
◦ Tested forensics procedures are essential
Continue documenting all activities
tumblr

19. Containment: Notification
Now is the time to activate the incident response team
Follow communications plan, notify internal parties as appropriate
If you’re going to contact law enforcement, now is the time
Contact legal counsel

20. Eradication
Focus is removal and restoration of affected systems
Wipe / Rebuild / Restore
Apply missing patches
Scan for indicators of compromise
Apply mitigations – firewall / WAF / IDS / update AV
Change passwords

21. Recovery
Goal is to bring systems back online without causing another incident
Verify issue is resolved
Increase monitoring
◦ Determine duration of increased monitoring

22. Mistakes Happen
Success does not consist in never making mistakes, but in never making
the same one a second time.
– George Bernard Shaw

23. Lessons Learned
Be sure to hold a lessons learned session after breach
◦ Hold within two weeks
◦ Identify what failed and why
◦ Implement fixes and update documentation

24. Execution
Document all steps in a notebook
◦ Helps to have one person working, another keeping notes
Measure twice, cut once… First, do no harm…
◦ In other words, don’t be too hasty
Step back to see the forest
for the trees

25. Summary
All sizes of organizations are being attacked
Effective incident response is about preparation and practice, not about
tools!
Incident response plans are key to recovery and limiting lossses
There is a vast array of resources available to help you build your plan

26. Resources
Local law enforcement, including FBI
Professional Security Organizations
◦ ISSA
◦ InfraGard
SANS
◦ https://www.sans.org/
NOREX
◦ https://www.norex.net/

27. Resources
Creating a Computer Security Incident Response Team (CSIRT)
◦ http://www.cert.org/csirts/Creating-A-CSIRT.html
NIST SP800-61 Rev. 2: Computer Security Incident Handling Guide
◦ http://crsc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
SANS Incident Handling Forms
◦ http://www.sans.org/score/incidentforms/
Incident Handler’s Handbook
◦ https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-
handbook-33901
Incident Handling Annual Testing and Training
◦ https://www.sans.org/reading-room/whitepapers/incident/incident-handling-
annual-testing-training-34565

28. Resources
SANS Policy Templates
◦ https://www.sans.org/security-resources/policies/
SANS Reading Room
◦ http://www.sans.org/reading_room/
An Incident Handling Process for Small and Medium Businesses
◦ http://www.sans.org/reading_room/whitepapers/incident/incident-handling-
process-small-medium-businesses_1791
Blue Team Handbook: Incident Response Edition
◦ ISBN-13: 978-1500734756
◦ http://www.amazon.com/Blue-Team-Handbook-condensed-
Responder/dp/1500734756/

29. Resources
NSA – Spotting the Adversary With Windows Event Log Monitoring
◦ https://www.nsa.gov/ia/_files/app/Spotting_the_Adversary_with_Windows_Event_Lo
g_Monitoring.pdf
U.S. D.O.J Best Practices for Victim Response and Reporting
◦ http://www.justice.gov/sites/default/files/opa/speeches/attachments/2015/04/29/cri
minal_division_guidance_on_best_practices_for_victim_response_and_reporting_cyb
er_incidents.pdf
Table Top Exercises for Incident Response
◦ http://seanmason.com/2015/04/20/table-top-exercises-ttx/
When Breaches Happen: Top Five Questions to Prepare For
◦ https://www.sans.org/reading-room/whitepapers/analyst/breaches-happen-top-
questions-prepare-35220
Corporate Incident Response – Why You Can’t Afford to Ignore It
◦ http://www.mcafee.com/us/resources/white-papers/foundstone/wp-corp-incident-
response.pdf

30. References
Verizon 2015 Data Breach Investigations Report
◦ http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-
report-2015_en_xg.pdf
Symantec 2015 Internet Security Threat Report
◦ https://www4.symantec.com/mktginfo/whitepaper/ISTR/21347932_GA-internet-
security-threat-report-volume-20-2015-social_v2.pdf
2013 National Small Business Association Technology Survey
◦ http://www.nsba.biz/wp-content/uploads/2013/09/Technology-Survey-2013.pdf

31. Contact Me
mike.saunders@hardwaterinformationsecurity.com
@hardwaterhacker
http://hardwatersec.blogspot.com/

32. Questions?