SlideShare a Scribd company logo

24 Hours After a Breach

Download as PPTX, PDF
LIFARS
LIFARS

The document summarizes the key steps that occur in the first 24 hours after a data breach is detected: 1) Getting the call - The breach is detected either internally or externally, causing a state of panic as the organization tries to contain the attack. External emergency response assistance is required due to limited internal resources. 2) Arrival on scene - The emergency response team arrives to begin investigation and remediation. They assess compromised systems and secure digital evidence while involving key stakeholders. Damage assessment reveals the attacker's penetration depth. 3) Crisis management - The executive team follows a breach plan, preparing PR, legal, and regulatory responses while ensuring an coherent message that does not trigger further issues. A breach tests

Technology
1 of 26
The First 24 Hours After a Breach By Ondrej KREHEL Paul Kubler 2
3 ONDREJ KREHEL CISSP, CEH, CEI FOUNDER & CEO DIGITAL FORENSICS LEAD LIFARS, LLC Twitter: @LIFARSLLC LIFARS is a NYC-based Digital Forensics, Incident Response, and Cybersecurity Intelligence firm.
4 PAUL KUBLER CISSP, EnCE, CCNA, Sec+, ACE Digital Forensics Examiner LIFARS, LLC Twitter: @LIFARSLLC LIFARS is a NYC-based Digital Forensics, Incident Response, and Cybersecurity Intelligence firm.
6
Agenda 1 Getting the Call 2 Arrival on the Scene 3 Crisis Management 4 Evidence Collection & Remediation 5 Q&A
Ever Wonder What Happened Before You Saw These in the News?
Getting the Call » Detection of a Breach • By the internal IT/security team • By an outside organization » State of Panic • Unprepared to deal with a breach • Try to contain the attack internally
Getting the Call (continued) » Internal IT team is heavily utilized • External assistance required » Race against time • High pressure to stop “cyberbleeding” and minimize the impact • Effectively engage a third party emergency response team
Arrival on the Scene » Emergency response team arrives • Investigation and remediation begins » Primary objectives • Understand attacker profile and motives • Assess compromised systems state • Secure digital evidence • Involve key decision tenants
IT’S ABOUT TIME FOR SOME… “INVESTIGATION”
Arrival on the Scene » Damage Assessment • Of business and technological areas • Reveals how deeply the attacker was able to penetrate the network • Examination of lateral movement of the attacker
Crisis Management Executive table follows a data breach plan and prepares: » PR/Privacy/Legal actions needed to cover the enterprise responses to: • The public • The regulators • The partners » Wrong message can trigger an avalanche
Crisis Management » Data Breach: • Is a C-Suite exercise that tests: - Coherence and conciseness of the incident response preparedness - Ability of the enterprise to function in crisis mode • Unfortunately is a live exercise (and comes at a high price)
Evidence Collection & Remediation » Forensic team collects available evidence • Performs initial analysis • Preserves additional evidence » Informs the board of initial findings • Actions need to be weighted carefully • Aggressive moves can have negative effects (attackers still inside the network)
Evidence Collection & Remediation » With hackers in the system • Each blocking action needs to be closely monitored • Remediation can detected by attacker and evidence and data put at risk » Securing the environment can take years • Scheduling necessary changes with key internal tenants is a difficult task
Q&A
THANK YOU

Recommended

APT in the Financial Sector
APT in the Financial SectorAPT in the Financial Sector
APT in the Financial SectorLIFARS
 
Incident Response: How To Prepare
Incident Response: How To PrepareIncident Response: How To Prepare
Incident Response: How To PrepareResilient Systems
 
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...CODE BLUE
 
Ransomware ly
Ransomware lyRansomware ly
Ransomware lyLisa Young
 
Community IT Webinar - IT Security for Nonprofits
Community IT Webinar - IT Security for NonprofitsCommunity IT Webinar - IT Security for Nonprofits
Community IT Webinar - IT Security for NonprofitsCommunity IT Innovators
 
Symantec_2-4-5 nov 2010
Symantec_2-4-5 nov 2010Symantec_2-4-5 nov 2010
Symantec_2-4-5 nov 2010Agora Group
 
How to Build a Successful Incident Response Program
How to Build a Successful Incident Response ProgramHow to Build a Successful Incident Response Program
How to Build a Successful Incident Response ProgramResilient Systems
 
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...APNIC
 

Recommended

APT in the Financial Sector
APT in the Financial SectorAPT in the Financial Sector
APT in the Financial SectorLIFARS
 
Incident Response: How To Prepare
Incident Response: How To PrepareIncident Response: How To Prepare
Incident Response: How To PrepareResilient Systems
 
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...
Lessons learned from hundreds of cyber espionage breaches by TT and Ashley - ...CODE BLUE
 
Ransomware ly
Ransomware lyRansomware ly
Ransomware lyLisa Young
 
Community IT Webinar - IT Security for Nonprofits
Community IT Webinar - IT Security for NonprofitsCommunity IT Webinar - IT Security for Nonprofits
Community IT Webinar - IT Security for NonprofitsCommunity IT Innovators
 
Symantec_2-4-5 nov 2010
Symantec_2-4-5 nov 2010Symantec_2-4-5 nov 2010
Symantec_2-4-5 nov 2010Agora Group
 
How to Build a Successful Incident Response Program
How to Build a Successful Incident Response ProgramHow to Build a Successful Incident Response Program
How to Build a Successful Incident Response ProgramResilient Systems
 
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...APNIC
 
Hunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systemsHunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systemsFidelis Cybersecurity
 
Part 1: Identifying Insider Threats with Fidelis EDR Technology
Part 1: Identifying Insider Threats with Fidelis EDR Technology Part 1: Identifying Insider Threats with Fidelis EDR Technology
Part 1: Identifying Insider Threats with Fidelis EDR Technology Fidelis Cybersecurity
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItResilient Systems
 
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and PracticeMeet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and PracticeDragos, Inc.
 
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk Advisory
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk AdvisoryHow COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk Advisory
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk AdvisoryCR Group
 
It and-cyber-module-2
It and-cyber-module-2It and-cyber-module-2
It and-cyber-module-2Marneil Sanchez
 
The Best Just Got Better, Intercept X Now With EDR
The Best Just Got Better, Intercept X Now With EDRThe Best Just Got Better, Intercept X Now With EDR
The Best Just Got Better, Intercept X Now With EDRNetpluz Asia Pte Ltd
 
Why Risk Management is Impossible
Why Risk Management is ImpossibleWhy Risk Management is Impossible
Why Risk Management is ImpossibleRichard Stiennon
 
Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.marketingunitrends
 
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis ElevateInsider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis ElevateFidelis Cybersecurity
 
Welcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceWelcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceAndreas Sfakianakis
 
The Sweet Spot of Cyber Intelligence
The Sweet Spot of Cyber IntelligenceThe Sweet Spot of Cyber Intelligence
The Sweet Spot of Cyber IntelligenceTieu Luu
 
The State of Threat Detection 2019
The State of Threat Detection 2019The State of Threat Detection 2019
The State of Threat Detection 2019Fidelis Cybersecurity
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionGreg Foss
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligencemohamed nasri
 
Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyb coatesworth
 
To see things others can't - APTs, Incident Response, DDoS
To see things others can't - APTs, Incident Response, DDoSTo see things others can't - APTs, Incident Response, DDoS
To see things others can't - APTs, Incident Response, DDoSMarco Gioanola
 
Personal Digital Hygiene
Personal Digital HygienePersonal Digital Hygiene
Personal Digital HygieneLars Hilse Global Thought Leader in #CyberSecurity, #CyberTerrorism, #CyberDefence, #CyberCrime
 
Hunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsHunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsSpyglass Security
 
Using Technology and People to Improve your Threat Resistance and Cyber Security
Using Technology and People to Improve your Threat Resistance and Cyber SecurityUsing Technology and People to Improve your Threat Resistance and Cyber Security
Using Technology and People to Improve your Threat Resistance and Cyber SecurityStephen Cobb
 
LIFARS - Social Media Dangers to Children
LIFARS - Social Media Dangers to ChildrenLIFARS - Social Media Dangers to Children
LIFARS - Social Media Dangers to ChildrenLIFARS
 
Hacking-as-a-Service - Hacking Is Now Accessible to Everyone - Are We Prepared?
Hacking-as-a-Service - Hacking Is Now Accessible to Everyone - Are We Prepared? Hacking-as-a-Service - Hacking Is Now Accessible to Everyone - Are We Prepared?
Hacking-as-a-Service - Hacking Is Now Accessible to Everyone - Are We Prepared? LIFARS
 

More Related Content

What's hot

Hunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systemsHunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systemsFidelis Cybersecurity
 
Part 1: Identifying Insider Threats with Fidelis EDR Technology
Part 1: Identifying Insider Threats with Fidelis EDR Technology Part 1: Identifying Insider Threats with Fidelis EDR Technology
Part 1: Identifying Insider Threats with Fidelis EDR Technology Fidelis Cybersecurity
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItResilient Systems
 
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and PracticeMeet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and PracticeDragos, Inc.
 
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk Advisory
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk AdvisoryHow COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk Advisory
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk AdvisoryCR Group
 
The Best Just Got Better, Intercept X Now With EDR
The Best Just Got Better, Intercept X Now With EDRThe Best Just Got Better, Intercept X Now With EDR
The Best Just Got Better, Intercept X Now With EDRNetpluz Asia Pte Ltd
 
Why Risk Management is Impossible
Why Risk Management is ImpossibleWhy Risk Management is Impossible
Why Risk Management is ImpossibleRichard Stiennon
 
Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.marketingunitrends
 
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis ElevateInsider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis ElevateFidelis Cybersecurity
 
Welcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceWelcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceAndreas Sfakianakis
 
The Sweet Spot of Cyber Intelligence
The Sweet Spot of Cyber IntelligenceThe Sweet Spot of Cyber Intelligence
The Sweet Spot of Cyber IntelligenceTieu Luu
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionGreg Foss
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligencemohamed nasri
 
Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyb coatesworth
 
To see things others can't - APTs, Incident Response, DDoS
To see things others can't - APTs, Incident Response, DDoSTo see things others can't - APTs, Incident Response, DDoS
To see things others can't - APTs, Incident Response, DDoSMarco Gioanola
 
Hunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsHunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsSpyglass Security
 
Using Technology and People to Improve your Threat Resistance and Cyber Security
Using Technology and People to Improve your Threat Resistance and Cyber SecurityUsing Technology and People to Improve your Threat Resistance and Cyber Security
Using Technology and People to Improve your Threat Resistance and Cyber SecurityStephen Cobb
 

What's hot (20)

Hunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systemsHunting for cyber threats targeting weapon systems
Hunting for cyber threats targeting weapon systems
 
Part 1: Identifying Insider Threats with Fidelis EDR Technology
Part 1: Identifying Insider Threats with Fidelis EDR Technology Part 1: Identifying Insider Threats with Fidelis EDR Technology
Part 1: Identifying Insider Threats with Fidelis EDR Technology
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About It
 
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and PracticeMeet Me in the Middle: Threat Indications and Warning in Principle and Practice
Meet Me in the Middle: Threat Indications and Warning in Principle and Practice
 
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk Advisory
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk AdvisoryHow COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk Advisory
How COVID-19 Changed The Cyber Security Worldwide? — Cyberroot Risk Advisory
 
It and-cyber-module-2
It and-cyber-module-2It and-cyber-module-2
It and-cyber-module-2
 
The Best Just Got Better, Intercept X Now With EDR
The Best Just Got Better, Intercept X Now With EDRThe Best Just Got Better, Intercept X Now With EDR
The Best Just Got Better, Intercept X Now With EDR
 
Why Risk Management is Impossible
Why Risk Management is ImpossibleWhy Risk Management is Impossible
Why Risk Management is Impossible
 
Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.Ransomware Detection: Don’t Pay Up. Backup.
Ransomware Detection: Don’t Pay Up. Backup.
 
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis ElevateInsider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
Insider Threats Part 2: Preventing Data Exfiltration with Fidelis Elevate
 
Welcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceWelcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat Intelligence
 
The Sweet Spot of Cyber Intelligence
The Sweet Spot of Cyber IntelligenceThe Sweet Spot of Cyber Intelligence
The Sweet Spot of Cyber Intelligence
 
The State of Threat Detection 2019
The State of Threat Detection 2019The State of Threat Detection 2019
The State of Threat Detection 2019
 
Advanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement DetectionAdvanced Threats and Lateral Movement Detection
Advanced Threats and Lateral Movement Detection
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Cyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spyCyber espionage - Tinker, taylor, soldier, spy
Cyber espionage - Tinker, taylor, soldier, spy
 
To see things others can't - APTs, Incident Response, DDoS
To see things others can't - APTs, Incident Response, DDoSTo see things others can't - APTs, Incident Response, DDoS
To see things others can't - APTs, Incident Response, DDoS
 
Personal Digital Hygiene
Personal Digital HygienePersonal Digital Hygiene
Personal Digital Hygiene
 
Hunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark ArtsHunting: Defense Against The Dark Arts
Hunting: Defense Against The Dark Arts
 
Using Technology and People to Improve your Threat Resistance and Cyber Security
Using Technology and People to Improve your Threat Resistance and Cyber SecurityUsing Technology and People to Improve your Threat Resistance and Cyber Security
Using Technology and People to Improve your Threat Resistance and Cyber Security
 

Viewers also liked

LIFARS - Social Media Dangers to Children
LIFARS - Social Media Dangers to ChildrenLIFARS - Social Media Dangers to Children
LIFARS - Social Media Dangers to ChildrenLIFARS
 
Hacking-as-a-Service - Hacking Is Now Accessible to Everyone - Are We Prepared?
Hacking-as-a-Service - Hacking Is Now Accessible to Everyone - Are We Prepared? Hacking-as-a-Service - Hacking Is Now Accessible to Everyone - Are We Prepared?
Hacking-as-a-Service - Hacking Is Now Accessible to Everyone - Are We Prepared? LIFARS
 
Host Analytics & Inside Info's Unflagging Commitment To Australia With New Da...
Host Analytics & Inside Info's Unflagging Commitment To Australia With New Da...Host Analytics & Inside Info's Unflagging Commitment To Australia With New Da...
Host Analytics & Inside Info's Unflagging Commitment To Australia With New Da...Inside Info Pty Ltd
 
CA - AT&T Agreement driven by IPM (Phill Glass)
CA - AT&T Agreement driven by IPM (Phill Glass)CA - AT&T Agreement driven by IPM (Phill Glass)
CA - AT&T Agreement driven by IPM (Phill Glass)Phil Glass
 
CDA of Benazir Bhutto's Selected Speeches
CDA of Benazir Bhutto's Selected SpeechesCDA of Benazir Bhutto's Selected Speeches
CDA of Benazir Bhutto's Selected SpeechesMuhammad Munir
 

Viewers also liked (7)

LIFARS - Social Media Dangers to Children
LIFARS - Social Media Dangers to ChildrenLIFARS - Social Media Dangers to Children
LIFARS - Social Media Dangers to Children
 
Hacking-as-a-Service - Hacking Is Now Accessible to Everyone - Are We Prepared?
Hacking-as-a-Service - Hacking Is Now Accessible to Everyone - Are We Prepared? Hacking-as-a-Service - Hacking Is Now Accessible to Everyone - Are We Prepared?
Hacking-as-a-Service - Hacking Is Now Accessible to Everyone - Are We Prepared?
 
Host Analytics & Inside Info's Unflagging Commitment To Australia With New Da...
Host Analytics & Inside Info's Unflagging Commitment To Australia With New Da...Host Analytics & Inside Info's Unflagging Commitment To Australia With New Da...
Host Analytics & Inside Info's Unflagging Commitment To Australia With New Da...
 
CA - AT&T Agreement driven by IPM (Phill Glass)
CA - AT&T Agreement driven by IPM (Phill Glass)CA - AT&T Agreement driven by IPM (Phill Glass)
CA - AT&T Agreement driven by IPM (Phill Glass)
 
CDA of Benazir Bhutto's Selected Speeches
CDA of Benazir Bhutto's Selected SpeechesCDA of Benazir Bhutto's Selected Speeches
CDA of Benazir Bhutto's Selected Speeches
 
Entrepreneurship and development
Entrepreneurship and developmentEntrepreneurship and development
Entrepreneurship and development
 
Advertisement
AdvertisementAdvertisement
Advertisement
 

Similar to 24 Hours After a Breach

CNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookCNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookSam Bowne
 
Top Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessTop Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessNicholas Davis
 
Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022PECB
 
CNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsCNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsSam Bowne
 
Your cyber security webinar
Your cyber security webinarYour cyber security webinar
Your cyber security webinarEmpired
 
Getting Started with Business Continuity
Getting Started with Business ContinuityGetting Started with Business Continuity
Getting Started with Business ContinuityStephen Cobb
 
Your cyber security webinar
Your cyber security webinarYour cyber security webinar
Your cyber security webinarIntergen
 
Today's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your BusinessToday's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your BusinessJoAnna Cheshire
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial EmulationScott Sutherland
 
Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh
Endpoint (big) Data In The Age of Compromise, Ian RainsburghEndpoint (big) Data In The Age of Compromise, Ian Rainsburgh
Endpoint (big) Data In The Age of Compromise, Ian RainsburghNapier University
 
My Keynote from BSidesTampa 2015 (video in description)
My Keynote from BSidesTampa 2015 (video in description)My Keynote from BSidesTampa 2015 (video in description)
My Keynote from BSidesTampa 2015 (video in description)Andrew Case
 
Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...
Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...
Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...Resilient Systems
 
CNIT 121: 17 Remediation Introduction (Part 1)
CNIT 121: 17 Remediation Introduction (Part 1)CNIT 121: 17 Remediation Introduction (Part 1)
CNIT 121: 17 Remediation Introduction (Part 1)Sam Bowne
 
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...TruShield Security Solutions
 
Cyber forensic readiness cybercon2012 adv j fick
Cyber forensic readiness cybercon2012 adv j fickCyber forensic readiness cybercon2012 adv j fick
Cyber forensic readiness cybercon2012 adv j fickJacqueline Fick
 

Similar to 24 Hours After a Breach (20)

Incident Response
Incident ResponseIncident Response
Incident Response
 
Incident response
Incident responseIncident response
Incident response
 
Cyber Resiliency
Cyber ResiliencyCyber Resiliency
Cyber Resiliency
 
CNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management HandbookCNIT 121: 2 IR Management Handbook
CNIT 121: 2 IR Management Handbook
 
Top Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your BusinessTop Cybersecurity Challenges Facing Your Business
Top Cybersecurity Challenges Facing Your Business
 
Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022
 
What to do when get hacked or suffer a cyber breach
What to do when get hacked or suffer a cyber breachWhat to do when get hacked or suffer a cyber breach
What to do when get hacked or suffer a cyber breach
 
CNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsCNIT 50: 9. NSM Operations
CNIT 50: 9. NSM Operations
 
Your cyber security webinar
Your cyber security webinarYour cyber security webinar
Your cyber security webinar
 
Getting Started with Business Continuity
Getting Started with Business ContinuityGetting Started with Business Continuity
Getting Started with Business Continuity
 
Your cyber security webinar
Your cyber security webinarYour cyber security webinar
Your cyber security webinar
 
Security.ppt
Security.pptSecurity.ppt
Security.ppt
 
Today's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your BusinessToday's Cyber Challenges: Methodology to Secure Your Business
Today's Cyber Challenges: Methodology to Secure Your Business
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
 
Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh
Endpoint (big) Data In The Age of Compromise, Ian RainsburghEndpoint (big) Data In The Age of Compromise, Ian Rainsburgh
Endpoint (big) Data In The Age of Compromise, Ian Rainsburgh
 
My Keynote from BSidesTampa 2015 (video in description)
My Keynote from BSidesTampa 2015 (video in description)My Keynote from BSidesTampa 2015 (video in description)
My Keynote from BSidesTampa 2015 (video in description)
 
Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...
Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...
Industrial Control Systems 101 - Why Hack The Network If You Can Shut Down Th...
 
CNIT 121: 17 Remediation Introduction (Part 1)
CNIT 121: 17 Remediation Introduction (Part 1)CNIT 121: 17 Remediation Introduction (Part 1)
CNIT 121: 17 Remediation Introduction (Part 1)
 
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
Penetration Testing and Vulnerability Assessments: Examining the SEC and FINR...
 
Cyber forensic readiness cybercon2012 adv j fick
Cyber forensic readiness cybercon2012 adv j fickCyber forensic readiness cybercon2012 adv j fick
Cyber forensic readiness cybercon2012 adv j fick
 

Recently uploaded

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdflior mazor
 

Recently uploaded (20)

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 

24 Hours After a Breach

  • 1.
  • 2. The First 24 Hours After a Breach By Ondrej KREHEL Paul Kubler 2
  • 3. 3 ONDREJ KREHEL CISSP, CEH, CEI FOUNDER & CEO DIGITAL FORENSICS LEAD LIFARS, LLC Twitter: @LIFARSLLC LIFARS is a NYC-based Digital Forensics, Incident Response, and Cybersecurity Intelligence firm.
  • 4. 4 PAUL KUBLER CISSP, EnCE, CCNA, Sec+, ACE Digital Forensics Examiner LIFARS, LLC Twitter: @LIFARSLLC LIFARS is a NYC-based Digital Forensics, Incident Response, and Cybersecurity Intelligence firm.
  • 5.
  • 6. 6
  • 7. Agenda 1 Getting the Call 2 Arrival on the Scene 3 Crisis Management 4 Evidence Collection & Remediation 5 Q&A
  • 8. Ever Wonder What Happened Before You Saw These in the News?
  • 9.
  • 10. Getting the Call » Detection of a Breach • By the internal IT/security team • By an outside organization » State of Panic • Unprepared to deal with a breach • Try to contain the attack internally
  • 11.
  • 12. Getting the Call (continued) » Internal IT team is heavily utilized • External assistance required » Race against time • High pressure to stop “cyberbleeding” and minimize the impact • Effectively engage a third party emergency response team
  • 13.
  • 14. Arrival on the Scene » Emergency response team arrives • Investigation and remediation begins » Primary objectives • Understand attacker profile and motives • Assess compromised systems state • Secure digital evidence • Involve key decision tenants
  • 15. IT’S ABOUT TIME FOR SOME… “INVESTIGATION”
  • 16. Arrival on the Scene » Damage Assessment • Of business and technological areas • Reveals how deeply the attacker was able to penetrate the network • Examination of lateral movement of the attacker
  • 17.
  • 18. Crisis Management Executive table follows a data breach plan and prepares: » PR/Privacy/Legal actions needed to cover the enterprise responses to: • The public • The regulators • The partners » Wrong message can trigger an avalanche
  • 19.
  • 20. Crisis Management » Data Breach: • Is a C-Suite exercise that tests: - Coherence and conciseness of the incident response preparedness - Ability of the enterprise to function in crisis mode • Unfortunately is a live exercise (and comes at a high price)
  • 21.
  • 22. Evidence Collection & Remediation » Forensic team collects available evidence • Performs initial analysis • Preserves additional evidence » Informs the board of initial findings • Actions need to be weighted carefully • Aggressive moves can have negative effects (attackers still inside the network)
  • 23.
  • 24. Evidence Collection & Remediation » With hackers in the system • Each blocking action needs to be closely monitored • Remediation can detected by attacker and evidence and data put at risk » Securing the environment can take years • Scheduling necessary changes with key internal tenants is a difficult task
  • 25. Q&A