Incident Response Practitioner’s Guide
Tom Hall & Mitch Clarke
©2019 FireEye Mandiant
Tom Hall
§ Principal Consultant
– FireEye Mandiant, Incident Response
– 4 years
– thall_sec

Mitch Clarke
§ Senior Consultant
– FireEye Mandiant, Incident Response
– 2 years
– snozberries_au
Disclosure Statement
Case studies and examples are drawn from our experiences and activities working for a variety of customers, and do not represent our work for any one customer or set of customers. In many cases, facts have been changed to obscure the identity of our customers and individuals associated with our customers.
Topics
§ We’re sharing:
– Experiences from real-world incidents
– Lessons we’ve learnt
– Mistakes we’ve seen organisations make
– Our approach to enterprise incident response
Context
§ Complex intrusions:
– Nation-state affiliated APT groups
– Financial crime groups
§ Where attackers are:
– Entrenched
– Privileged
– Motivated
BAU IR vs Complex Intrusions
§ Most organisations are not experienced in APT intrusions
§ Organisations vary in their maturity and ability
§ BAU (business-as-usual) IR can be counterproductive in an APT intrusion
Engagement Setup
Make or Break
§ Good engagement setup is the most critical phase of a successful IR
Setup Considerations
§ Determine the maturity of the organisation
§ Understand the complexity of their network
§ Consider the current lead/known malicious activity
§ Grasp the organisational structure and politics
§ Tailor the response approach for the organisation
Strategies and Advice
Walk Through a Typical APT/FIN Intrusion
§ Explain the attacker lifecycle and motivations
§ Intrusions (typically):
– Are larger than victims expect
– First alert doesn’t mean first activity
§ If data theft is the goal, it’s usually already happened
§ The attackers are real people who can solve problems
Describe the IR and Remediation Journey
§ It’s a marathon, not a sprint
§ No organisation can go from initial tip-off/discovery to effective eradication without:
– Understanding what access the attacker retains
– Improving the security posture of the network to eradicate and survive immediate re-compromise
Describe the IR and Remediation Journey (continued)
§ Remediation efforts should begin at the same time as the IR
§ As the IR progresses, we’ll learn about attacker tradecraft and the extent of the breach
– Remediation efforts can begin to be targeted
– Eradication planning can begin
§ Once we understand access, it’s time to eradicate
§ Remediation must continue after eradication:
– Medium and long term security architecture and culture changes
Do IR Once, Do It Right
§ Poorly scoped or insufficient tooling deployment can create blind spots in the investigation and safe harbours for attackers to retain access
– Can render an eradication completely ineffective
Why Are the Attackers Here?
§ “We cannot allow you to investigate our <Special/Sensitive/Critical> networks because they’re <Special/Sensitive/Critical> to our business”
§ If it’s critical to the business, it’s critical to the attacker
§ Attackers will learn how your admins maintain the environment
§ Be sure to understand what the business does and why an attacker might be there
Dedicated Teams Are Required
§ The organisation will typically need to establish an incident response team, which can consist of:
– Lead
– Project manager
– IT/technical lead
– Legal, Privacy, Risk, and/or Governance
– Communications
§ A remediation team is also required
§ Teams are most successful when the leader has enough business knowledge and political capital to move fast and be far-reaching
Build Trust with IT
§ Buy-in and support of IT is essential for the success of incident response
§ You need to protect IT resources from burnout
– Learn the client culture
§ Large networks will always have issues
§ Save face for IT
– Always under-funded
– Lack of human resources
– Motivated attackers will always keep trying until they’re successful
Communications Rhythm
§ Frequency
§ Seniority
§ Number of stakeholders
How to Handle Investigation Findings
§ Historical activity
§ Impactful findings
– Data theft
– Targeting of specific systems
§ An active attacker
– What can we do?
– What is effective?
– Where should we spend our resources?
Containment
§ Enterprise networks are typically convoluted and their systems interdependent
§ Real/effective containment will usually:
– Break your application
– Prevent users from doing business
§ Doesn’t stop the attacker from accessing the victim network
§ Burns the resources of IT
§ Containment is effective for hours, that’s all.
Final Thoughts

Always Tailor for Your Victim Organisation
§ Not a science
§ No one size fits all
§ There’s a balance in everything
Thank You

Cyber Threat 2019 NCSC-SANS London Conference - Mandiant IR Practitioners Guide