Cybersecurity Crisis Management Introduction

A lecture given by Naor Penso to emergency & disaster management masters students @ Tel-Aviv University to educate them on cybersecurity crisis management.


  1. Incident Response: Cyber Security Incident Management. Naor Penso | www.hitit.co.il
  2. Agenda
     • Introduction
     • Cyberattack
     • From event to incident
     • We're at war! Now what?
     • Preparing for doomsday
  3. Introduction to cyber
     1. The third industrial evolution
     2. The chronicle of flaws
     3. From nations to Bob
     4. The risk / value equation
  4. 4. Incident Response 4 Why hack?
  5. Just like in real life, not every case is considered a crisis, and not every case requires crisis management.
  6. Two scenarios:
     • You have ransomware! Two senior managers' machines got infected by ransomware; the attackers are now requesting 10 Bitcoin to release the machines.
     • 100,000,000 credit cards leaked! Someone hacked the website and stole a lot of data; he is now selling it on the darknet.
  7. Two more scenarios:
     • Our website is overloaded. Nothing has happened yet, but the servers are starting to strain; soon they might cause delays.
     • People got to work and they cannot log in. It seems that something erased their employment records, which caused their user accounts to be disabled.
  8. From Event to Crisis
  9. Events. An event is any observable occurrence in a system or network. Events are mostly generated automatically by organizational systems and can be collected for further inspection by other systems, such as a security information and event management (SIEM) system. Examples:
     • a user connecting to a file share
     • a server receiving a request for a web page
     • a user sending email
     • a firewall blocking a connection attempt
  10. Notable events / correlation. A notable event is an event that carries an indicator that something might be wrong (for example, a failed logon to a system, a user lockout, etc.). A correlation is composed of several events or notable events. A correlation can build a "story" of events that happened over time. Example: a user failed to log on 5 times, after which he successfully logged on and downloaded 5,000 documents.
  11. Security alert. Some notable events or correlations might trigger an alert. When an alert is triggered, it requires some active measures to mitigate it (automatic or manual). Example: a virus has been identified on a machine. Action: scan the PC for other viruses and collect data from the workstation to identify the origin.
  12. Incident. An incident is the escalation of a security alert when the alert is repetitive or expanding, or when the actions taken do not mitigate the issue. An incident will mostly be handled manually by the security operations center and other technical teams. Example: the website is flooded by a DDoS attack, and several server operations have been halted.
  13. Cyber crisis. Every organization has a different threshold and different guidelines for entering crisis mode. On most occasions, when the incident was not or could not be confined, or when it involves assets the organization deems highly sensitive (e.g. personal information), a crisis shall be declared. Example: it started with 2 machines infected with ransomware, and now the entire company is in lockdown: no one can work, and support and operations have ceased.
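The escalation ladder of slides 9 to 13 (event, notable event, correlation, alert, incident, crisis) as runnable detection logic, added here as an example; it is not code from the lecture or from the author. The log line format, the field names, the thresholds (5 failed logons, a 1,000-document bulk download, a 10-minute window, 2 repeats) and the host names are assumptions made for the illustration. It runs the slide 10 "story" over a few constructed log lines and then applies the slide 12 and 13 escalation rules to whatever alerts come out.

```python
# Added example (not from the lecture): the event -> notable event ->
# correlation -> alert -> incident -> crisis ladder as runnable detection logic.
# The log line format, field names, thresholds and host names below are
# assumptions made for this illustration.
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed line format: "<ISO timestamp> <host> <action> user=<name> [n=<count>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>\S+) user=(?P<user>\S+)(?: n=(?P<n>\d+))?$"
)

# Slide 10's notable events: something might be wrong, but it is not yet an alert.
NOTABLE_ACTIONS = {"logon_failed", "user_lockout", "malware_detected"}


@dataclass
class Event:
    ts: datetime
    host: str
    action: str
    user: str
    n: int = 0  # item count carried by bulk actions such as download

    @property
    def notable(self) -> bool:
        return self.action in NOTABLE_ACTIONS


@dataclass
class Alert:
    user: str
    host: str
    story: list  # the correlated events, in time order


def parse(lines):
    """Every observable occurrence is an event; lines we cannot parse are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), m["host"],
                            m["action"], m["user"], int(m["n"] or 0)))
    return sorted(events, key=lambda e: e.ts)


def correlate(events, fails=5, window=timedelta(minutes=10), bulk=1000):
    """Slide 10's story: at least `fails` failed logons, then a successful
    logon, then a bulk download, all by one user inside `window`."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)
    alerts = []
    for user, evs in by_user.items():
        for i, ok in enumerate(evs):
            if ok.action != "logon_ok":
                continue
            recent_fails = [f for f in evs[:i]
                            if f.action == "logon_failed" and ok.ts - f.ts <= window]
            if len(recent_fails) < fails:
                continue
            downloads = [d for d in evs[i + 1:]
                         if d.action == "download" and d.n >= bulk
                         and d.ts - ok.ts <= window]
            if downloads:
                alerts.append(Alert(user, ok.host, recent_fails + [ok, downloads[0]]))
                break  # one alert per user per story; later logons are not re-counted
    return alerts


def escalate(alerts, sensitive_hosts, repeat=2):
    """Slides 12 and 13: a repeating or spreading alert is an incident; an
    incident that touches assets the organization deems sensitive is a crisis."""
    if not alerts:
        return "no alert"
    hosts = {a.host for a in alerts}
    if len(alerts) < repeat and len(hosts) < 2:
        return "alert"
    return "crisis" if hosts & set(sensitive_hosts) else "incident"


# Constructed sample log (not real data): alice is brute-forced and then bulk
# downloads, bob mistypes his password once, web01 logs an unrelated block.
SAMPLE_LOG = """\
2024-03-01T09:00:01 fs01 logon_failed user=alice
2024-03-01T09:00:05 fs01 logon_failed user=alice
2024-03-01T09:00:09 fs01 logon_failed user=alice
2024-03-01T09:00:14 fs01 logon_failed user=alice
2024-03-01T09:00:20 fs01 logon_failed user=alice
2024-03-01T09:00:31 fs01 logon_ok user=alice
2024-03-01T09:02:10 fs01 download user=alice n=5000
2024-03-01T09:03:00 mail01 logon_failed user=bob
2024-03-01T09:03:04 mail01 logon_ok user=bob
2024-03-01T09:03:30 mail01 send_mail user=bob
2024-03-01T09:04:00 web01 firewall_block user=-
""".splitlines()


def triage(lines, sensitive_hosts=("hr-db",)):
    """Counts per rung of the ladder plus the level the log lines reach."""
    events = parse(lines)
    alerts = correlate(events)
    return {"events": len(events),
            "notable": sum(e.notable for e in events),
            "alerts": len(alerts),
            "level": escalate(alerts, sensitive_hosts)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
    for a in correlate(parse(SAMPLE_LOG)):
        print(a.user, "on", a.host, "->", [e.action for e in a.story])
```

On the sample log, bob's single typo stays a notable event, alice's five failures followed by a logon and a 5,000-document download become one alert, and the level stays at "alert" because nothing repeats or spreads. Feed `escalate` the same alert twice, or alerts from two hosts, and it becomes an incident; mark one of those hosts sensitive and it becomes a crisis, which is the slide 13 threshold expressed as code the organization can tune.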
  14. We're at War! Now What?
  15. The Crisis Room
      Crisis Leader, with: Forensics Team, Security Operations Center, Risk Management Lead, Security & IT Mitigation Team, Account Management, Legal Team, Public Relations, Human Resources.
      On call / periodical check-in: Executive Management Representative, IT Leadership & Engineering.
  16. The Core Response Team
      Personnel Title / Team Name | Responsibility | Main Activities
      Crisis Management Leader (on most occasions the CISO) | Manage the crisis operations and take active decisions on the response team's activities and mitigations | Align resources, activities & mitigation plans; define if and when to notify the stakeholders; align cooperation from the different BUs
      Crisis Technical Leader | Correlate and manage the technical teams and forensic operations | Collect and analyze data from all technical teams; decide on the technical mitigation approach; define which technical resources are needed
      Security Operations Center | Keep eyes open for new issues / abnormalities | Identify new infections / alerts; monitor the organization for abnormalities; alert the forensics team if anything arises
      Forensics Team | Investigate & define mitigation activities | Identify the source of the breach; assess what was stolen / breached; assess who (if possible) is responsible
      CIO & IT Directors | Ensure IT resource allocation for the mitigation | Assign more IT resources if needed; enable critical changes to IT infrastructure if and when needed
      Risk Management Lead | Assess potential damages and identify critical assets | Identify whether critical assets are targeted or abused; identify the potential damages to the company
      Business Continuity & Disaster Recovery Lead | Assess potential damages to the business | Assess potential business operation damages; identify the consequences of mitigation activities
  17. Extended Crisis Management Personnel
      Personnel Title / Team Name | Responsibility | Main Activities
      PR & Marketing Team | Manage customer interactions | Draft the PR; communicate with the customers if needed
      Legal Team | Provide legal assistance | Manage interactions with law enforcement; advise on applicable laws & regulations; approve "invasive" activities
      Human Resources | Internal employee engagement | Update employees on the activities; mitigate any employee concern; approve forensic activities on employee machines
      Executive Manager | Take the hardest decisions | Approve / deny mitigation activities with company-wide impact; define whether escalation to the board is required
      Account Executives | Brief customers on the incident if needed | Approach customers and deliver assurance; convey the PR message to the customer
      External Law Enforcement (optional, not used often) | Assist in forensics and investigation of the breach | Work with the forensics teams; leverage intelligence to identify the attacker; arrest and interrogate the attacker if known
  18. Main Activities: create a war room -> engage stakeholders -> contain the breach -> measure losses -> learn a lesson -> prepare for the next one
  19. Preparing for Doomsday
  20. What to have in place before the crisis:
      • Communications and facilities: definition of all applicable contacts in case of emergency, the facilities to be used for the war room, alternative communication channels, and ticket management solutions.
      • Incident analysis resources: a technical toolkit for forensics, a list of all applicable systems and their owners in case of need, and a business impact analysis covering system takeover and takedown and the affected business processes.
      • Engagement procedures: procedures describing what to do in case of emergency, whom to contact, and when.
      • The "football" policy: doomsday is arriving; who will press the button, and what will it do? (take down a production system, cut off an entire office network, stop internet access)
  21. Thank you.
