INCIDENT RESPONSE CONCEPTS

S
Sylvain Martinez
CYBER SECURITY INCIDENT RESPONSE CONCEPT VERSION: 1.3 DATE: 25/06/2019 AUTHOR: SYLVAIN MARTINEZ REFERENCE: ES-CSIR CLASSIFICATION: PUBLIC
2 • Presentation goal; • Who am I; • Who we are; • Our customers; • IR framework benefits; • Data breach statistics; • Incident cost; • Incident readiness; • Incident response concept; • Teams and mandates; • Registers and purposes; • Registers and reporting synergy; • IR policy & plan overview; • Incident playbook overview; • NIST IR lifecycle; • NIST IR steps; • Preparation • Detection & Analysis; • Containment, Eradication & Recovery; • Post-incident activity; • Incident Response Check list • ELYSIUMSECURITY Incident Response; • Overview; • Rules of Engagement; • Preparation; • Detection; • Categorization; • Containment; • Investigation; • Remediation; • Reporting; • Lessons Learnt; CONTENTS PUBLIC CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT • Short Term – How to start?; • Long Term – IR Implementation; • Extra Resources.
PRESENTATION GOAL 3 LEARN HOW TO START 3 LEARN HOW TO APPLY AN IR FRAMEWORK 2 LEARN ABOUT IR CORE ELEMENTS 1 TO LEARN ABOUT CYBER INCIDENT RESPONSE (IR) MAIN CONCEPTS CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT Icons: from The Noun Project unless stated otherwisePUBLIC
WHO AM I 4 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC LIVED AND WORKED IN FRANCE, UK, USA AND MAURITIUS CONTRIBUTING AND LEADING VARIOUS OPEN SOURCE CYBER SECURITY PROJECTS FOR THE LAST 20 YEARS VETTED, TRAINED AND OVER 20 YEARS OF CYBER SECURITY EXPERIENCE WORKING FROM LARGE INTERNATIONAL CORPORATIONS PASSIONATE ABOUT IT FROM VERY EARLY YEARS FOUNDER AND RUNNING THE MAURITIUS SECURITY CLUB (MU.SCL) WITH FREE SECURITY AWARENESS PRESENTATIONS EVERY MONTH
WHO WE ARE 5 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC FOUNDED IN 2015 BY SYLVAIN MARTINEZ INCORPORATED AND OPERATING IN MAURITIUS (2017) AND IN THE UK/EUROPE (2015) PROVIDING INDEPENDENT EXPERTISE IN CYBER SECURITY MULTITUDE OF RECOGNIZED PROFESSIONAL CERTIFICATIONS 20 YEARS OF INTERNATIONAL CYBER SECURITY CORPORATE EXPERIENCE OUR BOUTIQUE STYLE APPROACH PROVIDES A DISCREET, TAILORED AND SPECIALIZED CYBER SECURITY SERVICE THAT FITS YOUR WORKING ENVIRONMENT
CUSTOMERS 6 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC • HEDGE FUNDS • GOVERNMENT AGENCY SERVICE SUPPLIER 2016 2019 • 1x BANK • 1x TELECOMMUNICATION GROUP • 4x LARGE COMMERCIAL GROUPS; • 2x BANKS; 3x MANAGEMENT FUNDS; • 6x HOTELS; 3x TEXTILE; 1x SHOPPING; • 1x HEALTHCARE; REFERENCES AVAILABLE ON DEMAND 2018 2017 2019
INCIDENT RESPONSE FRAMEWORK BENEFITS 7 • REDUCED OPERATION DOWNTIME • REDUCED INCIDENT IMPACT • REDUCED/AVOID FINES REDUCED IMPACT COST • IMPROVED RESPONSE TIME • IMPROVED INCIDENT CONTAINMENT • IMPROVED INCIDENT VISIBILITY IMPROVED SECURITY • CONTRACT REQUIREMENT • INDUSTRY REQUIREMENT • LAW REQUIREMENT BUSINESS ENABLEMENT CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
DATA BREACH STATISTICS 8 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT EVERY DAY 6,313,865 RECORDS EVERY HOUR 263,078 RECORDS EVERY MINUTE 4,385 RECORDS EVERY SECONDS 73 RECORDS DATA RECORDS ARE LOST OR STOLEN AT THE FOLLOWING FREQUENCY DATA RECORDS LOST OR STOLEN SINCE 2013 4 7 1 7 6 1 8 2 8 6, ,,1 Source: Breach Level Index - May 2019PUBLIC
INCIDENT COST 9 ELYSIUMSECURITY INVESTIGATIONS MAURITIUS JANUARY 2018 – JUNE 2019 80% FINANCIAL FRAUD 20% RANSOMWARE 100% PHISHING JAN 2018 MAY 2018 AUG 2018 APR 2019 MAY 2019 JUNE 2019 $0.5M $1M $2M $0.5M $1M $0.5M AVERAGE COST PER DATA BREACH AVERAGE COST PER MALWARE INFECTION AVERAGE DETECTION TIME FROM OUTSIDERS CRIMINALS DATA BREACHES FROM HEALTHCARE ORGANISATIONS $3.86M $2.4M 197 DAYS 73% 24% WORLDWIDE WORLDWIDE STATS FROM SAFEATLAST.CO – APRIL 2019 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
INCIDENT READINESS 10 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT INCIDENT READINESS PUBLIC
INCIDENT RESPONSE CONCEPT 11 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT INCIDENT RESPONSE STRUCTURE INCIDENT RESPONSE HANDLINGCOORDINATION & INFORMATION SHARING TO MINIMISE OPERATIONAL, FINANCIAL & BUSINESS INCIDENT IMPACT NIST SP 800-61 PUBLIC
INTERNAL AUDIT TEAM COMPLIANCE TEAM SUBJECT EXPERT VENDOR SUPPORT TEAM IT SUPPORT TEAM TEAMS AND MANDATES 12 CYBER SECURITY TEAM SECURITY OPERATIONS AND PROJECTS CYBER RISK TEAM RISK IDENTIFICATION AND MANAGEMENT CYBER INCIDENT (VIRTUAL) TEAM INCIDENT MANAGEMENT AND RESPONSE CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
REGISTERS AND PURPOSES 13 CYBER ISSUE REGISTER POTENTIAL AND CONFIRMED SECURITY ISSUES DETAILS CYBER RISK REGISTER POTENTIAL AND CONFIRMED RISK DETAILS CYBER INCIDENT REGISTER PAST AND CURRENT INCIDENTS DETAILS CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT IT OPERATION REGISTER CURRENT GENERAL IT ISSUES DETAILS PUBLIC
GLOBAL ISSUE REGISTER REGISTERS AND REPORTING SYNERGY 14 CYBER SECURITY REGISTER CYBER ISSUE REGISTER CYBER RISK REGISTER CYBER INCIDENT REGISTER IT OPERATION REGISTER IT ISSUE REGISTER NETWORK ISSUE REGISTER PROJECT ISSUE REGISTER ONE VIEW ONE PROCESS DIFFERENT ACCESS DIFFERENT TEAMS DIFFERENT VIEWS DIFFERENT ACCESS DIFFERENT TEAMS DIFFERENT VIEWS DIFFERENT ACCESS CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
INCIDENT RESPONSE POLICY & PLAN - OVERVIEW 15 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC INCIDENT RESPONSE POLICY INCIDENT SCOPE INCIDENT DEFINITION & PRIORITIZATION INCIDENT REPORTING INCIDENT RESPONSE PLAN INCIDENT HANDLING INCIDENT COORDINATION CONTINUOUS IMPROVEMENT
INCIDENT PLAYBOOK SCENARIOS INCIDENT PLAYBOOK OVERVIEW 16 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT CONTAIN INCIDENT UNDERSTAND CAUSE OF INCIDENT ANALYSE SIGNS OF INCIDENT READY MADE SCENARIOS PRACTICAL RESPONSE ACTIONS AVAILABLE AND COMMUNICATED PUBLIC
NIST INCIDENCE RESPONSE LIFECYCLE 17 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC PREPARATION DETECTION & ANALYSIS CONTAINMENT, ERADICATION & RECOVERY POST-INCIDENT ACTIVITY NIST SP 800-61 REV 2
NIST INCIDENCE RESPONSE - STEPS 18 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC PREPARATION DETECTION & ANALYSIS CONTAINMENT, ERADICATION & RECOVERY POST-INCIDENT ACTIVITY 1. COMMUNICATION & FACILITIES 2. HARDWARE & SOFTWARE 3. RESOURCES 4. ATTACK VECTORS IDENTIFICATION 11 CONTAINMENT STRATEGY 15. LESSONS LEARNT 5. SIGN OF AN INCIDENT 6. SOURCE OF PRECURSORS 7. INCIDENT ANALYSIS 8. INCIDENT DOCUMENTATION 9. INCIDENT PRIORITIZATION 10. INCIDENT NOTIFICATION 12. EVIDENCE GATHERING & HANDLING 13. IDENTIFYING THE ATTACKING HOST 14. ERADICATION & RECOVERY 16. USING COLLECTED INCIDENT DATA 17. EVIDENCE RETENTION
PREPARATION - OVERVIEW 19 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT 1. COMMUNICATION & FACILITIES CONTACT DETAILS PHYSICAL LOGISTICS COORDINATION SYSTEM 2. HARDWARE & SOFTWARE 3. RESOURCES GENERAL IT SPARE EQUIPMENT FORENSICS SPECIFIC EQUIPMENT TRUSTED SOURCED SOFTWARE ARCHITECTURE DIAGRAMS DOCUMENTATION INCIDENT PLAYBOOK PUBLIC
DETECTION & ANALYSIS - OVERVIEW 20 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC 4. ATTACK VECTORS IDENTIFICATION 5. SIGN OF AN INCIDENT 6. SOURCE OF PRECURSORS & INDICATORS 7. INCIDENT ANALYSIS SECURITY ALERTS SECURITY LOGS PEOPLE FEEDBACK NETWORK LOGS SYSTEM LOGS EXPLOIT ANNOUNCEMENT BASELINES LOG ANALYSIS DATA RESULTS FILTERING SOURCE OF ATTACK TYPE OF ATTACK METHOD OF ATTACK
DETECTION & ANALYSIS - OVERVIEW 21 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC 8. INCIDENT DOCUMENTATION 9. INCIDENT PRIORIZATION 10. INCIDENT NOTIFICATION UPPER MANAGEMENT STAFF EXTERNAL BODIES FUNCTIONAL IMPACT INFORMATION IMPACT RECOVERABILITY STATUS WORK DONE NEXT STEPS
CONTAINMENT, ERADICATION & RECOVERY - OVERVIEW 22 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC 11. CONTAINMENT STRATEGY 12. EVIDENCE GATHERING & HANDLING 13. IDENTIFYING THE ATTACKING HOST 14. ERADICATION & RECOVERY SOURCE IP ATTACKER RESEARCH COMMUNICATION MONITORING INCIDENT INFORMATION TIME AND DATE LOCATION REMOVING IMMEDIATE THREAT REMEDIATING VULNERABILITIES GROUP WIDE CHANGES INCIDENT IMPACT EVIDENCE REQUIREMENTS SOLUTION SUSTAINABILITY
POST INCIDENT ACTIVITY - OVERVIEW 23 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC 15. LESSONS LEARNT 16. USING COLLECTED INCIDENT DATA 17. EVIDENCE RETENTION PROSECUTION DATA RETENTION COST INCIDENT STATISTICS INCIDENT SLA INCIDENT ASSESSMENT INCIDENT DETAILS TECHNOLOGY AND PROCESS GAPS POSSIBLE IMPROMENTS
INCIDENCE RESPONSE CHECKLIST 24 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW 25 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PRACTICAL IMPLEMENTATION OF NIST GUIDED PROCESS SHORTER PROCESS USED NIST AND FIRST CORE ELEMENTS 17x STEPS -> 8x STEPS CLIENTS REQUIREMENTS ELYSIUMSECURITY IR FRAMEWORK 5x ACTIVITIES PER STEPS PUBLIC
ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW 26 {elysiumsecurity} INCIDENT RESPONSE FRAMEWORK 1. PREPARATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
{es} INCIDENT RESPONSE - RULES OF ENGAGEMENT 27 DO NOT MAKE THINGS WORSE! DO NOT ENGAGE OR INTERACT WITH THE HACKER/THREAT GROUP 1 DO NOT CONNECT TO THE THREAT’S RELATED NETWORK(S) FROM YOUR ORGANISATION 2 PRESERVE EVIDENCE3 COORDINATE INTERNAL AND EXTERNAL COMMUNICATION WITH MANAGEMENT 4 ALL INCIDENT DETAILS MUST BE TREATED AS CONFIDENTIAL 5 PUBLIC CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
{es} INCIDENT RESPONSE - PREPARATION 28 INCIDENT RESPONSE PLAN1 TEAM, PROCEDURES, DOCUMENTATION, APPROVAL, MANAGEMENT COMMITMENT INCIDENT RESPONSE PLAYBOOK2 PHISHING, RANSOMWARE, KEYLOGGER, DDOS LOGISITICS3 MEETING ROOMS, LAPTOPS, REMOVABLE STORAGE, PHONES, STATIONNARY, PRINTERS, SLEEPING AND CATERING ARRANGEMENTS CONTACTS4 TEAM, ALTERNATIVE CONTACT METHODS, ESCALATION, ON CALL, SUPPORT, VENDOR, SUPPORT5 INCIDENT REGISTER, ARCHITECTURE DIAGRAM, NETWORK DIAGRAM, DATA FLOWS, APPLICATION AND SYSTEM DOCUMENTATION ACTIVITIES EXAMPLE 1. PREPARATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
{es} INCIDENT RESPONSE - DETECTION 29 WHO/WHAT DETECTED/REPORTED THE THREAT?1 IT STAFF, SECURITY TOOLS WHAT IS THE DATE AND TIME OF THE THREAT DETECTION/REPORT?2 NORMALISE TIME AND DATE ACROSS REPORTING – RECORD TIME IN GMT HOW WAS THE THREAT DETECTED/REPORTED?3 EMAIL, TEXT, WARNING POP UP, PHONE CALL HAS A SIMILAR THREAT ALREADY BEEN REPORTED?4 PREVIOUS INCIDENT REGISTER LOGS IS THE THREAT VALID?5 CONFIRMED, FALSE POSITIVE ACTIVITIES EXAMPLE 2. DETECTION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
{es} INCIDENT RESPONSE - CATEGORISATION 30 WHO/WHAT IS THE TARGET OF THE THREAT?1 USER, SYSTEM, SPECIFIC DATA IS THIS AN ON GOING/LIVE THREAT?2 ON GOING, STOPPED, UNKNOWN WHAT IS THE IMPACT OF THE THREAT?3 FINANCIAL, OPERATIONAL, REPUTATIONAL, LEGAL CATEGORISE THE PRIORITY OF THE INCIDENT4 PRIORITY 1, 2 ,3 (P1 > P2 > P3) CLASSIFY THE INCIDENT COMMUNICATION5 RESTRICTED / UNRESTRICTED ACTIVITIES EXAMPLE 3. CATEGORISATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
{es} INCIDENT RESPONSE - CONTAINMENT 31 COORDINATE INCIDENT MANAGEMENT1 TEAM, COMMS, ACTIVITIES, DOCUMENTATION LIGHT AND QUICK THREAT ANALYSIS2 NETWORK, SYSTEM, USER IDENTIFY MAIN ATTACK AND COMPROMISE VECTORS3 IP, PORTS, SIGNATURES, EMAIL ISOLATE THE TARGETED ASSET4 REMOVE FROM NETWORK, DISABLE ACCOUNT IMPLEMENT EMERGENCY CHANGES AS REQUIRED5 NETWORK, SYSTEM, USER ACTIVITIES EXAMPLE 4. CONTAINMENT CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
{es} INCIDENT RESPONSE - INVESTIGATION 32 THREAT NETWORK ANALYSIS1 FIREWALL, CLOUD APP LOGS, ASSET LOGS, INTERCEPTED TRAFFIC, TRAFFIC AND DATA FLOWS, SIEM THREAT MALWARE ANALYSIS2 A/V VENDORS, FOOTPRINT, BEHAVIOR, REVERSE ENGINEERING THREAT SYSTEM ANALYSIS3 EVENT LOGS, APP/PLUGINS INSTALLED, AD/EMAIL ACTIVITIES, AUTHENTICATED VULNERABILITY ASSESSSMENT, SIEM THREAT USER ANALYSIS4 INTERVIEW TARGETED USER, CONTEXT, TRIGGERS, RECENT UNUSUAL ACTIVITIES/ALERTS THREAT RESEARCH ANALYSIS5 ONLINE SEARCH FOR SIMILAR THREATS, PROFESSIONAL FORUMS, VENDOR ENGAGEMENT ACTIVITIES EXAMPLE 5. INVESTIGATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
ELYSIUMSECURITY INCIDENT RESPONSE - REMEDIATION 33 THREAT NETWORK REMEDIATION1 BLOCK IP, PORTS, DOMAINS, EMAILS. UPDATE F/W, IDS, APT AND SIEM RULES THREAT MALWARE REMEDIATION2 UPDATE SYSTEM AND NETWORK A/V SIGNATURES. ENGAGE WITH VENDORS THREAT SYSTEM REMEDIATION3 REMOVE/BAN INFECTED APPS/PLUGINS, CLEAR INBOX RULES, REMEDIATE ISSUES FOUND WITH THE VULNERABIULTIY ASSESSMENT THREAT USER REMEDIATION4 INDIVIDUAL AND GROUP USER AWARENESS SESSION RELEVANT TO THE THREAT DECLARE THE INCIDENT REMEDIATED5 FULL, PARTIAL, ACCEPTED ACTIVITIES EXAMPLE 6. REMEDIATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
{es} INCIDENT RESPONSE - REPORTING 34 ON GOING REPORTING1 DOCUMENTATION AND EVIDENCE SHOULD BE GENERATED AS MUCH AS POSSIBLE DURING THE PREVIOUS PHASES EVIDENCE GATHERING2 THREAT ACTORS, ATTACK VECTORS, ATTACK SURFACE INCIDENT DOCUMENTATION3 THREAT AND INCIDENT DETAILS, TRIGGERS, OWNER, FINDINGS, TIMELINE INCIDENT REGISTER4 CREATE/UPDATE AN OVERALL INCIDENT REGISTER TO TRACK PROGRESS AND GENERATES STATISTICS INCIDENT REPORT COMMUNICATION5 INTERNAL, EXTERNAL, STAFF, MANAGEMENT, BOARD, VENDORS, CLIENTS, GOVERNMENT, REGULATORS, LAW ENFORCEMENT ACTIVITIES EXAMPLE 7. REPORTING CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
{es} INCIDENT RESPONSE – LESSONS LEARNT 35 ROOT CAUSE ANALYSIS1 IDENTIFY AND DOCUMENT INCIDENT TRIGGERS AND SECURITY GAPS THAT ENABLED THE INCIDENT TO OCCUR CONTROLS AND PROCESSES READINESS2 EVALUATE THE EFFICIENCY OF CURRENT SECURITY CONTROLS AND PROCESSES IN LIGHT OF THE INCIDENT INCIDENT TRENDS ANALYSIS3 ARE YOU LEARNING FROM PAST INCIDENTS? IS YOUR RISK PROFILE CHANGING? MITIGATION PLAN4 MITIGATE IMPACT OF SIMILAR FUTURE INCIDENTS IMPROVEMENTS PLAN5 STOP OCCURRENCE OF SIMILAR FUTURE INCIDENTS ACTIVITIES EXAMPLE 8. LESSONS LEARNT CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
SHORT TERM – HOW TO START? 36 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT REVIEW EXISTING INCIDENT PROCESS1 ESTABLISH INCIDENT TEAM2 CONDUCT REGULAR INCIDENT TEAM MEETING 3 SET GROUND RULES4 DEFINE WHAT IS AN INCIDENT5 INFORM STAFF OF RULES AND INCIDENT CONTACT 6 CREATE INCIDENT REGISTER7 DOCUMENT RECENT AND FUTURE INCIDENTS 8 FOLLOW NIST INCIDENT HANDLING METHODOLOGY 9 CREATE HIGH LEVEL PLAYBOOK TO COMPLEMENT CHECKLIST 10 PUBLIC
LONG TERM – INCIDENT RESPONSE IMPLEMENTATION 37 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT SELECT INCIDENT RESPONSE FRAMEWORK (NIST SP 800-61 REV 2 RECOMMENDED) 1 IMPLEMENT FULL INCIDENT RESPONSE FRAMEWORK 2 DEDICATED INCIDENT RESPONSE TEAM AND TRAINING 3 INCIDENT RESPONSE SIMULATION4 CONTINUOUS IMPROVEMENT5 PUBLIC
EXTRA RESOURCES 38 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT FORUM OF INCIDENT RESPONSE AND SECURITY TEAMS (FIRST) FRAMEWORK (HTTPS://WWW.FIRST.ORG/EDUCATION/FIRST_SIRT_SERVICES_FRAMEWORK_VERSION1.0.PDF) NATIONAL INSTITUTE OF STANDARDS & TECHNOLOGY (NIST) SPECIAL PROCEDURE (SP) 800-61 (HTTPS://NVLPUBS.NIST.GOV/NISTPUBS/SPECIALPUBLICATIONS/NIST.SP.800-61R2.PDF) INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-1:2016 (HTTPS://WWW.ISO.ORG/STANDARD/60803.HTML) INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-2:2016 (HTTPS://WWW.ISO.ORG/STANDARD/62071.HTML?BROWSE=TC) CONTACT US! (CONSULTING@ELYSIUMSECURITY.COM) PUBLIC
© 2015-2019 ELYSIUMSECURITY LTD ALL RIGHTS RESERVED HTTPS://WWW.ELYSIUMSECURITY.COM CONSULTING@ELYSIUMSECURITY.COM ABOUT ELYSIUMSECURITY LTD. ELYSIUMSECURITY PROVIDES PRACTICAL EXPERTISE TO IDENTIFY VULNERABILITIES, ASSESS THEIR RISKS AND IMPACT, REMEDIATE THOSE RISKS, PREPARE AND RESPOND TO INCIDENTS AS WELL AS RAISE SECURITY AWARENESS THROUGH AN ORGANIZATION. ELYSIUMSECURITY PROVIDES HIGH LEVEL EXPERTISE GATHERED THROUGH YEARS OF BEST PRACTICES EXPERIENCE IN LARGE INTERNATIONAL COMPANIES ALLOWING US TO PROVIDE ADVICE BEST SUITED TO YOUR BUSINESS OPERATIONAL MODEL AND PRIORITIES. ELYSIUMSECURITY PROVIDES A PORTFOLIO OF STRATEGIC AND TACTICAL SERVICES TO HELP COMPANIES PROTECT AND RESPOND AGAINST CYBER SECURITY THREATS. WE DIFFERENTIATE OURSELVES BY OFFERING DISCREET, TAILORED AND SPECIALIZED ENGAGEMENTS. ELYSIUMSECURITY OPERATES IN MAURITIUS AND IN EUROPE, A BOUTIQUE STYLE APPROACH MEANS WE CAN EASILY ADAPT TO YOUR BUSINESS OPERATIONAL MODEL AND REQUIREMENTS TO PROVIDE A PERSONALIZED SERVICE THAT FITS YOUR WORKING ENVIRONMENT.
1 of 39

INCIDENT RESPONSE CONCEPTS

Download to read offline
Technology

This presentation looks at the core component of an Incident Response plan (NIST 800-61) as well as custom practical implementation framework developed by ELYSIUMSECURITY based on NIST and FIRST.

S
Sylvain Martinez

Recommended

INCIDENT RESPONSE NIST IMPLEMENTATION by
INCIDENT RESPONSE NIST IMPLEMENTATIONINCIDENT RESPONSE NIST IMPLEMENTATION
INCIDENT RESPONSE NIST IMPLEMENTATIONSylvain Martinez
5.5K views27 slides
Phishing Incident Response Playbook by
Phishing Incident Response PlaybookPhishing Incident Response Playbook
Phishing Incident Response PlaybookNaushad CEH, CHFI, MTA, ITIL
4.1K views74 slides
INCIDENT RESPONSE OVERVIEW by
INCIDENT RESPONSE OVERVIEWINCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEWSylvain Martinez
624 views15 slides
Next-Gen security operation center by
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation centerMuhammad Sahputra
1.3K views20 slides
DTS Solution - Building a SOC (Security Operations Center) by
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)Shah Sheikh
46.7K views97 slides
Introduction to Risk Management via the NIST Cyber Security Framework by
Introduction to Risk Management via the NIST Cyber Security FrameworkIntroduction to Risk Management via the NIST Cyber Security Framework
Introduction to Risk Management via the NIST Cyber Security FrameworkPECB
5.5K views20 slides

More Related Content

What's hot

Cyber Security Governance by
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
2.4K views60 slides
Global Cyber Threat Intelligence by
Global Cyber Threat IntelligenceGlobal Cyber Threat Intelligence
Global Cyber Threat IntelligenceNTT Innovation Institute Inc.
2.4K views25 slides
The Next Generation of Security Operations Centre (SOC) by
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)PECB
4.7K views26 slides
Cybersecurity roadmap : Global healthcare security architecture by
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecturePriyanka Aash
8.5K views22 slides
NIST Cybersecurity Framework 101 by
NIST Cybersecurity Framework 101 NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101 Erick Kish, U.S. Commercial Service
4.9K views28 slides
Endpoint Detection & Response - FireEye by
Endpoint Detection & Response - FireEyeEndpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEyePrime Infoserv
827 views74 slides

What's hot(20)

Cyber Security Governance by Priyanka Aash
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
Priyanka Aash2.4K views
Global Cyber Threat Intelligence by NTT Innovation Institute Inc.
Global Cyber Threat IntelligenceGlobal Cyber Threat Intelligence
Global Cyber Threat Intelligence
NTT Innovation Institute Inc.2.4K views
The Next Generation of Security Operations Centre (SOC) by PECB
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)
PECB 4.7K views
Cybersecurity roadmap : Global healthcare security architecture by Priyanka Aash
Cybersecurity roadmap : Global healthcare security architectureCybersecurity roadmap : Global healthcare security architecture
Cybersecurity roadmap : Global healthcare security architecture
Priyanka Aash8.5K views
NIST Cybersecurity Framework 101 by Erick Kish, U.S. Commercial Service
NIST Cybersecurity Framework 101 NIST Cybersecurity Framework 101
NIST Cybersecurity Framework 101
Erick Kish, U.S. Commercial Service4.9K views
Endpoint Detection & Response - FireEye by Prime Infoserv
Endpoint Detection & Response - FireEyeEndpoint Detection & Response - FireEye
Endpoint Detection & Response - FireEye
Prime Infoserv827 views
Zero Trust Model by Yash
Zero Trust ModelZero Trust Model
Zero Trust Model
Yash 1K views
Learn how to use an Analytics-Driven SIEM for your Security Operations by Splunk
Learn how to use an Analytics-Driven SIEM for your Security OperationsLearn how to use an Analytics-Driven SIEM for your Security Operations
Learn how to use an Analytics-Driven SIEM for your Security Operations
Splunk1.7K views
WHY SOC Services needed? by manoharparakh
WHY SOC Services needed?WHY SOC Services needed?
WHY SOC Services needed?
manoharparakh187 views
SOC Architecture - Building the NextGen SOC by Priyanka Aash
SOC Architecture - Building the NextGen SOCSOC Architecture - Building the NextGen SOC
SOC Architecture - Building the NextGen SOC
Priyanka Aash4.6K views
SOC presentation- Building a Security Operations Center by Michael Nickle
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
Michael Nickle49.3K views
Security operation center (SOC) by Ahmed Ayman
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
Ahmed Ayman1.3K views
IBM Security QRadar by Virginia Fernandez
IBM Security QRadar IBM Security QRadar
IBM Security QRadar
Virginia Fernandez7.5K views
Building Security Operation Center by S.E. CTS CERT-GOV-MD
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation Center
S.E. CTS CERT-GOV-MD28.7K views
Threat Hunting with Splunk by Splunk
Threat Hunting with SplunkThreat Hunting with Splunk
Threat Hunting with Splunk
Splunk9.2K views
Bulding Soc In Changing Threat Landscapefinal by Mahmoud Yassin
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat Landscapefinal
Mahmoud Yassin1.1K views
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule by EnterpriseGRC Solutions, Inc.
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 ruleWalk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
Walk This Way: CIS CSC and NIST CSF is the 80 in the 80/20 rule
EnterpriseGRC Solutions, Inc.6.9K views
Soc by Mukesh Chaudhari
SocSoc
Soc
Mukesh Chaudhari717 views
Effective Security Operation Center - present by Reza Adineh by ReZa AdineH
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza Adineh
ReZa AdineH438 views
NIST cybersecurity framework by Shriya Rai
NIST cybersecurity frameworkNIST cybersecurity framework
NIST cybersecurity framework
Shriya Rai1K views

Similar to INCIDENT RESPONSE CONCEPTS

INTRODUCTION TO CYBER FORENSICS by
INTRODUCTION TO CYBER FORENSICSINTRODUCTION TO CYBER FORENSICS
INTRODUCTION TO CYBER FORENSICSSylvain Martinez
1.1K views18 slides
CyberOps.pptx by
CyberOps.pptxCyberOps.pptx
CyberOps.pptxAhmedRobaid1
397 views45 slides
NIST CyberSecurity Framework: An Overview by
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An OverviewTandhy Simanjuntak
49.7K views39 slides
Effective cybersecurity for small and midsize businesses by
Effective cybersecurity for small and midsize businessesEffective cybersecurity for small and midsize businesses
Effective cybersecurity for small and midsize businessesShawn Tuma
275 views35 slides
PHISHING PROTECTION by
PHISHING PROTECTIONPHISHING PROTECTION
PHISHING PROTECTIONSylvain Martinez
2.3K views30 slides
DATA LOSS PREVENTION OVERVIEW by
DATA LOSS PREVENTION OVERVIEWDATA LOSS PREVENTION OVERVIEW
DATA LOSS PREVENTION OVERVIEWSylvain Martinez
599 views21 slides

Similar to INCIDENT RESPONSE CONCEPTS(20)

INTRODUCTION TO CYBER FORENSICS by Sylvain Martinez
INTRODUCTION TO CYBER FORENSICSINTRODUCTION TO CYBER FORENSICS
INTRODUCTION TO CYBER FORENSICS
Sylvain Martinez1.1K views
CyberOps.pptx by AhmedRobaid1
CyberOps.pptxCyberOps.pptx
CyberOps.pptx
AhmedRobaid1397 views
NIST CyberSecurity Framework: An Overview by Tandhy Simanjuntak
NIST CyberSecurity Framework: An OverviewNIST CyberSecurity Framework: An Overview
NIST CyberSecurity Framework: An Overview
Tandhy Simanjuntak49.7K views
Effective cybersecurity for small and midsize businesses by Shawn Tuma
Effective cybersecurity for small and midsize businessesEffective cybersecurity for small and midsize businesses
Effective cybersecurity for small and midsize businesses
Shawn Tuma275 views
PHISHING PROTECTION by Sylvain Martinez
PHISHING PROTECTIONPHISHING PROTECTION
PHISHING PROTECTION
Sylvain Martinez2.3K views
DATA LOSS PREVENTION OVERVIEW by Sylvain Martinez
DATA LOSS PREVENTION OVERVIEWDATA LOSS PREVENTION OVERVIEW
DATA LOSS PREVENTION OVERVIEW
Sylvain Martinez599 views
ACEDS Dallas - Back to School Lessons on the EDRM by PatrickBilgere
ACEDS Dallas - Back to School Lessons on the EDRMACEDS Dallas - Back to School Lessons on the EDRM
ACEDS Dallas - Back to School Lessons on the EDRM
PatrickBilgere145 views
Incident Response: Security's Special Teams by Resilient Systems
Incident Response: Security's Special TeamsIncident Response: Security's Special Teams
Incident Response: Security's Special Teams
Resilient Systems1.5K views
Final Presentation by Mackenzie Starcevich
Final PresentationFinal Presentation
Final Presentation
Mackenzie Starcevich135 views
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit by Shawn Tuma
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk SummitThe Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
Shawn Tuma186 views
Herklotz - Information Operations and Security - Spring Review 2013 by The Air Force Office of Scientific Research
Herklotz - Information Operations and Security - Spring Review 2013Herklotz - Information Operations and Security - Spring Review 2013
Herklotz - Information Operations and Security - Spring Review 2013
The Air Force Office of Scientific Research1K views
Industrial Control Security USA Sacramento California Oct 6/7 by James Nesbitt
Industrial Control Security USA Sacramento California Oct 6/7Industrial Control Security USA Sacramento California Oct 6/7
Industrial Control Security USA Sacramento California Oct 6/7
James Nesbitt394 views
Are We Breached How to Effectively Assess and Manage Incidents by Resilient Systems
Are We Breached How to Effectively Assess and Manage Incidents Are We Breached How to Effectively Assess and Manage Incidents
Are We Breached How to Effectively Assess and Manage Incidents
Resilient Systems709 views
ID IGF 2016 - Infrastruktur 3 - Towards National Cyber Security Framework by IGF Indonesia
ID IGF 2016 - Infrastruktur 3 - Towards National Cyber Security FrameworkID IGF 2016 - Infrastruktur 3 - Towards National Cyber Security Framework
ID IGF 2016 - Infrastruktur 3 - Towards National Cyber Security Framework
IGF Indonesia294 views
CSIRT_16_Jun by Candan BOLUKBAS
CSIRT_16_JunCSIRT_16_Jun
CSIRT_16_Jun
Candan BOLUKBAS1.4K views
Improve Situational Awareness for Federal Government with AlienVault USM by AlienVault
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USM
AlienVault1.1K views
Ics2016 scidmark-27oct2016 by Bob Radvanovsky
Ics2016 scidmark-27oct2016Ics2016 scidmark-27oct2016
Ics2016 scidmark-27oct2016
Bob Radvanovsky433 views
CV-SMB-infographic-small by Jeff Geissler
CV-SMB-infographic-smallCV-SMB-infographic-small
CV-SMB-infographic-small
Jeff Geissler115 views
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins by 44CON
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON 2014 - Security Analytics Beyond Cyber, Phil Huggins
44CON1.1K views
Security Analytics Beyond Cyber by Phil Huggins FBCS CITP
Security Analytics Beyond CyberSecurity Analytics Beyond Cyber
Security Analytics Beyond Cyber
Phil Huggins FBCS CITP2.8K views

More from Sylvain Martinez

PROGRAMMING AND CYBER SECURITY by
PROGRAMMING AND CYBER SECURITYPROGRAMMING AND CYBER SECURITY
PROGRAMMING AND CYBER SECURITYSylvain Martinez
235 views23 slides
INTRODUCTION TO CRYPTOGRAPHY by
INTRODUCTION TO CRYPTOGRAPHYINTRODUCTION TO CRYPTOGRAPHY
INTRODUCTION TO CRYPTOGRAPHYSylvain Martinez
1.2K views21 slides
2019 CYBER SECURITY TRENDS REPORT REVIEW by
2019 CYBER SECURITY TRENDS REPORT REVIEW2019 CYBER SECURITY TRENDS REPORT REVIEW
2019 CYBER SECURITY TRENDS REPORT REVIEWSylvain Martinez
1.8K views18 slides
VIRTUAL CISO AND OTHER KEY CYBER ROLES by
VIRTUAL CISO AND OTHER KEY CYBER ROLESVIRTUAL CISO AND OTHER KEY CYBER ROLES
VIRTUAL CISO AND OTHER KEY CYBER ROLESSylvain Martinez
418 views10 slides
OFFENSIVE IDS by
OFFENSIVE IDSOFFENSIVE IDS
OFFENSIVE IDSSylvain Martinez
286 views17 slides
IOT Security by
IOT SecurityIOT Security
IOT SecuritySylvain Martinez
900 views27 slides

More from Sylvain Martinez(20)

PROGRAMMING AND CYBER SECURITY by Sylvain Martinez
PROGRAMMING AND CYBER SECURITYPROGRAMMING AND CYBER SECURITY
PROGRAMMING AND CYBER SECURITY
Sylvain Martinez235 views
INTRODUCTION TO CRYPTOGRAPHY by Sylvain Martinez
INTRODUCTION TO CRYPTOGRAPHYINTRODUCTION TO CRYPTOGRAPHY
INTRODUCTION TO CRYPTOGRAPHY
Sylvain Martinez1.2K views
2019 CYBER SECURITY TRENDS REPORT REVIEW by Sylvain Martinez
2019 CYBER SECURITY TRENDS REPORT REVIEW2019 CYBER SECURITY TRENDS REPORT REVIEW
2019 CYBER SECURITY TRENDS REPORT REVIEW
Sylvain Martinez1.8K views
VIRTUAL CISO AND OTHER KEY CYBER ROLES by Sylvain Martinez
VIRTUAL CISO AND OTHER KEY CYBER ROLESVIRTUAL CISO AND OTHER KEY CYBER ROLES
VIRTUAL CISO AND OTHER KEY CYBER ROLES
Sylvain Martinez418 views
OFFENSIVE IDS by Sylvain Martinez
OFFENSIVE IDSOFFENSIVE IDS
OFFENSIVE IDS
Sylvain Martinez286 views
IOT Security by Sylvain Martinez
IOT SecurityIOT Security
IOT Security
Sylvain Martinez900 views
ARE YOU RED TEAM READY? by Sylvain Martinez
ARE YOU RED TEAM READY?ARE YOU RED TEAM READY?
ARE YOU RED TEAM READY?
Sylvain Martinez255 views
GDPR SECURITY ISSUES by Sylvain Martinez
GDPR SECURITY ISSUESGDPR SECURITY ISSUES
GDPR SECURITY ISSUES
Sylvain Martinez180 views
Mobile Security Assessment by Sylvain Martinez
Mobile Security AssessmentMobile Security Assessment
Mobile Security Assessment
Sylvain Martinez206 views
The Art of CTF by Sylvain Martinez
The Art of CTFThe Art of CTF
The Art of CTF
Sylvain Martinez223 views
OFFICE 365 SECURITY by Sylvain Martinez
OFFICE 365 SECURITYOFFICE 365 SECURITY
OFFICE 365 SECURITY
Sylvain Martinez457 views
Risk on Crypto Currencies by Sylvain Martinez
Risk on Crypto CurrenciesRisk on Crypto Currencies
Risk on Crypto Currencies
Sylvain Martinez664 views
Talk1 esc7 muscl-gdpr_debate_v1_2 by Sylvain Martinez
Talk1 esc7 muscl-gdpr_debate_v1_2Talk1 esc7 muscl-gdpr_debate_v1_2
Talk1 esc7 muscl-gdpr_debate_v1_2
Sylvain Martinez195 views
Talk1 esc7 muscl-dataprotection_v1_2 by Sylvain Martinez
Talk1 esc7 muscl-dataprotection_v1_2Talk1 esc7 muscl-dataprotection_v1_2
Talk1 esc7 muscl-dataprotection_v1_2
Sylvain Martinez183 views
Ethical Hacking by Sylvain Martinez
Ethical HackingEthical Hacking
Ethical Hacking
Sylvain Martinez249 views
INCIDENT HANDLING IN ORGANISATIONS by Sylvain Martinez
INCIDENT HANDLING IN ORGANISATIONSINCIDENT HANDLING IN ORGANISATIONS
INCIDENT HANDLING IN ORGANISATIONS
Sylvain Martinez158 views
SOCIAL MEDIA AS A CYBER WEAPON by Sylvain Martinez
SOCIAL MEDIA AS A CYBER WEAPONSOCIAL MEDIA AS A CYBER WEAPON
SOCIAL MEDIA AS A CYBER WEAPON
Sylvain Martinez278 views
Talk2 esc4 muscl-ids_v1_2 by Sylvain Martinez
Talk2 esc4 muscl-ids_v1_2Talk2 esc4 muscl-ids_v1_2
Talk2 esc4 muscl-ids_v1_2
Sylvain Martinez766 views
Talk1 esc3 muscl-standards and regulation_v1_1 by Sylvain Martinez
Talk1 esc3 muscl-standards and regulation_v1_1Talk1 esc3 muscl-standards and regulation_v1_1
Talk1 esc3 muscl-standards and regulation_v1_1
Sylvain Martinez196 views
Talk2 esc2 muscl-wifi_v1_2b by Sylvain Martinez
Talk2 esc2 muscl-wifi_v1_2bTalk2 esc2 muscl-wifi_v1_2b
Talk2 esc2 muscl-wifi_v1_2b
Sylvain Martinez285 views

Recently uploaded

VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue by
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlueVNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlueShapeBlue
163 views54 slides
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT by
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBITUpdates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBITShapeBlue
166 views8 slides
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R... by
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...ShapeBlue
132 views15 slides
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ... by
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...ShapeBlue
123 views28 slides
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda... by
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...ShapeBlue
120 views13 slides
Declarative Kubernetes Cluster Deployment with Cloudstack and Cluster API - O... by
Declarative Kubernetes Cluster Deployment with Cloudstack and Cluster API - O...Declarative Kubernetes Cluster Deployment with Cloudstack and Cluster API - O...
Declarative Kubernetes Cluster Deployment with Cloudstack and Cluster API - O...ShapeBlue
88 views13 slides

Recently uploaded(20)

VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue by ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlueVNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
VNF Integration and Support in CloudStack - Wei Zhou - ShapeBlue
ShapeBlue163 views
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT by ShapeBlue
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBITUpdates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
Updates on the LINSTOR Driver for CloudStack - Rene Peinthor - LINBIT
ShapeBlue166 views
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R... by ShapeBlue
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
Setting Up Your First CloudStack Environment with Beginners Challenges - MD R...
ShapeBlue132 views
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ... by ShapeBlue
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
How to Re-use Old Hardware with CloudStack. Saving Money and the Environment ...
ShapeBlue123 views
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda... by ShapeBlue
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...
Hypervisor Agnostic DRS in CloudStack - Brief overview & demo - Vishesh Jinda...
ShapeBlue120 views
Declarative Kubernetes Cluster Deployment with Cloudstack and Cluster API - O... by ShapeBlue
Declarative Kubernetes Cluster Deployment with Cloudstack and Cluster API - O...Declarative Kubernetes Cluster Deployment with Cloudstack and Cluster API - O...
Declarative Kubernetes Cluster Deployment with Cloudstack and Cluster API - O...
ShapeBlue88 views
Network Source of Truth and Infrastructure as Code revisited by Network Automation Forum
Network Source of Truth and Infrastructure as Code revisitedNetwork Source of Truth and Infrastructure as Code revisited
Network Source of Truth and Infrastructure as Code revisited
Network Automation Forum52 views
Confidence in CloudStack - Aron Wagner, Nathan Gleason - Americ by ShapeBlue
Confidence in CloudStack - Aron Wagner, Nathan Gleason - AmericConfidence in CloudStack - Aron Wagner, Nathan Gleason - Americ
Confidence in CloudStack - Aron Wagner, Nathan Gleason - Americ
ShapeBlue88 views
The Power of Heat Decarbonisation Plans in the Built Environment by IES VE
The Power of Heat Decarbonisation Plans in the Built EnvironmentThe Power of Heat Decarbonisation Plans in the Built Environment
The Power of Heat Decarbonisation Plans in the Built Environment
IES VE69 views
Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P... by ShapeBlue
Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P...Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P...
Developments to CloudStack’s SDN ecosystem: Integration with VMWare NSX 4 - P...
ShapeBlue154 views
NTGapps NTG LowCode Platform by Mustafa Kuğu
NTGapps NTG LowCode Platform NTGapps NTG LowCode Platform
NTGapps NTG LowCode Platform
Mustafa Kuğu365 views
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue by ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
2FA and OAuth2 in CloudStack - Andrija Panić - ShapeBlue
ShapeBlue103 views
Ransomware is Knocking your Door_Final.pdf by Security Bootcamp
Ransomware is Knocking your Door_Final.pdfRansomware is Knocking your Door_Final.pdf
Ransomware is Knocking your Door_Final.pdf
Security Bootcamp90 views
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ... by ShapeBlue
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...
Backup and Disaster Recovery with CloudStack and StorPool - Workshop - Venko ...
ShapeBlue144 views
The Role of Patterns in the Era of Large Language Models by Yunyao Li
The Role of Patterns in the Era of Large Language ModelsThe Role of Patterns in the Era of Large Language Models
The Role of Patterns in the Era of Large Language Models
Yunyao Li80 views
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit... by ShapeBlue
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...
Transitioning from VMware vCloud to Apache CloudStack: A Path to Profitabilit...
ShapeBlue117 views
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or... by ShapeBlue
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...
Zero to Cloud Hero: Crafting a Private Cloud from Scratch with XCP-ng, Xen Or...
ShapeBlue158 views
Extending KVM Host HA for Non-NFS Storage - Alex Ivanov - StorPool by ShapeBlue
Extending KVM Host HA for Non-NFS Storage - Alex Ivanov - StorPoolExtending KVM Host HA for Non-NFS Storage - Alex Ivanov - StorPool
Extending KVM Host HA for Non-NFS Storage - Alex Ivanov - StorPool
ShapeBlue84 views
Microsoft Power Platform.pptx by Uni Systems S.M.S.A.
Microsoft Power Platform.pptxMicrosoft Power Platform.pptx
Microsoft Power Platform.pptx
Uni Systems S.M.S.A.80 views
Igniting Next Level Productivity with AI-Infused Data Integration Workflows by Safe Software
Igniting Next Level Productivity with AI-Infused Data Integration Workflows Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Igniting Next Level Productivity with AI-Infused Data Integration Workflows
Safe Software385 views

INCIDENT RESPONSE CONCEPTS

  • 1. CYBER SECURITY INCIDENT RESPONSE CONCEPT VERSION: 1.3 DATE: 25/06/2019 AUTHOR: SYLVAIN MARTINEZ REFERENCE: ES-CSIR CLASSIFICATION: PUBLIC
  • 2. 2 • Presentation goal; • Who am I; • Who we are; • Our customers; • IR framework benefits; • Data breach statistics; • Incident cost; • Incident readiness; • Incident response concept; • Teams and mandates; • Registers and purposes; • Registers and reporting synergy; • IR policy & plan overview; • Incident playbook overview; • NIST IR lifecycle; • NIST IR steps; • Preparation • Detection & Analysis; • Containment, Eradication & Recovery; • Post-incident activity; • Incident Response Check list • ELYSIUMSECURITY Incident Response; • Overview; • Rules of Engagement; • Preparation; • Detection; • Categorization; • Containment; • Investigation; • Remediation; • Reporting; • Lessons Learnt; CONTENTS PUBLIC CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT • Short Term – How to start?; • Long Term – IR Implementation; • Extra Resources.
  • 3. PRESENTATION GOAL 3 LEARN HOW TO START 3 LEARN HOW TO APPLY AN IR FRAMEWORK 2 LEARN ABOUT IR CORE ELEMENTS 1 TO LEARN ABOUT CYBER INCIDENT RESPONSE (IR) MAIN CONCEPTS CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT Icons: from The Noun Project unless stated otherwisePUBLIC
  • 4. WHO AM I 4 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC LIVED AND WORKED IN FRANCE, UK, USA AND MAURITIUS CONTRIBUTING AND LEADING VARIOUS OPEN SOURCE CYBER SECURITY PROJECTS FOR THE LAST 20 YEARS VETTED, TRAINED AND OVER 20 YEARS OF CYBER SECURITY EXPERIENCE WORKING FROM LARGE INTERNATIONAL CORPORATIONS PASSIONATE ABOUT IT FROM VERY EARLY YEARS FOUNDER AND RUNNING THE MAURITIUS SECURITY CLUB (MU.SCL) WITH FREE SECURITY AWARENESS PRESENTATIONS EVERY MONTH
  • 5. WHO WE ARE 5 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC FOUNDED IN 2015 BY SYLVAIN MARTINEZ INCORPORATED AND OPERATING IN MAURITIUS (2017) AND IN THE UK/EUROPE (2015) PROVIDING INDEPENDENT EXPERTISE IN CYBER SECURITY MULTITUDE OF RECOGNIZED PROFESSIONAL CERTIFICATIONS 20 YEARS OF INTERNATIONAL CYBER SECURITY CORPORATE EXPERIENCE OUR BOUTIQUE STYLE APPROACH PROVIDES A DISCREET, TAILORED AND SPECIALIZED CYBER SECURITY SERVICE THAT FITS YOUR WORKING ENVIRONMENT
  • 6. CUSTOMERS 6 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC • HEDGE FUNDS • GOVERNMENT AGENCY SERVICE SUPPLIER 2016 2019 • 1x BANK • 1x TELECOMMUNICATION GROUP • 4x LARGE COMMERCIAL GROUPS; • 2x BANKS; 3x MANAGEMENT FUNDS; • 6x HOTELS; 3x TEXTILE; 1x SHOPPING; • 1x HEALTHCARE; REFERENCES AVAILABLE ON DEMAND 2018 2017 2019
  • 7. INCIDENT RESPONSE FRAMEWORK BENEFITS 7 • REDUCED OPERATION DOWNTIME • REDUCED INCIDENT IMPACT • REDUCED/AVOID FINES REDUCED IMPACT COST • IMPROVED RESPONSE TIME • IMPROVED INCIDENT CONTAINMENT • IMPROVED INCIDENT VISIBILITY IMPROVED SECURITY • CONTRACT REQUIREMENT • INDUSTRY REQUIREMENT • LAW REQUIREMENT BUSINESS ENABLEMENT CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 8. DATA BREACH STATISTICS 8 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT EVERY DAY 6,313,865 RECORDS EVERY HOUR 263,078 RECORDS EVERY MINUTE 4,385 RECORDS EVERY SECONDS 73 RECORDS DATA RECORDS ARE LOST OR STOLEN AT THE FOLLOWING FREQUENCY DATA RECORDS LOST OR STOLEN SINCE 2013 4 7 1 7 6 1 8 2 8 6, ,,1 Source: Breach Level Index - May 2019PUBLIC
  • 9. INCIDENT COST 9 ELYSIUMSECURITY INVESTIGATIONS MAURITIUS JANUARY 2018 – JUNE 2019 80% FINANCIAL FRAUD 20% RANSOMWARE 100% PHISHING JAN 2018 MAY 2018 AUG 2018 APR 2019 MAY 2019 JUNE 2019 $0.5M $1M $2M $0.5M $1M $0.5M AVERAGE COST PER DATA BREACH AVERAGE COST PER MALWARE INFECTION AVERAGE DETECTION TIME FROM OUTSIDERS CRIMINALS DATA BREACHES FROM HEALTHCARE ORGANISATIONS $3.86M $2.4M 197 DAYS 73% 24% WORLDWIDE WORLDWIDE STATS FROM SAFEATLAST.CO – APRIL 2019 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 11. INCIDENT RESPONSE CONCEPT 11 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT INCIDENT RESPONSE STRUCTURE INCIDENT RESPONSE HANDLINGCOORDINATION & INFORMATION SHARING TO MINIMISE OPERATIONAL, FINANCIAL & BUSINESS INCIDENT IMPACT NIST SP 800-61 PUBLIC
  • 12. INTERNAL AUDIT TEAM COMPLIANCE TEAM SUBJECT EXPERT VENDOR SUPPORT TEAM IT SUPPORT TEAM TEAMS AND MANDATES 12 CYBER SECURITY TEAM SECURITY OPERATIONS AND PROJECTS CYBER RISK TEAM RISK IDENTIFICATION AND MANAGEMENT CYBER INCIDENT (VIRTUAL) TEAM INCIDENT MANAGEMENT AND RESPONSE CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 13. REGISTERS AND PURPOSES 13 CYBER ISSUE REGISTER POTENTIAL AND CONFIRMED SECURITY ISSUES DETAILS CYBER RISK REGISTER POTENTIAL AND CONFIRMED RISK DETAILS CYBER INCIDENT REGISTER PAST AND CURRENT INCIDENTS DETAILS CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT IT OPERATION REGISTER CURRENT GENERAL IT ISSUES DETAILS PUBLIC
  • 14. GLOBAL ISSUE REGISTER REGISTERS AND REPORTING SYNERGY 14 CYBER SECURITY REGISTER CYBER ISSUE REGISTER CYBER RISK REGISTER CYBER INCIDENT REGISTER IT OPERATION REGISTER IT ISSUE REGISTER NETWORK ISSUE REGISTER PROJECT ISSUE REGISTER ONE VIEW ONE PROCESS DIFFERENT ACCESS DIFFERENT TEAMS DIFFERENT VIEWS DIFFERENT ACCESS DIFFERENT TEAMS DIFFERENT VIEWS DIFFERENT ACCESS CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 15. INCIDENT RESPONSE POLICY & PLAN - OVERVIEW 15 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC INCIDENT RESPONSE POLICY INCIDENT SCOPE INCIDENT DEFINITION & PRIORITIZATION INCIDENT REPORTING INCIDENT RESPONSE PLAN INCIDENT HANDLING INCIDENT COORDINATION CONTINUOUS IMPROVEMENT
  • 16. INCIDENT PLAYBOOK SCENARIOS INCIDENT PLAYBOOK OVERVIEW 16 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT CONTAIN INCIDENT UNDERSTAND CAUSE OF INCIDENT ANALYSE SIGNS OF INCIDENT READY MADE SCENARIOS PRACTICAL RESPONSE ACTIONS AVAILABLE AND COMMUNICATED PUBLIC
  • 17. NIST INCIDENCE RESPONSE LIFECYCLE 17 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC PREPARATION DETECTION & ANALYSIS CONTAINMENT, ERADICATION & RECOVERY POST-INCIDENT ACTIVITY NIST SP 800-61 REV 2
  • 18. NIST INCIDENCE RESPONSE - STEPS 18 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC PREPARATION DETECTION & ANALYSIS CONTAINMENT, ERADICATION & RECOVERY POST-INCIDENT ACTIVITY 1. COMMUNICATION & FACILITIES 2. HARDWARE & SOFTWARE 3. RESOURCES 4. ATTACK VECTORS IDENTIFICATION 11 CONTAINMENT STRATEGY 15. LESSONS LEARNT 5. SIGN OF AN INCIDENT 6. SOURCE OF PRECURSORS 7. INCIDENT ANALYSIS 8. INCIDENT DOCUMENTATION 9. INCIDENT PRIORITIZATION 10. INCIDENT NOTIFICATION 12. EVIDENCE GATHERING & HANDLING 13. IDENTIFYING THE ATTACKING HOST 14. ERADICATION & RECOVERY 16. USING COLLECTED INCIDENT DATA 17. EVIDENCE RETENTION
  • 19. PREPARATION - OVERVIEW 19 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT 1. COMMUNICATION & FACILITIES CONTACT DETAILS PHYSICAL LOGISTICS COORDINATION SYSTEM 2. HARDWARE & SOFTWARE 3. RESOURCES GENERAL IT SPARE EQUIPMENT FORENSICS SPECIFIC EQUIPMENT TRUSTED SOURCED SOFTWARE ARCHITECTURE DIAGRAMS DOCUMENTATION INCIDENT PLAYBOOK PUBLIC
  • 20. DETECTION & ANALYSIS - OVERVIEW 20 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC 4. ATTACK VECTORS IDENTIFICATION 5. SIGN OF AN INCIDENT 6. SOURCE OF PRECURSORS & INDICATORS 7. INCIDENT ANALYSIS SECURITY ALERTS SECURITY LOGS PEOPLE FEEDBACK NETWORK LOGS SYSTEM LOGS EXPLOIT ANNOUNCEMENT BASELINES LOG ANALYSIS DATA RESULTS FILTERING SOURCE OF ATTACK TYPE OF ATTACK METHOD OF ATTACK
  • 21. DETECTION & ANALYSIS - OVERVIEW 21 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC 8. INCIDENT DOCUMENTATION 9. INCIDENT PRIORIZATION 10. INCIDENT NOTIFICATION UPPER MANAGEMENT STAFF EXTERNAL BODIES FUNCTIONAL IMPACT INFORMATION IMPACT RECOVERABILITY STATUS WORK DONE NEXT STEPS
  • 22. CONTAINMENT, ERADICATION & RECOVERY - OVERVIEW 22 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC 11. CONTAINMENT STRATEGY 12. EVIDENCE GATHERING & HANDLING 13. IDENTIFYING THE ATTACKING HOST 14. ERADICATION & RECOVERY SOURCE IP ATTACKER RESEARCH COMMUNICATION MONITORING INCIDENT INFORMATION TIME AND DATE LOCATION REMOVING IMMEDIATE THREAT REMEDIATING VULNERABILITIES GROUP WIDE CHANGES INCIDENT IMPACT EVIDENCE REQUIREMENTS SOLUTION SUSTAINABILITY
  • 23. POST INCIDENT ACTIVITY - OVERVIEW 23 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC 15. LESSONS LEARNT 16. USING COLLECTED INCIDENT DATA 17. EVIDENCE RETENTION PROSECUTION DATA RETENTION COST INCIDENT STATISTICS INCIDENT SLA INCIDENT ASSESSMENT INCIDENT DETAILS TECHNOLOGY AND PROCESS GAPS POSSIBLE IMPROMENTS
  • 24. INCIDENCE RESPONSE CHECKLIST 24 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 25. ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW 25 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PRACTICAL IMPLEMENTATION OF NIST GUIDED PROCESS SHORTER PROCESS USED NIST AND FIRST CORE ELEMENTS 17x STEPS -> 8x STEPS CLIENTS REQUIREMENTS ELYSIUMSECURITY IR FRAMEWORK 5x ACTIVITIES PER STEPS PUBLIC
  • 26. ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW 26 {elysiumsecurity} INCIDENT RESPONSE FRAMEWORK 1. PREPARATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 27. {es} INCIDENT RESPONSE - RULES OF ENGAGEMENT 27 DO NOT MAKE THINGS WORSE! DO NOT ENGAGE OR INTERACT WITH THE HACKER/THREAT GROUP 1 DO NOT CONNECT TO THE THREAT’S RELATED NETWORK(S) FROM YOUR ORGANISATION 2 PRESERVE EVIDENCE3 COORDINATE INTERNAL AND EXTERNAL COMMUNICATION WITH MANAGEMENT 4 ALL INCIDENT DETAILS MUST BE TREATED AS CONFIDENTIAL 5 PUBLIC CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
  • 28. {es} INCIDENT RESPONSE - PREPARATION 28 INCIDENT RESPONSE PLAN1 TEAM, PROCEDURES, DOCUMENTATION, APPROVAL, MANAGEMENT COMMITMENT INCIDENT RESPONSE PLAYBOOK2 PHISHING, RANSOMWARE, KEYLOGGER, DDOS LOGISITICS3 MEETING ROOMS, LAPTOPS, REMOVABLE STORAGE, PHONES, STATIONNARY, PRINTERS, SLEEPING AND CATERING ARRANGEMENTS CONTACTS4 TEAM, ALTERNATIVE CONTACT METHODS, ESCALATION, ON CALL, SUPPORT, VENDOR, SUPPORT5 INCIDENT REGISTER, ARCHITECTURE DIAGRAM, NETWORK DIAGRAM, DATA FLOWS, APPLICATION AND SYSTEM DOCUMENTATION ACTIVITIES EXAMPLE 1. PREPARATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 29. {es} INCIDENT RESPONSE - DETECTION 29 WHO/WHAT DETECTED/REPORTED THE THREAT?1 IT STAFF, SECURITY TOOLS WHAT IS THE DATE AND TIME OF THE THREAT DETECTION/REPORT?2 NORMALISE TIME AND DATE ACROSS REPORTING – RECORD TIME IN GMT HOW WAS THE THREAT DETECTED/REPORTED?3 EMAIL, TEXT, WARNING POP UP, PHONE CALL HAS A SIMILAR THREAT ALREADY BEEN REPORTED?4 PREVIOUS INCIDENT REGISTER LOGS IS THE THREAT VALID?5 CONFIRMED, FALSE POSITIVE ACTIVITIES EXAMPLE 2. DETECTION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 30. {es} INCIDENT RESPONSE - CATEGORISATION 30 WHO/WHAT IS THE TARGET OF THE THREAT?1 USER, SYSTEM, SPECIFIC DATA IS THIS AN ON GOING/LIVE THREAT?2 ON GOING, STOPPED, UNKNOWN WHAT IS THE IMPACT OF THE THREAT?3 FINANCIAL, OPERATIONAL, REPUTATIONAL, LEGAL CATEGORISE THE PRIORITY OF THE INCIDENT4 PRIORITY 1, 2 ,3 (P1 > P2 > P3) CLASSIFY THE INCIDENT COMMUNICATION5 RESTRICTED / UNRESTRICTED ACTIVITIES EXAMPLE 3. CATEGORISATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 31. {es} INCIDENT RESPONSE - CONTAINMENT 31 COORDINATE INCIDENT MANAGEMENT1 TEAM, COMMS, ACTIVITIES, DOCUMENTATION LIGHT AND QUICK THREAT ANALYSIS2 NETWORK, SYSTEM, USER IDENTIFY MAIN ATTACK AND COMPROMISE VECTORS3 IP, PORTS, SIGNATURES, EMAIL ISOLATE THE TARGETED ASSET4 REMOVE FROM NETWORK, DISABLE ACCOUNT IMPLEMENT EMERGENCY CHANGES AS REQUIRED5 NETWORK, SYSTEM, USER ACTIVITIES EXAMPLE 4. CONTAINMENT CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 32. {es} INCIDENT RESPONSE - INVESTIGATION 32 THREAT NETWORK ANALYSIS1 FIREWALL, CLOUD APP LOGS, ASSET LOGS, INTERCEPTED TRAFFIC, TRAFFIC AND DATA FLOWS, SIEM THREAT MALWARE ANALYSIS2 A/V VENDORS, FOOTPRINT, BEHAVIOR, REVERSE ENGINEERING THREAT SYSTEM ANALYSIS3 EVENT LOGS, APP/PLUGINS INSTALLED, AD/EMAIL ACTIVITIES, AUTHENTICATED VULNERABILITY ASSESSSMENT, SIEM THREAT USER ANALYSIS4 INTERVIEW TARGETED USER, CONTEXT, TRIGGERS, RECENT UNUSUAL ACTIVITIES/ALERTS THREAT RESEARCH ANALYSIS5 ONLINE SEARCH FOR SIMILAR THREATS, PROFESSIONAL FORUMS, VENDOR ENGAGEMENT ACTIVITIES EXAMPLE 5. INVESTIGATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 33. ELYSIUMSECURITY INCIDENT RESPONSE - REMEDIATION 33 THREAT NETWORK REMEDIATION1 BLOCK IP, PORTS, DOMAINS, EMAILS. UPDATE F/W, IDS, APT AND SIEM RULES THREAT MALWARE REMEDIATION2 UPDATE SYSTEM AND NETWORK A/V SIGNATURES. ENGAGE WITH VENDORS THREAT SYSTEM REMEDIATION3 REMOVE/BAN INFECTED APPS/PLUGINS, CLEAR INBOX RULES, REMEDIATE ISSUES FOUND WITH THE VULNERABIULTIY ASSESSMENT THREAT USER REMEDIATION4 INDIVIDUAL AND GROUP USER AWARENESS SESSION RELEVANT TO THE THREAT DECLARE THE INCIDENT REMEDIATED5 FULL, PARTIAL, ACCEPTED ACTIVITIES EXAMPLE 6. REMEDIATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 34. {es} INCIDENT RESPONSE - REPORTING 34 ON GOING REPORTING1 DOCUMENTATION AND EVIDENCE SHOULD BE GENERATED AS MUCH AS POSSIBLE DURING THE PREVIOUS PHASES EVIDENCE GATHERING2 THREAT ACTORS, ATTACK VECTORS, ATTACK SURFACE INCIDENT DOCUMENTATION3 THREAT AND INCIDENT DETAILS, TRIGGERS, OWNER, FINDINGS, TIMELINE INCIDENT REGISTER4 CREATE/UPDATE AN OVERALL INCIDENT REGISTER TO TRACK PROGRESS AND GENERATES STATISTICS INCIDENT REPORT COMMUNICATION5 INTERNAL, EXTERNAL, STAFF, MANAGEMENT, BOARD, VENDORS, CLIENTS, GOVERNMENT, REGULATORS, LAW ENFORCEMENT ACTIVITIES EXAMPLE 7. REPORTING CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 35. {es} INCIDENT RESPONSE – LESSONS LEARNT 35 ROOT CAUSE ANALYSIS1 IDENTIFY AND DOCUMENT INCIDENT TRIGGERS AND SECURITY GAPS THAT ENABLED THE INCIDENT TO OCCUR CONTROLS AND PROCESSES READINESS2 EVALUATE THE EFFICIENCY OF CURRENT SECURITY CONTROLS AND PROCESSES IN LIGHT OF THE INCIDENT INCIDENT TRENDS ANALYSIS3 ARE YOU LEARNING FROM PAST INCIDENTS? IS YOUR RISK PROFILE CHANGING? MITIGATION PLAN4 MITIGATE IMPACT OF SIMILAR FUTURE INCIDENTS IMPROVEMENTS PLAN5 STOP OCCURRENCE OF SIMILAR FUTURE INCIDENTS ACTIVITIES EXAMPLE 8. LESSONS LEARNT CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 36. SHORT TERM – HOW TO START? 36 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT REVIEW EXISTING INCIDENT PROCESS1 ESTABLISH INCIDENT TEAM2 CONDUCT REGULAR INCIDENT TEAM MEETING 3 SET GROUND RULES4 DEFINE WHAT IS AN INCIDENT5 INFORM STAFF OF RULES AND INCIDENT CONTACT 6 CREATE INCIDENT REGISTER7 DOCUMENT RECENT AND FUTURE INCIDENTS 8 FOLLOW NIST INCIDENT HANDLING METHODOLOGY 9 CREATE HIGH LEVEL PLAYBOOK TO COMPLEMENT CHECKLIST 10 PUBLIC
  • 37. LONG TERM – INCIDENT RESPONSE IMPLEMENTATION 37 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT SELECT INCIDENT RESPONSE FRAMEWORK (NIST SP 800-61 REV 2 RECOMMENDED) 1 IMPLEMENT FULL INCIDENT RESPONSE FRAMEWORK 2 DEDICATED INCIDENT RESPONSE TEAM AND TRAINING 3 INCIDENT RESPONSE SIMULATION4 CONTINUOUS IMPROVEMENT5 PUBLIC
  • 38. EXTRA RESOURCES 38 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT FORUM OF INCIDENT RESPONSE AND SECURITY TEAMS (FIRST) FRAMEWORK (HTTPS://WWW.FIRST.ORG/EDUCATION/FIRST_SIRT_SERVICES_FRAMEWORK_VERSION1.0.PDF) NATIONAL INSTITUTE OF STANDARDS & TECHNOLOGY (NIST) SPECIAL PROCEDURE (SP) 800-61 (HTTPS://NVLPUBS.NIST.GOV/NISTPUBS/SPECIALPUBLICATIONS/NIST.SP.800-61R2.PDF) INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-1:2016 (HTTPS://WWW.ISO.ORG/STANDARD/60803.HTML) INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-2:2016 (HTTPS://WWW.ISO.ORG/STANDARD/62071.HTML?BROWSE=TC) CONTACT US! (CONSULTING@ELYSIUMSECURITY.COM) PUBLIC
  • 39. © 2015-2019 ELYSIUMSECURITY LTD ALL RIGHTS RESERVED HTTPS://WWW.ELYSIUMSECURITY.COM CONSULTING@ELYSIUMSECURITY.COM ABOUT ELYSIUMSECURITY LTD. ELYSIUMSECURITY PROVIDES PRACTICAL EXPERTISE TO IDENTIFY VULNERABILITIES, ASSESS THEIR RISKS AND IMPACT, REMEDIATE THOSE RISKS, PREPARE AND RESPOND TO INCIDENTS AS WELL AS RAISE SECURITY AWARENESS THROUGH AN ORGANIZATION. ELYSIUMSECURITY PROVIDES HIGH LEVEL EXPERTISE GATHERED THROUGH YEARS OF BEST PRACTICES EXPERIENCE IN LARGE INTERNATIONAL COMPANIES ALLOWING US TO PROVIDE ADVICE BEST SUITED TO YOUR BUSINESS OPERATIONAL MODEL AND PRIORITIES. ELYSIUMSECURITY PROVIDES A PORTFOLIO OF STRATEGIC AND TACTICAL SERVICES TO HELP COMPANIES PROTECT AND RESPOND AGAINST CYBER SECURITY THREATS. WE DIFFERENTIATE OURSELVES BY OFFERING DISCREET, TAILORED AND SPECIALIZED ENGAGEMENTS. ELYSIUMSECURITY OPERATES IN MAURITIUS AND IN EUROPE, A BOUTIQUE STYLE APPROACH MEANS WE CAN EASILY ADAPT TO YOUR BUSINESS OPERATIONAL MODEL AND REQUIREMENTS TO PROVIDE A PERSONALIZED SERVICE THAT FITS YOUR WORKING ENVIRONMENT.