INCIDENT RESPONSE NIST IMPLEMENTATION

CYBER SECURITY INCIDENT RESPONSE CONCEPT
VERSION: 1.3
DATE: 25/06/2019
AUTHOR: SYLVAIN MARTINEZ
REFERENCE: ES-CSIR
CLASSIFICATION: PUBLIC
CONTENTS
SECTIONS: CONTEXT / STRUCTURE / HANDLING / CASE STUDY / CONCLUSION
• IR framework benefits;
• Data breach statistics;
• Incident readiness;
• Incident response concept;
• Teams and mandates;
• IR policy & plan overview;
• Incident playbook overview;
• NIST IR lifecycle;
• NIST IR steps;
• Incident Response Checklist;
• ELYSIUMSECURITY Incident Response;
• Overview;
• Rules of Engagement;
• Preparation;
• Detection;
• Categorisation;
• Containment;
• Investigation;
• Remediation;
• Reporting;
• Lessons Learnt;
• Short Term – How to start?;
• Long Term – IR Implementation;
• Extra Resources.
INCIDENT RESPONSE FRAMEWORK BENEFITS
REDUCED IMPACT COST:
• REDUCED OPERATION DOWNTIME
• REDUCED INCIDENT IMPACT
• REDUCED/AVOIDED FINES
IMPROVED SECURITY:
• IMPROVED RESPONSE TIME
• IMPROVED INCIDENT CONTAINMENT
• IMPROVED INCIDENT VISIBILITY
BUSINESS ENABLEMENT:
• CONTRACT REQUIREMENT
• INDUSTRY REQUIREMENT
• LAW REQUIREMENT
DATA BREACH STATISTICS
DATA RECORDS ARE LOST OR STOLEN AT THE FOLLOWING FREQUENCY:
• EVERY DAY: 6,313,865 RECORDS
• EVERY HOUR: 263,078 RECORDS
• EVERY MINUTE: 4,385 RECORDS
• EVERY SECOND: 73 RECORDS
DATA RECORDS LOST OR STOLEN SINCE 2013: 14,717,618,286
Source: Breach Level Index - May 2019
INCIDENT READINESS
(diagram slide: incident readiness; no further text recoverable)
INCIDENT RESPONSE CONCEPT (NIST SP 800-61)
• INCIDENT RESPONSE STRUCTURE
• INCIDENT RESPONSE HANDLING
• COORDINATION & INFORMATION SHARING
TO MINIMISE OPERATIONAL, FINANCIAL & BUSINESS INCIDENT IMPACT
TEAMS AND MANDATES
• CYBER SECURITY TEAM: SECURITY OPERATIONS AND PROJECTS
• CYBER RISK TEAM: RISK IDENTIFICATION AND MANAGEMENT
• CYBER INCIDENT (VIRTUAL) TEAM: INCIDENT MANAGEMENT AND RESPONSE
OTHER TEAMS INVOLVED:
• INTERNAL AUDIT TEAM
• COMPLIANCE TEAM
• SUBJECT EXPERT
• VENDOR SUPPORT TEAM
• IT SUPPORT TEAM
INCIDENT RESPONSE POLICY & PLAN - OVERVIEW
INCIDENT RESPONSE POLICY:
• INCIDENT SCOPE
• INCIDENT DEFINITION & PRIORITIZATION
• INCIDENT REPORTING
INCIDENT RESPONSE PLAN:
• INCIDENT HANDLING
• INCIDENT COORDINATION
• CONTINUOUS IMPROVEMENT
INCIDENT PLAYBOOK OVERVIEW
INCIDENT PLAYBOOK SCENARIOS:
• CONTAIN INCIDENT
• UNDERSTAND CAUSE OF INCIDENT
• ANALYSE SIGNS OF INCIDENT
READY MADE SCENARIOS: PRACTICAL RESPONSE ACTIONS AVAILABLE AND COMMUNICATED
NIST INCIDENT RESPONSE LIFECYCLE (NIST SP 800-61 REV 2)
• PREPARATION
• DETECTION & ANALYSIS
• CONTAINMENT, ERADICATION & RECOVERY
• POST-INCIDENT ACTIVITY
NIST INCIDENT RESPONSE - STEPS
PREPARATION:
1. COMMUNICATION & FACILITIES
2. HARDWARE & SOFTWARE
3. RESOURCES
4. ATTACK VECTORS IDENTIFICATION
DETECTION & ANALYSIS:
5. SIGN OF AN INCIDENT
6. SOURCE OF PRECURSORS
7. INCIDENT ANALYSIS
8. INCIDENT DOCUMENTATION
9. INCIDENT PRIORITIZATION
10. INCIDENT NOTIFICATION
CONTAINMENT, ERADICATION & RECOVERY:
11. CONTAINMENT STRATEGY
12. EVIDENCE GATHERING & HANDLING
13. IDENTIFYING THE ATTACKING HOST
14. ERADICATION & RECOVERY
POST-INCIDENT ACTIVITY:
15. LESSONS LEARNT
16. USING COLLECTED INCIDENT DATA
17. EVIDENCE RETENTION
INCIDENT RESPONSE CHECKLIST
(checklist slide; its content is not present in the extracted text)
ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW
ELYSIUMSECURITY IR FRAMEWORK: BUILT FROM NIST AND FIRST CORE ELEMENTS AND CLIENT REQUIREMENTS
• PRACTICAL IMPLEMENTATION OF NIST
• GUIDED PROCESS
• SHORTER PROCESS: 17x STEPS -> 8x STEPS
• 5x ACTIVITIES PER STEP
ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW
{elysiumsecurity} INCIDENT RESPONSE FRAMEWORK (diagram of the 8 steps, starting with 1. PREPARATION)
{es} INCIDENT RESPONSE - RULES OF ENGAGEMENT
DO NOT MAKE THINGS WORSE!
1. DO NOT ENGAGE OR INTERACT WITH THE HACKER/THREAT GROUP
2. DO NOT CONNECT TO THE THREAT’S RELATED NETWORK(S) FROM YOUR ORGANISATION
3. PRESERVE EVIDENCE
4. COORDINATE INTERNAL AND EXTERNAL COMMUNICATION WITH MANAGEMENT
5. ALL INCIDENT DETAILS MUST BE TREATED AS CONFIDENTIAL
{es} INCIDENT RESPONSE - PREPARATION
STEP 1. PREPARATION – ACTIVITIES EXAMPLE
1. INCIDENT RESPONSE PLAN: TEAM, PROCEDURES, DOCUMENTATION, APPROVAL, MANAGEMENT COMMITMENT
2. INCIDENT RESPONSE PLAYBOOK: PHISHING, RANSOMWARE, KEYLOGGER, DDOS
3. LOGISTICS: MEETING ROOMS, LAPTOPS, REMOVABLE STORAGE, PHONES, STATIONERY, PRINTERS, SLEEPING AND CATERING ARRANGEMENTS
4. CONTACTS: TEAM, ALTERNATIVE CONTACT METHODS, ESCALATION, ON CALL, SUPPORT, VENDOR
5. SUPPORT: INCIDENT REGISTER, ARCHITECTURE DIAGRAM, NETWORK DIAGRAM, DATA FLOWS, APPLICATION AND SYSTEM DOCUMENTATION
{es} INCIDENT RESPONSE - DETECTION
STEP 2. DETECTION – ACTIVITIES EXAMPLE
1. WHO/WHAT DETECTED/REPORTED THE THREAT? IT STAFF, SECURITY TOOLS
2. WHAT IS THE DATE AND TIME OF THE THREAT DETECTION/REPORT? NORMALISE TIME AND DATE ACROSS REPORTING – RECORD TIME IN GMT
3. HOW WAS THE THREAT DETECTED/REPORTED? EMAIL, TEXT, WARNING POP UP, PHONE CALL
4. HAS A SIMILAR THREAT ALREADY BEEN REPORTED? PREVIOUS INCIDENT REGISTER LOGS
5. IS THE THREAT VALID? CONFIRMED, FALSE POSITIVE
{es} INCIDENT RESPONSE - CATEGORISATION
STEP 3. CATEGORISATION – ACTIVITIES EXAMPLE
1. WHO/WHAT IS THE TARGET OF THE THREAT? USER, SYSTEM, SPECIFIC DATA
2. IS THIS AN ONGOING/LIVE THREAT? ONGOING, STOPPED, UNKNOWN
3. WHAT IS THE IMPACT OF THE THREAT? FINANCIAL, OPERATIONAL, REPUTATIONAL, LEGAL
4. CATEGORISE THE PRIORITY OF THE INCIDENT: PRIORITY 1, 2, 3 (P1 > P2 > P3)
5. CLASSIFY THE INCIDENT COMMUNICATION: RESTRICTED / UNRESTRICTED
{es} INCIDENT RESPONSE - CONTAINMENT
STEP 4. CONTAINMENT – ACTIVITIES EXAMPLE
1. COORDINATE INCIDENT MANAGEMENT: TEAM, COMMS, ACTIVITIES, DOCUMENTATION
2. LIGHT AND QUICK THREAT ANALYSIS: NETWORK, SYSTEM, USER
3. IDENTIFY MAIN ATTACK AND COMPROMISE VECTORS: IP, PORTS, SIGNATURES, EMAIL
4. ISOLATE THE TARGETED ASSET: REMOVE FROM NETWORK, DISABLE ACCOUNT
5. IMPLEMENT EMERGENCY CHANGES AS REQUIRED: NETWORK, SYSTEM, USER
{es} INCIDENT RESPONSE - INVESTIGATION
STEP 5. INVESTIGATION – ACTIVITIES EXAMPLE
1. THREAT NETWORK ANALYSIS: FIREWALL, CLOUD APP LOGS, ASSET LOGS, INTERCEPTED TRAFFIC, TRAFFIC AND DATA FLOWS, SIEM
2. THREAT MALWARE ANALYSIS: A/V VENDORS, FOOTPRINT, BEHAVIOUR, REVERSE ENGINEERING
3. THREAT SYSTEM ANALYSIS: EVENT LOGS, APP/PLUGINS INSTALLED, AD/EMAIL ACTIVITIES, AUTHENTICATED VULNERABILITY ASSESSMENT, SIEM
4. THREAT USER ANALYSIS: INTERVIEW TARGETED USER, CONTEXT, TRIGGERS, RECENT UNUSUAL ACTIVITIES/ALERTS
5. THREAT RESEARCH ANALYSIS: ONLINE SEARCH FOR SIMILAR THREATS, PROFESSIONAL FORUMS, VENDOR ENGAGEMENT
ELYSIUMSECURITY INCIDENT RESPONSE - REMEDIATION
STEP 6. REMEDIATION – ACTIVITIES EXAMPLE
1. THREAT NETWORK REMEDIATION: BLOCK IP, PORTS, DOMAINS, EMAILS. UPDATE F/W, IDS, APT AND SIEM RULES
2. THREAT MALWARE REMEDIATION: UPDATE SYSTEM AND NETWORK A/V SIGNATURES. ENGAGE WITH VENDORS
3. THREAT SYSTEM REMEDIATION: REMOVE/BAN INFECTED APPS/PLUGINS, CLEAR INBOX RULES, REMEDIATE ISSUES FOUND WITH THE VULNERABILITY ASSESSMENT
4. THREAT USER REMEDIATION: INDIVIDUAL AND GROUP USER AWARENESS SESSION RELEVANT TO THE THREAT
5. DECLARE THE INCIDENT REMEDIATED: FULL, PARTIAL, ACCEPTED
{es} INCIDENT RESPONSE - REPORTING
STEP 7. REPORTING – ACTIVITIES EXAMPLE
1. ONGOING REPORTING: DOCUMENTATION AND EVIDENCE SHOULD BE GENERATED AS MUCH AS POSSIBLE DURING THE PREVIOUS PHASES
2. EVIDENCE GATHERING: THREAT ACTORS, ATTACK VECTORS, ATTACK SURFACE
3. INCIDENT DOCUMENTATION: THREAT AND INCIDENT DETAILS, TRIGGERS, OWNER, FINDINGS, TIMELINE
4. INCIDENT REGISTER: CREATE/UPDATE AN OVERALL INCIDENT REGISTER TO TRACK PROGRESS AND GENERATE STATISTICS
5. INCIDENT REPORT COMMUNICATION: INTERNAL, EXTERNAL, STAFF, MANAGEMENT, BOARD, VENDORS, CLIENTS, GOVERNMENT, REGULATORS, LAW ENFORCEMENT
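As an added example (not the deck's own code), the detection, categorisation and reporting activities above expressed as a small incident register: report times are normalised to GMT before they are compared, each new entry is checked against previous register entries for a similar threat, a priority is assigned and the register produces the statistics the reporting step asks for. The priority rule, the field names and the three sample incidents are assumptions made for this example.

```python
# Added example (not the deck's own code). Priority rule, field names and the
# sample incidents below are assumptions made for illustration.
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional

VALID_IMPACTS = {"FINANCIAL", "OPERATIONAL", "REPUTATIONAL", "LEGAL"}  # categorisation 3
VALID_ONGOING = {"ON GOING", "STOPPED", "UNKNOWN"}                      # categorisation 2
REMEDIATION_OUTCOMES = {"FULL", "PARTIAL", "ACCEPTED"}                  # remediation 5


def normalise_to_gmt(reported: str) -> datetime:
    """Detection activity 2: record report time in GMT (UTC). The ISO-8601 string must
    carry the reporter's UTC offset; a naive timestamp is rejected, never guessed."""
    parsed = datetime.fromisoformat(reported)
    if parsed.tzinfo is None:
        raise ValueError(f"{reported!r} carries no UTC offset and cannot be normalised")
    return parsed.astimezone(timezone.utc)


def categorise_priority(ongoing: str, impact: frozenset) -> str:
    """Categorisation activity 4, assumed rule (the deck only fixes P1 > P2 > P3): P1 = live
    threat with financial or legal impact; P2 = live threat or >1 impact type; else P3."""
    if ongoing == "ON GOING" and impact & {"FINANCIAL", "LEGAL"}:
        return "P1"
    if ongoing == "ON GOING" or len(impact) > 1:
        return "P2"
    return "P3"


@dataclass
class Incident:
    incident_id: str
    detected_by: str                    # detection 1: IT staff, security tools
    detected_at_gmt: datetime           # detection 2: normalised time
    channel: str                        # detection 3: email, text, warning pop up, phone call
    valid: str                          # detection 5: CONFIRMED or FALSE POSITIVE
    target: str                         # categorisation 1: user, system, specific data
    ongoing: str                        # categorisation 2
    impact: frozenset                   # categorisation 3
    priority: str                       # categorisation 4
    classification: str = "RESTRICTED"  # categorisation 5: RESTRICTED / UNRESTRICTED
    remediation: Optional[str] = None   # remediation 5: FULL, PARTIAL or ACCEPTED
    similar_to: List[str] = field(default_factory=list)  # detection 4


class IncidentRegister:
    """Reporting activity 4: one register to track progress and generate statistics."""
    def __init__(self) -> None:
        self.incidents: List[Incident] = []

    def find_similar(self, target: str, channel: str) -> List[str]:
        """Detection activity 4: has a similar threat already been reported?"""
        return [i.incident_id for i in self.incidents
                if i.target == target and i.channel == channel]

    def record(self, incident_id: str, detected_by: str, reported_at: str, channel: str,
               target: str, ongoing: str, impact, valid: str = "CONFIRMED") -> Incident:
        impact = frozenset(impact)
        if not impact <= VALID_IMPACTS or ongoing not in VALID_ONGOING:
            raise ValueError("unknown impact type or ongoing state")
        inc = Incident(incident_id, detected_by, normalise_to_gmt(reported_at), channel,
                       valid, target, ongoing, impact, categorise_priority(ongoing, impact),
                       similar_to=self.find_similar(target, channel))
        self.incidents.append(inc)
        return inc

    def declare_remediated(self, incident_id: str, outcome: str) -> None:
        if outcome not in REMEDIATION_OUTCOMES:  # remediation 5
            raise ValueError(f"outcome must be one of {sorted(REMEDIATION_OUTCOMES)}")
        next(i for i in self.incidents if i.incident_id == incident_id).remediation = outcome

    def timeline(self) -> List[str]:
        """Reporting activity 3: incident ids ordered by normalised detection time."""
        return [i.incident_id for i in sorted(self.incidents, key=lambda i: i.detected_at_gmt)]

    def statistics(self) -> dict:
        confirmed = [i for i in self.incidents if i.valid == "CONFIRMED"]
        return {"total": len(self.incidents),
                "false_positives": len(self.incidents) - len(confirmed),
                "open": sum(1 for i in confirmed if i.remediation is None),
                "by_priority": dict(Counter(i.priority for i in confirmed)),
                "repeat_threats": sum(1 for i in self.incidents if i.similar_to)}


def demo_register() -> IncidentRegister:
    """Constructed sample: three reports arriving from two different time zones."""
    reg = IncidentRegister()
    reg.record("INC-001", "SECURITY TOOLS", "2019-06-25T09:15:00+04:00", "EMAIL",
               "USER", "ON GOING", {"FINANCIAL", "REPUTATIONAL"})
    reg.record("INC-002", "IT STAFF", "2019-06-25T07:30:00+01:00", "PHONE CALL",
               "SYSTEM", "STOPPED", {"OPERATIONAL"})
    reg.record("INC-003", "SECURITY TOOLS", "2019-06-26T10:00:00+04:00", "EMAIL",
               "USER", "UNKNOWN", {"OPERATIONAL"}, valid="FALSE POSITIVE")
    reg.declare_remediated("INC-002", "FULL")
    return reg  # by wall clock INC-002 came first; in GMT INC-001 (05:15) precedes it (06:30)
```

Note that the two reports on 25 June swap order once normalised: by local wall clock INC-002 (07:30) looks earlier than INC-001 (09:15), but in GMT INC-001 was detected first, which is exactly why activity 2 insists on one time base.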
{es} INCIDENT RESPONSE – LESSONS LEARNT
STEP 8. LESSONS LEARNT – ACTIVITIES EXAMPLE
1. ROOT CAUSE ANALYSIS: IDENTIFY AND DOCUMENT INCIDENT TRIGGERS AND SECURITY GAPS THAT ENABLED THE INCIDENT TO OCCUR
2. CONTROLS AND PROCESSES READINESS: EVALUATE THE EFFICIENCY OF CURRENT SECURITY CONTROLS AND PROCESSES IN LIGHT OF THE INCIDENT
3. INCIDENT TRENDS ANALYSIS: ARE YOU LEARNING FROM PAST INCIDENTS? IS YOUR RISK PROFILE CHANGING?
4. MITIGATION PLAN: MITIGATE IMPACT OF SIMILAR FUTURE INCIDENTS
5. IMPROVEMENTS PLAN: STOP OCCURRENCE OF SIMILAR FUTURE INCIDENTS
SHORT TERM – HOW TO START?
1. REVIEW EXISTING INCIDENT PROCESS
2. ESTABLISH INCIDENT TEAM
3. CONDUCT REGULAR INCIDENT TEAM MEETING
4. SET GROUND RULES
5. DEFINE WHAT IS AN INCIDENT
6. INFORM STAFF OF RULES AND INCIDENT CONTACT
7. CREATE INCIDENT REGISTER
8. DOCUMENT RECENT AND FUTURE INCIDENTS
9. FOLLOW NIST INCIDENT HANDLING METHODOLOGY
10. CREATE HIGH LEVEL PLAYBOOK TO COMPLEMENT CHECKLIST
LONG TERM – INCIDENT RESPONSE IMPLEMENTATION
1. SELECT INCIDENT RESPONSE FRAMEWORK (NIST SP 800-61 REV 2 RECOMMENDED)
2. IMPLEMENT FULL INCIDENT RESPONSE FRAMEWORK
3. DEDICATED INCIDENT RESPONSE TEAM AND TRAINING
4. INCIDENT RESPONSE SIMULATION
5. CONTINUOUS IMPROVEMENT
EXTRA RESOURCES
• FORUM OF INCIDENT RESPONSE AND SECURITY TEAMS (FIRST) FRAMEWORK (HTTPS://WWW.FIRST.ORG/EDUCATION/FIRST_SIRT_SERVICES_FRAMEWORK_VERSION1.0.PDF)
• NATIONAL INSTITUTE OF STANDARDS & TECHNOLOGY (NIST) SPECIAL PUBLICATION (SP) 800-61 (HTTPS://NVLPUBS.NIST.GOV/NISTPUBS/SPECIALPUBLICATIONS/NIST.SP.800-61R2.PDF)
• INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-1:2016 (HTTPS://WWW.ISO.ORG/STANDARD/60803.HTML)
• INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-2:2016 (HTTPS://WWW.ISO.ORG/STANDARD/62071.HTML?BROWSE=TC)
CONTACT US! (CONSULTING@ELYSIUMSECURITY.COM)
© 2015-2019 ELYSIUMSECURITY LTD
ALL RIGHTS RESERVED
HTTPS://WWW.ELYSIUMSECURITY.COM
CONSULTING@ELYSIUMSECURITY.COM
ABOUT ELYSIUMSECURITY LTD.
ELYSIUMSECURITY PROVIDES PRACTICAL EXPERTISE TO IDENTIFY VULNERABILITIES, ASSESS THEIR RISKS AND IMPACT, REMEDIATE THOSE RISKS, PREPARE FOR AND RESPOND TO INCIDENTS, AS WELL AS RAISE SECURITY AWARENESS THROUGHOUT AN ORGANIZATION.
ELYSIUMSECURITY PROVIDES HIGH LEVEL EXPERTISE GATHERED THROUGH YEARS OF BEST PRACTICE EXPERIENCE IN LARGE INTERNATIONAL COMPANIES, ALLOWING US TO PROVIDE ADVICE BEST SUITED TO YOUR BUSINESS OPERATIONAL MODEL AND PRIORITIES.
ELYSIUMSECURITY PROVIDES A PORTFOLIO OF STRATEGIC AND TACTICAL SERVICES TO HELP COMPANIES PROTECT AGAINST AND RESPOND TO CYBER SECURITY THREATS. WE DIFFERENTIATE OURSELVES BY OFFERING DISCREET, TAILORED AND SPECIALIZED ENGAGEMENTS.
ELYSIUMSECURITY OPERATES IN MAURITIUS AND IN EUROPE. A BOUTIQUE STYLE APPROACH MEANS WE CAN EASILY ADAPT TO YOUR BUSINESS OPERATIONAL MODEL AND REQUIREMENTS TO PROVIDE A PERSONALIZED SERVICE THAT FITS YOUR WORKING ENVIRONMENT.
1 of 27

Recommended

INCIDENT RESPONSE OVERVIEW by
INCIDENT RESPONSE OVERVIEWINCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEWSylvain Martinez
619 views15 slides
INCIDENT RESPONSE CONCEPTS by
INCIDENT RESPONSE CONCEPTSINCIDENT RESPONSE CONCEPTS
INCIDENT RESPONSE CONCEPTSSylvain Martinez
1.3K views39 slides
Cyber Threat Intelligence by
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligencemohamed nasri
7.4K views32 slides
Understanding cyber resilience by
Understanding cyber resilienceUnderstanding cyber resilience
Understanding cyber resilienceChristophe Foulon, CISSP
1.7K views37 slides
MITRE ATT&CK framework by
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK frameworkBhushan Gurav
820 views30 slides
SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera... by
 SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera... SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera...
SANS Ask the Expert: An Incident Response Playbook: From Monitoring to Opera...AlienVault
5.5K views23 slides

More Related Content

What's hot

Global Cyber Threat Intelligence by
Global Cyber Threat IntelligenceGlobal Cyber Threat Intelligence
Global Cyber Threat IntelligenceNTT Innovation Institute Inc.
2.4K views25 slides
SIEM Architecture by
SIEM ArchitectureSIEM Architecture
SIEM ArchitectureNishanth Kumar Pathi
23K views19 slides
Overview of the Cyber Kill Chain [TM] by
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]David Sweigert
3.5K views16 slides
Cyber threat intelligence ppt by
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence pptKumar Gaurav
1.9K views4 slides
Threat Hunting - Moving from the ad hoc to the formal by
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formalPriyanka Aash
1K views27 slides
SOC presentation- Building a Security Operations Center by
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations CenterMichael Nickle
49.2K views32 slides

What's hot(20)

Overview of the Cyber Kill Chain [TM] by David Sweigert
Overview of the Cyber Kill Chain [TM]Overview of the Cyber Kill Chain [TM]
Overview of the Cyber Kill Chain [TM]
David Sweigert3.5K views
Cyber threat intelligence ppt by Kumar Gaurav
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence ppt
Kumar Gaurav1.9K views
Threat Hunting - Moving from the ad hoc to the formal by Priyanka Aash
Threat Hunting - Moving from the ad hoc to the formalThreat Hunting - Moving from the ad hoc to the formal
Threat Hunting - Moving from the ad hoc to the formal
Priyanka Aash1K views
SOC presentation- Building a Security Operations Center by Michael Nickle
SOC presentation- Building a Security Operations CenterSOC presentation- Building a Security Operations Center
SOC presentation- Building a Security Operations Center
Michael Nickle49.2K views
Penetration Testing Basics by Rick Wanner
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
Rick Wanner12.7K views
Bulding Soc In Changing Threat Landscapefinal by Mahmoud Yassin
Bulding Soc In Changing Threat LandscapefinalBulding Soc In Changing Threat Landscapefinal
Bulding Soc In Changing Threat Landscapefinal
Mahmoud Yassin1.1K views
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe... by MITRE - ATT&CKcon
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE - ATT&CKcon5.2K views
Introduction to MITRE ATT&CK by Arpan Raval
Introduction to MITRE ATT&CKIntroduction to MITRE ATT&CK
Introduction to MITRE ATT&CK
Arpan Raval986 views
Threat Hunting by Splunk
Threat HuntingThreat Hunting
Threat Hunting
Splunk4.3K views
Putting MITRE ATT&CK into Action with What You Have, Where You Are by Katie Nickels
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Katie Nickels13.1K views
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter by Tuan Phan
NIST Cybersecurity Framework Intro for ISACA Richmond ChapterNIST Cybersecurity Framework Intro for ISACA Richmond Chapter
NIST Cybersecurity Framework Intro for ISACA Richmond Chapter
Tuan Phan6K views
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da... by MITRE - ATT&CKcon
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE ATT&CKcon 2.0: Using Threat Intelligence to Focus ATT&CK Activities; Da...
MITRE - ATT&CKcon2.6K views
Effective Security Operation Center - present by Reza Adineh by ReZa AdineH
Effective Security Operation Center - present by Reza AdinehEffective Security Operation Center - present by Reza Adineh
Effective Security Operation Center - present by Reza Adineh
ReZa AdineH435 views
Building a Next-Generation Security Operations Center (SOC) by Sqrrl
Building a Next-Generation Security Operations Center (SOC)Building a Next-Generation Security Operations Center (SOC)
Building a Next-Generation Security Operations Center (SOC)
Sqrrl5.1K views
Application Threat Modeling by Marco Morana
Application Threat ModelingApplication Threat Modeling
Application Threat Modeling
Marco Morana14.2K views

Similar to INCIDENT RESPONSE NIST IMPLEMENTATION

diploma in industrial safety UNIT-3 by
diploma in  industrial safety UNIT-3diploma in  industrial safety UNIT-3
diploma in industrial safety UNIT-3National Safety Academy
1K views25 slides
INTRODUCTION TO CYBER FORENSICS by
INTRODUCTION TO CYBER FORENSICSINTRODUCTION TO CYBER FORENSICS
INTRODUCTION TO CYBER FORENSICSSylvain Martinez
1.1K views18 slides
How do you predict the threat landscape? by
How do you predict the threat landscape?How do you predict the threat landscape?
How do you predict the threat landscape?F-Secure Corporation
891 views36 slides
11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt by
11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt
11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.pptabhichowdary16
8 views102 slides
PHISHING PROTECTION by
PHISHING PROTECTIONPHISHING PROTECTION
PHISHING PROTECTIONSylvain Martinez
2.3K views30 slides
Diploma in Occupational Health and Safety UNIT -4 by
Diploma in Occupational Health and Safety UNIT -4Diploma in Occupational Health and Safety UNIT -4
Diploma in Occupational Health and Safety UNIT -4National Safety Academy
604 views14 slides

Similar to INCIDENT RESPONSE NIST IMPLEMENTATION(20)

11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt by abhichowdary16
11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt
11-Incident Response, Risk Management Sample Question and Answer-24-06-2023.ppt
abhichowdary168 views
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA... by Power System Operation
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
FRAMEWORK FOR EPU OPERATORS TO MANAGE THE RESPONSE TO A CYBER-INITIATED THREA...
Ethical hacking by Saqib Raza
Ethical hackingEthical hacking
Ethical hacking
Saqib Raza2.6K views
85Operations Security, Site Security, and Terrorism In.docx by ShiraPrater50
  85Operations Security, Site Security, and Terrorism In.docx  85Operations Security, Site Security, and Terrorism In.docx
85Operations Security, Site Security, and Terrorism In.docx
ShiraPrater501 view
IT Security and Management - Semi Finals by Mark John Lado by Mark John Lado, MIT
IT Security and Management - Semi Finals by Mark John LadoIT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John Lado
Information On The Data Security by Jenna Welch
Information On The Data SecurityInformation On The Data Security
Information On The Data Security
Jenna Welch3 views
Integration of cyber security incident response with IMS -- an approach for E... by David Sweigert
Integration of cyber security incident response with IMS -- an approach for E...Integration of cyber security incident response with IMS -- an approach for E...
Integration of cyber security incident response with IMS -- an approach for E...
David Sweigert1.1K views
Incident Response in an ICS Environment by David Sweigert
Incident Response in an ICS EnvironmentIncident Response in an ICS Environment
Incident Response in an ICS Environment
David Sweigert1.4K views
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit by Shawn Tuma
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk SummitThe Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
The Legal Case for Cyber Risk Management - InfoSec World Privacy & Risk Summit
Shawn Tuma186 views
An evaluation of two host based intrusion prevention systems by UltraUploader
An evaluation of two host based intrusion prevention systemsAn evaluation of two host based intrusion prevention systems
An evaluation of two host based intrusion prevention systems
UltraUploader173 views
Effective cybersecurity for small and midsize businesses by Shawn Tuma
Effective cybersecurity for small and midsize businessesEffective cybersecurity for small and midsize businesses
Effective cybersecurity for small and midsize businesses
Shawn Tuma275 views

More from Sylvain Martinez

PROGRAMMING AND CYBER SECURITY by
PROGRAMMING AND CYBER SECURITYPROGRAMMING AND CYBER SECURITY
PROGRAMMING AND CYBER SECURITYSylvain Martinez
234 views23 slides
INTRODUCTION TO CRYPTOGRAPHY by
INTRODUCTION TO CRYPTOGRAPHYINTRODUCTION TO CRYPTOGRAPHY
INTRODUCTION TO CRYPTOGRAPHYSylvain Martinez
1.2K views21 slides
DATA LOSS PREVENTION OVERVIEW by
DATA LOSS PREVENTION OVERVIEWDATA LOSS PREVENTION OVERVIEW
DATA LOSS PREVENTION OVERVIEWSylvain Martinez
599 views21 slides
2019 CYBER SECURITY TRENDS REPORT REVIEW by
2019 CYBER SECURITY TRENDS REPORT REVIEW2019 CYBER SECURITY TRENDS REPORT REVIEW
2019 CYBER SECURITY TRENDS REPORT REVIEWSylvain Martinez
1.8K views18 slides
VIRTUAL CISO AND OTHER KEY CYBER ROLES by
VIRTUAL CISO AND OTHER KEY CYBER ROLESVIRTUAL CISO AND OTHER KEY CYBER ROLES
VIRTUAL CISO AND OTHER KEY CYBER ROLESSylvain Martinez
417 views10 slides
OFFENSIVE IDS by
OFFENSIVE IDSOFFENSIVE IDS
OFFENSIVE IDSSylvain Martinez
286 views17 slides

More from Sylvain Martinez(20)

2019 CYBER SECURITY TRENDS REPORT REVIEW by Sylvain Martinez
2019 CYBER SECURITY TRENDS REPORT REVIEW2019 CYBER SECURITY TRENDS REPORT REVIEW
2019 CYBER SECURITY TRENDS REPORT REVIEW
Sylvain Martinez1.8K views
VIRTUAL CISO AND OTHER KEY CYBER ROLES by Sylvain Martinez
VIRTUAL CISO AND OTHER KEY CYBER ROLESVIRTUAL CISO AND OTHER KEY CYBER ROLES
VIRTUAL CISO AND OTHER KEY CYBER ROLES
Sylvain Martinez417 views
Talk1 esc7 muscl-dataprotection_v1_2 by Sylvain Martinez
Talk1 esc7 muscl-dataprotection_v1_2Talk1 esc7 muscl-dataprotection_v1_2
Talk1 esc7 muscl-dataprotection_v1_2
Sylvain Martinez183 views
Talk1 esc3 muscl-standards and regulation_v1_1 by Sylvain Martinez
Talk1 esc3 muscl-standards and regulation_v1_1Talk1 esc3 muscl-standards and regulation_v1_1
Talk1 esc3 muscl-standards and regulation_v1_1
Sylvain Martinez196 views

Recently uploaded

Info Session November 2023.pdf by
Info Session November 2023.pdfInfo Session November 2023.pdf
Info Session November 2023.pdfAleksandraKoprivica4
12 views15 slides
The Research Portal of Catalonia: Growing more (information) & more (services) by
The Research Portal of Catalonia: Growing more (information) & more (services)The Research Portal of Catalonia: Growing more (information) & more (services)
The Research Portal of Catalonia: Growing more (information) & more (services)CSUC - Consorci de Serveis Universitaris de Catalunya
80 views25 slides
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N... by
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...James Anderson
85 views32 slides
Network Source of Truth and Infrastructure as Code revisited by
Network Source of Truth and Infrastructure as Code revisitedNetwork Source of Truth and Infrastructure as Code revisited
Network Source of Truth and Infrastructure as Code revisitedNetwork Automation Forum
26 views45 slides
Design Driven Network Assurance by
Design Driven Network AssuranceDesign Driven Network Assurance
Design Driven Network AssuranceNetwork Automation Forum
15 views42 slides
Kyo - Functional Scala 2023.pdf by
Kyo - Functional Scala 2023.pdfKyo - Functional Scala 2023.pdf
Kyo - Functional Scala 2023.pdfFlavio W. Brasil
368 views92 slides

Recently uploaded(20)

GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N... by James Anderson
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
GDG Cloud Southlake 28 Brad Taylor and Shawn Augenstein Old Problems in the N...
James Anderson85 views
Unit 1_Lecture 2_Physical Design of IoT.pdf by StephenTec
Unit 1_Lecture 2_Physical Design of IoT.pdfUnit 1_Lecture 2_Physical Design of IoT.pdf
Unit 1_Lecture 2_Physical Design of IoT.pdf
StephenTec12 views
SAP Automation Using Bar Code and FIORI.pdf by Virendra Rai, PMP
SAP Automation Using Bar Code and FIORI.pdfSAP Automation Using Bar Code and FIORI.pdf
SAP Automation Using Bar Code and FIORI.pdf
Serverless computing with Google Cloud (2023-24) by wesley chun
Serverless computing with Google Cloud (2023-24)Serverless computing with Google Cloud (2023-24)
Serverless computing with Google Cloud (2023-24)
wesley chun11 views
Data Integrity for Banking and Financial Services by Precisely
Data Integrity for Banking and Financial ServicesData Integrity for Banking and Financial Services
Data Integrity for Banking and Financial Services
Precisely21 views
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院 by IttrainingIttraining
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
【USB韌體設計課程】精選講義節錄-USB的列舉過程_艾鍗學院
Voice Logger - Telephony Integration Solution at Aegis by Nirmal Sharma
Voice Logger - Telephony Integration Solution at AegisVoice Logger - Telephony Integration Solution at Aegis
Voice Logger - Telephony Integration Solution at Aegis
Nirmal Sharma39 views

INCIDENT RESPONSE NIST IMPLEMENTATION

  • 1. CYBER SECURITY INCIDENT RESPONSE CONCEPT VERSION: 1.3 DATE: 25/06/2019 AUTHOR: SYLVAIN MARTINEZ REFERENCE: ES-CSIR CLASSIFICATION: PUBLIC
  • 2. 2 • IR framework benefits; • Data breach statistics; • Incident readiness; • Incident response concept; • Teams and mandates; • IR policy & plan overview; • Incident playbook overview; • NIST IR lifecycle; • NIST IR steps; • Incident Response Check list • ELYSIUMSECURITY Incident Response; • Overview; • Rules of Engagement; • Preparation; • Detection; • Categorization; • Containment; • Investigation; • Remediation; • Reporting; • Lessons Learnt; CONTENTS PUBLIC CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT • Short Term – How to start?; • Long Term – IR Implementation; • Extra Resources.
  • 3. INCIDENT RESPONSE FRAMEWORK BENEFITS 3 • REDUCED OPERATION DOWNTIME • REDUCED INCIDENT IMPACT • REDUCED/AVOID FINES REDUCED IMPACT COST • IMPROVED RESPONSE TIME • IMPROVED INCIDENT CONTAINMENT • IMPROVED INCIDENT VISIBILITY IMPROVED SECURITY • CONTRACT REQUIREMENT • INDUSTRY REQUIREMENT • LAW REQUIREMENT BUSINESS ENABLEMENT CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 4. DATA BREACH STATISTICS 4 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT EVERY DAY 6,313,865 RECORDS EVERY HOUR 263,078 RECORDS EVERY MINUTE 4,385 RECORDS EVERY SECONDS 73 RECORDS DATA RECORDS ARE LOST OR STOLEN AT THE FOLLOWING FREQUENCY DATA RECORDS LOST OR STOLEN SINCE 2013 4 7 1 7 6 1 8 2 8 6, ,,1 Source: Breach Level Index - May 2019PUBLIC
  • 6. INCIDENT RESPONSE CONCEPT 6 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT INCIDENT RESPONSE STRUCTURE INCIDENT RESPONSE HANDLINGCOORDINATION & INFORMATION SHARING TO MINIMISE OPERATIONAL, FINANCIAL & BUSINESS INCIDENT IMPACT NIST SP 800-61 PUBLIC
  • 7. INTERNAL AUDIT TEAM COMPLIANCE TEAM SUBJECT EXPERT VENDOR SUPPORT TEAM IT SUPPORT TEAM TEAMS AND MANDATES 7 CYBER SECURITY TEAM SECURITY OPERATIONS AND PROJECTS CYBER RISK TEAM RISK IDENTIFICATION AND MANAGEMENT CYBER INCIDENT (VIRTUAL) TEAM INCIDENT MANAGEMENT AND RESPONSE CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 8. INCIDENT RESPONSE POLICY & PLAN - OVERVIEW 8 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC INCIDENT RESPONSE POLICY INCIDENT SCOPE INCIDENT DEFINITION & PRIORITIZATION INCIDENT REPORTING INCIDENT RESPONSE PLAN INCIDENT HANDLING INCIDENT COORDINATION CONTINUOUS IMPROVEMENT
  • 9. INCIDENT PLAYBOOK SCENARIOS INCIDENT PLAYBOOK OVERVIEW 9 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT CONTAIN INCIDENT UNDERSTAND CAUSE OF INCIDENT ANALYSE SIGNS OF INCIDENT READY MADE SCENARIOS PRACTICAL RESPONSE ACTIONS AVAILABLE AND COMMUNICATED PUBLIC
  • 10. NIST INCIDENCE RESPONSE LIFECYCLE 10 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC PREPARATION DETECTION & ANALYSIS CONTAINMENT, ERADICATION & RECOVERY POST-INCIDENT ACTIVITY NIST SP 800-61 REV 2
  • 11. NIST INCIDENCE RESPONSE - STEPS 11 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC PREPARATION DETECTION & ANALYSIS CONTAINMENT, ERADICATION & RECOVERY POST-INCIDENT ACTIVITY 1. COMMUNICATION & FACILITIES 2. HARDWARE & SOFTWARE 3. RESOURCES 4. ATTACK VECTORS IDENTIFICATION 11 CONTAINMENT STRATEGY 15. LESSONS LEARNT 5. SIGN OF AN INCIDENT 6. SOURCE OF PRECURSORS 7. INCIDENT ANALYSIS 8. INCIDENT DOCUMENTATION 9. INCIDENT PRIORITIZATION 10. INCIDENT NOTIFICATION 12. EVIDENCE GATHERING & HANDLING 13. IDENTIFYING THE ATTACKING HOST 14. ERADICATION & RECOVERY 16. USING COLLECTED INCIDENT DATA 17. EVIDENCE RETENTION
  • 12. INCIDENCE RESPONSE CHECKLIST 12 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 13. ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW 13 CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PRACTICAL IMPLEMENTATION OF NIST GUIDED PROCESS SHORTER PROCESS USED NIST AND FIRST CORE ELEMENTS 17x STEPS -> 8x STEPS CLIENTS REQUIREMENTS ELYSIUMSECURITY IR FRAMEWORK 5x ACTIVITIES PER STEPS PUBLIC
  • 14. ELYSIUMSECURITY INCIDENT RESPONSE - OVERVIEW 14 {elysiumsecurity} INCIDENT RESPONSE FRAMEWORK 1. PREPARATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 15. {es} INCIDENT RESPONSE - RULES OF ENGAGEMENT 15 DO NOT MAKE THINGS WORSE! DO NOT ENGAGE OR INTERACT WITH THE HACKER/THREAT GROUP 1 DO NOT CONNECT TO THE THREAT’S RELATED NETWORK(S) FROM YOUR ORGANISATION 2 PRESERVE EVIDENCE3 COORDINATE INTERNAL AND EXTERNAL COMMUNICATION WITH MANAGEMENT 4 ALL INCIDENT DETAILS MUST BE TREATED AS CONFIDENTIAL 5 PUBLIC CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT
  • 16. {es} INCIDENT RESPONSE - PREPARATION 16 INCIDENT RESPONSE PLAN1 TEAM, PROCEDURES, DOCUMENTATION, APPROVAL, MANAGEMENT COMMITMENT INCIDENT RESPONSE PLAYBOOK2 PHISHING, RANSOMWARE, KEYLOGGER, DDOS LOGISITICS3 MEETING ROOMS, LAPTOPS, REMOVABLE STORAGE, PHONES, STATIONNARY, PRINTERS, SLEEPING AND CATERING ARRANGEMENTS CONTACTS4 TEAM, ALTERNATIVE CONTACT METHODS, ESCALATION, ON CALL, SUPPORT, VENDOR, SUPPORT5 INCIDENT REGISTER, ARCHITECTURE DIAGRAM, NETWORK DIAGRAM, DATA FLOWS, APPLICATION AND SYSTEM DOCUMENTATION ACTIVITIES EXAMPLE 1. PREPARATION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
  • 17. {es} INCIDENT RESPONSE - DETECTION 17 WHO/WHAT DETECTED/REPORTED THE THREAT?1 IT STAFF, SECURITY TOOLS WHAT IS THE DATE AND TIME OF THE THREAT DETECTION/REPORT?2 NORMALISE TIME AND DATE ACROSS REPORTING – RECORD TIME IN GMT HOW WAS THE THREAT DETECTED/REPORTED?3 EMAIL, TEXT, WARNING POP UP, PHONE CALL HAS A SIMILAR THREAT ALREADY BEEN REPORTED?4 PREVIOUS INCIDENT REGISTER LOGS IS THE THREAT VALID?5 CONFIRMED, FALSE POSITIVE ACTIVITIES EXAMPLE 2. DETECTION CONCLUSIONCASE STUDYHANDLINGSTRUCTURECONTEXT PUBLIC
• 18. {es} INCIDENT RESPONSE - STEP 3: CATEGORISATION (ACTIVITIES EXAMPLE)
  1. WHO/WHAT IS THE TARGET OF THE THREAT? (USER, SYSTEM, SPECIFIC DATA)
  2. IS THIS AN ONGOING/LIVE THREAT? (ONGOING, STOPPED, UNKNOWN)
  3. WHAT IS THE IMPACT OF THE THREAT? (FINANCIAL, OPERATIONAL, REPUTATIONAL, LEGAL)
  4. CATEGORISE THE PRIORITY OF THE INCIDENT: PRIORITY 1, 2 OR 3 (P1 > P2 > P3)
  5. CLASSIFY THE INCIDENT COMMUNICATION: RESTRICTED / UNRESTRICTED
• 19. {es} INCIDENT RESPONSE - STEP 4: CONTAINMENT (ACTIVITIES EXAMPLE)
  1. COORDINATE INCIDENT MANAGEMENT: TEAM, COMMS, ACTIVITIES, DOCUMENTATION
  2. LIGHT AND QUICK THREAT ANALYSIS: NETWORK, SYSTEM, USER
  3. IDENTIFY THE MAIN ATTACK AND COMPROMISE VECTORS: IP, PORTS, SIGNATURES, EMAIL
  4. ISOLATE THE TARGETED ASSET: REMOVE FROM NETWORK, DISABLE ACCOUNT (ISOLATE RATHER THAN POWER OFF WHERE POSSIBLE, SO VOLATILE EVIDENCE IS PRESERVED FOR THE INVESTIGATION STEP)
  5. IMPLEMENT EMERGENCY CHANGES AS REQUIRED: NETWORK, SYSTEM, USER
• 20. {es} INCIDENT RESPONSE - STEP 5: INVESTIGATION (ACTIVITIES EXAMPLE)
  1. THREAT NETWORK ANALYSIS: FIREWALL, CLOUD APP LOGS, ASSET LOGS, INTERCEPTED TRAFFIC, TRAFFIC AND DATA FLOWS, SIEM
  2. THREAT MALWARE ANALYSIS: A/V VENDORS, FOOTPRINT, BEHAVIOUR, REVERSE ENGINEERING
  3. THREAT SYSTEM ANALYSIS: EVENT LOGS, APPS/PLUGINS INSTALLED, AD/EMAIL ACTIVITIES, AUTHENTICATED VULNERABILITY ASSESSMENT, SIEM
  4. THREAT USER ANALYSIS: INTERVIEW THE TARGETED USER, CONTEXT, TRIGGERS, RECENT UNUSUAL ACTIVITIES/ALERTS
  5. THREAT RESEARCH ANALYSIS: ONLINE SEARCH FOR SIMILAR THREATS, PROFESSIONAL FORUMS, VENDOR ENGAGEMENT (WITHOUT DISCLOSING CONFIDENTIAL INCIDENT DETAILS, PER THE RULES OF ENGAGEMENT)
• 21. ELYSIUMSECURITY INCIDENT RESPONSE - STEP 6: REMEDIATION (ACTIVITIES EXAMPLE)
  1. THREAT NETWORK REMEDIATION: BLOCK IPS, PORTS, DOMAINS AND EMAIL ADDRESSES; UPDATE F/W, IDS, APT AND SIEM RULES
  2. THREAT MALWARE REMEDIATION: UPDATE SYSTEM AND NETWORK A/V SIGNATURES; ENGAGE WITH VENDORS
  3. THREAT SYSTEM REMEDIATION: REMOVE/BAN INFECTED APPS/PLUGINS, CLEAR ATTACKER-CREATED INBOX RULES, REMEDIATE THE ISSUES FOUND BY THE VULNERABILITY ASSESSMENT
  4. THREAT USER REMEDIATION: INDIVIDUAL AND GROUP USER AWARENESS SESSIONS RELEVANT TO THE THREAT
  5. DECLARE THE INCIDENT REMEDIATED: FULL, PARTIAL, OR ACCEPTED (RESIDUAL RISK ACCEPTED BY MANAGEMENT)
• 22. {es} INCIDENT RESPONSE - STEP 7: REPORTING (ACTIVITIES EXAMPLE)
  1. ONGOING REPORTING: DOCUMENTATION AND EVIDENCE SHOULD BE GENERATED AS MUCH AS POSSIBLE DURING THE PREVIOUS PHASES, NOT RECONSTRUCTED AFTERWARDS
  2. EVIDENCE GATHERING: THREAT ACTORS, ATTACK VECTORS, ATTACK SURFACE
  3. INCIDENT DOCUMENTATION: THREAT AND INCIDENT DETAILS, TRIGGERS, OWNER, FINDINGS, TIMELINE
  4. INCIDENT REGISTER: CREATE/UPDATE AN OVERALL INCIDENT REGISTER TO TRACK PROGRESS AND GENERATE STATISTICS
  5. INCIDENT REPORT COMMUNICATION: INTERNAL, EXTERNAL, STAFF, MANAGEMENT, BOARD, VENDORS, CLIENTS, GOVERNMENT, REGULATORS, LAW ENFORCEMENT
• 23. {es} INCIDENT RESPONSE – STEP 8: LESSONS LEARNT (ACTIVITIES EXAMPLE)
  1. ROOT CAUSE ANALYSIS: IDENTIFY AND DOCUMENT THE INCIDENT TRIGGERS AND THE SECURITY GAPS THAT ALLOWED THE INCIDENT TO OCCUR
  2. CONTROLS AND PROCESSES READINESS: EVALUATE THE EFFECTIVENESS OF CURRENT SECURITY CONTROLS AND PROCESSES IN LIGHT OF THE INCIDENT
  3. INCIDENT TRENDS ANALYSIS: ARE YOU LEARNING FROM PAST INCIDENTS? IS YOUR RISK PROFILE CHANGING?
  4. MITIGATION PLAN: REDUCE THE IMPACT OF SIMILAR FUTURE INCIDENTS
  5. IMPROVEMENTS PLAN: PREVENT THE RECURRENCE OF SIMILAR INCIDENTS
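Added example, not part of the original deck and not ELYSIUMSECURITY's own tooling: a small Python incident register that carries out several of the activities on the slides above in code. It covers detection activity 2 (normalise every reported time to GMT/UTC and reject a timestamp that carries no offset), detection activity 4 (has a similar threat already been reported?), categorisation activity 4 (P1 > P2 > P3 derived from the impact types and whether the threat is ongoing), reporting activity 4 (the register itself) and lessons-learnt activity 3 (the counts a trend review needs). The priority rule in `IMPACT_TO_PRIORITY` and `categorise_priority`, the field names, the `INC-nnnn` identifiers and the four sample reports are assumptions constructed for illustration only.

```python
"""Minimal incident register: UTC-normalised detection times, priority
categorisation, similar-incident lookup and trend statistics.
All names, rules and sample reports are constructed for illustration."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed mapping from impact type to priority (P1 > P2 > P3); adapt to your IR policy.
IMPACT_TO_PRIORITY = {"legal": 1, "financial": 1, "operational": 2, "reputational": 2}


def normalise_to_utc(reported: str) -> str:
    """Normalise a reporter's ISO 8601 timestamp to GMT/UTC ('...Z').

    Reports come from teams in different time zones; the register stores UTC only.
    A timestamp with no UTC offset is rejected rather than guessed: a wrong timeline
    is worse than a missing one.
    """
    ts = datetime.fromisoformat(reported.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        raise ValueError(f"timestamp has no UTC offset: {reported!r}")
    return ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def categorise_priority(impacts: list[str], status: str) -> int:
    """Assumed rule: worst impact sets the priority; an ongoing threat moves it up one level."""
    worst = min((IMPACT_TO_PRIORITY.get(i.lower(), 3) for i in impacts), default=3)
    if status == "ongoing" and worst > 1:
        worst -= 1
    return worst


@dataclass
class Incident:
    ident: str
    reported_by: str        # who/what detected it: IT staff, security tool, ...
    channel: str            # how it was reported: email, text, pop-up, phone call
    detected_utc: str       # detection time, normalised to UTC
    playbook: str           # phishing, ransomware, keylogger, ddos
    target: str             # user, system or specific data
    status: str             # ongoing, stopped, unknown
    impacts: list[str]      # financial, operational, reputational, legal
    valid: bool             # confirmed (True) or false positive (False)
    priority: int           # 1, 2 or 3
    communication: str      # restricted / unrestricted
    remediation: str = "open"   # later set to full, partial or accepted


class IncidentRegister:
    def __init__(self) -> None:
        self.incidents: list[Incident] = []

    def record(self, reported_by: str, channel: str, reported_at: str, playbook: str,
               target: str, status: str, impacts: list[str], valid: bool,
               communication: str = "restricted") -> Incident:
        """Detection + categorisation: normalise the time, assign an ID and a priority."""
        inc = Incident(ident=f"INC-{len(self.incidents) + 1:04d}", reported_by=reported_by,
                       channel=channel, detected_utc=normalise_to_utc(reported_at),
                       playbook=playbook, target=target, status=status, impacts=list(impacts),
                       valid=valid, priority=categorise_priority(impacts, status),
                       communication=communication)
        self.incidents.append(inc)
        return inc

    def similar(self, playbook: str, target: str) -> list[Incident]:
        """Detection activity 4: has a similar threat already been reported?"""
        return [i for i in self.incidents if i.playbook == playbook and i.target == target]

    def statistics(self) -> dict:
        """Reporting / lessons learnt: the counts a trend review is built on."""
        confirmed = [i for i in self.incidents if i.valid]
        return {
            "total": len(self.incidents),
            "confirmed": len(confirmed),
            "false_positive": len(self.incidents) - len(confirmed),
            "by_priority": dict(sorted(Counter(f"P{i.priority}" for i in confirmed).items())),
            "by_playbook": dict(Counter(i.playbook for i in confirmed)),
            "open": sum(1 for i in confirmed if i.remediation == "open"),
        }


def demo_register() -> IncidentRegister:
    """Constructed sample reports (not real incidents) arriving from three time zones."""
    reg = IncidentRegister()
    reg.record("user", "phone call", "2019-06-25T09:30:00+04:00", "phishing",
               "finance-user", "stopped", ["operational"], True)
    reg.record("EDR", "email", "2019-06-25T10:15:00+01:00", "ransomware",
               "file-server-01", "ongoing", ["operational"], True)
    reg.record("IDS", "pop-up", "2019-06-25T05:40:00Z", "ddos",
               "web-frontend", "unknown", ["reputational"], False)  # triaged: false positive
    reg.record("user", "email", "2019-06-26T08:05:00+04:00", "phishing",
               "finance-user", "stopped", ["financial", "legal"], True)
    return reg


if __name__ == "__main__":
    register = demo_register()
    for inc in register.incidents:
        print(inc.ident, inc.detected_utc, inc.playbook, f"P{inc.priority}", inc.valid)
    print(register.statistics())
```

The two phishing reports against the same target arrive 18 hours apart in the reporters' local time but sort correctly once stored in UTC, and `similar()` surfaces the first one when the second is triaged. Statistics are computed over confirmed incidents only, so false positives are counted but do not distort the priority or playbook trends.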
• 24. SHORT TERM – HOW TO START?
  1. REVIEW THE EXISTING INCIDENT PROCESS
  2. ESTABLISH AN INCIDENT TEAM
  3. CONDUCT REGULAR INCIDENT TEAM MEETINGS
  4. SET GROUND RULES
  5. DEFINE WHAT AN INCIDENT IS
  6. INFORM STAFF OF THE RULES AND THE INCIDENT CONTACT
  7. CREATE AN INCIDENT REGISTER
  8. DOCUMENT RECENT AND FUTURE INCIDENTS
  9. FOLLOW THE NIST INCIDENT HANDLING METHODOLOGY
  10. CREATE A HIGH-LEVEL PLAYBOOK TO COMPLEMENT THE CHECKLIST
• 25. LONG TERM – INCIDENT RESPONSE IMPLEMENTATION
  1. SELECT AN INCIDENT RESPONSE FRAMEWORK (NIST SP 800-61 REV. 2 RECOMMENDED)
  2. IMPLEMENT THE FULL INCIDENT RESPONSE FRAMEWORK
  3. DEDICATED INCIDENT RESPONSE TEAM AND TRAINING
  4. INCIDENT RESPONSE SIMULATION
  5. CONTINUOUS IMPROVEMENT
• 26. EXTRA RESOURCES
  FORUM OF INCIDENT RESPONSE AND SECURITY TEAMS (FIRST) SERVICES FRAMEWORK: https://www.first.org/education/FIRST_SIRT_Services_Framework_Version1.0.pdf
  NATIONAL INSTITUTE OF STANDARDS & TECHNOLOGY (NIST) SPECIAL PUBLICATION (SP) 800-61 REV. 2: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
  INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-1:2016: https://www.iso.org/standard/60803.html
  INTERNATIONAL ORGANIZATION FOR STANDARDIZATION (ISO) ISO/IEC 27035-2:2016: https://www.iso.org/standard/62071.html?browse=tc
  CONTACT US! consulting@elysiumsecurity.com
• 27. © 2015-2019 ELYSIUMSECURITY LTD ALL RIGHTS RESERVED
  https://www.elysiumsecurity.com | consulting@elysiumsecurity.com
  ABOUT ELYSIUMSECURITY LTD.
  ELYSIUMSECURITY PROVIDES PRACTICAL EXPERTISE TO IDENTIFY VULNERABILITIES, ASSESS THEIR RISKS AND IMPACT, REMEDIATE THOSE RISKS, PREPARE FOR AND RESPOND TO INCIDENTS, AND RAISE SECURITY AWARENESS THROUGHOUT AN ORGANISATION.
  ELYSIUMSECURITY PROVIDES HIGH-LEVEL EXPERTISE GATHERED THROUGH YEARS OF BEST-PRACTICE EXPERIENCE IN LARGE INTERNATIONAL COMPANIES, ALLOWING US TO PROVIDE ADVICE BEST SUITED TO YOUR BUSINESS OPERATIONAL MODEL AND PRIORITIES.
  ELYSIUMSECURITY PROVIDES A PORTFOLIO OF STRATEGIC AND TACTICAL SERVICES TO HELP COMPANIES PROTECT AGAINST AND RESPOND TO CYBER SECURITY THREATS. WE DIFFERENTIATE OURSELVES BY OFFERING DISCREET, TAILORED AND SPECIALIZED ENGAGEMENTS.
  ELYSIUMSECURITY OPERATES IN MAURITIUS AND IN EUROPE; A BOUTIQUE-STYLE APPROACH MEANS WE CAN EASILY ADAPT TO YOUR BUSINESS OPERATIONAL MODEL AND REQUIREMENTS TO PROVIDE A PERSONALIZED SERVICE THAT FITS YOUR WORKING ENVIRONMENT.