
Cyber incident response - the last line of defence


This presentation was delivered at a BCI Swiss Chapter event in April 2017.

Published in: Business

  1. Cyber Incident Response: The Last Line of Defence. Klaus Julisch, April 2017.
  2. Agenda. Objective of the talk: to change your view on Cyber Incident Response (CIR) as a continuous operational activity, not something that is done “when the phone rings”.
     1. Introduction (slide 3)
     2. Cyber Incident Response Framework (slide 4)
     3. Extending the Framework (slide 11)
     4. Summary (slide 17)
     © 2017 Deloitte AG. All rights reserved. Cyber Incident Response
  3. Introduction. Less than 10% of the cost and duration of an incident is incurred during the “hot” phase of incident response. Managing the impact on operations, clients, and partners, as well as recovering business trust, reputation and relationships – including the deployment of more effective security controls – can take years and very substantial investments. Source: Beneath the surface of a cyberattack, Deloitte, 2016.
  4. Section 2: Cyber Incident Response Framework
  5. Cyber Incident Response Framework. CIR is a multi-disciplinary field that transcends organizational boundaries. Effective CIR combines three components:
     Technical Incident Response
     • Detect, analyse, contain, eradicate, and recover from incidents
     • Follow a forensic process if “digital evidence” is needed
     • Analyse malware, log files, network traffic, volatile memory, etc.
     • Reconfigure systems and controls to eradicate and recover from the incident
     Digital Forensics
     • Collect and analyse electronic data in a defensible manner that will stand up to scrutiny
     • Involve legal and compliance if relevant for the case
     • Fulfil breach notification requirements
     Crisis Management
     • Identify when an incident becomes a crisis
     • Escalate to the C-Suite and Board based on defined criteria
     • Deliver concise crisis communication
     • Coordinate with 3rd parties (customers, regulators, law enforcement, etc.)
  6. Technical Incident Response. Incident Response (in a technical sense) is the organized process to contain the impact of an incident and return to business as usual (BAU). Note: the methodology is aligned to the NIST Computer Security Incident Handling guidelines and ISO 27035.
     1. Determine the type and approximate scope of the incident
     2. Determine the full scope (the affected data and systems) and plan the response
     3. Limit the damage and prevent spread (e.g. disable accounts, change passwords, harden or disconnect systems, etc.)
     4. Remove the infection and restore data; reduce the risk of future incidents; engage law enforcement if appropriate
  7. Technical Incident Response. The first and last phases (preparation and recovery) are central to successful incident response.
     Preparation
     • Identify internal and external contacts by division, geography or system
     • Understand network architecture, technology landscape, data flows, and security controls (IPS/IDS, firewalls, WAFs, AVs, etc.)
     • Identify legal and regulatory constraints and requirements
     • Understand common threat actors and types from dedicated cyber intelligence
     • Identify common themes and organisational difficulties from historical incidents
     • … and more (see Section 3)
     Recovery
     • Perform diagnostics and increased monitoring to validate successful eradication
     • Validate effectiveness of enhanced security controls
     • Launch projects to deploy additional security capabilities
     • Raise user awareness and alertness
     • Recovering one’s business (the long tail, see slide 5)
  8. Digital Forensics. Digital Forensics is the process of collecting and analysing electronic data in a defensible manner that will stand up to scrutiny.
     • Collection: identify relevant data sources; collect and preserve digital evidence from these sources, maintaining a defensible chain of custody
     • Examination: examine the collected data to extract information relevant to the investigation; search and access files such as compressed, encrypted, deleted, or access-controlled files
     • Analysis: analyse the extracted information to determine its significance to the case, establish facts, and reconstruct the sequence of events
     • Reporting: production of an evidence package and a report describing the analysis and the findings in understandable terms
     Example 1: DLP Alert. Unauthorized transfer of a large amount of highly sensitive files just before the user left the company. Forensic analysis: time of user login / logout, external devices connected, files accessed, files deleted, restoration of deleted files. Outcome: provide defensible evidence of data theft, the specific data stolen, and how the theft was executed.
     Example 2: Fraud. Fraudulent multi-million transaction to an offshore account; complex controls had been bypassed, which raised major security concerns. Forensic analysis: employee interviews to narrow down the pool of potential suspects; analysis of their access logs, chats, phones and PCs to understand their activities. Outcome: establish facts in a defensible manner; determine which controls require strengthening.
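The collection phase above hinges on a defensible chain of custody. The following Python example is added here and is not part of the Deloitte deck; it shows one minimal way to make custody defensible: hash every collected item at acquisition, and keep a hash-chained custody ledger so that a later edit to any ledger entry is detectable. The evidence contents, handler names and timestamps are constructed sample values standing in for the DLP case on this slide.

```python
"""Evidence acquisition ledger: hash each collected item and keep a
hash-chained, append-only chain-of-custody record so that a later check
can show both the evidence and the record itself are unchanged.
Added illustration, not Deloitte's tooling; all values are constructed."""
import dataclasses
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed evidence items (name -> bytes), standing in for the artefacts
# collected from the departing user's workstation in the DLP example.
EVIDENCE: Dict[str, bytes] = {
    "usb_connection_log.txt": b"2017-03-28T18:02:11Z user=jdoe device=usb-storage action=mount\n",
    "file_access_log.txt": b"2017-03-28T18:05:40Z user=jdoe path=fs01/finance/forecast.xlsx op=copy\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class CustodyEntry:
    item: str
    sha256: str            # hash of the evidence bytes at the time of this entry
    action: str            # "acquired", "transferred" or "verified"
    handler: str           # person taking custody (constructed names below)
    timestamp: str         # ISO 8601, UTC
    prev_entry_hash: str   # hash of the previous ledger entry, "" for the first

    def entry_hash(self) -> str:
        # Canonical JSON so the hash is reproducible across runs and tools
        return sha256_hex(json.dumps(asdict(self), sort_keys=True).encode())


class CustodyLedger:
    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def record(self, item: str, data: bytes, action: str, handler: str,
               when: Optional[datetime] = None) -> CustodyEntry:
        ts = (when or datetime.now(timezone.utc)).isoformat()
        prev = self.entries[-1].entry_hash() if self.entries else ""
        entry = CustodyEntry(item, sha256_hex(data), action, handler, ts, prev)
        self.entries.append(entry)
        return entry

    def acquisition_hash(self, item: str) -> Optional[str]:
        """Hash recorded when the item was first acquired, or None if never acquired."""
        for e in self.entries:
            if e.item == item and e.action == "acquired":
                return e.sha256
        return None

    def verify_item(self, item: str, data: bytes) -> bool:
        """True if the bytes presented now match the bytes hashed at acquisition."""
        expected = self.acquisition_hash(item)
        return expected is not None and expected == sha256_hex(data)

    def ledger_intact(self) -> bool:
        """True if every entry still chains to the hash of its predecessor."""
        prev = ""
        for e in self.entries:
            if e.prev_entry_hash != prev:
                return False
            prev = e.entry_hash()
        return True


def run_demo(when: datetime = datetime(2017, 3, 29, 9, 0, tzinfo=timezone.utc)) -> Dict[str, bool]:
    """Acquire the constructed evidence, hand one item over, then show what
    the ledger catches: modified evidence and a modified ledger entry."""
    ledger = CustodyLedger()
    for name, data in EVIDENCE.items():
        ledger.record(name, data, "acquired", "analyst_a", when)
    ledger.record("usb_connection_log.txt", EVIDENCE["usb_connection_log.txt"],
                  "transferred", "analyst_b", when)
    results = {
        "original_verifies": ledger.verify_item("usb_connection_log.txt", EVIDENCE["usb_connection_log.txt"]),
        "tampered_verifies": ledger.verify_item("usb_connection_log.txt", EVIDENCE["usb_connection_log.txt"] + b"x"),
        "ledger_intact_before": ledger.ledger_intact(),
    }
    # Simulate someone rewriting the first custody entry after the fact
    ledger.entries[0] = dataclasses.replace(ledger.entries[0], handler="someone_else")
    results["ledger_intact_after_edit"] = ledger.ledger_intact()
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In practice the acquisition itself would be done with a write blocker or a forensic imaging tool, and the ledger would be stored on separate media (or signed) so that the person holding the evidence cannot also silently rewrite its history; the hash chain makes such a rewrite visible, it does not prevent it.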
  9. Technical Incident Response vs. Digital Forensics: fire fighting vs. fire investigations.
  10. Crisis Management. Uncertainty and organizational complexity are two key challenges in effective crisis management. The crisis management cycle: analyse the situation, define objectives, choose a response option, determine action, review results. Key questions along the cycle:
     • What happened on a technical level? What are the ramifications / spread? What is the business impact thereof?
     • What response options do we have? Who needs to be involved (e.g. other divisions, HR, PR & communications, legal, regulator, etc.)?
     • What response options do we want to exercise? Who has to authorize these options? Who can execute these options?
  11. Section 3: Extending the Framework
  12. Extended CIR Framework. Being proactive is essential; CIR starts much earlier than “when the phone rings”. The three core components (technical incident response, digital forensics, crisis management) are extended by four proactive activities: “compromise assessments”, “red teaming”, “cyber simulations” and “cyber threat intelligence”.
  13. Compromise Assessments. A proactive approach based on intelligent monitoring to validate or falsify the hypothesis that an incident has happened. Compromise assessments are particularly suited to check for evidence of APT infections.
     • Host-based search for IOCs identifying compromises, anomalies, or malware
     • Network monitoring, typically at egress points, to identify C&C channels, leakages, or anomalous flows
     • Review of log files (DNS, AD, VPN) to identify abnormal behaviour
     • Open source intelligence scan for evidence of attacks (planned or actual)
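Two of the four checks on this slide, the IOC search and the review of DNS logs for abnormal behaviour, can be illustrated with a small detection script. The Python example below is added here and is not Deloitte's tooling; the DNS log lines, the IOC list and the thresholds are constructed. It goes slightly beyond the slide by showing one concrete anomaly heuristic, near-constant query intervals from one client to one name (typical of C&C beaconing), rather than only a keyword match.

```python
"""Two compromise-assessment checks over a constructed DNS resolver log:
(1) match queried names against an IOC list, and (2) flag client/name pairs
that query at suspiciously regular intervals, a common trait of C&C beaconing.
Added illustration, not Deloitte's tooling; log, IOCs and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed DNS resolver log, one query per line: "<UTC timestamp> <client IP> <queried name>".
DNS_LOG = """\
2017-04-03T08:00:00Z 10.1.2.3 www.example.com
2017-04-03T08:00:05Z 10.1.2.3 update.example-cdn.net
2017-04-03T08:10:00Z 10.1.2.3 update.example-cdn.net
2017-04-03T08:20:00Z 10.1.2.3 update.example-cdn.net
2017-04-03T08:30:00Z 10.1.2.3 update.example-cdn.net
2017-04-03T08:31:12Z 10.1.2.7 mail.example.com
2017-04-03T08:32:40Z 10.1.2.7 c2-placeholder.invalid
2017-04-03T08:40:00Z 10.1.2.3 update.example-cdn.net
2017-04-03T09:00:00Z 10.1.2.9 intranet.example.com
2017-04-03T09:00:30Z 10.1.2.9 intranet.example.com
2017-04-03T09:07:15Z 10.1.2.9 intranet.example.com
2017-04-03T09:45:02Z 10.1.2.9 intranet.example.com
"""

# Constructed IOC list; in a real assessment this comes from threat intelligence feeds.
IOC_DOMAINS = {"c2-placeholder.invalid"}

Event = Tuple[datetime, str, str]  # (timestamp, client, queried name)


def parse_dns_log(text: str) -> List[Event]:
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name = line.split()
        # Normalise names so IOC matching is not defeated by case or a trailing dot
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, name.lower().rstrip(".")))
    return events


def match_iocs(events: List[Event], iocs) -> List[Tuple[str, str]]:
    """IOC search over network data: every client that resolved a known-bad name."""
    hits = {(client, name) for _, client, name in events if name in iocs}
    return sorted(hits)


def find_beacons(events: List[Event], min_queries: int = 4, max_cv: float = 0.1) -> List[Dict]:
    """Flag (client, name) pairs whose gaps between queries are nearly constant.
    cv = stdev / mean of the gaps; a low cv means machine-like regularity."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for ts, client, name in events:
        by_pair[(client, name)].append(ts)
    beacons = []
    for (client, name), stamps in by_pair.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:            # identical timestamps: no interval to measure
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons.append({"client": client, "name": name, "queries": len(stamps),
                            "mean_interval_s": avg, "cv": cv})
    return beacons


def assess(text: str = DNS_LOG, iocs=IOC_DOMAINS) -> Dict:
    events = parse_dns_log(text)
    return {"ioc_hits": match_iocs(events, iocs), "beacons": find_beacons(events)}


if __name__ == "__main__":
    for key, value in assess().items():
        print(key, value)
```

A hit from either check is a hypothesis to validate or falsify, exactly as the slide puts it: the ten-minute periodic queries flagged here could just as well be a legitimate software updater, so the next step is the host-based side of the assessment, identifying the process behind the queries on that client.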
  14. Red Teaming. Like real attackers, red teams explore all components in an organization towards the goal of achieving pre-agreed objectives. The combined attack flow spans three domains:
     • Physical: the buildings, the desks, the safes and the physical IT infrastructure.
     • Human: the employees, customers, clients and third parties that bind the cyber and physical worlds together.
     • IT: the online world, the Internet as well as corporate intranets and all other computer networks.
  15. Cyber Simulations. A simulated cyber crisis helps organizations evaluate moves and counter-moves, as well as to practice and to identify gaps. The simulation is driven by a scenario, guidance, content / injects and insider information. Roles:
     • Blue team: incident responders that act on content / injects
     • Red team: insiders that counter / respond to the Blue Team
     • White and grey team: facilitators and observers
     Different from red teaming, cyber simulations aim to specifically exercise the crisis management team.
  16. Cyber Threat Intelligence (CTI). CTI collects and evaluates information on potential threats so organizations can prepare and respond faster. Service areas:
     • Brand Abuse: scams, fake job offers & promotions, fake social media profiles, cybersquatting
     • Information Recovery: credentials, corporate documents or other confidential data that should not have leaked
     • Threat Monitoring: hacktivism, defacement, cyberattack vectors, targeted malware, chatter about attack plans
     • Fake Apps: apps for mobile platforms that, despite seeming official, are fraudulent
     • Anti Phishing: detection and closure of illegitimate websites stealing users’ sensitive information by impersonating the corporate sites
     • Early Warning: information about vulnerabilities in hardware and software
     • Ad-hoc Research: digital fingerprinting, social engineering, trends
  17. Section 3: Summary
  18. Summary. The “hot” phase is only the peak in the CIR lifecycle, and a holistic approach will make organizations more resilient. The lifecycle has four stages:
     • Proactivity: compromise assessments, red teaming, cyber simulations, cyber threat intelligence
     • Preparedness: understanding one’s environment (data assets, architecture, security capabilities, etc.)
     • “Core” incident response (the “hot” phase): technical incident response, digital forensics, crisis management
     • Remediation & Recovery: the “long tail” of recovering the business; change projects to enhance security capabilities or build new ones
  19. Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited (“DTTL”), a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see for a detailed description of the legal structure of DTTL and its member firms. Deloitte AG is a subsidiary of Deloitte LLP, the United Kingdom member firm of DTTL. Deloitte AG is an audit firm recognised and supervised by the Federal Audit Oversight Authority (FAOA) and the Swiss Financial Market Supervisory Authority (FINMA). This publication has been written in general terms and therefore cannot be relied on to cover specific situations; application of the principles set out will depend upon the particular circumstances involved and we recommend that you obtain professional advice before acting or refraining from acting on any of the contents of this publication. Deloitte AG would be pleased to advise readers on how to apply the principles set out in this publication to their specific circumstances. Deloitte AG accepts no duty of care or liability for any loss occasioned to any person acting or refraining from action as a result of any material in this publication. © 2017 Deloitte AG. All rights reserved.