1. When it happens, will you be ready?
How to excel in handling your next cyber incident
Presented by Dan Michaluk
March 2, 2020
2. Not just any Saturday
You had just sat down with a real page-turner when you got the call. Campbell
from IT went into the office after receiving a couple of calls from staff who were not
able to access e-mail or files from the file share.
Campbell says that the e-mail server, file server and a number of other key
servers are inaccessible. All he can see is a text file that contains a cryptic note
about e-mailing a protonmail address to get access to the data.
Campbell asks you what to do.
3. Not just any Saturday
What do you do:
A. Tell Campbell to send an e-mail to the address and ask what needs to be
done to restore access.
B. Tell Campbell to do what he can to contain the incident, call the privacy
commissioner to report a cyber attack and take their advice.
C. Tell Campbell to do what he can to contain the incident and call the Board
chair to give them a heads up that there’s been an attack.
D. Tell Campbell to do what he can to contain the incident and call your insurer
for a referral to expert help.
4. Agenda
o Events, incidents and “breaches”
o The incident response process
o Incident response tips
o The incident response plan
6. Events, incidents and “breaches”
Learn and use this helpful nomenclature
o A security event is a possible problem that should be assessed
o A security incident is a confirmed problem that needs to be managed through the incident response process
• Cyber attack
• A misconfiguration
• An errant communication
o A “breach” is a legal concept that relates to unauthorized access to information or loss, theft…
8. The objectives
The incident response process
o Quickly re-establish baseline data security
• Confidentiality (stop leakage and exposure)
• Integrity (get bad actors out)
• Availability (restore services)
o Appropriately manage the legal risks of the incident, especially those arising out of data exposure
o Foster learning and security program improvement
9. Step 1a – Contain (first few hours)
The incident response process
o Stop the incident from getting worse
o May involve
• Disconnecting from the internet
• Fixing a misconfiguration
• Changing the password on a compromised account
o Steps are taken immediately with available resources
o Should not entail overwriting data to restore services, which can cause loss of evidence
10. Step 1b – Get help (first few hours)
The incident response process
o Don’t
• Call the police
• Call the privacy commissioner
• Call the board chair
o Do
• Consult a lawyer
• Who will retain one or more experts to help
11. Step 2 – Restore and secure (days two to four)
The incident response process
o In a malware event this can become difficult quickly without expert guidance, with evidence being destroyed and more information being stolen
o Can involve
• Negotiating a ransom payment and the retrieval of decryption keys
• Restoration coaching by an expert
• Installation of endpoint monitoring software tools to watch for signs of persistence
12. Step 3a – Investigate (days four to…)
The incident response process
o Starts with the gathering of digital evidence
o Evidence is analyzed to answer two key questions:
• How did this happen?
• What data was exposed and how?
o Not a search for things you want to find, but there will often be a duty to conduct a duly diligent investigation
o If the expert determines there has been no exposure, you will rest heavily on that conclusion in taking no further action
13. Step 3b – Mitigate (days four to…)
The incident response process
o Mitigate all the harms and potential harms arising out of the incident, including reputational harms and harms to people
o We do this primarily by communication
• Media releases
• Notification to affected individuals
• Credit monitoring offerings
• Reporting to law enforcement or sharing threat information
o Keys to success
• Timing – How fast is your “clock speed”?
• Accuracy – Don’t misrepresent or take risks on making affirmative statements when you don’t know.
14. Step 4 – Learn and move on
The incident response process
o Investigation is complete
o Mitigation steps taken
o Final remedial plan developed with an implementation plan
• Take the “how” from the investigation report…
• …and apply the “5 whys”
• Develop a meaningful list of changes to address the root and next level causes
o Assess your incident response process too!
16. Internal communication and privilege
Incident response tips
o Use a small cross-functional team with the necessary experts that keeps the matter confidential
o All communications outside the zone of confidence are approved
o If a lawyer leads, communications to/from the lawyer will be privileged
• Lawyer instructs experts for a well-defined purpose that links to privilege
• Substantive issues all brought to the lawyer for consideration
• Communications between team members who are not lawyers are limited to what is factual and administrative
17. Notifying and communicating
Incident response tips
o Don’t say “we value your privacy.” Show it.
o Consider apologizing, but not profusely
o Convey the facts that will be meaningful to those affected
• What was exposed
• For how long
• To whom
o Include a list of meaningful remedial measures
o Beware of legal requirements for what must go in a notification letter
18. When to notify
Incident response tips
o Notification is generally based on exposure of personal information, not a security incident alone
• Though an incident alone may lead you to engage in the sharing of threat information
o There may be a statutory duty to notify (and report)
o Or there may be another reason to notify
• There’s a real potential for significant harm
• The incident is known
• The incident is likely to become known
o Many organizations notify reactively, too quickly and without good reason
20. Your response process should be embedded in a PLAN
The incident response plan
o An “IRP” applies to all forms of security incidents
o It is premised on the idea that incidents will occur and can be anticipated
o It structures the response to save time and support optimal decision-making
• Identifies the key processes and decisions
• Puts information at hand
• Provides decision-making authority
21. What to put in the plan
The incident response plan
o Frame out the process
o Identify responsibilities
o Append
• Contact information for 24/7 contact
• Pre-retained experts
• Playbooks for certain expected scenarios
o Create playbooks by running scenario-based exercises
Dan Michaluk
Privacy and data security lawyer at BLG
Cyber incident response
…
Important topic now
Not if but when
Readiness is important
…
Not going to make you an IR expert here
Objectives
-know what to do right away
-encourage you to get ready and get help when you need it
-encourage you to learn more
Start with a scenario
We’ll address the answer in a moment
Here’s the agenda
I’ve left some cushion for questions so feel free to ask
I’ll watch the timing as we go
Topic 1 of 4
I think language matters
And clients struggle with it
All security problems first present as some vague sign of trouble
“I don’t think I sent that e-mail”
“Why don’t I have access to this service?”
Some will call it a breach at that point….
Others will be smart enough to call it a potential breach
There is some helpful language endorsed by the National Institute of Standards and Technology (NIST)
Event – many, many events
Incident – these are what get escalated and formally managed
NIST doesn’t use the term “breach”
Developed into a legal term used in Canadian privacy law
Much narrower, typically can’t be discovered without significant investigation
Unauthorized access to personal information
Loss or theft of personal information
Part 2 of 4
Walk you through the incident response process
This is my own
….
-you’ll see different models
-NIST model
-Also SANS Incident
-Those models start with preparation
-I’m going to jump right in
-My interpretation of the process
-It’s similar and valid
Three facets of data security – or attributes of secure data
Get it back to “situation normal”
…
Then clean up the mess
…
Then reflect and learn
Four steps
-contain and get help
-restore and secure
-investigate and mitigate
-learn and move on
STEP 1 – CONTAIN AND GET HELP
-broken into a and b because they can happen simultaneously
-both should happen in the first few hours
…
-contain… IT issue
-most IT teams will have enough knowledge to contain
MOST PEOPLE WILL CALL TO GET HELP
-don’t know who to call
-pitch to call a lawyer experienced in cyber response
-or your insurer, who will certainly connect you with a lawyer experienced in cyber response
-will slow you down and stop you from doing things you can’t undo
-delete evidence that you may need
-talk to third parties before you know what to say
-talk to third parties and say things that are damaging
-report to the privacy commissioner is not privileged… can never take it back
-now I’m working with that as the starting point
-incident response experts do 100s of these every quarter
-versus your IT staff
WRONG WAY
-people who don’t get help tend to stall out here
-it’s hard to do network restoration – malware is “polymorphic” and persistent
-two risks…..
-destroying evidence
-failing to secure the network
RIGHT WAY
-secure and restore network under watchful eye of an expert
-benefits = safe & speedy
-special options
-paying ransom
-installation of endpoint monitoring
-gather digital evidence at the same time as securing the network
-log data
-some full forensic images of devices
Two questions
-not so much why… why comes at end
-forensics should give you the mechanics of the intrusion
-and hopefully what data was exposed and how
My own view – meet those objectives with the minimal amount of text
Use the process in this slide deck and add a little meat to the bones
Contain and seek help
-who’s responsible for it
-and what if that person isn’t available
-what can they do without seeking approval
-what shouldn’t they do without seeking approval
-who to call – at what number