
Got hacked? It’s too late to run now!

When a cyber security incident occurs, you need to understand exactly how the attack happened, so you can plan the best way to respond. Earlier this week, we hosted a webinar where our cyber security expert, Janne Kauhanen, talked about incident response.

Article URL: https://business.f-secure.com/got-hacked-cyber-security-webinar4

Published in: Software

Got hacked? It’s too late to run now!

  1. GOT HACKED? IT’S TOO LATE TO RUN NOW. Janne Kauhanen, Twitter: @JKauhanen
  2. 360° OF CYBER SECURITY: Minimize attack surface. Prevent incidents. Understand your risk, know your attack surface, uncover weak spots. React to breaches, mitigate the damage, analyze and learn. Recognize incidents and threats, isolate and contain them.
  3. AGENDA: Definitions; Threat detection, a short summary; Why do you get hacked?; What to do when you get hacked?; Incident Response process; Forensics; Incident Response capabilities you should (and shouldn’t) have; Crisis management
  4. SECURITY INCIDENTS: Hacker actions; Information leak; Widespread malware infection; Internal misbehavior (unintentional included)
  5. "A security incident is any kind of action that results in a change to a known good state." ‒ Kurt Hagerman, CISO, Armor Defense Inc.
  6. THE DOS AND DON’TS OF THREAT DETECTION: recap of webinar #3
  7. WHY DID I GET HACKED? (chart, axes: focus and skill) "Drive by" & script kiddies; Targeted attacks: identity theft, 0day exploits; Advanced persistent threats
  8. INCIDENT RESPONSE PROCESS: Briefing, Identification, Containment, Recovery, Aftermath
  13. FORENSIC INVESTIGATION: 1. How was the device breached? ‒ What was the root cause? 2. How did the attacker communicate with the device? ‒ Is the attacker still able to communicate with the device? 3. Was the attacker able to move beyond this device? ‒ Is there a way to detect infected devices? 4. Was data exfiltrated from the device? ‒ How much data, what kind of data, and where did it go?
  18. IN-HOUSE CAPABILITIES: What kind of capabilities should I have in-house? Is there anything I should not try to do myself?
  19. "By failing to prepare you are preparing to fail" ‒ Benjamin Franklin
  20. CRISIS MANAGEMENT EXERCISE: Scenarios based on real life, adjusted to target organization; GameMaster monitors actions and generates additional inputs
  21. THERE ARE TWO TYPES OF COMPANIES: THOSE WHO HAVE BEEN BREACHED, AND THOSE WHO DON’T KNOW IT YET.
  22. Q&A
