Post-mortem of a data breach

How do data breaches happen? What are their business implications? Learn how to react when an incident does happen and how to get back to business as quickly as possible afterwards.

Article URL: https://business.f-secure.com/webinar-post-mortem-of-a-data-breach

  1. POST-MORTEM OF A DATA BREACH. Janne Kauhanen @jkauhanen, Jani Kallio @janikallionet, F-Secure Cyber Security Services
  2. 100+ ASSIGNMENTS / 3 YEARS
  3. SERVICE PROVIDER "CORPX"
     • Listed on several international stock exchanges
     • Provides application services, e.g. to financial sector
     • Never thought they could be targeted – "we're just a regular company"
  4. SITUATION ONE MORNING IN SEPT 2015
     • "7GB of data was sent from one financial department employee's PC to IP-address xxx.xxx.xxx.xxx."
     • F-Secure Labs confirmed the address as a known data exfiltration server, used in a recently activated campaign
  5. RECON (diagram labels: Watering hole, Command & Control, Data Exfiltration)
  6. EXPLOITATION (diagram labels: Watering hole, Command & Control, Data Exfiltration)
  7. ATTACK KIT DELIVERY (diagram labels: Watering hole, Command & Control, Data Exfiltration)
  8. LATERAL MOVEMENT (diagram labels: Watering hole, Command & Control, Data Exfiltration)
  9. DATA COLLECTION (diagram labels: Watering hole, Command & Control, Data Exfiltration)
  10. DATA EXFILTRATION (diagram labels: Watering hole, Command & Control, Data Exfiltration)
  11. WHAT WAS THE BUSINESS IMPACT ON "CORPX"? Jani Kallio, F-Secure Cyber Security Services, Professional Services, Management Consulting
  12. SIMPLIFIED CYBER BREACH'S BUSINESS IMPACT TIMELINE (chart axes: Stakeholder focus & attention, Resource demand, Time)
     • Discovery
     • Incident Response: IT Forensics; Legal & Regulatory review
     • External areas: Public Relations; Notification management; Stakeholder Communication; Remedial Service Provision
     • Short-term implications: Loss of efficiency & delivery; Internal reporting mayhem; Management's focus on incident, not on business; Costs incurred in response; Customer interface overload
     • Long-term implications: Loss of revenue; Stock price effect; Brand & Reputation damage; Regulatory fines; Contractual fines; Costs incurred in remediation; 3rd party legal liability
  13. SIMPLIFIED CYBER BREACH'S BUSINESS IMPACT TIMELINE (chart axes: Stakeholder focus & attention, Resource demand, Time)
     • IT anomaly
  14. SIMPLIFIED CYBER BREACH'S BUSINESS IMPACT TIMELINE (chart axes: Stakeholder focus & attention, Resource demand, Time)
     • IT anomaly
     • Discovery, IRT team involved
     • Escalation to MIM
     • Stakeholder notification according to the process
  15. SIMPLIFIED CYBER BREACH'S BUSINESS IMPACT TIMELINE (chart axes: Stakeholder focus & attention, Resource demand, Time)
     • Client's FSA's information request
     • Legal (external) and internal Sec resources tied up finding answers
     • A client demands explanation: Who, why, how, scope, remediation? -> KAMs try to manage
     • National Data Privacy Ombudsman requests information
  16. SIMPLIFIED CYBER BREACH'S BUSINESS IMPACT TIMELINE (chart axes: Stakeholder focus & attention, Resource demand, Time)
     • COMMS department demands info to prepare statements in advance
     • External PR company involved
     • 1st forensics report: The breach larger than expected
  17. SIMPLIFIED CYBER BREACH'S BUSINESS IMPACT TIMELINE (chart axes: Stakeholder focus & attention, Resource demand, Time)
     • CEO: prepare a statement to BoD
     • Escalation to the Management Team
     • IRT+MIM+CMT organization in place
  18. SIMPLIFIED CYBER BREACH'S BUSINESS IMPACT TIMELINE (chart axes: Stakeholder focus & attention, Resource demand, Time)
     • Closed accounts hinder internal operations
     • Client's tender process frozen
     • CMT decision: To isolate a suspected system. Reporting to client's FSA
     • Several units require instructions from CMT
  19. SIMPLIFIED CYBER BREACH'S BUSINESS IMPACT TIMELINE (chart axes: Stakeholder focus & attention, Resource demand, Time)
     • Improvement program scoping
     • Today
     • Risk assessments
     • Major Security Improvement program initiated
  20. SUMMARY
     • Successful business makes you a potential target
     • This case was a textbook example
     • Although prepared, the level of business disruption came as a surprise
     • You have fire drills – why not cyber drills?
     © F-Secure Confidential
  21. SWITCH ON FREEDOM
