3. 3
Who Is Set
Solu<ons,
Inc.?
‣ 20+
years
in
IT
Security
‣ Full
range
of
compliance,
security
and
network
services
‣ Relentless
research
‣ Vendor
agnosCc
‣ We
help
safeguard
several
of
the
largest
companies
in
the
world
‣ Very
happy
customers!
4. 4
Who Am I?
‣ Not
this
guy…
‣ Senior
Engineer
with
Set
SoluCons,
Inc.
‣ 18
years
in
IT
Security,
IT,
and
IT
Audit
‣ Security
experience
in
University,
Healthcare,
Aerospace/Defense/Industrial
industries…
5. 5
What Is This
About?
‣ Things
I
wish
I
knew
before
this
happened
6. 6
What Are Your
Goals?
‣ Clean
up
as
quickly
as
possible
and
move
on.
7. 7
What Are Your
Goals?
‣ IdenCfy…
• TTP’s
• Systems
affected
• What
controls
failed?
‣ Minimize
loss
of
data
or
other
damages
‣ Remove
the
threat
‣ Secure
the
environment
‣ Get
back
to
normal
operaCons
‣ LEARN
FROM
EXPERIENCE!
9. 9
Example IR
Plan
‣ Overview
/
IR
Policy
‣ Roles
and
ResponsibiliCes
/
Incident
Response
Team(s)
‣ Incidents
Requiring
AcCon
‣ Procedures
for
Response
Steps:
• IdenCficaCon
• Containment
• EradicaCon
• Recovery
‣ Call
List
/
CommunicaCons
‣ Current
Network
Infrastructure
DocumentaCon
‣ ExisCng
Security
Controls
DocumentaCon/Procedures
‣ Retainer
for
experts
‣ SLAs
with
exisCng
partners,
vendors,
etc.
‣ Training
and
Awareness
‣ Lessons
Learned
10. 10
IR Team Skills
‣ Technical
‣ Non-‐Technical
11. 11
‣ IR
Team:
• IT
Security
• IT
-‐
Networking,
Server,
Apps,
AD,
Desktop
• Consultant(s)
• Project
Management
‣ Need
an
ExecuCve
Sponsor!
IR Team Members
12. 12
‣ Other
IT
-‐
HelpDesk,
Desktop
Support,
Business
Apps,
Web
Development
‣ 3rd
Party
IT
Providers
‣ Compliance/Privacy
‣ Audit
‣ Legal
‣ HR
‣ Corporate
CommunicaCons
Other Groups to
Keep in the Loop
13. 13
What Are Your Current
Capabili<es?
‣ What
skills
and
tools
do
you
have?
‣ What
is
your
visibility?
At
perimeter
and
internal…
‣ Where
are
your
privileged
accounts?
Do
you
know?
‣ Know
what
and
where
your
gaps
are…
16. 16
Pre-‐Remedia<on /
Posturing Phase
‣ Fire
up
the
IR
Team
and
Processes
‣ Ramp
up
detecCon
/
monitoring
/
logging
‣ Control
Lateral
Movement
‣ Change
Management
‣ SLAs
/
3rd
Party
IT
Providers
17. 17
Remedia<on
Phase
‣ Point
in
Cme
when
an
organizaCon
has…
• IdenCfied
the
threats
in
their
environment
including
relevant
malicious
domain
names,
IP
addresses,
and
URLs
• Compromised
systems
have
been
idenCfied
• Pre-‐remediaCon
controls
have
been
implemented
‣ OrganizaCon
feels
they
are
ready
to
remove
the
current
threats
‣ Usually
a
weekend
or
aner-‐hours
event
18. 18
Post-‐Remedia<on
Phase
‣ Ensure
malicious
acCvity
is
not
ongoing
‣ Make
sure
weaknesses
have
been
miCgated
‣ Short-‐term
and
Long-‐term
addiConal
posturing…
19. 19
Incident Response
Ends
‣ Learn
from
it!
‣ What
worked…what
did
not
work?
‣ People,
Processes,
Tools…
‣ Vendors,
Business
Partners…
‣ Give
kudos
to
members…