Incident Response Practitioner's Guide
Tom Hall & Mitch Clarke
©2019 FireEye Mandiant

Tom Hall
§ Principal Consultant
– FireEye Mandiant, Incident Response
– 4 years
– thall_sec

Mitch Clarke
§ Senior Consultant
– FireEye Mandiant, Incident Response
– 2 years
– snozberries_au
Disclosure Statement
Case studies and examples are drawn from our experiences and activities working for a variety of customers, and do not represent our work for any one customer or set of customers. In many cases, facts have been changed to obscure the identity of our customers and individuals associated with our customers.
Topics
§ We're sharing:
– Experiences from real-world incidents
– Lessons we've learnt
– Mistakes we've seen organisations make
– Our approach to enterprise incident response
Context
§ Complex intrusions:
– Nation-state affiliated APT groups
– Financial crime groups
§ Where attackers are:
– Entrenched
– Privileged
– Motivated
BAU IR vs Complex Intrusions
§ Most organisations are not experienced in APT intrusions
§ Organisations vary in their maturity and ability
§ BAU (business-as-usual) IR can be counterproductive in an APT intrusion
Engagement Setup
Make or Break
§ Good engagement setup is the most critical phase of a successful IR
Setup Considerations
§ Determine the maturity of the organisation
§ Understand the complexity of their network
§ Consider the current lead/known malicious activity
§ Grasp the organisational structure and politics
§ Tailor the response approach for the organisation
Strategies and Advice
Walk Through a Typical APT/FIN Intrusion
§ Explain the attacker lifecycle and motivations
§ Intrusions (typically):
– Are larger than victims expect
– The first alert does not mark the first attacker activity
§ If data theft is the goal, it has usually already happened
§ The attackers are real people who can solve problems
Describe the IR and Remediation Journey
§ It's a marathon, not a sprint
§ No organisation can go from initial tip-off/discovery to effective eradication without:
– Understanding what access the attacker retains
– Improving the security posture of the network enough to eradicate the attacker and survive immediate re-compromise
Describe the IR and Remediation Journey (continued)
§ Remediation efforts should begin at the same time as the IR
§ As the IR progresses, we'll learn about attacker tradecraft and the extent of the breach
– Remediation efforts can begin to be targeted
– Eradication planning can begin
§ Once we understand access, it's time to eradicate
§ Remediation must continue after eradication:
– Medium and long term security architecture and culture changes
Do IR Once, Do It Right
§ Poorly scoped or insufficient tooling deployment creates blind spots in the investigation and safe harbours in which attackers retain access
– Can render an eradication completely ineffective
Why Are the Attackers Here?
§ "We cannot allow you to investigate our <Special/Sensitive/Critical> networks because they're <Special/Sensitive/Critical> to our business"
§ If it's critical to the business, it's critical to the attacker
§ Attackers will learn how your admins maintain the environment
§ Be sure to understand what the business does and why an attacker might be there
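The two slides above make one measurable point: any in-scope host that the IR tooling cannot see (never enrolled, silently stale, or carved out of scope by the business) is a blind spot that can undermine eradication. The following Python is an added illustration, not code from the deck or from FireEye Mandiant; it assumes a constructed asset inventory and a constructed agent check-in log, and reconciles the two so the blind spots are listed explicitly before an eradication date is set.

```python
"""
Added example (not from the Mandiant deck): reconcile an asset inventory
against the hosts whose IR agent actually reports in, so that hosts with no
coverage (investigation blind spots) are surfaced before eradication.
All inventory entries, hostnames and timestamps below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed inventory: hostname -> (business unit, in scope for the IR?)
INVENTORY = {
    "fs01.corp.example": ("Finance", True),
    "db02.corp.example": ("Payments", True),
    "web03.dmz.example": ("Web", True),
    "hr04.corp.example": ("HR", True),
    "lab05.corp.example": ("R&D lab", False),  # carved out of scope by the business
}

# Constructed agent check-in log: (hostname, last check-in time, UTC)
NOW = datetime(2019, 6, 1, 12, 0, tzinfo=timezone.utc)
CHECKINS = [
    ("fs01.corp.example", NOW - timedelta(minutes=5)),
    ("db02.corp.example", NOW - timedelta(days=9)),       # agent installed, then went silent
    ("hr04.corp.example", NOW - timedelta(hours=1)),
    ("unknown06.corp.example", NOW - timedelta(minutes=2)),  # reporting, but not in inventory
]


@dataclass(frozen=True)
class CoverageReport:
    covered: frozenset         # in scope and a live agent
    never_enrolled: frozenset  # in scope, no agent has ever checked in
    stale: frozenset           # agent present but silent longer than the threshold
    excluded: frozenset        # carved out of scope by the business
    unknown: frozenset         # reporting hosts missing from the inventory


def coverage(inventory, checkins, now, stale_after=timedelta(days=7)):
    """Classify every inventory host by what the IR tooling can actually see."""
    last_seen = {}
    for host, ts in checkins:
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    covered, never_enrolled, stale, excluded = set(), set(), set(), set()
    for host, (_unit, in_scope) in inventory.items():
        if not in_scope:
            excluded.add(host)
        elif host not in last_seen:
            never_enrolled.add(host)
        elif now - last_seen[host] > stale_after:
            stale.add(host)
        else:
            covered.add(host)
    unknown = set(last_seen) - set(inventory)
    return CoverageReport(frozenset(covered), frozenset(never_enrolled),
                          frozenset(stale), frozenset(excluded), frozenset(unknown))


def blind_spots(report):
    """Hosts the investigation cannot see: never enrolled, stale, or carved out."""
    return sorted(report.never_enrolled | report.stale | report.excluded)


def coverage_ratio(report):
    """Fraction of in-scope inventory with a live agent (excluded hosts are not counted)."""
    in_scope = len(report.covered) + len(report.never_enrolled) + len(report.stale)
    return len(report.covered) / in_scope if in_scope else 0.0


if __name__ == "__main__":
    report = coverage(INVENTORY, CHECKINS, NOW)
    print(f"in-scope coverage: {coverage_ratio(report):.0%}")
    for host in blind_spots(report):
        print("blind spot:", host)
    for host in sorted(report.unknown):
        print("reporting but not in inventory:", host)
```

Two design choices follow the deck's argument: carved-out networks are reported as blind spots rather than silently dropped from the denominator, because the business exclusion is exactly the safe harbour the slide warns about, and hosts that report in without appearing in the inventory are listed separately, since an inventory gap is itself a scoping problem to resolve before eradication.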
Dedicated Teams Are Required
§ The organisation will typically need to establish an incident response team, which can consist of:
– Lead
– Project manager
– IT/technical lead
– Legal, Privacy, Risk, and/or Governance
– Communications
§ A remediation team is also required
§ Teams are most successful when the leader has enough business knowledge and political capital to move fast and be far-reaching
Build Trust with IT
§ Buy-in and support of IT is essential for the success of incident response
§ You need to protect IT resources from burnout
– Learn the client culture
§ Large networks will always have issues
§ Save face for IT:
– Always under-funded
– Lack of human resources
– Motivated attackers will always keep trying until they're successful
Communications Rhythm
§ Frequency
§ Seniority
§ Number of stakeholders
How to Handle Investigation Findings
§ Historical activity
§ Impactful findings
– Data theft
– Targeting of specific systems
§ An active attacker
– What can we do?
– What is effective?
– Where should we spend our resources?
Containment
§ Enterprise networks are typically convoluted and their systems interdependent
§ Real/effective containment will usually:
– Break your applications
– Prevent users from doing business
§ It doesn't stop the attacker from accessing the victim network
§ It burns IT resources
§ Containment is effective for hours, that's all.
Final Thoughts
Always Tailor for Your Victim Organisation
§ Not a science
§ No one size fits all
§ There's a balance in everything
Thank You

Cyber Threat 2019 NCSC-SANS London Conference - Mandiant IR Practitioners Guide

§ If data-theft is the goal, it’s usually already happened
§ The attackers are real people who can solve problems
Walk Through a Typical APT/FIN Intrusion
11
Describe the IR and Remediation Journey
12
§ It’s a marathon, not a sprint
§ No organisation can go from initial tip off/discovery to effective eradication without:
– Understanding what access the attacker retains
– Improving the security posture of the network to eradicate and survive immediate re-compromise
§ Remediation efforts should begin at the same time as the IR
§ As the IR progresses, we’ll learn about attacker tradecraft and extent of the breach
– Remediation efforts can begin to be targeted
– Eradication planning can begin
§ Once we understand access, it’s time to eradicate
§ Remediation must continue after eradication:
– Medium and long term security architecture and culture changes
Describe the IR and Remediation Journey
13
§ Poorly scoped or insufficient tooling deployment can create blind-spots in the investigation and safe-harbours for attackers to retain access
– Can render an eradication completely ineffective
Do IR Once, do it Right
14
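The blind-spot problem above is one a responder can measure before eradication is planned. The following is an added example, not code from the deck or from Mandiant: it reconciles a constructed asset inventory against constructed agent check-in data (hypothetical hostnames and business units) to list hosts that never reported, hosts whose agent went quiet, and the share of each business unit that is effectively dark.

```python
from datetime import datetime, timedelta

# Constructed sample data: hypothetical hosts, business units and last agent
# check-in times as exported from a tooling console. Not from the deck.
INVENTORY = [
    {"host": "dc01",     "unit": "Corporate IT"},
    {"host": "fs02",     "unit": "Corporate IT"},
    {"host": "hmi-plc1", "unit": "Plant Control"},
    {"host": "hmi-plc2", "unit": "Plant Control"},
    {"host": "web01",    "unit": "Customer Portal"},
    {"host": "db01",     "unit": "Customer Portal"},
]
LAST_SEEN = {  # hosts absent here have never reported to the tooling
    "dc01": "2019-06-10T08:00:00",
    "fs02": "2019-06-01T08:00:00",   # reporting once, but has gone quiet
    "web01": "2019-06-10T07:30:00",
    "db01": "2019-06-10T07:45:00",
}
NOW = datetime(2019, 6, 10, 9, 0, 0)  # constructed "current time" for the check

def coverage_gaps(inventory, last_seen, now, stale_after=timedelta(days=2)):
    """Return (missing, stale): hosts that never reported and hosts whose
    last check-in is older than stale_after. Both are investigation blind spots."""
    missing, stale = [], []
    for asset in inventory:
        seen = last_seen.get(asset["host"])
        if seen is None:
            missing.append(asset["host"])
        elif now - datetime.fromisoformat(seen) > stale_after:
            stale.append(asset["host"])
    return missing, stale

def dark_units(inventory, missing, stale):
    """Percentage of each business unit with no working coverage, so the IR
    lead can see which parts of the network the tooling cannot observe."""
    totals, uncovered = {}, {}
    gap = set(missing) | set(stale)
    for asset in inventory:
        unit = asset["unit"]
        totals[unit] = totals.get(unit, 0) + 1
        if asset["host"] in gap:
            uncovered[unit] = uncovered.get(unit, 0) + 1
    return {u: round(100 * uncovered.get(u, 0) / n) for u, n in totals.items()}

if __name__ == "__main__":
    missing, stale = coverage_gaps(INVENTORY, LAST_SEEN, NOW)
    print("never reported:", missing)
    print("stale agents:", stale)
    print("percent uncovered per unit:", dark_units(INVENTORY, missing, stale))
```

Any unit that scores high here is exactly the kind of uninvestigated enclave the slide warns about; the same reconciliation should be re-run right before eradication, since coverage decays as hosts are rebuilt or agents are removed.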
§ “We cannot allow you to investigate our <Special/Sensitive/Critical> networks because they’re <Special/Sensitive/Critical> to our business”
§ If it’s critical to the business, it’s critical to the attacker
§ Attackers will learn how your admins maintain the environment
§ Be sure to understand what the business does and why an attacker might be there
Why are the attackers here?
15
§ The organisation will typically need to establish an incident response team, which can consist of:
– Lead
– Project manager
– IT/technical lead
– Legal, Privacy, Risk, and/or Governance
– Communications
§ Remediation team is also required
§ Teams are most successful when leader has enough business knowledge and political capital to move fast and be far-reaching
Dedicated Teams are Required
16
§ Buy-in and support of IT is essential for success of incident response
§ You need to protect IT resources from burnout
– Learn the client culture
§ Large networks will always have issues
§ Save face for IT
– Always under-funded
– Lack of human resources
– Motivated attackers will always keep trying until they’re successful
Build Trust with IT
17
§ Frequency
§ Seniority
§ Number of stakeholders
Communications Rhythm
18
§ Historical activity
§ Impactful findings
– Data theft
– Targeting of specific systems
§ An active attacker
– What can we do?
– What is effective?
– Where should we spend our resources?
How to Handle Investigation Findings
19
§ Enterprise networks are typically convoluted and their systems interdependent
§ Real/effective containment will usually:
– Break your application
– Prevent users from doing business
§ Doesn’t stop the attacker from accessing the victim network
§ Burns resources of IT
§ Containment is effective for hours, that’s all.
Containment
20
§ Not a science
§ No one size fits all
§ There’s a balance in everything
Always Tailor for your Victim Organisation
22