Cybersecurity Crisis Management Introduction
Incident Response
Cyber Security Incident Management
Naor Penso | www.hitit.co.il
AGENDA
• Introduction
• Cyberattack
• From event to incident
• We're at war! Now what?
• Preparing for doomsday
Introduction to cyber
1. The third industrial evolution
2. The chronicle of flaws
3. From nations to Bob
4. The risk / value equation
Why hack?
Just like in real life, not every case is considered a crisis, and not every case requires crisis management.
You have Ransomware!!
2 senior managers got infected by ransomware. The attackers are now requesting 10 Bitcoin to release the machine.
100,000,000 Credit cards leaked!
Someone hacked the website and stole a lot of data; he is now selling it on the darknet.
Our website is overloaded
Nothing has happened yet, but the servers are starting to stress; soon they might cause delays.
People got to work and they cannot log in
It seems that something erased their employment records, which caused their user accounts to be disabled.
From Event to Crisis
Events
An event is any observable occurrence in a system or
network. Events are mostly generated automatically by
organizational systems and can be collected for further
inspection by different systems such as a security information
and event management system.
Examples:
• a user connecting to a file share
• a server receiving a request for a web page
• a user sending email
• firewall blocking a connection attempt
Notable Events / Correlation
A notable event is an event that carries an indicator that
something might be wrong (for example, a failed logon to a
system, a user lockout, etc.).
A correlation combines several events or notable
events. A correlation can create a "story" of events that
happened over time.
Example:
a user failed to log on 5 times, after which he successfully logged on
and downloaded 5,000 documents.
Security Alert
Some notable events / correlations might trigger an alert.
When an alert is triggered, it requires some active
measures to mitigate it (automatic or manual).
Example:
A virus has been identified on a machine.
Action: scan the PC for other viruses and collect data from the workstation
to identify the origin.
Incident
An incident is the escalation of a security alert when the alert is
repetitive, expanding, or the actions taken do not mitigate the issue.
An incident will mostly be handled manually by the security
operations center and other technical teams.
Example:
The website is flooded due to a DDoS attack, and several server
operations have been halted.
Cyber Crisis
Every organization has a different threshold and guidelines for
entering Crisis mode.
On most occasions, when the incident was not or could not be
confined, or when it involves assets deemed by the organization as
highly sensitive (e.g. personal information), a crisis shall be
announced.
Example:
It started with 2 machines with Ransomware, and now the entire company
is in lockdown – no one can work, support and operations have ceased.
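The escalation ladder described above (event, notable event / correlation, security alert, incident, cyber crisis) as an added Python example that is not part of the original deck: it runs a constructed event stream through each tier using the slides' own rules (5 failed logons followed by a successful logon and a bulk download; a repetitive or unmitigated alert becomes an incident; an unconfined incident or one touching highly sensitive assets becomes a crisis). The thresholds, event fields and sample data are constructed assumptions.

```python
"""Escalation ladder from the slides (event -> notable event / correlation ->
security alert -> incident -> cyber crisis), as an added example that is not
part of the original deck. Thresholds, event fields and the sample stream are
constructed assumptions for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Event:
    ts: int                      # constructed timestamp (seconds)
    kind: str                    # "logon", "download", "av_detect", "lockout"
    user: str
    host: str
    result: str = "ok"           # "ok" or "fail" (logons only)
    count: int = 0               # documents downloaded (downloads only)
    asset_tag: str = "standard"  # "standard" or "sensitive" (e.g. personal information)


FAILED_LOGON_THRESHOLD = 5      # assumption: the 5 failures of the slide's example
BULK_DOWNLOAD_THRESHOLD = 1000  # assumption: what counts as a bulk download
REPEAT_SUBJECT_THRESHOLD = 3    # assumption: same alert on 3+ subjects is "repetitive"


def notable_events(events: List[Event]) -> List[Event]:
    """Single events carrying an indicator that something might be wrong."""
    return [e for e in events
            if e.kind in ("av_detect", "lockout") or (e.kind == "logon" and e.result == "fail")]


def correlations(events: List[Event]) -> List[dict]:
    """The slide's story: N failed logons, a successful logon, then a bulk download, per user."""
    by_user: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_user.setdefault(e.user, []).append(e)
    stories = []
    for user, evs in by_user.items():
        fails, fails_before_logon = 0, 0
        for e in evs:
            if e.kind == "logon" and e.result == "fail":
                fails += 1
            elif e.kind == "logon":            # successful logon: remember the run of failures
                fails_before_logon, fails = fails, 0
            elif (e.kind == "download" and fails_before_logon >= FAILED_LOGON_THRESHOLD
                  and e.count >= BULK_DOWNLOAD_THRESHOLD):
                stories.append({"user": user, "failed_logons": fails_before_logon,
                                "documents": e.count, "asset": e.asset_tag})
                fails_before_logon = 0
    return stories


def alerts(events: List[Event]) -> List[dict]:
    """Notable events / correlations that require an active measure (the slide's 'Action')."""
    out = []
    for e in notable_events(events):
        if e.kind == "av_detect":
            out.append({"type": "malware", "subject": e.host, "asset": e.asset_tag,
                        "action": "scan the host for other malware and collect data to identify the origin"})
    for s in correlations(events):
        out.append({"type": "bulk_exfil", "subject": s["user"], "asset": s["asset"],
                    "action": "disable the account and review the downloaded documents"})
    return out


def incidents(alert_list: List[dict], mitigated: Dict[Tuple[str, str], bool]) -> List[dict]:
    """Escalate alerts of one type to an incident when they are repetitive
    (several subjects) or the action taken did not mitigate them."""
    by_type: Dict[str, List[dict]] = {}
    for a in alert_list:
        by_type.setdefault(a["type"], []).append(a)
    out = []
    for atype, group in by_type.items():
        subjects = sorted({a["subject"] for a in group})
        unresolved = [s for s in subjects if not mitigated.get((atype, s), False)]
        if len(subjects) >= REPEAT_SUBJECT_THRESHOLD or unresolved:
            out.append({"type": atype, "subjects": subjects, "contained": not unresolved,
                        "sensitive": any(a["asset"] == "sensitive" for a in group)})
    return out


def is_crisis(incident: dict) -> bool:
    """Slide rule: crisis when the incident was not confined or involves highly sensitive assets."""
    return (not incident["contained"]) or incident["sensitive"]


def triage(events: List[Event], mitigated: Dict[Tuple[str, str], bool]) -> dict:
    """Run the whole ladder and report what reached each tier."""
    al = alerts(events)
    inc = incidents(al, mitigated)
    return {"events": len(events), "notable": len(notable_events(events)),
            "correlations": len(correlations(events)), "alerts": len(al),
            "incidents": [i["type"] for i in inc],
            "crises": [i["type"] for i in inc if is_crisis(i)]}


# Constructed sample stream: a benign user, a brute-forced account that then bulk-downloads
# HR records, and the same virus found on three workstations.
SAMPLE_EVENTS = [Event(1, "logon", "alice", "ws-10"), Event(2, "download", "alice", "ws-10", count=3)]
SAMPLE_EVENTS += [Event(10 + i, "logon", "bob", "ws-01", result="fail") for i in range(5)]
SAMPLE_EVENTS += [Event(16, "logon", "bob", "ws-01"),
                  Event(17, "download", "bob", "ws-01", count=5000, asset_tag="sensitive")]
SAMPLE_EVENTS += [Event(20 + i, "av_detect", "svc", f"ws-0{i + 2}") for i in range(3)]
# Constructed outcome of the alert actions: the three AV cleanups worked, bob's account was not handled yet.
SAMPLE_MITIGATED = {("malware", "ws-02"): True, ("malware", "ws-03"): True, ("malware", "ws-04"): True}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS, SAMPLE_MITIGATED))
```

On the sample stream the three malware alerts become an incident that stays contained, while the single bulk download by the brute-forced account becomes an incident that reaches crisis level because it is both unmitigated and touches sensitive data.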
We’re at War!
Now What?
The Crisis Room
Crisis Leader
In the room: Forensics Team, Security Operations Center, Risk Management Lead, Security & IT Mitigation Team, Account Management, Legal Team, Public Relations, Human Resources
On Call / Periodical Check-in: Executive Management Representative, IT Leadership & Engineering
The Core Response Team

Crisis Management Leader (on most occasions the CISO)
Responsibility: Manage the crisis operations and take active decisions on the response team's activities and mitigations
Main Activities:
• Align resources, activities & mitigation plans
• Define if and when to notify the stakeholders
• Align cooperation from the different BUs

Crisis Technical Leader
Responsibility: Correlate and manage the technical teams and forensic operations
Main Activities:
• Collect and analyze data from all technical teams
• Decide on the technical mitigation approach
• Define which technical resources are needed

Security Operations Center
Responsibility: Keep eyes open for new issues / abnormalities
Main Activities:
• Identify new infections / alerts
• Monitor the organization for abnormalities
• Alert the forensics team if anything arises

Forensics Team
Responsibility: Investigate & define mitigation activities
Main Activities:
• Identify the source of the breach
• Assess what was stolen / breached
• Assess who (if possible) is responsible

CIO & IT Directors
Responsibility: Ensure IT resource allocation for the mitigation
Main Activities:
• Assign more IT resources if needed
• Enable critical changes to the IT infrastructure if and when needed

Risk Management Lead
Responsibility: Assess potential damages and identify critical assets
Main Activities:
• Identify if critical assets are targeted or abused
• Identify the potential damages to the company

Business Continuity & Disaster Recovery Lead
Responsibility: Assess potential damages to the business
Main Activities:
• Assess potential business operation damages
• Identify the consequences of mitigation activities
Extended Crisis Management Personnel

PR & Marketing Team
Responsibility: Manage customer interactions
Main Activities:
• Draft the PR
• Communicate with the customers if needed

Legal Team
Responsibility: Provide legal assistance
Main Activities:
• Manage interactions with law enforcement
• Advise on applicable laws & regulations
• Approve "invasive" activities

Human Resources
Responsibility: Internal employee engagement
Main Activities:
• Update employees on the activities
• Mitigate any employee concerns
• Approve forensic activities on employee machines

Executive Manager
Responsibility: Make the hardest decisions
Main Activities:
• Approve / deny mitigation activities with company-wide impact
• Define whether escalation to the board is required

Account Executives
Responsibility: Brief customers on the incident if needed
Main Activities:
• Approach customers and deliver assurance
• Convey the PR message to the customers

External Law Enforcement (optional, not used often)
Responsibility: Assist in forensics and investigation of the breach
Main Activities:
• Work with the forensics teams
• Leverage intelligence to identify the attacker
• Arrest and interrogate the attacker if known
Main Activities
• Create a war room
• Engage stakeholders
• Contain the breach
• Measure losses
• Learn a lesson
• Prepare for the next one
Preparing for Doomsday

Communications and facilities
Definition of all applicable contacts in case of emergency, the facilities to be utilized for the war room, alternative communication channels and ticket management solutions.

Incident analysis resources
A technical toolkit for forensics, a list of all applicable systems and their owners in case of need, and a business impact analysis for system takeover and takedown and for business processes.

Engagement procedures
Procedures depicting what to do in case of emergency, whom to contact and when.

The Football Policy
Doomsday is arriving: who will press the button, and what will it do? (take down a production system, cut off an entire office network, stop internet access)
thank you.

More Related Content

What's hot

Incident Response
Incident Response Incident Response
Incident Response InnoTech
 
Cybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial ServicesCybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial ServicesJohn Rapa
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessmentCAS
 
Mitigating Risk from Cyber Security Attacks
Mitigating Risk from Cyber Security AttacksMitigating Risk from Cyber Security Attacks
Mitigating Risk from Cyber Security AttacksTripwire
 
Improve Your Threat Intelligence Strategy With These Ideas
Improve Your Threat Intelligence Strategy With These IdeasImprove Your Threat Intelligence Strategy With These Ideas
Improve Your Threat Intelligence Strategy With These IdeasRecorded Future
 
Cyber Rangers S1 E2
Cyber Rangers S1 E2Cyber Rangers S1 E2
Cyber Rangers S1 E2JudyEvans8
 
7 Habits of Smart Threat Intelligence Analysts
7 Habits of Smart Threat Intelligence Analysts7 Habits of Smart Threat Intelligence Analysts
7 Habits of Smart Threat Intelligence AnalystsRecorded Future
 
Using automation to improve the effectiveness of security operations
Using automation to improve the effectiveness of security operationsUsing automation to improve the effectiveness of security operations
Using automation to improve the effectiveness of security operationsHuntsman Security
 
CISSP week 26
CISSP week 26CISSP week 26
CISSP week 26jemtallon
 
Cyber Security Awareness Month 2017-Nugget 6
Cyber Security Awareness Month 2017-Nugget 6Cyber Security Awareness Month 2017-Nugget 6
Cyber Security Awareness Month 2017-Nugget 6Chinatu Uzuegbu
 
Threat Intelligence Tweaks That'll Take Your Security to the Next Level
Threat Intelligence Tweaks That'll Take Your Security to the Next LevelThreat Intelligence Tweaks That'll Take Your Security to the Next Level
Threat Intelligence Tweaks That'll Take Your Security to the Next LevelRecorded Future
 
CISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security OperationsCISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security OperationsKarthikeyan Dhayalan
 
Slide Deck CISSP Class Session 2
Slide Deck CISSP Class Session 2Slide Deck CISSP Class Session 2
Slide Deck CISSP Class Session 2FRSecure
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations centerCMR WORLD TECH
 
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...Brian Andrzejewski
 

What's hot (20)

Insider threat kill chain
Insider threat   kill chainInsider threat   kill chain
Insider threat kill chain
 
Incident Response
Incident Response Incident Response
Incident Response
 
Cybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial ServicesCybersecurity Best Practices in Financial Services
Cybersecurity Best Practices in Financial Services
 
IT Security management and risk assessment
IT Security management and risk assessmentIT Security management and risk assessment
IT Security management and risk assessment
 
Mitigating Risk from Cyber Security Attacks
Mitigating Risk from Cyber Security AttacksMitigating Risk from Cyber Security Attacks
Mitigating Risk from Cyber Security Attacks
 
Improve Your Threat Intelligence Strategy With These Ideas
Improve Your Threat Intelligence Strategy With These IdeasImprove Your Threat Intelligence Strategy With These Ideas
Improve Your Threat Intelligence Strategy With These Ideas
 
Cyber Rangers S1 E2
Cyber Rangers S1 E2Cyber Rangers S1 E2
Cyber Rangers S1 E2
 
7 Habits of Smart Threat Intelligence Analysts
7 Habits of Smart Threat Intelligence Analysts7 Habits of Smart Threat Intelligence Analysts
7 Habits of Smart Threat Intelligence Analysts
 
SEC440: Incident Response Plan
SEC440: Incident Response PlanSEC440: Incident Response Plan
SEC440: Incident Response Plan
 
What to do when get hacked or suffer a cyber breach
What to do when get hacked or suffer a cyber breachWhat to do when get hacked or suffer a cyber breach
What to do when get hacked or suffer a cyber breach
 
Using automation to improve the effectiveness of security operations
Using automation to improve the effectiveness of security operationsUsing automation to improve the effectiveness of security operations
Using automation to improve the effectiveness of security operations
 
CISSP week 26
CISSP week 26CISSP week 26
CISSP week 26
 
Incident handling.final
Incident handling.finalIncident handling.final
Incident handling.final
 
Incident Response
Incident ResponseIncident Response
Incident Response
 
Cyber Security Awareness Month 2017-Nugget 6
Cyber Security Awareness Month 2017-Nugget 6Cyber Security Awareness Month 2017-Nugget 6
Cyber Security Awareness Month 2017-Nugget 6
 
Threat Intelligence Tweaks That'll Take Your Security to the Next Level
Threat Intelligence Tweaks That'll Take Your Security to the Next LevelThreat Intelligence Tweaks That'll Take Your Security to the Next Level
Threat Intelligence Tweaks That'll Take Your Security to the Next Level
 
CISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security OperationsCISSP Chapter 7 - Security Operations
CISSP Chapter 7 - Security Operations
 
Slide Deck CISSP Class Session 2
Slide Deck CISSP Class Session 2Slide Deck CISSP Class Session 2
Slide Deck CISSP Class Session 2
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations center
 
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...
Exercise Your SOC: How to run an effective SOC response simulation (BSidesCha...
 

Similar to Cybersecurity Crisis Management Introduction

LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptxLogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptxCNSHacking
 
Recover your files from Ransomware - Ransomware Incident Response by Tictac
Recover your files from Ransomware - Ransomware Incident Response by TictacRecover your files from Ransomware - Ransomware Incident Response by Tictac
Recover your files from Ransomware - Ransomware Incident Response by TictacTicTac Data Recovery
 
IT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John LadoIT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John LadoMark John Lado, MIT
 
Netwealth educational webinar: Peace of mind in a digital world
Netwealth educational webinar: Peace of mind in a digital worldNetwealth educational webinar: Peace of mind in a digital world
Netwealth educational webinar: Peace of mind in a digital worldnetwealthInvest
 
CNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsCNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsSam Bowne
 
What to Do After a Cyberattack: A Cybersecurity Incident Response Plan presen...
What to Do After a Cyberattack: A Cybersecurity Incident Response Plan presen...What to Do After a Cyberattack: A Cybersecurity Incident Response Plan presen...
What to Do After a Cyberattack: A Cybersecurity Incident Response Plan presen...Accellis Technology Group
 
Incident response methodology
Incident response methodologyIncident response methodology
Incident response methodologyPiyush Jain
 
Cyber security do your part be the resistance
Cyber security do your part be the resistanceCyber security do your part be the resistance
Cyber security do your part be the resistancePaul-Charife Allen
 
Corporate Data Secruity Best Practices and Legal Compliance (00969538xBF97D)
Corporate Data Secruity Best Practices and Legal Compliance (00969538xBF97D)Corporate Data Secruity Best Practices and Legal Compliance (00969538xBF97D)
Corporate Data Secruity Best Practices and Legal Compliance (00969538xBF97D)Paul C. Van Slyke
 
Cyber Security for the Small Business Experience
Cyber Security for the Small Business ExperienceCyber Security for the Small Business Experience
Cyber Security for the Small Business ExperienceNational Retail Federation
 
You Will Be Breached
You Will Be BreachedYou Will Be Breached
You Will Be BreachedMike Saunders
 
Incident Response in the age of Nation State Cyber Attacks
Incident Response in the age of Nation State Cyber AttacksIncident Response in the age of Nation State Cyber Attacks
Incident Response in the age of Nation State Cyber AttacksResilient Systems
 
Cyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeCyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeAaron White
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItResilient Systems
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)PECB
 
C-Suite Snacks Webinar Series : Under Attack - Preparing Your Company in the ...
C-Suite Snacks Webinar Series : Under Attack - Preparing Your Company in the ...C-Suite Snacks Webinar Series : Under Attack - Preparing Your Company in the ...
C-Suite Snacks Webinar Series : Under Attack - Preparing Your Company in the ...Citrin Cooperman
 
Your cyber security webinar
Your cyber security webinarYour cyber security webinar
Your cyber security webinarIntergen
 

Similar to Cybersecurity Crisis Management Introduction (20)

LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptxLogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
LogRhythm_-_Modern_Cyber_Threat_Pandemic.pptx
 
Recover your files from Ransomware - Ransomware Incident Response by Tictac
Recover your files from Ransomware - Ransomware Incident Response by TictacRecover your files from Ransomware - Ransomware Incident Response by Tictac
Recover your files from Ransomware - Ransomware Incident Response by Tictac
 
IT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John LadoIT Security and Management - Semi Finals by Mark John Lado
IT Security and Management - Semi Finals by Mark John Lado
 
Netwealth educational webinar: Peace of mind in a digital world
Netwealth educational webinar: Peace of mind in a digital worldNetwealth educational webinar: Peace of mind in a digital world
Netwealth educational webinar: Peace of mind in a digital world
 
CNIT 50: 9. NSM Operations
CNIT 50: 9. NSM OperationsCNIT 50: 9. NSM Operations
CNIT 50: 9. NSM Operations
 
What to Do After a Cyberattack: A Cybersecurity Incident Response Plan presen...
What to Do After a Cyberattack: A Cybersecurity Incident Response Plan presen...What to Do After a Cyberattack: A Cybersecurity Incident Response Plan presen...
What to Do After a Cyberattack: A Cybersecurity Incident Response Plan presen...
 
Incident response methodology
Incident response methodologyIncident response methodology
Incident response methodology
 
Cyber security do your part be the resistance
Cyber security do your part be the resistanceCyber security do your part be the resistance
Cyber security do your part be the resistance
 
File000119
File000119File000119
File000119
 
Corporate Data Secruity Best Practices and Legal Compliance (00969538xBF97D)
Corporate Data Secruity Best Practices and Legal Compliance (00969538xBF97D)Corporate Data Secruity Best Practices and Legal Compliance (00969538xBF97D)
Corporate Data Secruity Best Practices and Legal Compliance (00969538xBF97D)
 
Cyber Security for the Small Business Experience
Cyber Security for the Small Business ExperienceCyber Security for the Small Business Experience
Cyber Security for the Small Business Experience
 
You Will Be Breached
You Will Be BreachedYou Will Be Breached
You Will Be Breached
 
Incident Response in the age of Nation State Cyber Attacks
Incident Response in the age of Nation State Cyber AttacksIncident Response in the age of Nation State Cyber Attacks
Incident Response in the age of Nation State Cyber Attacks
 
Cyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeCyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat Landscape
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About It
 
The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)The Next Generation of Security Operations Centre (SOC)
The Next Generation of Security Operations Centre (SOC)
 
C-Suite Snacks Webinar Series : Under Attack - Preparing Your Company in the ...
C-Suite Snacks Webinar Series : Under Attack - Preparing Your Company in the ...C-Suite Snacks Webinar Series : Under Attack - Preparing Your Company in the ...
C-Suite Snacks Webinar Series : Under Attack - Preparing Your Company in the ...
 
Your cyber security webinar
Your cyber security webinarYour cyber security webinar
Your cyber security webinar
 
Incident response
Incident responseIncident response
Incident response
 
Irm 8-blackmail
Irm 8-blackmailIrm 8-blackmail
Irm 8-blackmail
 

Recently uploaded

A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dashnarutouzumaki53779
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterMydbops
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 

Recently uploaded (20)

A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Visualising and forecasting stocks using Dash
Visualising and forecasting stocks using DashVisualising and forecasting stocks using Dash
Visualising and forecasting stocks using Dash
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate AgentsRyan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
Ryan Mahoney - Will Artificial Intelligence Replace Real Estate Agents
 
Scale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL RouterScale your database traffic with Read & Write split using MySQL Router
Scale your database traffic with Read & Write split using MySQL Router
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 

Cybersecurity Crisis Management Introduction

  • 11. Security Alert
    Some notable events / correlations might trigger an alert. When an alert is triggered, it requires some active measures to mitigate (automatic or manual).
    Example: a virus has been identified on a machine.
    Action: scan the PC for other viruses and collect data from the workstation to identify the origin.
  • 12. Incident
    An incident is the escalation of a security alert when the alert is repetitive or expanding, or when the actions taken do not mitigate the issue. An incident will mostly be handled manually by the security operations center and other technical teams.
    Example: the website is flooded by a DDoS attack, and several server operations have been halted.
  • 13. Cyber Crisis
    Every organization has its own threshold and guidelines for entering crisis mode. On most occasions a crisis is declared when the incident was not, or could not be, contained, or when it involves assets the organization deems highly sensitive (e.g. personal information).
    Example: it started with 2 machines infected with ransomware, and now the entire company is in lockdown: no one can work, and support and operations have ceased.
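The ladder on slides 11 to 13 (alert, then incident when the alert repeats, spreads or resists mitigation, then crisis when it cannot be contained or touches highly sensitive assets) is the kind of rule a SOC can encode so that escalation does not depend on who is on shift. The Python below is an added example, not material from the deck or from hitit.co.il; the event field names, the type-to-rung mapping, the host-count thresholds and the sensitive-asset list are assumptions to be replaced with the organization's own values.

```python
"""Codifying the escalation ladder: event -> notable event -> security alert
-> incident -> crisis, run over constructed sample telemetry.

Added example, not from the deck. Everything below the rung names is an
assumption a SOC would tune: the event field names, which event types count as
notable or alert-worthy, the host-count thresholds and the sensitive-asset list.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# The rungs of the ladder, in the order the deck presents them.
EVENT, NOTABLE, ALERT, INCIDENT, CRISIS = "event", "notable", "alert", "incident", "crisis"

# Assumed mapping from normalised event types to rungs.
NOTABLE_TYPES = {"failed_logon", "account_lockout", "malware_detected"}
ALERT_TYPES = {"malware_detected"}           # notable events that demand an active response
INCIDENT_HOSTS = 3                           # same alert on this many hosts = "repetitive / expanding"
CRISIS_HOSTS = 10                            # past this the breach is treated as "not confined"
SENSITIVE_HOSTS = {"hr-records-01", "db-cards-01"}   # assets the organisation deems highly sensitive

# Constructed sample events, already normalised (e.g. by a SIEM). Field names are assumptions.
SAMPLE_EVENTS: List[dict] = [
    {"ts": 1, "host": "ws-101", "type": "file_share_connect", "user": "alice"},
    {"ts": 2, "host": "ws-101", "type": "failed_logon", "user": "alice"},
    {"ts": 3, "host": "ws-214", "type": "malware_detected", "family": "ransomware", "mitigated": True},
    {"ts": 4, "host": "ws-215", "type": "malware_detected", "family": "ransomware", "mitigated": True},
    {"ts": 5, "host": "ws-216", "type": "malware_detected", "family": "ransomware", "mitigated": False},
    {"ts": 6, "host": "hr-records-01", "type": "malware_detected", "family": "ransomware", "mitigated": False},
    {"ts": 7, "host": "ws-300", "type": "malware_detected", "family": "adware", "mitigated": True},
]


@dataclass
class Case:
    """One open security alert and what has been learned about it so far."""
    key: str
    hosts: Set[str] = field(default_factory=set)
    unmitigated: int = 0          # detections where the automatic action did not clean up
    sensitive_hit: bool = False   # a highly sensitive asset is involved
    level: str = ALERT


def classify_event(ev: dict) -> str:
    """Rung for a single record, before any correlation with earlier records."""
    if ev["type"] in ALERT_TYPES:
        return ALERT
    if ev["type"] in NOTABLE_TYPES:
        return NOTABLE
    return EVENT


def escalate(case: Case, incident_hosts: int, crisis_hosts: int) -> str:
    """Apply the deck's rules: repetitive/expanding or failed mitigation => incident;
    not confined or sensitive asset => crisis. A case never de-escalates."""
    level = ALERT
    if case.unmitigated or len(case.hosts) >= incident_hosts:
        level = INCIDENT
    if case.sensitive_hit or len(case.hosts) >= crisis_hosts:
        level = CRISIS
    order = [ALERT, INCIDENT, CRISIS]
    return level if order.index(level) >= order.index(case.level) else case.level


def triage(events, incident_hosts=INCIDENT_HOSTS, crisis_hosts=CRISIS_HOSTS,
           sensitive=SENSITIVE_HOSTS) -> Tuple[List[str], Dict[str, Case]]:
    """Walk the events in time order. Returns the rung assigned to each event and
    the open cases, keyed by alert type and malware family."""
    rungs: List[str] = []
    cases: Dict[str, Case] = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        rung = classify_event(ev)
        if rung == ALERT:
            key = f"{ev['type']}:{ev.get('family', 'unknown')}"
            case = cases.setdefault(key, Case(key))
            case.hosts.add(ev["host"])
            if not ev.get("mitigated", False):
                case.unmitigated += 1
            if ev["host"] in sensitive:
                case.sensitive_hit = True
            case.level = escalate(case, incident_hosts, crisis_hosts)
            rung = case.level   # the detection inherits the case's current rung
        rungs.append(rung)
    return rungs, cases


if __name__ == "__main__":
    rungs, cases = triage(SAMPLE_EVENTS)
    for ev, rung in zip(sorted(SAMPLE_EVENTS, key=lambda e: e["ts"]), rungs):
        print(f"ts={ev['ts']} {ev['host']:<14} {ev['type']:<20} -> {rung}")
    for case in cases.values():
        print(f"case {case.key}: level={case.level} hosts={len(case.hosts)} "
              f"unmitigated={case.unmitigated} sensitive={case.sensitive_hit}")
```

Running the module prints one line per event and one per case: the ransomware detections climb from alert to incident to crisis as hosts accumulate, a mitigation fails and the HR records server is hit, while the unrelated adware detection stays an alert because cases are keyed by alert type and family. The two thresholds and the sensitive-asset set are exactly where the deck's "every organization has a different threshold" lives.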
  • 15. The Crisis Room
    Crisis Leader
    Forensics Team
    Security Operations Center
    Risk Management Lead
    Security & IT Mitigation Team
    Account Management, Legal Team, Public Relations
    Human Resources
    On call / periodical check-in: Executive Management Representative, IT Leadership & Engineering
  • 16. The Core Response Team
    Crisis Management Leader (on most occasions the CISO)
      Responsibility: manage the crisis operations and take active decisions on the response team's activities and mitigations
      Main activities:
      • Align resources, activities & mitigation plans
      • Define if and when to notify the stakeholders
      • Align cooperation from different BUs
    Crisis Technical Leader
      Responsibility: correlate and manage the technical teams and forensic operations
      Main activities:
      • Collect and analyze data from all technical teams
      • Decide on the technical mitigation approach
      • Define which technical resources are needed
    Security Operations Center
      Responsibility: keep eyes open for new issues / abnormalities
      Main activities:
      • Identify new infections / alerts
      • Monitor the organization for abnormalities
      • Alert the forensics team if anything arises
    Forensics Team
      Responsibility: investigate & define mitigation activities
      Main activities:
      • Identify the source of the breach
      • Assess what was stolen / breached
      • Assess who (if possible) is responsible
    CIO & IT Directors
      Responsibility: ensure IT resource allocation for the mitigation
      Main activities:
      • Assign more IT resources if needed
      • Enable critical changes to IT infrastructure if and when needed
    Risk Management Lead
      Responsibility: assess potential damages and identify critical assets
      Main activities:
      • Identify if critical assets are targeted or abused
      • Identify the potential damages to the company
    Business Continuity & Disaster Recovery Lead
      Responsibility: assess potential damages to the business
      Main activities:
      • Assess potential business operation damages
      • Identify the consequences of mitigation activities
  • 17. Extended Crisis Management Personnel
    PR & Marketing Team
      Responsibility: manage customer interactions
      Main activities:
      • Draft the PR
      • Communicate with the customers if needed
    Legal Team
      Responsibility: provide legal assistance
      Main activities:
      • Manage interactions with law enforcement
      • Advise on applicable laws & regulations
      • Approve "invasive" activities
    Human Resources
      Responsibility: internal employee engagement
      Main activities:
      • Update employees on the activities
      • Mitigate any employee concern
      • Approve forensic activities on employee machines
    Executive Manager
      Responsibility: take the hardest decisions
      Main activities:
      • Approve / deny mitigation activities with company-wide impact
      • Define whether escalation to the board is required
    Account Executives
      Responsibility: brief customers on the incident if needed
      Main activities:
      • Approach customers and deliver assurance
      • Convey the PR message to the customer
    External Law Enforcement (optional, not used often)
      Responsibility: assist in forensics and investigation of the breach
      Main activities:
      • Work with the forensics teams
      • Leverage intelligence to identify the attacker
      • Arrest and interrogate the attacker if known
  • 18. Main Activities
    Create a war room
    Engage stakeholders
    Contain the breach
    Measure losses
    Learn a lesson
    Prepare for the next one
  • 20. Preparing for doomsday
    Communications and facilities: definition of all applicable contacts in case of emergency, facilities to be utilized for the war room, alternative communication channels and ticket management solutions.
    Incident analysis resources: technical toolkit for forensics, list of all applicable systems and their owners in case of need, business impact analysis for system takeover and takedown, and business processes.
    Engagement procedures: procedures describing what to do in case of emergency, whom to contact and when.
    The football policy: doomsday is arriving; who will click the button, and what will it do? (take down a production system, cut off an entire office network, stop internet access)