Cybersecurity Crisis Management Introduction
Incident Response
Cyber Security Incident Management
Naor Penso | www.hitit.co.il
AGENDA
• Introduction
• Cyberattack
• From event to incident
• We're at war! Now what?
• Preparing for doomsday
Introduction to cyber
1. The third industrial evolution
2. The chronicle of flaws
3. From nations to Bob
4. The risk / value equation
Why hack?
Just like in real life, not every case is considered a crisis, and not every case requires crisis management.
You have Ransomware!!
2 senior managers got infected by ransomware. The attackers are now requesting 10 Bitcoin to release the machine.
100,000,000 credit cards leaked!
Someone hacked the website and stole a lot of data; he is now selling it on the darknet.
Our website is overloaded
Nothing has happened yet, but the servers are starting to stress; soon they might cause delays.
People got to work and they cannot log in
It seems that something erased their employment records, which caused their users to be disabled.
From Event to Crisis
Events
An event is any observable occurrence in a system or network. Events are mostly generated automatically by organizational systems and can be collected for further inspection by other systems, such as a security information and event management (SIEM) system.
Examples:
• a user connecting to a file share
• a server receiving a request for a web page
• a user sending email
• a firewall blocking a connection attempt
Notable Events / Correlation
A notable event is an event that carries an indicator that something might be wrong (for example, a failed logon to a system, a user lockout, etc.).
A correlation is composed of several events or notable events. A correlation can create a “story” of events that happened over time.
Example:
a user failed to log on 5 times, after which he successfully logged on and downloaded 5,000 documents
Security Alert
Some notable events / correlations might trigger an alert. When an alert is triggered, it requires active measures to mitigate it (automatic or manual).
Example:
A virus has been identified on a machine.
Action: scan the PC for other viruses and collect data from the workstation to identify the origin.
Incident
An incident is the escalation of a security alert when the alert is repetitive or expanding, or when the actions taken do not mitigate the issue. An incident will mostly be handled manually by the security operations center and other technical teams.
Example:
The website is flooded due to a DDoS attack, and several server operations have been halted.
Cyber Crisis
Every organization has its own threshold and guidelines for entering crisis mode. On most occasions a crisis is declared when the incident was not, or could not be, contained, or when it involves assets the organization deems highly sensitive (e.g. personal information).
Example:
It started with 2 machines with ransomware, and now the entire company is in lockdown – no one can work, and support and operations have ceased.
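The ladder on the preceding slides (event → notable event → correlation → alert → incident → crisis) can be run as code over sample log lines. The Python program below is an added example and is not part of the deck: it flags notable events, correlates the "five failed logons, then a success, then a bulk download" story from the Notable Events slide into an alert, and escalates to an incident when the same alert expands across hosts, and to a crisis when the infection count passes the organization's threshold or a sensitive asset is involved, as the Cyber Crisis slide describes. The log format, the thresholds, the `hr-records` asset name and every sample log line are constructed for this example; real thresholds are set by each organization.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are assumptions for this example; every organization sets its own.
FAILED_LOGON_THRESHOLD = 5                   # failures before a later success is suspicious
FAILED_LOGON_WINDOW = timedelta(minutes=10)  # failures older than this are forgotten
BULK_DOWNLOAD_THRESHOLD = 1000               # documents in one download
INCIDENT_HOST_THRESHOLD = 2                  # same alert on this many hosts = expanding
CRISIS_HOST_THRESHOLD = 3                    # this many infected hosts = not contained
SENSITIVE_ASSETS = {"hr-records"}            # constructed name of a highly sensitive asset
NOTABLE_KINDS = {"logon_failed", "account_lockout", "malware_detected"}

# Constructed sample log, one event per line: "<iso-time> <kind> <subject> <detail>".
SAMPLE_LOG = """\
2024-01-10T09:00:01 logon_failed bob fileserver
2024-01-10T09:00:09 logon_failed bob fileserver
2024-01-10T09:00:17 logon_failed bob fileserver
2024-01-10T09:00:25 logon_failed bob fileserver
2024-01-10T09:00:33 logon_failed bob fileserver
2024-01-10T09:01:10 logon_success bob fileserver
2024-01-10T09:02:00 web_request - GET /index.html
2024-01-10T09:05:00 file_download bob hr-records:5000
2024-01-10T09:10:00 malware_detected host-17 ransomware
2024-01-10T09:12:00 malware_detected host-22 ransomware
2024-01-10T09:40:00 malware_detected host-31 ransomware
"""

@dataclass
class Event:
    ts: datetime
    kind: str
    subject: str   # the user or host the event is about
    detail: str

@dataclass
class Finding:
    level: str     # "alert", "incident" or "crisis"
    summary: str
    action: str

def parse_event(line: str) -> Event:
    ts, kind, subject, detail = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts), kind, subject, detail)

def is_notable(ev: Event) -> bool:
    """A notable event carries an indicator that something might be wrong."""
    return ev.kind in NOTABLE_KINDS

class EscalationEngine:
    def __init__(self):
        self.failed_logons = {}      # user -> timestamps of recent failed logons
        self.suspicious_users = set()
        self.infected_hosts = set()
        self.findings = []

    def ingest(self, ev: Event) -> None:
        if ev.kind == "logon_failed":
            recent = [t for t in self.failed_logons.get(ev.subject, [])
                      if ev.ts - t <= FAILED_LOGON_WINDOW]
            self.failed_logons[ev.subject] = recent + [ev.ts]
        elif ev.kind == "logon_success":
            # Correlation, step 1: repeated failures followed by a success.
            if len(self.failed_logons.pop(ev.subject, [])) >= FAILED_LOGON_THRESHOLD:
                self.suspicious_users.add(ev.subject)
        elif ev.kind == "file_download":
            source, count = ev.detail.split(":")
            # Correlation, step 2: that user then bulk-downloads; the whole story is the alert.
            if ev.subject in self.suspicious_users and int(count) >= BULK_DOWNLOAD_THRESHOLD:
                self._raise(f"{ev.subject}: repeated failed logons, then success, "
                            f"then {count} documents from {source}",
                            "disable the account, preserve logs, review what was accessed",
                            affected=1, sensitive=source in SENSITIVE_ASSETS)
        elif ev.kind == "malware_detected":
            self.infected_hosts.add(ev.subject)
            self._raise(f"{ev.detail} identified on {ev.subject} "
                        f"({len(self.infected_hosts)} hosts so far)",
                        "scan the machine for other malware; collect data to identify the origin",
                        affected=len(self.infected_hosts), sensitive=False)

    def _raise(self, summary: str, action: str, affected: int, sensitive: bool) -> None:
        # Place the new alert on the ladder at the highest rung whose rule applies.
        if affected >= CRISIS_HOST_THRESHOLD or sensitive:
            level = "crisis"       # not contained, or a highly sensitive asset is involved
        elif affected >= INCIDENT_HOST_THRESHOLD:
            level = "incident"     # the alert is expanding instead of being mitigated
        else:
            level = "alert"        # one notable event / correlation with a mitigation action
        self.findings.append(Finding(level, summary, action))

def run(log_text: str) -> EscalationEngine:
    engine = EscalationEngine()
    for line in log_text.splitlines():
        if line.strip():
            engine.ingest(parse_event(line))
    return engine

if __name__ == "__main__":
    for f in run(SAMPLE_LOG).findings:
        print(f"[{f.level.upper()}] {f.summary} -> action: {f.action}")
```

On the constructed log the bulk download from `hr-records` lands directly on the crisis rung because a sensitive asset is involved, while the three ransomware detections climb the ladder one rung at a time: alert on the first host, incident on the second (expanding), crisis on the third (past the containment threshold). The ordinary web request and the single successful logon are plain events and never become notable.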
We’re at War! Now What?
The Crisis Room
Crisis Leader at the center, with:
• Forensics Team
• Security Operations Center
• Risk Management Lead
• Security & IT Mitigation Team
• Account Management
• Legal Team
• Public Relations
• Human Resources
On Call / Periodical Check-in: Executive Management Representative, IT Leadership & Engineering
The Core Response Team

Crisis Management Leader (on most occasions the CISO)
Responsibility: manage the crisis operations and take active decisions on the response team's activities and mitigations
• Align resources, activities & mitigation plans
• Define if and when to notify the stakeholders
• Align cooperation from different BUs

Crisis Technical Leader
Responsibility: coordinate and manage the technical teams and forensic operations
• Collect and analyze data from all technical teams
• Decide on the technical mitigation approach
• Define which technical resources are needed

Security Operations Center
Responsibility: keep eyes open for new issues / abnormalities
• Identify new infections / alerts
• Monitor the organization for abnormalities
• Alert the forensics team if anything arises

Forensics Team
Responsibility: investigate & define mitigation activities
• Identify the source of the breach
• Assess what was stolen / breached
• Assess who (if possible) is responsible

CIO & IT Directors
Responsibility: ensure IT resource allocation for the mitigation
• Assign more IT resources if needed
• Enable critical changes to IT infrastructure if and when needed

Risk Management Lead
Responsibility: assess potential damages and identify critical assets
• Identify whether critical assets are targeted or abused
• Identify the potential damages to the company

Business Continuity & Disaster Recovery Lead
Responsibility: assess potential damages to the business
• Assess potential business operation damages
• Identify the consequences of mitigation activities
Extended Crisis Management Personnel

PR & Marketing Team
Responsibility: manage customer interactions
• Draft the PR
• Communicate with the customers if needed

Legal Team
Responsibility: provide legal assistance
• Manage interactions with law enforcement
• Advise on applicable laws & regulations
• Approve “invasive” activities

Human Resources
Responsibility: internal employee engagement
• Update employees on the activities
• Mitigate any employee concerns
• Approve forensic activities on employee machines

Executive Manager
Responsibility: take the hardest decisions
• Approve / deny mitigation activities with company-wide impact
• Define whether escalation to the board is required

Account Executives
Responsibility: brief customers on the incident if needed
• Approach customers and deliver assurance
• Convey the PR message to the customers

External Law Enforcement (optional, not used often)
Responsibility: assist in forensics and investigation of the breach
• Work with the forensics teams
• Leverage intelligence to identify the attacker
• Arrest and interrogate the attacker if known
Main Activities
• Create a war room
• Engage stakeholders
• Contain the breach
• Measure losses
• Learn a lesson
• Prepare for the next one
Preparing for Doomsday
Communications and facilities
Definition of all applicable contacts in case of emergency, the facilities to be used for the war room, alternative communication channels and ticket management solutions.
Incident analysis resources
A technical toolkit for forensics, a list of all applicable systems and their owners in case of need, and a business impact analysis covering system takeover and takedown and the affected business processes.
Engagement procedures
Procedures depicting what to do in case of emergency, whom to contact and when.
The Football Policy
Doomsday is arriving: who will press the button, and what will it do? (take down a production system, cut off an entire office network, stop internet access)
Thank you.

Cybersecurity Crisis Management Introduction

  • 1. Incident Response 1 Cyber Security Incident Management Naor Penso | www.hitit.co.il
  • 2. Incident Response 2 AGENDA • Introduction • Cyberattack • From event to incident • Were at war! nowwhat? • Preparing for doomsday
  • 3. Incident Response 3 2. The chronical of flaws1. The third industrialEvolution 4. The risk / value equation3. From nationsto bob Introduction to cyber
  • 5. Incident Response 5 Justlike in real-life,notevery caseis consideredacrisis, andnotevery caserequires crisis management
  • 6. Incident Response 6 You have Ransomware!! 2 seniormanagersgot infected byransomware, The attackersarenow requesting10 Bitcointoreleasethemachine 100,000,000 Credit cards leaked! Someonehackedthe websiteandstolea lotofdata,he isnow selling it onthe darknet
  • 7. Incident Response 7 Our website is overloaded Nothinghashappenedyet,butthe serversarestartingtostress,soontheymight causedelays People got to work and they cannot log-in It seems thatsomethingerased theiremployment recordswhichcaused theirusers tobedisabled
  • 9. Events. An event is any observable occurrence in a system or network. Events are mostly generated automatically by organizational systems and can be collected for further inspection by different systems such as a security information and event management system. Examples: • a user connecting to a file share • a server receiving a request for a web page • a user sending email • a firewall blocking a connection attempt
  • 10. Notable Events / Correlation. A notable event is an event that has an indicator that something might be wrong (for example, a failed logon to a system, a user lockout, etc.). A correlation is comprised of several events or notable events. Correlation can create a “story” of events which happened over time. Example: a user failed to log on 5 times, following which he successfully logged on and downloaded 5,000 documents.
  • 11. Security Alert. Some notable events / correlations might trigger an alert. When an alert is triggered, it requires some active measures to mitigate (automatic or manual). Example: A virus has been identified on a machine. Action: scan the PC for other viruses and collect data from the workstation to identify the origin.
  • 12. Incident. An incident is the escalation of a security alert in case the alert is repetitive, expanding, or the actions taken do not mitigate the issue. An incident will mostly be handled manually by the security operations center and other technical teams. Example: The website is flooded due to a DDoS attack, and several server operations have been halted.
  • 13. Cyber Crisis. Every organization has a different threshold and guidelines for initiating crisis mode. On most occasions, when the incident was not / could not be confined, or involves assets deemed by the organization as highly sensitive (e.g. personal information), a crisis shall be announced. Example: It started with 2 machines with ransomware, and now the entire company is in lockdown – no one can work, support and operations have ceased. (Escalation ladder shown on the slide: Events → Notable Event / Correlation → Security Alert → Incident → Cyber Crisis.)
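The ladder on slides 9 to 13 (event, notable event, correlation, alert, incident) is what a SIEM rule set does in practice, so here it is as detection logic. This Python script is an added example written for this page; it is not code from the deck or from its author. The event kinds, the thresholds (5 failed logons followed by 1,000 or more downloaded documents inside a 30-minute window), the convention that a download event's detail field carries a document count, and the sample events are all constructed assumptions for illustration; the correlation generalizes the slide's "5 failures, then success, then 5,000 documents" story to any user and any window.

```python
"""Toy event-to-incident pipeline: events -> notable events -> correlation -> alert -> incident.
Added example for the deck's escalation ladder; all event kinds, thresholds and
sample data below are constructed assumptions, not the author's or any product's rules."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    kind: str         # constructed kinds: fileshare_connect, logon_fail, logon_ok, download, lockout
    detail: str = ""  # for "download" events this carries the document count (assumed convention)


# Event kinds that carry an indicator that something might be wrong (slide 10).
NOTABLE_KINDS = {"logon_fail", "lockout"}


def notable_events(events):
    """Filter plain events down to notable ones."""
    return [e for e in events if e.kind in NOTABLE_KINDS]


def correlate_bruteforce_then_bulk_download(events, fail_threshold=5,
                                            window=timedelta(minutes=30),
                                            doc_threshold=1000):
    """Build the "story" from slide 10: at least `fail_threshold` failed logons for one
    user inside `window`, then a successful logon, then at least `doc_threshold`
    documents downloaded within `window` of that logon. Returns one finding per story."""
    findings = []
    per_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        per_user.setdefault(e.user, []).append(e)
    for user, evs in per_user.items():
        recent_fails = []
        for i, e in enumerate(evs):
            if e.kind == "logon_fail":
                # keep only failures still inside the window, then add this one
                recent_fails = [f for f in recent_fails if e.ts - f.ts <= window] + [e]
            elif e.kind == "logon_ok":
                recent_fails = [f for f in recent_fails if e.ts - f.ts <= window]
                if len(recent_fails) >= fail_threshold:
                    docs = sum(int(d.detail) for d in evs[i + 1:]
                               if d.kind == "download" and d.ts - e.ts <= window)
                    if docs >= doc_threshold:
                        findings.append({"user": user,
                                         "failed_logons": len(recent_fails),
                                         "documents": docs,
                                         "first_seen": recent_fails[0].ts,
                                         "logon": e.ts})
                recent_fails = []  # a successful logon closes the failure streak
    return findings


def escalate(events, previous_alerts_for_same_story=0):
    """Map a batch of events onto the deck's ladder: event, notable, alert or incident.
    An alert that repeats (seen before) or spreads across users is escalated to an
    incident, following slide 12's "repetitive or expanding" criterion."""
    findings = correlate_bruteforce_then_bulk_download(events)
    if not findings:
        return "notable" if notable_events(events) else "event"
    if previous_alerts_for_same_story > 0 or len({f["user"] for f in findings}) > 1:
        return "incident"
    return "alert"


# Constructed sample batch: bob fails five times, logs on, then pulls 5,000 documents;
# alice only touches a file share and has a single failed logon.
SAMPLE_T0 = datetime(2024, 1, 15, 8, 0)
SAMPLE_EVENTS = [
    Event(SAMPLE_T0, "alice", "fileshare_connect", "\\\\files\\hr"),
    *[Event(SAMPLE_T0 + timedelta(minutes=m), "bob", "logon_fail") for m in range(1, 6)],
    Event(SAMPLE_T0 + timedelta(minutes=6), "bob", "logon_ok"),
    Event(SAMPLE_T0 + timedelta(minutes=10), "bob", "download", "5000"),
    Event(SAMPLE_T0 + timedelta(minutes=12), "alice", "logon_fail"),
]

if __name__ == "__main__":
    for f in correlate_bruteforce_then_bulk_download(SAMPLE_EVENTS):
        print("correlation:", f)
    print("level:", escalate(SAMPLE_EVENTS))
```

The thresholds are parameters on purpose: the deck's point is that each organization picks its own threshold for each rung, and a real SIEM rule would tune them per environment rather than hard-code the slide's numbers.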
  • 15. The Crisis Room: Crisis Leader; Security Operations Center; Forensics Team; Risk Management Lead; Security & IT Mitigation Team; Account Management; Legal Team; Public Relations; Human Resources. On Call / Periodical Check-in: Executive Management Representative, IT Leadership & Engineering.
  • 16. The Core Response Team (Personnel Title / Team Name | Responsibility | Main Activities):
      Crisis Management Leader (on most occasions the CISO) | Manage the crisis operations and take active decisions on the response team activities and mitigations | • Align resources, activities & mitigation plans • Define if and when to notify the stakeholders • Align cooperation from different BUs
      Crisis Technical Leader | Correlate and manage the technical teams and forensic operations | • Collect and analyze data from all technical teams • Decide on the technical mitigation approach • Define which technical resources are needed
      Security Operations Center | Keep eyes open for new issues / abnormalities | • Identify new infections / alerts • Monitor the organization for abnormalities • Alert the forensics team if anything arises
      Forensics Team | Investigate & define mitigation activities | • Identify the source of the breach • Assess what was stolen / breached • Assess who (if possible) is responsible
      CIO & IT Directors | Ensure IT resource allocation for the mitigation | • Assign more IT resources if needed • Enable critical changes to IT infrastructure if and when needed
      Risk Management Lead | Assess potential damages and identify critical assets | • Identify if critical assets are targeted or abused • Identify the potential damages to the company
      Business Continuity & Disaster Recovery Lead | Assess potential damages to the business | • Assess potential business operation damages • Identify consequences of mitigation activities
  • 17. Extended Crisis Management Personnel (Personnel Title / Team Name | Responsibility | Main Activities):
      PR & Marketing Team | Manage customer interactions | • Draft the PR • Communicate with the customers if needed
      Legal Team | Provide legal assistance | • Manage interactions with law enforcement • Advise on applicable laws & regulations • Approve “invasive” activities
      Human Resources | Internal employee engagement | • Update employees on the activities • Mitigate any employee concern • Approve forensic activities on employee machines
      Executive Manager | Take the hardest decisions | • Approve / deny mitigation activities with company-wide impact • Define whether escalation to the board is required
      Account Executives | Brief customers on the incident if needed | • Approach customers and deliver assurance • Convey the PR message to the customer
      External Law Enforcement (optional, not used often) | Assist in forensics and investigation of the breach | • Work with the forensics teams • Leverage intelligence to identify the attacker • Arrest and interrogate the attacker if known
  • 18. Main Activities: Create a war room → Engage stakeholders → Contain the breach → Measure losses → Learn a lesson → Prepare for the next one.
  • 20. Communications and facilities: definition of all applicable contacts in case of emergency, facilities to be utilized for the war room, alternative communication channels and ticket management solutions.
      Incident analysis resources: technical toolkit for forensics, list of all applicable systems and owners in case of need, business impact analysis for system takeover and takedown and business processes.
      Engagement procedures: procedures depicting what to do in case of emergency, whom to contact and when.
      The football policy: doomsday is arriving, who will click the button and what will it do? (take down a production system, cut off an entire office network, stop internet access)