Incident Preparedness and Response
Cybersecurity Bootcamp | Module 7
Vertical Institute
© 2022 Vertical Institute
Class Pointers
● Please switch on your webcams! Communication is 70% body language.
● This is not a webinar. This is an interactive, hands-on training workshop, where everyone participates!
● Keep your mic constantly muted (to prevent background noise).
● Unmute your mic to speak up and ask questions.
● Always clarify your doubts. Don’t be shy!
● Feel free to ask any questions. This is a safe zone for everyone, no matter your starting level.
Class Pointers
● Use the ‘Raise Hand’ or ‘Thumbs Up’ function!
Agenda
● Tutorial:
○ Incident preparedness and response
○ Preparation
○ Detection and analysis
○ Containment and eradication
○ Post-incident recovery
○ Cyber-Security career tracks
● Activity:
○ Develop an incident response plan for a recent security incident in Singapore
○ Capstone project discussion
Why prepare for incidents?
Natural disasters
A natural disaster is the negative impact that follows the actual occurrence of a natural hazard when it significantly harms a community.
Responding to disasters
Fire outbreak:
• Firefighters with regular training
• Understand the different types of fire
• Understand the use of different resources to put out the fire
What Japan’s Disaster-Proofing Strategies Can Teach the World
Architects and engineers are pushing the boundaries of technology and design to reduce damage. Factors that set the country’s disaster-proofing industry apart include its kenchikushi — licensed architect-engineers who can be held liable for building defects for a period of 10 years — and its legislative framework. “By gradually amending building laws in response to successive earthquakes and socioeconomic and demographic changes,” a 2018 World Bank report noted, Japan has created a built environment “that is among the safest and most disaster resilient in the world.”
https://www.bloomberg.com/news/features/2021-01-13/japan-earthquakes-typhoons-disaster-proofing-lessons-for-the-world
How you respond to cyber-attacks matters
Cyber-Attack Impact
https://cybersecurityventures.com/60-percent-of-small-companies-close-within-6-months-of-being-hacked/
Cybersecurity & SMEs: Small businesses are the big victims
Almost 40 percent of cyberattacks in Singapore target small and medium enterprises (SMEs), according to the Cyber Security Agency of Singapore (CSA). Phishing attempts and ransomware were the most common methods used. According to the Singapore Cyber Landscape 2017 publication, some 2,040 website defacements were detected in Singapore. The majority of them were websites of SMEs with businesses ranging from interior design to manufacturing.
https://www.iss.nus.edu.sg/community/newsroom/news-detail/2020/04/03/cybersecurity-smes-small-businesses-are-the-big-victims
Cybersecurity & SMEs: Small businesses are the big victims
In a survey conducted by insurance specialist QBE, 491 SMEs across various industries in Singapore were polled. It was found that although 90 percent of respondents admitted to being aware of potential cyber risks, one in four still had no internal processes or policies to protect themselves. For smaller-sized SMEs, the figure hits one third.
https://www.iss.nus.edu.sg/community/newsroom/news-detail/2020/04/03/cybersecurity-smes-small-businesses-are-the-big-victims
Finance startup hacked
https://www.livemint.com/companies/news/ipobound-pine-labs-to-probe-source-of-ransomware-attack-11629294362325.html
Cybersecurity is critical in banking
• Prevent financial losses
• Protect customer data
• Preserve the bank’s reputation
• Prevent penalties
It is said that if you know your enemies and know yourself, you will not be
imperiled in a hundred battles; if you do not know your enemies but do
know yourself, you will win one and lose one; if you do not know your
enemies nor yourself, you will be imperiled in every single battle. – Sun Tzu
Assumed breach
https://www.straitstimes.com/tech/tech-news/singapore-to-work-with-estonia-on-cyber-security-helping-firms-to-go-digital
How to respond to cyber-attacks?
Incident Preparedness and Response in a financial-services organisation
Preparation → Detection and analysis → Containment and eradication → Post-incident recovery
Preparation
• Codify security policies for the incident response plan
• Assess risk and prioritise security issues
• Identify your most sensitive assets and the potential critical security incidents that the team should focus on
• Select team members for the Cyber Incident Response Team
• Deliverables
• Communication plan
• Documentation
• Define roles, responsibilities and processes
Successful incident response plan
• Management support
• Consistent testing
• Communication channels
• Stakeholders' involvement
• Keep the plan simple
Successful incident response plan
• Not only about Information Technology
• Involves business owners, investors, customers, employees, government and more
Regulatory requirements for Financial Services organisations in Singapore
• https://www.mas.gov.sg/regulation/forms-and-templates/instructions-on-incident-notification-and-reporting-to-mas
• MAS requires an incident report to be submitted to MAS within 14 days, or such longer period as MAS may allow, from the discovery of the reportable incident.
Defining an incident
• Is it an IT security incident?
• What type of IT security incident is it?
• Does it include power shutdown?
• What is its impact?
Designated team members, roles and responsibilities
• Who will own and manage this incident?
• Who is involved and what are their responsibilities?
• Is public communication needed if the press calls?
Cyber Incident Response Team (CIRT)
• The team is responsible for responding to cyber breaches, attacks and other critical incidents that an enterprise will face.
• It includes technical specialists who can respond to cyber threats, but also experts in communication with internal and external stakeholders.
Examples of incident response plan
40 pages: https://www.fipco.com/solutions/it-audit-security/cyber-security-resources-links/Template_Incident_Response_Plan.pdf
15 pages: https://www.michigan.gov/-/media/Project/Websites/msp/cjic/pdfs6/Example_Incident_Response_Policy.pdf?rev=4bf335b6d1344226a92a0947bc8688ec
Detection and analysis
If you cannot detect, you cannot prevent.
Detection and analysis
• For example, if you download a malicious file onto your computer but your anti-virus is out of date and unable to scan the file for malicious code, then you cannot move to the next stage of incident response.
• In real life, if you are unable to detect a fire in a part of a building, then you cannot respond in time to the incident.
• Likewise, if you are not able to tell a scammer from a real caller, you are unable to detect the threat and move forward with incident response management.
Detection and analysis
• Detect deviation from normal operations
• Investigate the deviation to confirm a security incident
• Speed of detection is critical
Example: If a malicious user enters a bank dressed up as an IT Technician, and the security team does not question the user, it is a failure of detection.
Detection and analysis
The earlier you can detect, the earlier you can respond. The earlier you can respond, the less potential damage to your organization and systems.
Detection and analysis
Malicious user piggybacks into the building → follows a user into a level → goes into the data center dressed as an IT Technician → downloads data from the data center → exits the building
IT system detects and notifies the security team of data exfiltration: detect early and no information is exposed; detect late and the information is gone.
Detection and analysis
• Analysis
  • Check computer logs
  • Check access paths
  • Check for indicators of attack
  • Check for indicators of compromise
• Example:
  • If a malicious user enters a bank dressed up as an IT Technician, and the security team does not question the user, it is a failure of detection
  • Security team goes up to the IT Technician to verify his identity
What are IoAs and IoCs?
• Indicators of attack (IoA)
  • Someone trying to break through the door
  • Someone trying to tailgate into a restricted area
  • Scanning a computer network for vulnerabilities
  • Making multiple attempts to log in to an account
• Indicators of compromise (IoC)
  • A user who typically logs in from Singapore now logs in from other parts of the world
  • A user’s browser has changed from Firefox to null
  • A computer system communicating with unusual systems on the Internet
How well tuned are your security tools?
• Turning on a firewall and fine-tuning it to specific applications makes a drastic difference in the ability to detect
• Are you getting too many alerts a day with plenty of false positives?
  • False positives: false leads, incorrectly identified threats
  • A user who forgot his/her password and is logging in from overseas while on vacation may look the same as a hacker trying to brute-force the login page with the user’s credentials
  • How do you differentiate?
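Added example for the IoA/IoC slide and the alert-tuning question above (not from the slides or from Vertical Institute): a small Python analyser that runs the listed checks over constructed authentication log lines and shows how a travel notice recorded in the user baseline separates the vacation login from a real indicator. The log format, user names, baseline profiles and failed-login threshold are assumptions made for the example.

```python
"""Classify constructed authentication log lines into IoA / IoC findings.

Added example for the IoA/IoC and alert-tuning slides; not from the slides.
The log format, user names, baseline profiles and the failed-login threshold
are assumptions made for the example.
"""
from collections import defaultdict

# Constructed log lines: timestamp, user, source country, browser, result
AUTH_LOG = """\
2022-03-01T08:00:01Z alice SG Firefox SUCCESS
2022-03-01T08:05:12Z bob SG Chrome FAILURE
2022-03-01T08:05:14Z bob SG Chrome FAILURE
2022-03-01T08:05:15Z bob SG Chrome FAILURE
2022-03-01T08:05:17Z bob SG Chrome FAILURE
2022-03-01T08:05:19Z bob SG Chrome FAILURE
2022-03-01T08:05:21Z bob SG Chrome FAILURE
2022-03-01T09:10:00Z alice US Firefox SUCCESS
2022-03-01T09:12:00Z carol SG null SUCCESS
2022-03-01T09:30:00Z dave FR Firefox SUCCESS
"""

# Baseline gathered during the Preparation phase (constructed): where each user
# normally logs in from, which browser they use, and any countries covered by an
# approved travel notice. The travel notice is the context that turns an
# "overseas login" from an IoC into a benign event instead of a false positive.
BASELINE = {
    "alice": {"home": "SG", "browser": "Firefox", "travel_notice": {"US"}},
    "bob":   {"home": "SG", "browser": "Chrome",  "travel_notice": set()},
    "carol": {"home": "SG", "browser": "Firefox", "travel_notice": set()},
    "dave":  {"home": "SG", "browser": "Firefox", "travel_notice": set()},
}

# Failed logins per user before we raise an IoA (assumed tuning value)
FAILED_LOGIN_THRESHOLD = 5


def parse_line(line):
    """Split one constructed log line into a dict of named fields."""
    ts, user, country, browser, result = line.split()
    return {"ts": ts, "user": user, "country": country,
            "browser": browser, "result": result}


def analyse(log_text, baseline, threshold=FAILED_LOGIN_THRESHOLD):
    """Return (findings, suppressed).

    findings  : list of (kind, user, reason) where kind is "IoA" or "IoC"
    suppressed: list of (user, reason) for deviations explained by the baseline
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings, suppressed = [], []
    failures = defaultdict(int)

    for e in events:
        user, profile = e["user"], baseline.get(e["user"])

        # IoA: repeated failed logins, raised once when the threshold is hit.
        # Failures count regardless of travel notice: a forgotten password and a
        # brute-force attempt look identical until the user proves who they are.
        if e["result"] == "FAILURE":
            failures[user] += 1
            if failures[user] == threshold:
                findings.append(("IoA", user,
                                 f"{threshold} failed logins (possible brute force)"))
            continue

        # Successful logins are compared with the user's baseline (IoC checks)
        if profile is None:
            findings.append(("IoC", user, "successful login for user with no baseline"))
            continue
        if e["country"] != profile["home"]:
            if e["country"] in profile["travel_notice"]:
                suppressed.append((user, f"login from {e['country']} covered by travel notice"))
            else:
                findings.append(("IoC", user,
                                 f"login from {e['country']}, normally {profile['home']}"))
        if e["browser"] != profile["browser"]:
            findings.append(("IoC", user,
                             f"browser changed from {profile['browser']} to {e['browser']}"))
    return findings, suppressed


if __name__ == "__main__":
    found, skipped = analyse(AUTH_LOG, BASELINE)
    for kind, user, reason in found:
        print(f"{kind:3} {user:6} {reason}")
    for user, reason in skipped:
        print(f"ok  {user:6} {reason}")
```

On the sample log this raises one IoA (bob's repeated failures) and two IoCs (carol's browser changing to null, dave's login from an unexpected country) while alice's US login is suppressed because her baseline carries a travel notice.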
Alert Fatigue
Here’s what happens: Frequent alerts about cybersecurity threats can lead to so-called “alert fatigue” which numbs the staff to cyber alerts, resulting in longer response times or missed alerts. The fatigue, in turn, can create burnout in IT departments, which then results in more turnover among the staff. When replacement personnel are hired, the cycle begins again.
https://www.forbes.com/sites/edwardsegal/2021/11/08/alert-fatigue-can-lead-to-missed-cyber-threats-and-staff-retentionrecruitment-issues-study/?sh=1dd7df4a35c9
Automation and streamlining
• Let machines run the low-level work with automation
• Fine-tune the alert systems regularly
• Let humans focus on the prioritised security work
Containment and eradication
• Prevent further damage
  • Fire breaks out early: it can be stopped with water
  • Fire continues to burn more parts of the building: it requires multiple fire trucks and firefighters to put it out
Containment and eradication
• Quick-fix solution
  • Isolate the computer system that is under attack
  • Divert traffic to backup systems
• Long-term solution
  • Update the computer system
  • Figure out the attack method and the defence mechanism
  • What is the root cause?
  • What is the long-term fix?
Post-incident recovery
• Affected systems are brought back online
• Recovery point objective (RPO)
  • Maximum acceptable amount of data loss after an incident
• Recovery time objective (RTO)
  • Maximum length of time to restore normal operations
• Real-life scenario:
  • A fire has been contained in a building; how can we restore the affected parts of the building?
  • A system has been hacked; what can we do to restore the service?
Post-incident recovery
• Recovery point objective
  • Maximum acceptable amount of data loss after an incident
  • The hacked system has been contained. What is our latest backup?
    • 7 days ago (7 days of data)
    • 14 days ago (14 days of data)
• Recovery time objective
  • Maximum length of time to restore normal operations
  • The hacked system has been contained. How long do we need to recover the system to its normal operations?
Lessons learnt
• How can we do better?
• How can we communicate better?
• Was there any process that needs to be updated?
• Are there new policies that we need to introduce?
• Can we shift to prevention instead of constantly responding to threats?
Security automation
• How can we automate our computer systems to respond to threats?
• Write code that takes in detection events and triggers incident response activities
  • A hacker is scanning our systems for services
    • Detected by firewall
    • Firewall sends alert to automation system
    • Automation system triggers firewall update to block hacker
  • A user is logged in from other parts of the world with a different keystroke pattern and a strange browser
    • Detected by system
    • System sends alert to automation system
    • Automation system sends a trigger to the login screen
    • Login screen triggers step-up authentication (multi-factor authentication)
    • User is challenged to provide additional details in order to successfully log in
    • Email is sent to the user informing them of a strange login
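Added example (not from the slides or from Vertical Institute): a Python sketch of the automation system described above, which takes the two kinds of detection event from the slide and triggers the corresponding response actions, and also shows two caveats a real deployment needs: never auto-blocking an allowlisted internal scanner, and escalating unknown event types to a human. Event field names, action names, the allowlist and the in-memory stand-ins for the firewall, login screen and mail system are assumptions made for the example.

```python
"""Route detection events to automated response actions.

Added example for the security automation slide; not from the slides or from
Vertical Institute. Event field names, action names, the allowlist and the
in-memory stand-ins for the firewall, login screen and mail system are
assumptions made for the example.
"""
from dataclasses import dataclass, field

# Constructed: source addresses that must never be auto-blocked, e.g. the
# organisation's own authorised vulnerability scanner.
ALLOWLIST = {"10.0.0.5"}


@dataclass
class Responder:
    """Automation system: holds playbooks and records the actions it would take.
    A real deployment would call the firewall API, the identity provider and the
    mail gateway where this example appends to lists."""
    firewall_blocks: list = field(default_factory=list)
    step_up_required: set = field(default_factory=set)
    emails: list = field(default_factory=list)
    handlers: dict = field(default_factory=dict)

    def register(self, event_type, handler):
        self.handlers[event_type] = handler

    def handle(self, event):
        """Route one detection event to its playbook. Unknown event types are
        escalated to an analyst rather than silently dropped."""
        handler = self.handlers.get(event.get("type"))
        if handler is None:
            return ["escalate_to_analyst"]
        return handler(self, event)


def on_port_scan(responder, event):
    """Slide scenario 1: firewall detected a scan -> block the source address."""
    src = event["src_ip"]
    if src in ALLOWLIST:
        return ["skipped_allowlisted"]
    if src in responder.firewall_blocks:
        return ["already_blocked"]        # keep the playbook idempotent
    responder.firewall_blocks.append(src)
    return ["firewall_block"]


def on_anomalous_login(responder, event):
    """Slide scenario 2: unusual location, keystroke pattern or browser ->
    force step-up (multi-factor) authentication and tell the user."""
    user = event["user"]
    responder.step_up_required.add(user)
    responder.emails.append(
        (user, f"Unusual login from {event['country']} using {event['browser']}"))
    return ["step_up_auth", "notify_user"]


def build_responder():
    r = Responder()
    r.register("port_scan", on_port_scan)
    r.register("anomalous_login", on_anomalous_login)
    return r


# Constructed detection events as the firewall / login system would send them
SAMPLE_EVENTS = [
    {"type": "port_scan", "src_ip": "203.0.113.7", "ports": [22, 80, 443]},
    {"type": "port_scan", "src_ip": "203.0.113.7", "ports": [8080]},
    {"type": "port_scan", "src_ip": "10.0.0.5", "ports": [22, 443]},
    {"type": "anomalous_login", "user": "alice", "country": "BR",
     "browser": "null", "keystroke_score": 0.2},
    {"type": "usb_inserted", "host": "ws-42"},
]


def run(events):
    """Feed events through a fresh responder; return it and the per-event actions."""
    r = build_responder()
    return r, [r.handle(e) for e in events]


if __name__ == "__main__":
    responder, actions = run(SAMPLE_EVENTS)
    for ev, act in zip(SAMPLE_EVENTS, actions):
        print(f"{ev['type']:16} -> {', '.join(act)}")
    print("blocked:", responder.firewall_blocks,
          "step-up:", sorted(responder.step_up_required))
```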
Security Orchestration, Automation and Response (SOAR)
A system in charge of bi-directional integration with other systems to respond to cyber incidents.
https://aws.amazon.com/blogs/publicsector/automate-security-orchestration-in-aws-security-hub-with-trend-micro-cloud-one/
Incident preparedness and response in financial-services organisation
Shift left security
Coding → Build → QA → Security → Production
Incident response meant working after changes are already implemented in production. Shifting left means we are introducing prevention rather than reaction.
Incident Response Checklist
https://www.csa.gov.sg/gosafeonline/-/media/Gso/Files/Resources/CSA-Incident-Response-Checklist.pdf
Security incident #1 – Blockchain Technology Company
Breach of Protection Obligation by InfoCorp
20 Jun 2019
A financial penalty of $6,000 was imposed on InfoCorp for failing to put in place reasonable security arrangements to protect the personal data of individuals. Personal data of some individuals participating in a registration exercise via InfoCorp’s website were disclosed to other participants in the course of the registration exercise.
https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---InfoCorp-Technologies-Pte-Ltd---200619.ashx?la=en
How would you respond to this incident?
How would you prepare for this incident in the future?
Security incident #2 – Finance Startup
Singapore unicorn Pine Labs allegedly hit by ransomware; bank clients may be impacted
https://www.livemint.com/companies/news/ipobound-pine-labs-to-probe-source-of-ransomware-attack-11629294362325.html
How would you respond to this incident?
How would you prepare for this incident in the future?
Tabletop Exercise
Stimulates discussion on response processes and procedures for a security incident that impacts the company.
Tabletop Exercise
Advantages
• Low cost
• Low-stress environment
• Builds long-term incident preparedness and response
Disadvantages
• Lacks realism
• Not operationally tested
Tabletop Exercise example - Ransomware
• Designed to help technical and administrative staff prepare for a ransomware attack, to understand their roles and actions as if there were a real event.
• Expected outcome
• Scenario:
  • A staff member working in finance called you to inform you that their entire department’s computers have been locked out. A red screen appears showing instructions to make payment in Bitcoin in order to unlock the computers within 72 hours.
  • Within minutes, you receive another 5 phone calls from the finance department regarding the same issue. There are millions of dollars of transactions stuck in the system now because all the computers are locked.
Tabletop Exercise example - Ransomware
• What are your first actions to contain or minimise the attack?
• What do you need to do to report the attack?
• Do you have an obligation to notify other parties of the attack?
• Once contained, what is your process to recover?
• How did the attack occur and how can you prevent it from happening again?
Tabletop Exercise example – Insider Threat
● Designed to help technical staff prepare for an insider threat, to understand their roles and actions as if there were a real event.
● Expected outcomes
● Scenario:
○ Your security monitoring system is highlighting that an IT contractor has accessed your finance systems without authorisation
Tabletop Exercise example – Insider Threat
• What are your first actions to contain or minimise the attack?
• What do you need to do to report the attack?
• Do you have an obligation to notify other parties of the attack?
• Once contained, what is your process to recover?
• How did the attack occur and how can you prevent it from happening again?
Tabletop Exercises Packages
https://www.cisa.gov/cisa-tabletop-exercises-packages
Threat Simulation
• Cyber-attacks hitting the production environment
• Measuring the incident response team’s efficiency and effectiveness in managing the cyber-attack
Incident Response Playbook
• Autonomous decision-making for people and teams
• Consistent culture for identification and management of cybersecurity incidents
• Standardised response process for cybersecurity incidents
Cybersecurity Operations Center
Incident Response Simulation
https://www.ibm.com/security/digital-assets/cybersecurity-ops/terminal/
Incident Response Simulation
• How did you feel during the simulation?
• Did you know what you should do during the incident?
• Did you know who the points of contact were for different types of incidents?
• Do the people around you know what to do during the incident?
Incident Response Simulation
If you were prepared, how would things turn out?
Blue Team vs Red Team
• Blue Team
  • Security controls
  • Hardening of computer systems
  • Responding to attacks
• Red Team
  • Offensive security
  • Penetration testing
  • Vulnerability analysis
Blue Team vs Red Team
• Blue Team members
  • Security strategy
  • Hardening techniques for different types of systems
  • Analysis skills for tracing hacks
  • Security detection knowledge
• Red Team members
  • Understand computer systems and protocols
  • Software development skills
  • Penetration testing and ethical hacking skills
  • Social engineering skills
Red/Blue team exercises
• Red team runs attacks against systems and infrastructure
• Simulates attackers’ latest techniques and tactics
• Blue team is not aware that these attacks are being planned
• Tests response efforts against the Red team
Purple Team
• Red + Blue team working in unison
• Understands both Red and Blue teams’ engagement models
• Provides improvement opportunities with two sets of data, from the offensive and the defensive side
Cybersecurity Insurance
There is growing reliance on data, technology and interconnectivity, with companies collecting, storing and processing massive amounts of data. Handling confidential personal or corporate data can expose you to various third-party liabilities and first-party costs and expenses.
• Liability settlement and defence costs
• Regulatory defence and penalties
• Breach response costs such as legal costs to comply with privacy regulations, credit monitoring, PR, notification costs where legally required
• Cyber extortion expenses and extortion monies
• Restoration costs of damaged digital assets
• Income loss, interruption expenses
https://www.tokiomarine.com/sg/en/non-life/products/business/liability/cyber-insurance.html
Do you think cybersecurity insurance is effective?
Cyber-Security career tracks
Cybersecurity Career Tracks
• Red team
  • Penetration testing
  • Vulnerability assessment
• Purple Team
  • Improve security posture
• Blue team
  • Security controls
  • Security monitoring
What is the future of cyber-security?
What is an IoA?
A. Indicator of Action
B. Indicator of Attack
C. Indicator of Activity
Answer: B. Indicator of Attack
What does RPO stand for?
A. Recovery Position Objective
B. Recovery Point Objective
C. Recovery Platform Objective
Answer: B. Recovery Point Objective
What is the blue team?
A. Defenders of an organization
B. Offensive team against an organization
C. Unifies defense and offense for an organization
Answer: A. Defenders of an organization
What is the 1st phase of Incident Response Management?
A. Preparation
B. Detection and analysis
C. Containment and eradication
D. Post-incident recovery
Answer: A. Preparation
Thank You!

Incident preprearedness - Cybersecurity Module 7.pdf

  • 1.
  • 2.
    Vertical Institute © 2022Vertical Institute Class Pointers ● Please switch on your webcams! Communication is 70% body language. ● This is not a webinar. This is an interactive, hands-on training workshop, where everyone participates! ● Keep your mic constantly muted (to prevent background noise) ● Unmute your mic to speak up and ask questions ● Always clarify your doubts. Don’t be shy! ● Feel free to ask any questions. This is a safe zone for everyone, no matter your starting level.
  • 3.
    Vertical Institute © 2022Vertical Institute Class Pointers ● Use the ‘Raise Hand’ or ‘Thumbs Up’ function! Step 1: Step 2:
  • 4.
    © 2022 VerticalInstitute Agenda ● Tutorial: ○ Incident preparedness and response ○ Preparation ○ Detection and analysis ○ Containment and eradication ○ Post-incident recovery ○ Cyber-Security career tracks ● Activity: ○ Develop an incident response plan for a recent security incident in Singapore ○ Capstone project discussion
  • 5.
  • 6.
    © 2022 VerticalInstitute Natural disasters Negative impact following an actual occurrence of natural hazard in the event that it significantly harms a community.
  • 7.
    © 2022 VerticalInstitute Responding to disasters Fire outbreak Firefighters with regularly training Understand the different types of fire Understand the use of different resources to put out the fire
  • 8.
    © 2022 VerticalInstitute What Japan’s Disaster-Proofing Strategies Can Teach the World Architects and engineers are pushing the boundaries of technology and design to reduce damage. Factors that set the country’s disaster-proofing industry apart include its kenchikushi — licensed architect-engineers who can be held liable for building defects for a period of 10 years — and its legislative framework. “By gradually amending building laws in response to successive earthquakes and socioeconomic and demographic changes,” a 2018 World Bank report noted, Japan has created a built environment “that is among the safest and most disaster resilient in the world.” https://www.bloomberg.com/news/feature s/2021-01-13/japan-earthquakes-typhoon s-disaster-proofing-lessons-for-the-world
  • 9.
    How you respondto cyber-attacks matter
  • 10.
    © 2022 VerticalInstitute Cyber-Attack Impact https://cybersecurityventures.com/60-perce nt-of-small-companies-close-within-6-mont hs-of-being-hacked/
  • 11.
    © 2022 VerticalInstitute Cybersecurity & SMEs: Small businesses are the big victims Almost 40 percent of cyberattacks in Singapore target small and medium enterprises (SMEs), according to the Cyber Security Agency of Singapore (CSA). Phishing attempts and ransomware were the most common methods used. According to the Singapore Cyber Landscape 2017 publication, some 2,040 website defacements were detected in Singapore. Majority of them were websites of SMEs with businesses ranging from interior design to manufacturing. https://www.iss.nus.edu.sg/community/newsroom/n ews-detail/2020/04/03/cybersecurity-smes-small-bu sinesses-are-the-big-victims
  • 12.
    © 2022 VerticalInstitute Cybersecurity & SMEs: Small businesses are the big victims In a survey conducted by Insurance specialist QBE, 491 SMEs across various industries in Singapore were polled. It was found that although 90 percent of respondents admitted to being aware of potential cyber risks, one in four still do not have any internal processes or policies to protect themselves. For smaller-sized SMEs, the figure hits one third. https://www.iss.nus.edu.sg/community/newsroom/n ews-detail/2020/04/03/cybersecurity-smes-small-bu sinesses-are-the-big-victims
  • 13.
    © 2022 VerticalInstitute Finance startup hacked https://www.livemint.com/companies/news/ipobound-pine-labs-to-probe-source-of-ransomware-attack-11629294362325.html
  • 14.
    © 2022 VerticalInstitute Cybersecurity is critical in banking Prevent financial losses Protect customer data Preserve bank’s reputation Prevent penalties
  • 15.
    © 2022 VerticalInstitute It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle. – Sun Tzu
  • 16.
    © 2022 VerticalInstitute Assumed breach https://www.straitstimes.com/tech/tech-news/singapore-to-work-with-est onia-on-cyber-security-helping-firms-to-go-digital
  • 17.
    How to respondto cyber-attacks?
  • 18.
    © 2022 VerticalInstitute Incident Preparedness and Response in financial-services organisation Preparation Detection and analysis Containment and eradication Post-incident recovery
  • 19.
    © 2022 VerticalInstitute Preparation • Codify security policies for incident response plan • Risk assessment and prioritise security issues • Identify your most sensitive assets and potential critical security incidents that the team should focus on • Team members for Cyber Incident Response Team • Deliverables • Communication plan • Documentation • Define roles, responsibilities and processes Preparation Detection and analysis Containment and eradication Post-incident recovery
  • 20.
    © 2022 VerticalInstitute Successful incident response plan • Management support • Consistent testing • Communication channels • Stakeholders' involvement • Keep the plan simple Preparation Detection and analysis Containment and eradication Post-incident recovery
  • 21.
    © 2022 VerticalInstitute Successful incident response plan • Not only about Information Technology • Involves business owners, investors, customers, employees, government and more Preparation Detection and analysis Containment and eradication Post-incident recovery
  • 22.
    © 2022 VerticalInstitute Regulatory requirements for Financial Services organisations in Singapore • https://www.mas.gov.sg/regulation/forms-and-templates/instructions-on-incident-n otification-and-reporting-to-mas • MAS requires an incident report to be submitted to MAS, within 14 days or such longer period as MAS may allow, from the discovery of the reportable incident. Preparation Detection and analysis Containment and eradication Post-incident recovery
  • 23.
    © 2022 VerticalInstitute Defining an incident • Is it an IT security incident? • What type of IT security incident is it? • Does it include power shutdown? • What is its impact? Preparation Detection and analysis Containment and eradication Post-incident recovery
  • 24.
    © 2022 VerticalInstitute Designated team members, roles and responsibilities • Who will own and manage this incident? • Who is involved and what are their responsibilities? • Is public communication needed if the press calls? Preparation Detection and analysis Containment and eradication Post-incident recovery
  • 25.
    © 2022 VerticalInstitute Cyber Incident Response Team (CIRT) • Team is responsible for responding to cyber breaches, attacks and other critical incidents that an enterprise will face. • Include technical specialists who can respond to cyber threats, but also experts in communication to internal and external stakeholders. Preparation Detection and analysis Containment and eradication Post-incident recovery
  • 26.
    © 2022 VerticalInstitute Examples of incident response plan 40 pages https://www.fipco.com/solutions/it-audit-security/cyber -security-resources-links/Template_Incident_Respon se_Plan.pdf 15 pages https://www.michigan.gov/-/media/Project/Websites/ msp/cjic/pdfs6/Example_Incident_Response_Policy.p df?rev=4bf335b6d1344226a92a0947bc8688ec
  • 27.
    © 2022 VerticalInstitute Detection and analysis If you cannot detect, you cannot prevent. Preparation Detection and analysis Containment and eradication Post-incident recovery
  • 28.
    © 2022 VerticalInstitute Detection and analysis • For example, if you downloaded a malicious file into your computer, however, your anti-virus is out of date and is unable to scan the file for malicious code. Then we are unable to move to the next stage of incident response. • In real life, if you are unable to detect a fire in a part of a building, then you cannot respond in time to the incident. • If you are not able to verify a scammer from a real caller, likewise, we are unable to detect the threat and move forward with incident response management. Preparation Detection and analysis Containment and eradication Post-incident recovery
  • 29.
Detection and analysis
• Detect deviations from normal operations
• Investigate each deviation to confirm whether it is a security incident
• Speed of detection is critical
• Example: if a malicious user enters a bank dressed as an IT technician and the security team does not question them, that is a failure of detection
Detection and analysis
The earlier you can detect, the earlier you can respond. The earlier you can respond, the less potential damage to your organisation and systems.
Detection and analysis: early versus late detection
Attack path, in order:
1. Malicious user piggybacks into the building
2. Malicious user follows an employee onto a floor
3. Malicious user enters the data center dressed as an IT technician
4. Malicious user downloads data from the data center
5. Malicious user exits the building
6. IT system detects the data exfiltration and notifies the security team
• Detect early (before step 4): no information is exposed
• Detect late (at step 6): the information is already gone
Detection and analysis: analysis
• Check computer logs
• Check access paths
• Check for indicators of attack (IoAs)
• Check for indicators of compromise (IoCs)
• Example: a malicious user enters a bank dressed as an IT technician. If the security team does not question the user, that is a failure of detection; if the security team goes up to the "technician" and verifies their identity, that is analysis confirming or dismissing the deviation.
What are IoAs and IoCs?
• Indicators of attack (an attack is being attempted):
○ Someone trying to break through a door
○ Someone trying to tailgate into a restricted area
○ Scanning the computer network for vulnerabilities
○ Multiple attempts to log in to an account
• Indicators of compromise (an attack has already succeeded):
○ A user who typically logs in from Singapore now logs in from other parts of the world
○ A user's browser has changed from Firefox to null
○ A computer system communicating with unusual systems on the Internet
How well tuned are your security tools?
• Merely turning on a firewall versus fine-tuning it to your specific applications makes a drastic difference in the ability to detect
• Are you getting too many alerts a day, with plenty of false positives?
• False positives: false leads, incorrectly identified threats
• A user who forgot their password and is logging in from overseas while on vacation looks very much like an attacker trying to brute-force the login page with that user's credentials
• How do you differentiate?
Alert fatigue
Here's what happens: frequent alerts about cybersecurity threats can lead to so-called "alert fatigue", which numbs the staff to cyber alerts, resulting in longer response times or missed alerts. The fatigue, in turn, can create burnout in IT departments, which then results in more turnover among the staff. When replacement personnel are hired, the cycle begins again.
Source: https://www.forbes.com/sites/edwardsegal/2021/11/08/alert-fatigue-can-lead-to-missed-cyber-threats-and-staff-retentionrecruitment-issues-study/?sh=1dd7df4a35c9
Automation and streamlining
• Let machines run the low-level work through automation
• Fine-tune the alerting systems regularly
• Let humans focus on the prioritised security work
Containment and eradication
• Goal: prevent further damage
• If a fire breaks out and is caught early, it can be put out with water
• If the fire continues to burn through more of the building, it takes multiple fire trucks and firefighters to put it out
Containment and eradication
• Short-term containment (the quick fix):
○ Isolate the computer system that is under attack
○ Divert traffic to backup systems
• Long-term eradication:
○ Update the computer system
○ Work out the attack method and the defence mechanism against it
○ What is the root cause?
○ What is the long-term fix?
Post-incident recovery
• Affected systems are brought back online
• Recovery point objective (RPO): the maximum acceptable amount of data loss after an incident
• Recovery time objective (RTO): the maximum length of time allowed to restore normal operations
• Real-life scenarios:
○ A fire has been contained in a building: how do we restore the affected parts of the building?
○ A system has been hacked: what can we do to restore the service?
Post-incident recovery
• Recovery point objective (RPO): the maximum acceptable amount of data loss after an incident
○ The hacked system has been contained. What is our latest usable backup?
○ Taken 7 days ago: 7 days of data lost
○ Taken 14 days ago: 14 days of data lost
• Recovery time objective (RTO): the maximum length of time allowed to restore normal operations
○ The hacked system has been contained. How long do we need to recover the system to normal operation?
Lessons learnt
• How can we do better?
• How can we communicate better?
• Is there any process that needs to be updated?
• Are there new policies that we need to introduce?
• Can we shift to prevention instead of constantly responding to threats?
Security automation
• How can we automate our computer systems to respond to threats?
• Write code that takes in detection events and triggers incident response activities
• Example 1: a hacker is scanning our systems for services
○ Detected by the firewall
○ Firewall sends an alert to the automation system
○ Automation system triggers a firewall update to block the hacker
• Example 2: a user is logged in from another part of the world with a different keystroke pattern and a strange browser
○ Detected by the system
○ System sends an alert to the automation system
○ Automation system sends a trigger to the login screen
○ Login screen triggers step-up authentication (multi-factor authentication)
○ User is challenged to provide additional details in order to log in successfully
○ Email is sent to the user informing them of the strange login
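Both automation examples above share one shape: a detection event comes in, a playbook maps it to actions. The Python below is an added illustration of that dispatcher (not code from the slides or from any product) with the two guard rails a practitioner adds before letting it run unattended: firewall blocks expire, so one attacker behind a shared address cannot get it blocked forever, and internal ranges such as your own vulnerability scanner can never be blocked, since that would turn a false positive into a self-inflicted outage. The Firewall class is an in-memory stand-in for a vendor API, and the events, ranges and thresholds are assumptions made for the example.

```python
import ipaddress

# Ranges the automation must never block (assumed for the example): the office
# network and the internal vulnerability scanners live here.
NEVER_BLOCK = (ipaddress.ip_network("10.0.0.0/8"),)

# Constructed detection events as the firewall and login system would send them.
SAMPLE_EVENTS = [
    {"type": "port_scan", "src_ip": "203.0.113.7"},
    {"type": "port_scan", "src_ip": "10.20.30.40"},   # our own scanner
    {"type": "anomalous_login", "user": "alice", "country": "US",
     "signals": ["new_country", "keystroke_mismatch", "unknown_browser"]},
    {"type": "anomalous_login", "user": "dave", "country": "SG",
     "signals": ["unknown_browser"]},                  # probably a new laptop
    {"type": "malware_beacon", "host": "ws-17"},       # no playbook written yet
]


class Firewall:
    """In-memory stand-in for the firewall management API."""

    def __init__(self):
        self.blocked = {}  # ip -> unix time at which the block expires

    def block(self, ip, now, ttl):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in NEVER_BLOCK):
            return False
        # A repeat offender extends the existing block; it never shortens it.
        self.blocked[ip] = max(self.blocked.get(ip, 0), now + ttl)
        return True

    def is_blocked(self, ip, now):
        expiry = self.blocked.get(ip)
        return expiry is not None and now < expiry


def handle_event(event, firewall, now, block_ttl=3600, step_up_signals=2):
    """Map one detection event to the actions the playbook prescribes."""
    actions = []
    kind = event["type"]
    if kind == "port_scan":
        src = event["src_ip"]
        if firewall.block(src, now, block_ttl):
            actions.append(f"firewall: block {src} for {block_ttl}s")
        else:
            actions.append(f"ticket: scan from internal address {src}, analyst to review")
    elif kind == "anomalous_login":
        user = event["user"]
        # A single weak signal only earns a notification; two or more force MFA.
        if len(event["signals"]) >= step_up_signals:
            actions.append(f"login: require step-up MFA for {user}")
        actions.append(f"email: notify {user} of login from {event['country']}")
    else:
        # Unknown event types are queued for a human rather than silently dropped.
        actions.append(f"ticket: no playbook for {kind}, analyst to review")
    return actions


def run_playbook(events, firewall, now):
    actions = []
    for event in events:
        actions.extend(handle_event(event, firewall, now))
    return actions


if __name__ == "__main__":
    fw = Firewall()
    for action in run_playbook(SAMPLE_EVENTS, fw, now=1_700_000_000):
        print(action)
```

The step-up threshold is the tuning point from the earlier slides: dave's single "unknown browser" signal gets an email, alice's three signals get an MFA challenge, and nobody gets locked out by automation alone.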
Security Orchestration, Automation and Response (SOAR)
A system that integrates bi-directionally with other security tools in order to respond to cyber incidents.
Example: https://aws.amazon.com/blogs/publicsector/automate-security-orchestration-in-aws-security-hub-with-trend-micro-cloud-one/
Incident preparedness and response in a financial-services organisation
Shift-left security
Pipeline: Coding → Build → QA → Security → Production
• Incident response has traditionally meant working after changes are already implemented in production
• Shifting left means moving security earlier in the pipeline, introducing prevention rather than reaction
Incident response checklist
https://www.csa.gov.sg/gosafeonline/-/media/Gso/Files/Resources/CSA-Incident-Response-Checklist.pdf
Security incident #1: blockchain technology company
Breach of Protection Obligation by InfoCorp, 20 Jun 2019
A financial penalty of $6,000 was imposed on InfoCorp for failing to put in place reasonable security arrangements to protect the personal data of individuals. Personal data of some individuals participating in a registration exercise via InfoCorp's website were disclosed to other participants in the course of the registration exercise.
Source: https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Commissions-Decisions/Grounds-of-Decision---InfoCorp-Technologies-Pte-Ltd---200619.ashx?la=en
How would you respond to this incident?
How would you prepare for this incident in the future?
Security incident #2: finance startup
Singapore unicorn Pine Labs allegedly hit by ransomware; bank clients may be impacted
Source: https://www.livemint.com/companies/news/ipobound-pine-labs-to-probe-source-of-ransomware-attack-11629294362325.html
How would you respond to this incident?
How would you prepare for this incident in the future?
Tabletop exercise
Stimulates discussion of the response processes and procedures for a security incident that impacts the company.
Tabletop exercise
Advantages:
• Low cost
• Low-stress environment
• Builds long-term incident preparedness and response capability
Disadvantages:
• Lacks realism
• Not operationally tested
Tabletop exercise example: ransomware
• Designed to help technical and administrative staff prepare for a ransomware attack, so that they understand their roles and actions as if there were a real event.
• Expected outcomes
• Scenario:
○ A staff member in finance calls you to report that their entire department's computers have been locked. A red screen shows instructions to pay in Bitcoin within 72 hours to unlock the computers.
○ Within minutes, you receive another five phone calls from the finance department about the same issue. Millions of dollars of transactions are now stuck in the system because all the computers are locked.
Tabletop exercise example: ransomware
• What are your first actions to contain or minimise the attack?
• What do you need to do to report the attack?
• Do you have an obligation to notify other parties of the attack?
• Once contained, what is your process to recover?
• How did the attack occur, and how can you prevent it from happening again?
Tabletop exercise example: insider threat
• Designed to help technical staff prepare for an insider threat, so that they understand their roles and actions as if there were a real event.
• Expected outcomes
• Scenario:
○ Your security monitoring system is highlighting that an IT contractor has accessed your finance systems without authorisation
Tabletop exercise example: insider threat
• What are your first actions to contain or minimise the attack?
• What do you need to do to report the attack?
• Do you have an obligation to notify other parties of the attack?
• Once contained, what is your process to recover?
• How did the attack occur, and how can you prevent it from happening again?
Tabletop exercise packages
https://www.cisa.gov/cisa-tabletop-exercises-packages
Threat simulation
• Simulated cyber-attacks run against the production environment
• Measures the incident response team's efficiency and effectiveness in managing the cyber-attack
Incident response playbook
• Enables autonomous decision-making by people and teams
• Builds a consistent culture for identifying and managing cybersecurity incidents
• Provides a standardised response process for cybersecurity incidents
Cybersecurity Operations Center
Incident response simulation
https://www.ibm.com/security/digital-assets/cybersecurity-ops/terminal/
Incident response simulation
• How did you feel during the simulation?
• Did you know what you should do during the incident?
• Did you know who the points of contact were for the different types of incident?
• Do the people around you know what to do during an incident?
Incident response simulation
If you had been prepared, how would things have turned out?
Blue team vs red team
• Blue team:
○ Security controls
○ Hardening of computer systems
○ Responding to attacks
• Red team:
○ Offensive security
○ Penetration testing
○ Vulnerability analysis
Blue team vs red team
• Blue team members need:
○ Security strategy
○ Hardening techniques for different types of systems
○ Analysis skills for tracing hacks
○ Security detection knowledge
• Red team members need:
○ An understanding of computer systems and protocols
○ Software development skills
○ Penetration testing and ethical hacking skills
○ Social engineering skills
Red/blue team exercises
• The red team runs attacks against systems and infrastructure
• The attacks simulate attackers' latest techniques and tactics
• The blue team is not told that these attacks are planned
• Tests the blue team's response efforts against the red team
Purple team
• Red and blue teams working in unison
• Understands both the red team's and the blue team's engagement model
• Provides improvement opportunities from two sets of data, offensive and defensive
Cybersecurity insurance
There is a growing reliance on data, technology and interconnectivity, with companies collecting, storing and processing massive amounts of data. Handling confidential personal or corporate data can expose you to various third-party liabilities and first-party costs and expenses:
• Liability settlement and defence costs
• Regulatory defence and penalties
• Breach response costs, such as legal costs to comply with privacy regulations, credit monitoring, PR, and notification costs where legally required
• Cyber extortion expenses and extortion monies
• Restoration costs for damaged digital assets
• Income loss and interruption expenses
Source: https://www.tokiomarine.com/sg/en/non-life/products/business/liability/cyber-insurance.html
Cybersecurity career tracks
• Red team: penetration testing, vulnerability assessment
• Purple team: improving security posture
• Blue team: security controls, security monitoring
What is the future of cyber-security?
What is an IoA?
A. Indicator of Action
B. Indicator of Attack
C. Indicator of Activity
Answer: B. Indicator of Attack
What does RPO stand for?
A. Recovery Position Objective
B. Recovery Point Objective
C. Recovery Platform Objective
Answer: B. Recovery Point Objective
What is the blue team?
A. Defenders of an organisation
B. Offensive team against an organisation
C. Unifies defence and offence for an organisation
Answer: A. Defenders of an organisation
What is the first phase of incident response management?
A. Preparation
B. Detection and analysis
C. Containment and eradication
D. Post-incident recovery
Answer: A. Preparation