The document provides a comprehensive guide on preparing for incident response, detailing the steps for improving organizational readiness, managing incidents, and post-incident evaluations. It emphasizes the importance of team roles, communication, containment strategies, and the use of incident severity models for effective response. Additionally, it highlights the need for ongoing training, documentation updates, and establishing solid relationships with external parties for support during incidents.

1. Incident Response:
How to Prepare
June 11, 2014

2. Intro
Process Fundamentals
Technical Fundamentals
AGENDA
Staying Evergreen
Leadership Challenges

3. • Ted Julian, CMO – Co3 Systems
• Sean Mason, Global Incident Response Leader - CSC
Introductions

4. AGILE WEB
DEVELOPER
Sean A. Mason @SeanAMason
SEC
ANALYST
SR. IT
AUDITOR
SW DEV
MANAGER
SUPPLY
CHAIN
DEVELOPER
IR
LEADER
INFO SEC
TEAM LEAD
PMP
CISA
CISSP
CISM
ISSMP
CSSLP
DIRECTOR
IR
’96-’00 ’01-’03 ’04-’06 ‘07 ’08-’10 ‘11 ’12-13 ’14-
BS MIS
McKendree University
Technical School
USAF
MBA
Webster University
NMDC & AIMC
GE Crotonville CCFP
EXEC IR
LEADER

5. END-TO-END IR: BEFORE, DURING, AND AFTER
Prepare
Improve Organizational
Readiness
• Appoint team members
• Fine tune response
SOPs
• Link in legacy
applications
• Run simulations (fire
drills, table tops)
Mitigate
Document Results
& Improve Performance
• Generate reports for
management, auditors,
and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical
performance
• Educate the organization
Assess
Identify and Evaluate Incidents
• Assign appropriate team
members
• Evaulate precursors and
indicators
• Track incidents, maintain
logbook
• Automatically prioritize
activities based on criticality
• Log evidence
• Generate assessment
Manage
Contain, Eradicate and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate
containment strategy
• Isolate and remediate cause
• Instruct evidence gathering
and handling

6. Recent incidents highlight
exposure to top brands

7. Leadership Challenges

8. • Credibility
LEADERSHIP
• Trust
• Rapport
• Consistency

9. Process Fundamentals

10. IR EVOLUTION
IR

11. END-TO-END IR: BEFORE, DURING, AND AFTER
•Movement
•Methods
•Accounts
•Actors
•Timelines
•Rebuild Host(s)
•Reset Password(s)
•Countermeasures
•Lessons Learned
•Contain Host(s)
•Reset Password(s)
•Acquire Evidence
• SIEM
• AV/HIPS
• Proxy
• ATD
• DLP
• Etc…
Detect
Contain &
Collect
AnalyzeRemediate
Intel

12. • Wiki or other Platform
• Flexibility
• Track Changes
• “Open” Access
DOCUMENTATION — “A plan doesn’t need to be a single document anymore.”

13. • Who is needed for wing-to-wing IR? (think outside security)
• Who is on-call and when? (consider Holidays)
• Pre-built DL’s for e-mails and info
• Think through basics:
• Phones, chat rooms, conference lines, and remote access
PEOPLE
Name Role Phone #
Ray Incident Coordinator 555-2368
Danny Incident Coordinator 555-0840
Kate Network Team 606-0842
Jenny AD Team 867-5309
Alicia CISO 489-4608
Mike Incident Response 330-281-8004
Emily CIO 212-664-7665
Philip Legal Counsel 818-775-3993
Ramona Public Relations 212-664-7665
Business Leaders?
Law Enforcement?
• Clear expectations for returning phone calls

14. • Who does what? (think outside security)
• Set expectations
• Helps define process
RACI

15. • Define an incident severity model- one common lexicon
INCIDENT SEVERITIES — “Not all incidents are created equal.”
Rating Impact Description
Breach 1 1 Intruder has exfiltrated sensitive data or is suspected of exfiltrating sensitive data based on volume, etc.
Breach 2 2 Intruder has exfiltrated nonsensitive data or data that will facilitate access to sensitive data
Breach 3 3 Intruder has established command and control channel from asset with ready access to sensitive data
Cat 1 4 Intruder has compromised asset with ready access to sensitive data
Cat 2 5 Intruder has compromised asset with access to sensitive data but requires privilege escalation
Cat 3 6 Intruder is attempting to exploit asset with access to sensitive data
Cat 6 7 Intruder is conducting reconnaissance against asset with access to sensitive data
Vuln 1 8 Intruder must apply little effort to compromise asset and exfiltrate sensitive data
Vuln 2 9 Intruder must apply moderate effort to compromise asset and exfiltrate sensitive data
Vuln 3 10 Intruder must apply substantial effort to compromise asset and exfiltrate sensitive data
Rating Description Response/Containment
Severity 0 Intruder has exfiltrated sensitive data or is currently inside network. DDOS that has impacted availability. Malware outbreak. 1 hour
Severity 1 Indicators show that an intruder is attempting to gain a foothold or has attained an initial foothold on the network. DDOS that
has the potential to impact availability. Malware causing disruption.
4 hours
Severity 2 Compromised machine (General Malware) 72 hours
• Simplified & Flexible
• Focus more on capability

16. Incident Severity Comm Rhythm Audience
Grave (KC7) Within 1hr – Conf. Call
2x Daily – Conf. Call
COB Daily – E-mail
• COO
• CSO
• CIO
• General Counsel
• Director of PR
• CISO
• Director of IR
• Chief Security Architect
Significant (KC6) Within 1hr – E-mail
COB Daily – E-mail
• CISO
• Director of IR
• Chief Security Architect
Benign (KC1-5) As needed or upon escalation • Director of IR
• Security Manager
• Communicate broadly, engage others
• Communication template, rhythm and formats
• Mobile technology and speed of information
INTERNAL COMMUNICATION — “Incidents are not an opportunity to compartmentalize information.”

17. Kill Chain Phase: If your org uses the KC, allows for a quick look at where the current incident is at.
Business(es) & Location(s) Impacted: If your org has different locations or business units, helps to narrow impact.
Summary: Executive level summary, no longer than a paragraph, on the current status.
Impact: Current actual business impact- exfil? Servers down?
Next Update: 06-11-2014 1600 EST
Incident Status: More details on what is currently happening during the incident.
Intelligence & Attribution Summary: If your org has an intelligence group, details would go here.
Host Status: Deeper details on affected accounts or hosts.
Action Items:
Note: Updated information is shaded in Green and completed actions are struck through.
Action Status Owner Est. Comp
Assemble Response Team Complete J. Smith 11 Jun 1200 EST
Review Network Architecture Diagrams Complete S. Johnson 11 Jun 1600 EST
Review Configuration Settings In Progress S. Johnson 13 Jun 1200 EST
Establish secure FTP site In Progress S. Johnson 13 Jun 1600 EST
Collect forensic evidence Pending R. White TBD
COMMUNICATIONS — “‘I don’t know’ is a valid answer, but qualify it with actions.”

18. • “Think Twitter” & the speed of information
• Have approved templates ready to go
• External, Internal, and Business Partners
• Test and ensure you can actually identify all parties
• Establish “easy-to-sign” NDA’s for use in the event of x-biz incidents
EXTERNAL COMMUNICATIONS

19. Poll
How long ago was your Incident Response plan
and related information updated?

20. Technical Fundamentals

21. • Who can access the compromised devices?
CONTAINMENT — “Containment is arguably the most critical decision in IR”
• When do you contain?
• Who makes the containment call?
• What method(s) will you use?
• How will you track down the devices?

22. • Where are the logs? Do you aggregate logs?
• Does the team have access to the compromised logs & devices?
• Preserve forensic evidence
• Who is properly trained to do the forensics? Do they have tools?
HOST & NETWORK FORENSIC ANALYSIS
Volatility

23. Poll
Do your Incident Responders have immediate
access to logs and devices?

24. Staying Evergreen

25. • Paper Test – Ensure all documentation,
templates, etc… are properly updated.
• Table Top Exercise – Verbally walking
through a number of different IR scenarios.
• Simulated Incident – A more invasive test
that leverages a Red Team to simulate an
attack (or utilize existing malware samples).
Allows for a more comprehensive test of the
IRT, to include forensic work.
• Blind Test – Similar to Simulation testing,
but leadership coordinates the attack
unbeknownst to the IRT.
RECURRING TESTING – “You shouldn’t be inventing process during a crisis.”

26. • Architecture
• People
• Attacks/TTPs
• Infrastructure
• Regulations (HIPAA, PCI-DSS, DFARS)
ENVIRONMENTAL CHANGES

27. • DURING the incident- carve out cycles
• Carve out a process ahead of time
• Dissect every step of the attack
• Learn from others/external incidents
POST INCIDENT REVIEW

28. • Leverage the team for other hot issues such as:
• Heartbleed
• Insider cases
• Counterfeit gear
• Software piracy
• Acquisition evaluations
• Etc…
OUTSIDE OF IR…

29. Poll
Does your organization test your entire Incident
Response plan on an ongoing basis?

30. • Ensure everything is auditable
FINAL THOUGHTS!
• Build-in a Contingency Budget
• Education ahead of time
• Establish a relationship with your local FBI office
• Think beyond IT- form allies in the business
• Don’t forget metrics
• Reward your Incident Responders after the battle

31. One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“We’re doing IR in one-tenth of the time.”
DIRECTOR OF SECURITY & RISK, USA FUNDS
“It’s the best purchase we ever made.”
CSO, F500 HEATHCARE PROVIDER
Sean Mason
Executive Incident Response Leader
smason33@csc.com
702-498-6615
@SeanAMason
www.csc.com/cybersecurity/IR
“One of the hottest products at RSA…”
NETWORK WORLD
“Co3 has done better than a home-run...it has
knocked one out of the park.”
SC MAGAZINE