Timothy Opsitnick and Eric Vanderburg of TCDI presented at the Risk Management Society's 2017 Northeast Ohio Regional Conference on Cybersecurity incident response strategies and tactics.

1. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Cybersecurity Incident Response
Strategies and Tactics
TIMOTHY OPSITNICK
EXECUTIVE VICE PRESIDENT & GENERAL COUNSEL
ERIC VANDERBURG
VICE PRESIDENT, CYBERSECURITY
RIMS 2017 Northeast Ohio Regional Conference
October 5, 2017

2. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
About Us
TCDI founded in 1988
Microsoft Certified Partner since 2003
Services include:
◦ Digital forensics
◦ Cybersecurity
◦ eDiscovery
Minority owned enterprise

3. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Over 40 certifications
Published author
Licensed private investigator
Expert witness and thought leader
18 years in cybersecurity
Specializations include:
Risk management
Governance and compliance
Security strategy
TIMOTHY OPSITNICK
EXECUTIVE VICE PRESIDENT AND
GENERAL COUNSEL
ERIC VANDERBURG
VICE PRESIDENT, CYBERSECURITY
E-Discovery special master
Expert witness
Advisory board member for the
Georgetown University Law
Center’s CLE and the American
College of e-Neutrals
Numerous publications and legal
education seminars
Member of the Sedona
Conference Working Group

4. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Introduction

5. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Impact of Cybersecurity Incidents
Loss of Valuable Information
Direct Financial Loss
Unfavorable Media Exposure/Damage to Reputation
Outages and Disruption
Data breach
Notification
Lawsuits

6. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Statistics
◦ 87% responded to at least one incident in the past year
◦ 20% responded to at least 100 incidents
◦ 68% identified malware as the root cause of incidents
◦ 50% reported employee personal information (ex. SSN)
was prioritized
*The Show Must Go On! The 2017 SANS Incident Response Survey
87% reported
incidents
identified
malware
as cause
◦ 82% reported that remediation activities
took place within one month of containment
◦ 33% take place within 24 hours68%

7. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Pre Response Planning
Identify data types and locations
Identify legal obligations
◦Regulatory
◦Contractual
Create and implement security policies
◦Incident Response Plan
◦Other Policies

8. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Analysis of legal obligations
National laws and directives
GDPR / EU directives
State / province laws
Civil liabilities
Legally-advisable practices

9. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Business value of IR
Protects proprietary / classified information
Reduces impact to business operations
Minimizes public relations damages
Reduces costs of response
Ensures data is collected for evidentiary
purposes

10. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Incident Response Planning

11. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
The Team
IT Compliance Privacy
Human
Resources
Security / Risk
Management
Third-party
Cyber Security
team
Legal
Public
Relations
Physical
Security
Senior
management
Law
Enforcement
Liaison

12. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Counsel and Privilege
Early involvement affects whether communications
will be considered privileged
◦Early assessments are frank
◦Privilege law is complex
Law in area developing
Regulatory and legal requirements complex, e.g.
notice

13. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Activating the team and the plan
Initial scoping, typically IT
Trigger
◦Confidentiality or privacy of information effected/or in
care
◦Integrity of systems or data
◦Availability of systems or data

14. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Incident Response Readiness

15. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Scenario planning
◦Document procedures for likely incidents
◦Document steps for a non-specific incident
◦Is geographic diversity needed?
◦Determine notification procedure

16. ©2017 Technology Concepts & Design, Inc. All Rights Reserved.
Employee theft
of intellectual
property and
misconduct
An employee removes internal client
information for sale to a competitor
A disgruntled employee destroys
data critical to business success
An employee downloads illegal
software containing a backdoor

17. ©2017 Technology Concepts & Design, Inc. All Rights Reserved.
Data breach
Large upload of files to unknown
destination
Confidential information on public
sources
Files mistakenly sent to the wrong
customer

18. ©2017 Technology Concepts & Design, Inc. All Rights Reserved.
Malware or
ransomware
Ransomware encrypts central data repository
Botnet causes company email and domain to be
blacklisted due to spam and searches
Malware makes hundreds of machines unusable
Company receives notices of Denial of Service (DoS)
attacks originating from the corporate network.

19. ©2017 Technology Concepts & Design, Inc. All Rights Reserved.
Lost or stolen
device
Employee loses an encrypted laptop while on
vacation.
Backup tapes are stolen from an employee’s
vehicle while they are in a restaurant.
The phone of the CEO’s assistant is stolen at a
coffee shop and the phone was unlocked at
the time.

20. ©2017 Technology Concepts & Design, Inc. All Rights Reserved.
Key system
failure
Power outage in the server room in the
middle of the day.
Non-redundant firewall failure

21. ©2017 Technology Concepts & Design, Inc. All Rights Reserved.
Data loss or
corruption
Multiple hard drives fail in the main database
server.
Administrator accidentally deletes the wrong
virtual machine.
A restore overwrites production data rather
than going to an alternate location.
Encryption keys expire

22. ©2017 Technology Concepts & Design, Inc. All Rights Reserved.
Social
engineering
Company instructed to change payment
information.
Fake CEO emails instruct AR to make
payments to an account.
Employees divulge passwords to a
person claiming to be from IT.

23. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Table top exercises
PROCESS
◦IR team assembles
◦Facilitator describes
scenario
◦Plans are invoked and
tested
◦ Review actions
◦ Completion and Success criteria
◦ Notification methods and
messages
VALUE
◦New Insight gained
◦Plans updated
◦Team more comfortable
with the process

24. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Security testing
Penetration testing
Vulnerability management
Red teaming

25. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Locking systems down
Configuration audits and System hardening
Hardening Zone Purpose
User Configuration Least privilege, secondary logon
Network Configuration IP4 vs IP6, encryption, static/dynamic
Features and Roles Configuration Add what you need, remove what you don't. GUI?
Update Installation Address vendor-addressed vulnerabilities
NTP Configuration Clock synchronization
Firewall Configuration Minimize your external footprint.
Remote Access Configuration Authorization, types (RDP, SSH, admin tools)
Service Configuration Minimize your attack surface.
Logging and Monitoring Know what's happening on your system.

26. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Improving detection capability
SIEM
Anomaly detection
End user training
Motivation and Accountability

27. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Vendor or third party coordination and
planning
Identify required third-parties
Establish expectations and contractual
agreements
Make vendors aware of internal procedures
Solicit feedback

28. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Awareness training
Acceptable use
◦Email, Internet, Social
Passwords
Incident indicators
Malware
Social engineering
Data handling
Other policy elements

29. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Process and system implementation
Preservation
Log management and retention
Business continuity
Auditing
Prepare resources
◦Human
◦Technical

30. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Incident Response Execution

31. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Incident response phases
Identification
Containment
Investigation
Eradication
Recovery
Reflection

32. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Identification
◦Use of dormant accounts
◦Log alteration
◦Presence of malicious code
◦Notification by partner or peer
◦Notification by hacker
◦Loss of availability
◦Corrupt files
◦Data breach
◦Violation of policy
◦Violation of law
Report Incident indicators (Employees or automated systems)
Validate indicators
Indicators

33. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Containment
Assemble the IR team
Quarantine
◦Disable accounts, disconnect from network, isolate VM
Preserve Evidence
Expand IR resources as necessary

34. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Investigation
Interviewing
Analysis
◦ Logs
◦ Memory
◦ Forensic images
◦ Public data
Documentation
◦ IP address of compromised
system
◦ Time frame
◦ Malicious ports
◦ Flow records

35. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Eradication
Resolution
◦ List action items
◦ Rank in terms of risk level and time required
◦ Prioritize
◦ Coordinate and track remediation to completion
Validation
◦ Confirm measures successfully remediated the incident

36. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Recovery
Remediate vulnerabilities
Restore services
Restore data (Ensure that backups are clean)
Follow notification procedures in IRP
Restore confidence

37. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Reflection
Refine plans and processes
Create new IRPs
Debrief

38. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Reflection (continued)
Debrief (After-action
review)
◦Rankless discussion
◦Goals
◦Were goals achievable?
◦Successes
◦Pitfalls
◦Lessons learned
◦Action items and
responsibilities
◦Positive summary

39. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Key Issues

40. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Preserving chain of custody and evidence
As soon as the team begins its work, must start and
maintain a strict chain of custody
Chain of custody documents that evidence was under
strict control and that no unauthorized person was
given the opportunity to corrupt the evidence

41. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
When and if to engage Law enforcement
Nature of data compromised
Nature of incident (theft vs. external hacking vs. employee misconduct)
Regulatory scheme or statute applies to data or operations
Country or residence of persons involved in compromise or persons whose
information implicated
Your industry
Specific benefit
Policy of Good Corporate Citizen
Prior relationship established

42. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Communications
Alternate
In person

43. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Engaging vendors
Pre selected
Experience
New entries in market

44. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Notice
Insurance carriers
Impacted individuals
Regulators
Credit reporting agencies

45. © 2017 Technology Concepts & Design, Inc. All Rights Reserved.
Questions?