24 hours after a breach


Upload: lifars

Post on 17-Feb-2017


TRANSCRIPT

Page 1: 24 Hours After a Breach
The First 24 Hours After a Breach
By Ondrej Krehel and Paul Kubler

Ondrej Krehel, CISSP, CEH, CEI
Founder & CEO, Digital Forensics Lead
LIFARS, LLC
Twitter: @LIFARSLLC

LIFARS is a NYC-based Digital Forensics, Incident Response, and Cybersecurity Intelligence firm.

Paul Kubler, CISSP, EnCE, CCNA, Sec+, ACE
Digital Forensics Examiner
LIFARS, LLC
Twitter: @LIFARSLLC

Digital Firefighter

Agenda

1. Getting the Call
2. Arrival on the Scene
3. Crisis Management
4. Evidence Collection & Remediation
5. Q&A

Ever Wonder What Happened Before You Saw These in the News?

Part 1: Getting the Call

Getting the Call

» Detection of a Breach
  • By the internal IT/security team
  • By an outside organization

» State of Panic
  • Unprepared to deal with a breach
  • Try to contain the attack internally

Getting the Call (continued)

» Internal IT team is heavily utilized
  • External assistance required

» Race against time
  • High pressure to stop “cyberbleeding” and minimize the impact
  • Effectively engage a third-party emergency response team

Part 2: Arrival on the Scene

Arrival on the Scene

» Emergency response team arrives
  • Investigation and remediation begins

» Primary objectives
  • Understand attacker profile and motives
  • Assess the state of compromised systems
  • Secure digital evidence
  • Involve key decision tenants

IT’S ABOUT TIME FOR SOME…
“INVESTIGATION”

Arrival on the Scene

» Damage Assessment
  • Of business and technological areas
  • Reveals how deeply the attacker was able to penetrate the network
  • Examination of the attacker’s lateral movement

Part 3: Crisis Management

Crisis Management

The executive table follows a data breach plan and prepares:

» PR/Privacy/Legal actions needed to cover the enterprise responses to:
  • The public
  • The regulators
  • The partners

» The wrong message can trigger an avalanche

Crisis Management

» Data Breach:
  • Is a C-Suite exercise that tests:
    - Coherence and conciseness of the incident response preparedness
    - Ability of the enterprise to function in crisis mode
  • Unfortunately it is a live exercise (and comes at a high price)

Part 4: Evidence Collection & Remediation

Evidence Collection & Remediation

» Forensic team collects available evidence
  • Performs initial analysis
  • Preserves additional evidence

» Informs the board of initial findings
  • Actions need to be weighed carefully
  • Aggressive moves can have negative effects (attackers still inside the network)

Evidence Collection & Remediation (continued)

» With hackers in the system
  • Each blocking action needs to be closely monitored
  • Remediation can be detected by the attacker, putting evidence and data at risk

» Securing the environment can take years
  • Scheduling necessary changes with key internal tenants is a difficult task

Q&A

THANK YOU