
Page 1

After the Breach - the Conference Exchange

Page 2

After the Breach

Learning how to get through it

Chuck McGann

Chief Cyber Strategist

Salient CRGT, Inc.


Page 3

Disclaimer and Ground Rules

» This is not an endorsement or indictment of any vendor, product or service that might be inadvertently referenced.

» A discussion of the impacts of the breach and what a CISO and his team went through

» We will not discuss breach specifics, some details may still be classified

» Suggestions on actions are that – suggestions!


Page 4

Survey Says… CyberEdge Group 2016 Cyberthreat Defense Report

“…decreasing optimism expressed by our survey respondents – with 62.1% now expecting their organization will fall victim to a successful cyberattack in the coming year, compared to only 51.9% two years ago – is not particularly surprising…”

“…89% of breaches had a financial or espionage motive…” – 2016 Verizon Data Breach Investigations Report

Page 5

If That’s the Expectation….

» Be prepared with an “Incident Response Playbook” - practice

» Prepare your organization with scenario press releases

» Have your team identified, and prepared

» Be mentally prepared for the fall-out!

Page 6

The Spirit of Security Staff

» In my experience, they…

• Are intelligent and technical

• Are experienced and self confident

• Are self sufficient/self-reliant

• Are always connected

• Find attacks an insult

• Don’t accept failure well

Page 7

Breach “Typology”

» There seem to be two types that affect you

• One is indiscriminate targets

- Everyone is at risk – zero-day exploits
- Technology errors
- Human error (phishing, pharming, whaling, etc.)
- Conficker, Stuxnet, etc.

• One is discriminate targets

- Known, uncorrected technology errors
- Failure to recognize a compliance failure
- Password cracking, “gets and puts”, file replacements, etc.
- Ransomware

Page 8

The Challenge

» Offshore attack launched against organization

» Notified of a possible file exfiltration

» Details of files and data elements unknown

» All data was classified and required clearances for full briefing

» Required to take no defensive action

Page 9

The Challenge Continues… actions

» Provide details to senior management

» Provide notice to customers on “impact”

» Engage law enforcement agents

» Take remediation action on application code and infrastructure

» Identify possible threat vectors and controls

Page 10

The First 24 Hours

» Remote decision making with team – not read in

• Challenge event classification – not everything is TS and SCIF restricted

• Lesson Learned – have all staff cleared to the maximum possible

» Understand that clarity is missing in some cases

• Questions on impact and loss will be asked – what does the breach mean?

• Lesson Learned – avoid a specific statement unless you know – and you don’t!

» Understand the information will get out

• Don’t be in trouble alone – convene your response team

• Lesson Learned – public relations is a key player in messaging the situation

Page 11

The State of Frustration

» 60 days before the event notice I sat with Senior Management providing an assessment of our security posture

» Assessment validated by third party 15 days prior to event

» I was on business travel and couldn’t get to a SCIF for a secure briefing

» Management was receiving briefings from separate players

» Multiple agencies were targeted - the event was classified.

Page 12

The Second 24 Hours

» Playbook executed, but activities constrained

» Unidentified impact and data loss

» Staff roles and responsibilities initiated

» Notification requirements looming

• Jurisdictions

• Restrictions

Page 13

Ah, the Emotional State

» Anger at our tools having missed the threat and exfiltration

» Guilt at having thought we were better positioned to identify and contain the attack

» Was Management going to trust me again?

» Were the customers going to trust the company again?

» I let the company, my boss, my team and my family down

» How would this affect future employment?

Page 14

Making Sense of it All

» Un-enforced policy is like “no policy”!

» Use one communication network

» Preparation and Practice

» Poor data management played a role in the loss

» Need consistent leadership - I delayed my planned retirement for 2 months to drive mitigation

Page 15

Getting Through – Suggestions

» Depression will occur – recognize it, deal with it

» You are not super human – you need help, you need sleep

» Use your network for advice

• Others may have been through this too

» TALK within appropriate boundaries – get those feeling out

» Keep your management informed

• Clear activity recording – dedicated scribe in each team

» It’s not a matter of “if”, it’s a matter of “when” – be ready for this

Page 16

Let’s Talk About It!

Page 17

Questions/Comments

Thank You

Chuck McGann

Chief Cyber Strategist,

Director, CyberSecurity Center for Innovation and Growth

[email protected]
