got hacked? it’s too late to run now!
TRANSCRIPT
GOT HACKED?IT’S TOO LATE TO RUN NOW.
Janne Kauhanen
Twitter: @JKauhanen
360°OF CYBER SECURITY
2
MINIMIZE ATTACK SURFACE
PREVENT INCIDENTS
UNDERSTAND YOUR RISK, KNOW YOUR ATTACK SURFACE,
UNCOVER WEAK SPOTS
REACT TO BREACHES, MITIGATE THE DAMAGE,
ANALYZE AND LEARN
RECOGNIZE INCIDENTS AND THREATS, ISOLATE AND CONTAIN THEM
AGENDA
3
Definitions
Threat detection, a short summary
Why do you get hacked?
What to do when you get hacked?
Incident Response process
Forensics
Incident Response capabilities you should (and shouldn’t) have
Crisis management
SECURITY INCIDENTS
Hacker actions
4
Information leak Widespread malware infection
Internal misbehavior
(unintentional included)
"A SECURITY INCIDENT IS ANY KIND OF ACTION
THAT RESULTS IN A CHANGETO A KNOWN GOOD STATE.“
KURTHAGERMAN, CISO, ARMOR DEFENSE INC.
5
THE DOS AND DON’TS OF THREAT DETECTION
RECAP OF WEBINAR #3
6
WHY DID I GET HACKED?
7
"DRIVE BY" & SCRIPT KIDDIES
FOCUS
SKILL
TARGETED ATTACKS
IDENTITY THEFT, 0DAY
EXPLOITS
ADVANCED PERSISTENT
THREATS
INCIDENT RESPONSE PROCESS
16
Briefing Identification Containment Recovery Aftermath
INCIDENT RESPONSE PROCESS
17
Briefing Identification Containment Recovery Aftermath
INCIDENT RESPONSE PROCESS
18
Briefing Identification Containment Recovery Aftermath
INCIDENT RESPONSE PROCESS
19
Briefing Identification Containment Recovery Aftermath
INCIDENT RESPONSE PROCESS
20
Briefing Identification Containment Recovery Aftermath
FORENSIC INVESTIGATION
1. HOW WAS THE DEVICE BREACHED?‒ WHAT WAS THE ROOT CAUSE?
2. HOW DID THE ATTACKER COMMUNICATE WITH THE DEVICE?‒ IS THE ATTACKER STILL ABLE TO COMMUNICATE WITH THE DEVICE?
3. WAS THE ATTACKER ABLE TO MOVE BEYOND THIS DEVICE?‒ IS THERE A WAY TO DETECT INFECTED DEVICES?
4. WAS DATA EXFILTRATED FROM THE DEVICE?‒ HOW MUCH DATA, WHAT KIND OF DATA, AND WHERE DID IT GO?
21
FORENSIC INVESTIGATION
1. HOW WAS THE DEVICE BREACHED?‒ WHAT WAS THE ROOT CAUSE?
2. HOW DID THE ATTACKER COMMUNICATE WITH THE DEVICE?‒ IS THE ATTACKER STILL ABLE TO COMMUNICATE WITH THE DEVICE?
3. WAS THE ATTACKER ABLE TO MOVE BEYOND THIS DEVICE?‒ IS THERE A WAY TO DETECT INFECTED DEVICES?
4. WAS DATA EXFILTRATED FROM THE DEVICE?‒ HOW MUCH DATA, WHAT KIND OF DATA, AND WHERE DID IT GO?
22
FORENSIC INVESTIGATION
1. HOW WAS THE DEVICE BREACHED?‒ WHAT WAS THE ROOT CAUSE?
2. HOW DID THE ATTACKER COMMUNICATE WITH THE DEVICE?‒ IS THE ATTACKER STILL ABLE TO COMMUNICATE WITH THE DEVICE?
3. WAS THE ATTACKER ABLE TO MOVE BEYOND THIS DEVICE?‒ IS THERE A WAY TO DETECT INFECTED DEVICES?
4. WAS DATA EXFILTRATED FROM THE DEVICE?‒ HOW MUCH DATA, WHAT KIND OF DATA, AND WHERE DID IT GO?
23
FORENSIC INVESTIGATION
1. HOW WAS THE DEVICE BREACHED?‒ WHAT WAS THE ROOT CAUSE?
2. HOW DID THE ATTACKER COMMUNICATE WITH THE DEVICE?‒ IS THE ATTACKER STILL ABLE TO COMMUNICATE WITH THE DEVICE?
3. WAS THE ATTACKER ABLE TO MOVE BEYOND THIS DEVICE?‒ IS THERE A WAY TO DETECT INFECTED DEVICES?
4. WAS DATA EXFILTRATED FROM THE DEVICE?‒ HOW MUCH DATA, WHAT KIND OF DATA, AND WHERE DID IT GO?
24
FORENSIC INVESTIGATION
1. HOW WAS THE DEVICE BREACHED?‒ WHAT WAS THE ROOT CAUSE?
2. HOW DID THE ATTACKER COMMUNICATE WITH THE DEVICE?‒ IS THE ATTACKER STILL ABLE TO COMMUNICATE WITH THE DEVICE?
3. WAS THE ATTACKER ABLE TO MOVE BEYOND THIS DEVICE?‒ IS THERE A WAY TO DETECT INFECTED DEVICES?
4. WAS DATA EXFILTRATED FROM THE DEVICE?‒ HOW MUCH DATA, WHAT KIND OF DATA, AND WHERE DID IT GO?
25
IN-HOUSE CAPABILITIES
26
What kind of capabilities should I
have in-house?
Is there anything I should not try to do myself?
“BY FAILING TO PREPARE YOU ARE PREPARING TO FAIL”
BENJAMIN FRANKLIN
27
Scenarios based on real life, adjusted to target organization
GameMaster monitors actions and generates additional inputs
28
CRISIS MANAGEMENT EXERCISE
THERE ARE TWO TYPES OF COMPANIES:
THOSE WHO HAVE BEEN BREACHED, AND THOSE WHO
DON’T KNOW IT YET.
29
Q&A
30
