
Page 1

INCIDENT RESPONSE 101: TESTING THE IR PLAN
Incorporating Tabletop Exercises

Date: August 2, 2019

Presenter: Shawn K. Dorsey
Director, Americas Incident Response
Cyber Security Services

Page 2

Copyright © 2019 Symantec Corporation

Presentation Overview

o Incident Response Defined
o Elements of IR Plan / IR Program
o Incident Response Program Process Elements
o Purpose of the IR Tabletop Exercise
o Tabletop Exercise Participants
o Benefits of an IR Tabletop Exercise
o Best Practices
o A Tale of Two Breaches

Page 3

Incident Response Defined: What is Incident Response?

Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident or security incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.

- Source: Rouse, Margaret. “Definition - Incident Response.” WhatIs.com, searchsecurity.techtarget.com/definition/incident-response. Accessed 28 Nov 2018.

Page 4

INCIDENT RESPONSE PROGRAM: Process is Critical

Technology: Cohesive ecosystem to drive early detection and rapid response

Process: Well-constructed, detailed, well-rehearsed response plans

People: Qualified, well-trained, cross-functional team with additional expertise on retainer

Page 5

Failure to Plan is Planning to Fail

37%: Have not reviewed or updated their response plans since they were put in place

60% / 68%: Organizations are not confident that they can deal with the aftermath of a breach; Have a Response Plan

Page 6

Readiness Processes – Plans, Playbooks, TTX

Strategic - Policy: IR Plan
Define: stakeholders, roles, responsibilities
Technical Considerations: logging, visibility, capacity, skills
Non-Technical Factors: Communications, policy, legal, IR Partner engagement

Tactical - Procedures: Incident Playbooks
Define top 3-5 attack types you are likely to face.
Create Checklists to manage common incident types.

Continuous - Testing: Tabletop Exercises
Educate stakeholders and participants.
Test the plan through a mock scenario.
Update the plan as the organization changes.
Regular re-training on updated plans.

Page 7

Purpose of an IR Tabletop Exercise

o Practice incident response and test the Incident Response Plan and Playbooks
o Success is identifying gaps and areas for improvement
  o Suggest solutions to gaps
o Satisfy regulatory requirements (PCI, FISMA, etc.)

Page 8

IR is a “Team Sport”: Who Should Participate?

IR TEAM participants:

o Senior Leadership
o External Investigators/Law Enforcement
o Privacy Attorney & Cyber Insurer
o Legal
o IT
o Corporate Communications

Page 9

Benefits of an IR Tabletop Exercise

o Improved IR Plan / More Efficient Response Efforts

o Extended Team Engagement / Great Team Building!

o Increased Information Security Awareness

o Highlight Information Security Policy and Budget Requirements

Page 10

IR Tabletop Exercise Best Practices

o Make it Realistic
  o Customize your scenarios to your specific organization/environment.
o No more than 4 hours (per session)
o Ensure participants understand the “ground rules”
  o e.g., no outside discussion; no actions on live systems; etc.
o Assign a Scribe to be responsible for capturing responses
o Pull in as many stakeholders as possible
  o Include various departments, external partners, outside counsel, etc.

Page 11

A Tale of Two Breaches | Unprepared

SITUATION:
• Unsophisticated Ransomware (Cryptowall) infects victim network
• Malware searches network for accessible Windows file shares
• Malware encrypts all data it is able to access

PREPAREDNESS:
• Unregulated network environment
• No access controls on Windows network shares
• Outsourced backup/recovery infrastructure backs up to read/write network shares
• Anti-virus-only endpoint protection
• No egress filtering at Internet gateways
• No Incident Response Plan in place

OUTCOME:
• Loss of all Proprietary Information
• Backup files encrypted
• Email and database servers non-functional
• Loss of business
• Operational impact
• Forced into difficult ransom decision

Page 12

A Tale of Two Breaches | Better Prepared

SITUATION:
• Very sophisticated ransomware (SamSam) infects network using unpublished exploit
• Attacker steals administrator credentials
• Malware spreads to hundreds of workstations and servers
• Malware encrypts data and displays ransom notice

PREPAREDNESS:
• Regulated network environment
• Monitored Security Service Provider providing 24/7 coverage
• Best practices for disaster recovery followed
• Endpoint protection with next-gen features
• Well-trained IT operations leadership and staff
• Incident Response Plan in place and practiced

OUTCOME:
• No loss of critical business data
• Files restored from off-site backups
• Critical systems re-built quickly
• Minimal loss of business operations
• Low operational impact
• No ransom decision to make

Page 13

Thank You!

Shawn K. [email protected]