INCIDENT RESPONSE 101: TESTING THE IR PLAN
Incorporating Tabletop Exercises
August 2, 2019
Shawn K. Dorsey
Director, Americas Incident Response
Cyber Security Services
Copyright © 2019 Symantec Corporation
Presentation Overview
o Incident Response Defined
o Elements of IR Plan / IR Program
o Incident Response Program Process Elements
o Purpose of the IR Tabletop Exercise
o Tabletop Exercise Participants
o Benefits of an IR Tabletop Exercise
o Best Practices
o A Tale of Two Breaches
Incident Response Defined
What is Incident Response?
Incident response is an organized approach to addressing and managing the aftermath of a security breach or cyberattack, also known as an IT incident, computer incident or security incident. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.
- Source: Rouse, Margaret. "Definition - Incident Response." WhatIs.com, searchsecurity.techtarget.com/definition/incident-response. Accessed 28 Nov 2018.
INCIDENT RESPONSE PROGRAM
Process is Critical
Technology: Cohesive ecosystem to drive early detection and rapid response
Process: Well-constructed, detailed, well-rehearsed response plans
People: Qualified, well-trained, cross-functional team with additional expertise on retainer
Failure to Plan is Planning to Fail
37% have not reviewed or updated their response plans since they were put in place
60% of organizations are not confident that they can deal with the aftermath of a breach
68% have a response plan
Readiness Processes – Plans, Playbooks, TTX
Strategic - Policy: IR Plan
o Define: stakeholders, roles, responsibilities
o Technical considerations: logging, visibility, capacity, skills
o Non-technical factors: communications, policy, legal, IR partner engagement
Tactical - Procedures: Incident Playbooks
o Define the top 3-5 attack types you are likely to face.
o Create checklists to manage common incident types.
Continuous - Testing: Tabletop Exercises
o Educate stakeholders and participants.
o Test the plan through a mock scenario.
o Update the plan as the organization changes.
o Regular re-training on updated plans.
Purpose of an IR Tabletop Exercise
o Practice incident response and test the Incident Response Plan and Playbooks
o Success is identifying gaps and areas for improvement
o Suggest solutions to gaps
o Satisfy regulatory requirements (PCI, FISMA, etc.)
IR is a "Team Sport"
Who Should Participate?
The IR TEAM at the center, with:
o Senior Leadership
o External Investigators/Law Enforcement
o Privacy Attorney & Cyber Insurer
o Legal
o IT
o Corporate Communications
Benefits of an IR Tabletop Exercise
o Improved IR Plan / More Efficient Response Efforts
o Extended Team Engagement / Great Team Building!
o Increased Information Security Awareness
o Highlight Information Security Policy and Budget Requirements
IR Tabletop Exercise Best Practices
o Make it Realistic
o Customize your scenarios to your specific organization/environment.
o No more than 4 hours (per session)
o Ensure participants understand the "ground rules"
o e.g., no outside discussion; no actions on live systems; etc.
o Assign a Scribe to be responsible for capturing responses
o Pull in as many stakeholders as possible
o Include various departments, external partners, outside counsel, etc.
A Tale of Two Breaches | Unprepared
PREPAREDNESS:
• Unregulated network environment
• No access controls on Windows network shares
• Outsourced backup/recovery infrastructure backs up to read/write network shares
• Anti-virus only endpoint protection
• No egress filtering at Internet gateways
• No Incident Response Plan in place
SITUATION:
• Unsophisticated ransomware (CryptoWall) infects victim network
• Malware searches network for accessible Windows file shares
• Malware encrypts all data it is able to access
OUTCOME:
• Loss of all proprietary information
• Backup files encrypted
• Email and database servers non-functional
• Loss of business
• Operational impact
• Forced into difficult ransom decision
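The unprepared case turns on one configuration fact: the backup target and every other share were writable by any authenticated user, so the ransomware's share enumeration found them and the backups were lost with the data. The PowerShell audit below is an example added here, not code from the deck or from Symantec; it lists the non-administrative SMB shares on a Windows file server where a broad principal (Everyone, Authenticated Users, Users, Domain Users, Domain Computers) has write access at both the share level and the NTFS level, which is what "no access controls on Windows network shares" looks like in practice. It assumes an elevated session on the file server with the SmbShare module available (Windows 8 / Server 2012 and later); the Test-BroadPrincipal helper and its principal list are my own choices.

```powershell
# Added example (not from the original deck): find SMB shares that any user can write to.
# Assumptions (mine, not the slide's): elevated PowerShell on the file server; SmbShare module present.

# Principals whose write access effectively means "any user or machine on the network".
# Domain Users / Domain Computers are matched by suffix because the domain name is unknown here.
function Test-BroadPrincipal([string]$Name) {
    return ($Name -eq 'Everyone' -or
            $Name -eq 'NT AUTHORITY\Authenticated Users' -or
            $Name -eq 'BUILTIN\Users' -or
            $Name -like '*\Domain Users' -or
            $Name -like '*\Domain Computers')
}

# WriteData (CreateFiles) is the NTFS right needed to overwrite file contents;
# Modify and FullControl include it. Generic access masks (GENERIC_*) are not decoded here.
$WriteData = [System.Security.AccessControl.FileSystemRights]::WriteData

$findings = foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    # Share-level permissions: Change or Full allows writing through the share.
    $shareWriters = Get-SmbShareAccess -Name $share.Name | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.AccessRight -in 'Change', 'Full' -and
        (Test-BroadPrincipal $_.AccountName)
    }
    if (-not $shareWriters) { continue }

    # Effective access is the intersection of share and NTFS permissions, so only report
    # a share when the NTFS ACL on its root also grants write to a broad principal.
    if (-not (Test-Path -LiteralPath $share.Path)) { continue }
    $ntfsWriters = (Get-Acl -LiteralPath $share.Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $WriteData) -eq $WriteData) -and
        (Test-BroadPrincipal $_.IdentityReference.Value)
    }
    if (-not $ntfsWriters) { continue }

    [pscustomobject]@{
        Share        = $share.Name
        Path         = $share.Path
        ShareWriters = ($shareWriters.AccountName | Sort-Object -Unique) -join ', '
        NtfsWriters  = ($ntfsWriters.IdentityReference.Value | Sort-Object -Unique) -join ', '
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No non-administrative share grants write access to a broad principal.'
}
```

Run it on every file server (for example through Invoke-Command) and treat any backup repository that appears in the output as the condition that cost the unprepared organization its backups: the fix is a dedicated backup service account with write access and no write access for ordinary users, plus backups that leave the reachable network entirely, as in the better-prepared case that follows.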
A Tale of Two Breaches | Better Prepared
PREPAREDNESS:
• Regulated network environment
• Monitored Security Service Provider providing 24/7 coverage
• Best practices for disaster recovery followed
• Endpoint protection with next-gen features
• Well-trained IT operations leadership and staff
• Incident Response Plan in place and practiced
SITUATION:
• Very sophisticated ransomware (SamSam) infects network using an unpublished exploit
• Attacker steals administrator credentials
• Malware spreads to hundreds of workstations and servers
• Malware encrypts data and displays ransom notice
OUTCOME:
• No loss of critical business data
• Files restored from off-site backups
• Critical systems rebuilt quickly
• Minimal loss of business operations
• Low operational impact
• No ransom decision to make
Thank You!
Shawn K. [email protected]