
Page 1: Putting Your Incident Response to the Test · Aristotle, Greek philosopher and scientist ©2018 FireEye ... Siem Monitoring) • May have people but do not have response processes

OCTOBER 1 – 4, 2018 | WASHINGTON, D.C.

Putting Your Incident Response to the Test: How Ready Are You, Really?

Jeff Laskowski, Director, FireEye Mandiant
Evan Pena, Global Red Team Lead, FireEye Mandiant

Why test incident response?

“For the things we have to learn before we can do them, we learn by doing them.”

Aristotle, Greek philosopher and scientist


©2018 FireEye

Brutal Truth

§ Security compromises are inevitable…but they can be mitigated

§ Are you prepared? How do you know?

Ever Increasing Complexity of Systems


Accelerating Technology Innovation


Few Risks or Repercussions for the Attackers


Importance of Internal Detection

(Chart: notification by source, global – 62% internal discovery, 38% external notification.)

(Chart: median dwell time in days, by region. Values shown as internal discovery / external notification / all notifications.)

Global: 57.5 / 186 / 101
Americas: 42.5 / 124.5 / 75.5
EMEA: 24.5 / 305 / 175
APAC: 320.5 / 1088 / 498

Source: M-Trends 2018

Who We Are


What Do Leaders Need To Know/Ask Before A Breach?

§ What are our current cyber risks and what is the potential business impact related to each risk? What is our plan to address those risks?

§ How are our executives informed about cyber risks and their potential business impact to the company?

§ Does our cyber security program apply industry standards and best practices?

§ How many and what types of cyber incidents do we detect in a typical week? At what point is the executive team notified?

§ How comprehensive is our cyber incident response plan and how often is it tested?


What Will Leaders Ask During A Breach?

“If you’re breached and you know it, somebody else knows too. You are in an absolute foot race to get your arms around what happened and what you are doing about it. ”

Kevin Mandia, CEO, FireEye


Response Capability By Security Maturity

(Chart: incident response capability on the vertical axis, from Reactive through Proactive to Predictive, plotted against security maturity on the horizontal axis, from Ad hoc to Optimized. The three stages shown, in order of increasing maturity:)

Technology Reliant (Anti-virus, Firewalls, IDS/IPS, SIEM Monitoring)

• May have people but do not have response processes

• Alert-response challenges

• Limited process to control critical data

Response Capability (Basic IR Capability, Threat Detection, Log Analytics, On-demand CIRT Services)

• Core procedures in place, efficiencies may vary

Threat Intel and Data Analytics (Advanced IR Capability, Threat Intelligence and Subscriptions, APT Hunting)

• Solid response capability, consistently refining response processes and procedures

An Intelligence-Led Approach to Services

(Diagram: FireEye Threat Intelligence combines Machine Intel, Victim Intel and Adversary Intel. Elements shown: attacker telemetry and proliferation; attacker context; indicators of compromise; attacker TTPs; victim behavior before, during and after an incident.)

Testing Your IR Processes – At Many Levels

Tabletop Exercises

Paper-based, inject-driven role play assessing technical response capability and/or crisis management capabilities.

Technical tabletop

Why: Assess technical response capability

Who:
• Cyber incident response team (CSIRT)
• Security / SOC manager
• Technical team

What:
• How analysts follow the defined IRP, communication plan and escalation matrix
• When to isolate hosts on the network
• When to reimage a system
• When and how to engage legal counsel and third-party vendors

Executive tabletop

Why: Assess crisis management capability through the lens of the executive team

Who:
• Chief Information Security Officer (CISO)
• C-Suite executives
• General Counsel
• Public relations and corporate communications

What:
• Decision-making around the impact of containment tactics
• Considerations for paying extortion or ransom threats
• Breach disclosure requirements to regulators and key stakeholders
• Customer notification best practices
• Media communication best practices

Case Study – Executive Tabletop Exercise

§ Who: Global consulting firm

§ Why: Validate executive communications throughout an incident

§ Simulated incident included an unconfirmed data loss, executive extortion, social media, and systems outage during remediation

§ Outcomes:
– Clarified notification and escalation thresholds between CIO, executives and board-level communication
– Identified out-of-band communications protocols to be used during an incident
– Improved incident response plan to address gaps

Where the rubber meets the road: Red Team Assessments

Test your ability to respond to a real-world attack without the real-world risk.

Red Team Operations

Objective: Test ability to protect key assets, such as executive email and customer data, against targeted attack

How it works: Emulate a real-world targeted attack, doing whatever is necessary to accomplish the goal

Customer security team involvement: Respond to the targeted attack; option for the security team to know they are in an exercise

Red Team for Security Operations

Objective: Evaluate detect, prevent and respond capabilities

How it works: Mandiant incident responder works with your security team, coaching along the way

Customer security team involvement: Respond to attack scenarios with a Mandiant incident responder observing and coaching

Case Study – Red Team Assessment

§ Who: Building materials manufacturer

§ Why: Evaluate their security posture by achieving pre-defined goals (access CEO emails, intellectual property, etc.)

§ History: PoC hired Mandiant twice before while working at former companies

§ How: Phishing -> priv+/lateral movement -> CEO used iPad! -> Exchange admin -> email delegation rules FTW

§ Outcomes:
– Updated password policy
– Logging and alerting on email delegation rules
– Various other account and infrastructure security configuration updates
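The second remediation outcome above, logging and alerting on email delegation rules, is the kind of control a security operations team can implement directly. The following Python is an added example written for this page; it is not code from the talk, from FireEye or from Mandiant. It assumes Exchange admin audit entries have been normalized into one JSON object per line with the fields Cmdlet, Caller, ObjectModified and Parameters (that record layout, the example.com domain and the list of executive mailboxes are all assumptions); the cmdlet and parameter names are real Exchange ones, and the sample records are constructed. It flags delegation grants, delegation of a watched executive mailbox by someone other than its owner, and forwarding rules that send mail outside the organization, and it survives a malformed line rather than aborting the scan.

```python
"""Flag mailbox delegation and mail-forwarding changes in Exchange admin audit records.

Added example, not code from the FireEye talk. Input format is an assumption:
one JSON object per line with Cmdlet, Caller, ObjectModified and Parameters,
the way a SIEM pipeline might normalize Exchange admin audit log entries.
"""
import json

# Cmdlets that give another principal access to a mailbox.
DELEGATION_CMDLETS = {"Add-MailboxPermission", "Add-MailboxFolderPermission",
                      "Add-RecipientPermission"}
# Cmdlets and parameters that can send a mailbox's mail somewhere else.
FORWARDING_CMDLETS = {"Set-Mailbox", "New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardingSmtpAddress", "ForwardingAddress", "ForwardTo",
                  "ForwardAsAttachmentTo", "RedirectTo"}

INTERNAL_DOMAINS = {"example.com"}                           # assumption: the org's mail domains
WATCHED_MAILBOXES = {"ceo@example.com", "cfo@example.com"}   # assumption: executive mailboxes

# Constructed sample records (not real log data); the last line is deliberately malformed.
SAMPLE_LOG = """\
{"Cmdlet": "Set-Mailbox", "Caller": "svc-exchange@example.com", "ObjectModified": "ceo@example.com", "Parameters": {"ForwardingSmtpAddress": "smtp:collector@mail-drop.example.net", "DeliverToMailboxAndForward": "True"}}
{"Cmdlet": "Add-MailboxPermission", "Caller": "helpdesk7@example.com", "ObjectModified": "ceo@example.com", "Parameters": {"User": "helpdesk7@example.com", "AccessRights": "FullAccess"}}
{"Cmdlet": "New-InboxRule", "Caller": "alice@example.com", "ObjectModified": "alice@example.com", "Parameters": {"Name": "Project", "ForwardTo": "bob@example.com"}}
{"Cmdlet": "Set-Mailbox", "Caller": "svc-exchange@example.com", "ObjectModified": "bob@example.com", "Parameters": {"DisplayName": "Bob Example"}}
this line is not JSON and should be reported, not crash the scan
"""


def _domain(address):
    """Return the domain part of an SMTP address, tolerating an 'smtp:' prefix."""
    address = address.lower()
    if address.startswith("smtp:"):
        address = address[len("smtp:"):]
    return address.rsplit("@", 1)[1] if "@" in address else ""


def classify(record):
    """Return findings for one audit record as a list of dicts; empty means nothing to flag."""
    findings = []
    cmdlet = record.get("Cmdlet", "")
    caller = record.get("Caller", "").lower()
    mailbox = record.get("ObjectModified", "").lower()
    params = record.get("Parameters", {})

    def add(severity, message):
        findings.append({"severity": severity, "mailbox": mailbox,
                         "caller": caller, "cmdlet": cmdlet, "message": message})

    if cmdlet in DELEGATION_CMDLETS:
        grantee = params.get("User", "?")
        rights = params.get("AccessRights", "?")
        add("medium", f"{grantee} granted {rights} on {mailbox}")
        # Delegation of an executive mailbox set up by someone other than its owner.
        if mailbox in WATCHED_MAILBOXES and caller != mailbox:
            add("high", f"watched mailbox delegated by non-owner {caller}")

    if cmdlet in FORWARDING_CMDLETS:
        for param in sorted(set(params) & FORWARD_PARAMS):
            destination = params[param]
            if _domain(destination) not in INTERNAL_DOMAINS:
                add("high", f"mail forwarded outside the organization to {destination} via {param}")
            else:
                add("low", f"internal forwarding to {destination} via {param}")
    return findings


def scan(text):
    """Parse newline-delimited JSON audit records and return all findings in input order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            # A broken record is itself worth a ticket: it may hide a change we did not see.
            findings.append({"severity": "low", "mailbox": "", "caller": "", "cmdlet": "",
                             "message": f"line {line_no}: unparseable record skipped"})
            continue
        findings.extend(classify(record))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"[{finding['severity']:6}] {finding['mailbox'] or '-':20} {finding['message']}")
```

Severity is deliberately coarse: any delegation is worth a ticket, while an external forward or a non-owner granting access to an executive mailbox is the pattern described in the case study and should page someone. Extending WATCHED_MAILBOXES to the whole executive team and adding a suppression list for sanctioned shared mailboxes are the two tuning knobs a SOC would want first.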

Helping you practice for a better tomorrow

§ Assess existing technical capabilities and processes through targeted attack investigations in virtualized environment

§ A cyber “range” is configured to simulate a typical enterprise environment

§ Practice detecting and responding to new and emerging real-world attack scenarios and threat actor TTPs

ThreatSpace: Practice responding to real-world threats without real consequences

Incident Response Retainers – Rapid Response When Needed Most

§ Pre-established terms and conditions for service in event of a suspected or confirmed cyber security incident save precious time when it matters most

§ Provides your organization a trusted partner to call when the inevitable happens

§ Proactive approach to reduce response time and speed containment

§ Ultimately reducing business impact and cost of a breach


Key Takeaways

§ Testing your response process is critical to program development

§ Use the right tools for the job

§ Selecting the right security partner
– First-hand investigation experience matters
– Tailored TTPs
– Beyond automation
– Objective oriented
– Ability to covertly test
– Compliance and beyond

Q&A

Thank you!

Read our latest case study at: fireeye.com/services/red-team-assessments

Contact us at:

Jeff [email protected]

Evan [email protected]