Joe, Larry, Josh, Susan, Mary, & Ken
Team 3 – Incident Response
Team 3 is the senior IT Operations group that owns Target's Security Operations Center (SOC). Its focus is incident response and operations.
Team 3: Cybersecurity Risk Management of Incident Response
1. How would you describe your current processes for incident response?
2. What do you want to change in your incident response plans and processes?
3. What exercises do you want to conduct going forward?
4. How do you plan to work with others to ensure that you can better respond and recover?
Target's multiple layers of protection
Target has multiple layers of protection in place: firewalls, malware detection, intrusion detection, intrusion prevention, and data loss prevention tools. Target was certified as compliant with the Payment Card Industry Data Security Standard (PCI DSS) in September 2013. That certification was a point-in-time assessment; all of the layers listed above were in place when the breach occurred.
Target Incidents Timeline
1. How would you describe your current processes for incident response?
Target's current processes failed to respond to incidents:
Failed to respond to multiple automated warnings from the company's anti-intrusion software.
Failed to respond to the Symantec software identifying malicious activity.
Failed to respond to multiple FireEye alerts.
Failed to contain the infiltration, because its most sensitive network assets were not properly isolated from the rest of the network.
2. What do you want to change in your incident response plans and processes?
Move from static tools to continuous monitoring.
Implement multifactor authentication and application whitelisting.
Harden systems and accounts, and eliminate or change unneeded default accounts.
Analyze false-positive and false-negative reporting in more detail, and analyze where credentialed users are located in the network.
Separate sensitive network assets from supplier and vendor access, and install strong firewalls between Target's internal systems and the outside Internet.
Share threat information with partners and encourage collaboration with the community.
Properly report security incidents to the U.S. Computer Emergency Readiness Team (US-CERT).
3. What exercises do you want to conduct going forward?
Phishing emails and malicious attachments.
Malware attacks.
Penetration tests.
Password-reset and other suspicious requests.
Whitelist and blacklist enforcement.
Detection of unauthorized computers and devices on the network.
Training and practice incident response exercises.
4. How do you plan to work with others to ensure that you can better respond and recover?
Coordinate incident response activities with the organization's contingency planning activities.
Collaborate with others to implement an incident response capability that includes preparation, detection and analysis, containment, eradication, and recovery.
Train and practice with incident response exercises.
Incorporate lessons learned from ongoing incident handling activities into incident response procedures, training, and exercises, and implement the resulting changes accordingly.
Team 5: Senior Corporate Operations Group
What is the best way to manage the risk of others interfacing with our network and systems? Identify, segregate, and monitor.
How should you control others on your network for access and authorization? Two-factor authentication and least privilege.
What should be required of vendors and sub-contractors to work with your systems? Restrict access based on PPS/DAPE. Require signed AUPs/SLAs covering cybersecurity.
How do you ensure proper training and certification of sub-contractors and vendors? Develop a standard. Tie it to contract awards/renewals and performance reviews. Continuously monitor.
Backup
Steps for successful incident response exercises:
Design and plan the exercise around a real-world scenario.
Establish the exercise objectives and identify the participants.
Define the success criteria used to judge the exercise's performance.
Brief the facilitator, scribe, and judging panel in advance.
Evaluate the exercise's performance in a hotwash.
Capture recommendations in an After-Action Report.