Cyber Security Incident Response Playbooks

Presentation transcript:

Cyber Security Incident Response Playbooks V1.0

Can be used in conjunction with the Standard Categories for Incident Response v2.1: https://www.st-andrews.ac.uk/itsupport/security/standardcategoriesforincidentresponse/
Can be used with the Standard Categories ‘TheHive’ templates v1.0 (to be released).
For questions and comments, please email stacsirt@st-andrews.ac.uk

All playbooks are designed to be a template which can be filled out with more specific local steps and measures. Example flows (from:to) are included in the ‘Block applied’ playbook.

External Investigation
Step 1: Notification
Step 2: Identify affected users / systems
Step 3: Categorize incident
Step 4: Determine severity
Step 5: Investigate with playbook
Step 6: Report, considering external

Malicious code
Step 1: Notification of malicious code
Step 2: Submit sample to malware analysis / AV vendor
Step 3: Determine IoCs
Step 4: Create IDS rules
Step 5: Historical log search
Step 6: Block relevant IoCs
Step 7: Identify previous infections
Step 8: Block machines from network
Step 9: Inform service desk / user
Step 10: Close when ‘clean’

Internal Investigation
Step 1: Notification / Requirement
Step 2: Identify any investigation requirements
Step 3: Categorize incident
Step 4: Investigate with playbook

Copyright Infringement
Step 1: Notification
Step 2: Identify user
Step 3: Inform user, with regulations
Step 4: Follow regulation process

Denial of Service
Step 1: Identification
Step 2: Identify target(s)
Step 3: Get packet dump
Step 4: Initiate out-of-band comms if required
Step 5: Report to upstream service provider
Step 6: Check for extortion messages
Step 7: Consider mitigation techniques

Unauthorised Access
Step 1: Notification
Step 2: Identify affected systems
Step 3: Isolate system
Step 4: Determine severity
Step 5: Identify IoCs
Step 6: Identify spread
Step 7: Update IDS
Step 8: Isolate as required
Step 9: Recover systems (rebuild)

APT
Step 1: Notification
Step 2: Identify IoCs
Step 3: Historical search
Step 4: Determine severity / internal spread
Step 5: Escalate
Step 6: Update IDS

Social
Step 1: Notification of compromised account
Step 2: Secure the account
Step 3: Refresh logins
Step 4: Determine IoCs
Step 5: Check historical records
Step 6: Determine severity of information
Step 7: Escalate

Vulnerability notification
Step 1: Notification of vulnerability
Step 2: Research relevant sites
Step 3: Calculate CVSS score
Step 4: Write up report
Step 5: Release

Block applied (with example flows)
Step 1: Get source email (flow: Internal / External to CSIRT)
Step 2: Extract URLs (flow: Email)
Step 3: Check current status of sites (flow: DNS)
Step 4: Report to block provider/technology (flow: Block provider / RPZ)
Step 5: Put into IDS rules (flow: IDS)
Step 6: Check historical records (flow: Networks - DNS)
Step 7: Follow relevant playbook for detections (flow: Playbooks)
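As an added example (not part of the original playbooks or the St Andrews CSIRT tooling), this Python automates steps 2, 4, 5 and 6 of the ‘Block applied’ flow, which are also steps 3 to 6 of the ‘Malicious code’ playbook: it extracts URLs from a constructed phishing report, emits RPZ records and Suricata DNS rules for the hostnames, and checks constructed resolver log lines for clients that already resolved them. The live DNS status check (step 3) is omitted because it needs network access; the Suricata rule layout and the sid range are assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# Constructed sample: a phishing report forwarded to the CSIRT (not real data).
REPORTED_EMAIL = """\
From: reporter@example.org
Subject: Fwd: suspicious message

Please verify your account at http://login.evil-invalid.example/verify?id=1
Mirror: https://cdn.evil-invalid.example:8443/a.php (do not click)
"""
# Constructed DNS resolver log lines for the historical check (step 6).
DNS_LOG = """\
2024-05-01T09:12:03Z client=10.1.2.3 query=login.evil-invalid.example type=A
2024-05-01T09:12:05Z client=10.1.2.3 query=www.example.org type=A
2024-05-01T10:40:11Z client=10.1.7.9 query=cdn.evil-invalid.example type=A
"""
URL_RE = re.compile(r"https?://[^\s<>\"')]+")

def extract_urls(raw_email):
    """Step 2: pull http(s) URLs out of the body of the reported email."""
    body = message_from_string(raw_email).get_payload(decode=True).decode("utf-8", "replace")
    return URL_RE.findall(body)

def hostnames(urls):
    """Reduce URLs to unique lowercase hostnames (literal IPs would need rpz-ip records, not shown)."""
    return sorted({urlparse(u).hostname.lower() for u in urls if urlparse(u).hostname})

def rpz_records(names):
    """Step 4: RPZ zone lines returning NXDOMAIN for each host and its subdomains."""
    return [line for n in names for line in (f"{n} CNAME .", f"*.{n} CNAME .")]

def ids_rules(names, sid_base=9000001):
    """Step 5: one Suricata DNS-query alert per hostname (the sid range is an assumption)."""
    return [f'alert dns any any -> any any (msg:"CSIRT block {n}"; dns.query; '
            f'content:"{n}"; nocase; sid:{sid_base + i}; rev:1;)' for i, n in enumerate(names)]

def historical_hits(names, dns_log=DNS_LOG):
    """Step 6: (client, name) pairs for internal clients that already resolved a blocked name."""
    wanted, hits = set(names), []
    for line in dns_log.splitlines():
        m = re.search(r"client=(\S+) query=(\S+)", line)
        if m and m.group(2).lower() in wanted:
            hits.append((m.group(1), m.group(2)))
    return hits
```

Each client returned by historical_hits is a candidate for step 7 (follow the relevant playbook for the detection), since the lookup predates the block.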

Threat / Extortion / Blackmail
Step 1: Notification
Step 2: Determine severity
Step 3: Check with externals for cases (real or hoax)
Step 4: Escalate