Incident Response… Be prepared for “not if” but “when” it happens.

Presentation transcript:

Incident Response… Be prepared for “not if” but “when” it happens. James Campbell, www.pwc.co.uk

Agenda
1. Threat Recap
2. Reality and Models
3. Response Components
4. Practical Defence

Who is attacking? Insiders; Espionage; Hacktivism; Terrorism/Sabotage; Organised Crime. Tools and Techniques.

Reality Check

IR Models NIST 800-61

IR Models: ISO/IEC 27035:2011 Information technology Security techniques — Information security incident management
- Plan and prepare: establish an information security incident management policy, form an Incident Response Team;
- Detection and reporting: someone has to spot and report “events” that might be or turn into incidents;
- Assessment and decision: someone must assess the situation to determine whether it is in fact an incident;
- Responses: contain, eradicate, recover from and forensically analyse the incident, where appropriate;
- Lessons learnt: make systematic improvements to the organisation’s management of information security risks as a consequence of incidents experienced.

IR Models: Triage, Detection, Response, Threat Intelligence, Mitigation
- Triage: making sense of alerts; prioritisation; visibility of external and internal influences; business operations visibility; further analysis needed?; data enrichment
- Detection: intrusion detection, analysis and discovery; network monitoring; host monitoring; centralised log file analysis; physical factors; signature development
- Response: communications plan; response coordination; response escalation plan; forensic response and readiness; initial reporting and awareness; investigation
- Threat Intelligence: threats against an organisation; threat actor knowledge (APT, hacktivists, crime, insider, corporate espionage); tools, techniques and procedures; messaging and education
- Mitigation: tactical and strategic mitigations, long term or short term; accessibility and actions required; mitigation vs isolation vs business impact; mitigation deployment plan; resource coordination; mitigation verification

Triage, Risk and Scope. Triage, what are you trying to answer… Key questions:
- How was the incident identified?
- Is it an incident?
- When did the incident occur?
- What is compromised?
- Who is compromised?
- How did the compromise happen?
- Who is the suspected threat actor? Internal, APT, terrorism, hacktivism, crime
- Was it targeted or non-targeted?
- Has anyone taken initial steps or actions?

Triage, Risk and Scope… Understand the risks, key questions:
- What are the critical elements and systems required to stay operational?
- What are the critical information assets?
- What are your worst fears?
Scoping: in order to scope you need to know your organisation in detail.
- What do your operational systems look like?
- What does your network look like?
- How geographically dispersed are you?
- Are there data privacy considerations, or evidential considerations?
- What in-house resources do you have, technology and/or people?
- What is the appetite to monitor vs mitigate?

Communications, Coordination: Roles and Responsibilities
- Set and agree objectives and goals early on
- Ensure you have access to the necessary resources… beyond the typical incident: crisis management, legal, media monitoring
- Alerting and/or reporting obligations to regulators and law enforcement
- Alerting stakeholders, such as customers or business partnerships
- Network infrastructure, IT support, change control, ICT security, seniors and executives, 3rd parties…

Communications, Coordination
- Agreed communications methods, out-of-band options?
- Agreed escalation paths, in/out of hours
- Communications frequency
- Communication audience (what and when to communicate): technical audience, technical analysis, deploy IOCs for detection…; non-technical audience, risks, exposure and key messages
Poor Communication = Failure

Effective Incident Response
- What wave of compromise are you in?
- How long have the attackers been in your environment?
- How regularly do they access it?
- How deeply are they entrenched?
- How have you been communicating about remediation?
- Has data already been exfiltrated?
[Figure: duration of compromise (day, week, month, year) against risk; a compromise of a day is handled by a surgical strike, a long-running one (high risk) by rolling remediation.]

Let's go Tactical: Detection, Isolation and Mitigation vs Business Impact
- Detection: what don't we know, how can we find out? What don't we have visibility of, and how can we improve this? Increased host-based logging (event logs run out quickly!); central logging and capture, host/network
- Isolation: isolate critical systems and/or information; segregation and security enhancement
- Mitigation (quick wins, but only after consideration): initial blocking of C2; resetting passwords; deploying updated AV signatures covering the malware family
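The tactical detection and mitigation steps above, and the earlier point about deploying IOCs to a technical audience for detection, come down to matching indicators against the logs you have. The following is an added example, not code from the talk or from PwC: it runs a small indicator set over proxy log lines, matching both exact C2 domains and their subdomains and destination IPs inside a blocked network, and counts hits per client so the most-affected hosts surface first. All indicators, addresses and log lines are constructed for illustration (the domain uses the reserved .invalid TLD and the network is the TEST-NET-3 documentation range).

```python
"""Added example: deploy a constructed IOC set as a detection over proxy logs."""
from collections import Counter
import ipaddress
import re

# Constructed indicators: a hypothetical C2 domain and a hypothetical C2 network.
IOC_DOMAINS = {"update-check.example-c2.invalid"}
IOC_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, not real infrastructure

# Constructed proxy log: "<timestamp> <client_ip> <dest_host> <dest_ip> <status>"
SAMPLE_LOG = """\
2015-06-01T09:00:01Z 10.1.2.3 www.example.org 93.184.216.34 200
2015-06-01T09:00:05Z 10.1.2.3 update-check.example-c2.invalid 203.0.113.7 200
2015-06-01T09:01:10Z 10.1.2.9 cdn.update-check.example-c2.invalid 203.0.113.8 200
2015-06-01T09:02:00Z 10.1.2.7 intranet.local 10.0.0.5 200
2015-06-01T09:03:30Z 10.1.2.3 www.example.org 203.0.113.9 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def host_matches(host, ioc_domains):
    """True if host equals an IOC domain or is a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def ip_matches(ip_text, ioc_networks):
    """True if the destination IP falls inside any blocked network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # not an IP at all: cannot match a network
    return any(ip in net for net in ioc_networks)


def find_ioc_hits(log_text, ioc_domains=IOC_DOMAINS, ioc_networks=IOC_NETWORKS):
    """Return (hits, per_client): matching records, and a hit count per client IP."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        ts, client, host, dest_ip, _status = m.groups()
        reasons = []
        if host_matches(host, ioc_domains):
            reasons.append("domain")
        if ip_matches(dest_ip, ioc_networks):
            reasons.append("ip")
        if reasons:
            hits.append({"ts": ts, "client": client, "host": host,
                         "dest_ip": dest_ip, "reasons": reasons})
    per_client = Counter(h["client"] for h in hits)
    return hits, per_client


if __name__ == "__main__":
    found, by_client = find_ioc_hits(SAMPLE_LOG)
    for h in found:
        print(h["ts"], h["client"], "->", h["host"], h["dest_ip"], ",".join(h["reasons"]))
    print("hits per client:", dict(by_client))
```

The last log line is the case worth noticing: the host name looks benign but the resolved destination sits in the blocked network, which is why the check matches on both name and address rather than on either alone.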

Time to Investigate

Going Strategic
- Enhance network visibility; consolidate egress points where cost and performance benefits can be realised.
- Continue to identify any remaining vulnerabilities through internal and external penetration testing.
- Conduct a forensic and crisis readiness review.
- Consider implementing application whitelisting across the entire network.
- Further centralise and enhance logging capability.
- Subscribe to threat intelligence services.
- Consider segmentation of sensitive areas.
- Executive and user education and awareness campaign.
- Further technical controls.

Bring it all together now… Prepare, Test and Repeat!
- Pre incident: forensic and crisis readiness; incident policy & playbook development; simulation, testing and refinement
- Incident: investigate and contain
- Post incident: recovery and remediation; posture improvement
Components: legal, technical, business

Bring it all together now… Incident Response KPIs
- EVENT: threat actor establishes access to environment.
- DETECTION: triage alert & confirm incident.
- CONTAINMENT: removing access and actor.
- REPORTING: document facts and containment approach.
- REMEDIATION: fully address the root cause of the issue.
Metrics: dwell time, containment time, remediation time.
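The three KPIs are only useful if every incident records the same milestones and the intervals are computed the same way each time. The following is an added example, not from the talk: it takes an incident timeline made of the five milestones on the slide and computes the KPIs in hours, refusing timelines whose milestones are out of order (almost always a data-entry error) and tolerating incidents that are still open. Which pair of milestones each KPI spans is my reading of the slide, stated as an assumption in the code: dwell time runs from event to detection, containment time from detection to containment, remediation time from containment to remediation. The timestamps are constructed.

```python
"""Added example: incident response KPIs from a milestone timeline."""
from datetime import datetime, timezone
from statistics import median

# The five milestones from the slide, in the order they must occur.
PHASES = ("event", "detection", "containment", "reporting", "remediation")


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp such as 2015-03-11T08:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def ir_kpis(timeline):
    """
    timeline: dict phase -> timestamp string for the phases reached so far.
    Returns a dict of KPIs in hours; None where the later phase is not reached.
    Raises ValueError if milestones are out of order.
    """
    times = {p: _parse(timeline[p]) for p in PHASES if p in timeline}
    if "event" not in times or "detection" not in times:
        raise ValueError("event and detection timestamps are required")
    # Assumption: milestones must be non-decreasing in time.
    prev = None
    for p in PHASES:
        if p in times:
            if prev is not None and times[p] < times[prev]:
                raise ValueError(f"{p} recorded before {prev}")
            prev = p

    def hours(a, b):
        return (times[b] - times[a]).total_seconds() / 3600.0

    # Assumed KPI definitions (my reading of the slide):
    #   dwell       = event -> detection
    #   containment = detection -> containment
    #   remediation = containment -> remediation
    return {
        "dwell_h": hours("event", "detection"),
        "containment_h": hours("detection", "containment") if "containment" in times else None,
        "remediation_h": hours("containment", "remediation")
        if "containment" in times and "remediation" in times else None,
    }


def kpi_summary(incidents):
    """Median of each KPI across incidents, ignoring phases not yet reached."""
    kpis = [ir_kpis(t) for t in incidents]
    out = {}
    for key in ("dwell_h", "containment_h", "remediation_h"):
        vals = [k[key] for k in kpis if k[key] is not None]
        out[key] = median(vals) if vals else None
    return out


# Constructed sample: one closed incident with a 60-day dwell, one still open.
SAMPLE_INCIDENTS = [
    {"event": "2015-01-10T08:00:00Z", "detection": "2015-03-11T08:00:00Z",
     "containment": "2015-03-12T20:00:00Z", "reporting": "2015-03-13T09:00:00Z",
     "remediation": "2015-03-20T20:00:00Z"},
    {"event": "2015-05-01T00:00:00Z", "detection": "2015-05-02T00:00:00Z",
     "containment": "2015-05-02T06:00:00Z"},  # no remediation recorded yet
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(ir_kpis(inc))
    print("median:", kpi_summary(SAMPLE_INCIDENTS))
```

Reporting is deliberately not part of any KPI here; it is kept in the ordering check only, so a report timestamped before containment is still flagged.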

Practical defence, prevention is better than cure…
- Harden your domain controllers
- Increase your visibility
- Leverage your endpoints
- Limit privileges
- Use what's free to limit exploits and unauthorised execution
- Build incident response ‘muscle memory’ and prepare

Questions… James.C.Campbell@uk.pwc.com @SomeIRguy

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. © 2015 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.