Cyber Game Plan: a tabletop exercise in defending a ransomware attack


1 Cyber Game Plan: a tabletop exercise in defending a ransomware attack
November 16, 2017
Moderator: Frances Floriano Goins, Ulmer & Berne
Panelists: Ryan Macfarlane, FBI; Betty Shepherd, R-T Specialty, LLC; Christopher M. Prewitt, TrustedSec, LLC; Gregory P. Stein, Ulmer & Berne

2 Ransomware Exercise
Overall goals of this exercise:
Gain a better understanding of how an incident progresses
Identify appropriate questions to ask
Determine roles and responsibilities during a response
Ensure all team members understand the needs and capabilities of the team and organization
Better understand what capabilities exist, how they can be used, and what is needed if there is an incident
Questions and discussion are helpful. No need to wait until the end: ask now, ask later, ask anytime, just ask!

3 Beginnings of an Incident
Public company, manufacturer, global business that includes operations in Europe
IT Support Desk receives a phone call from someone in the organization saying they cannot open certain files
As IT dispatches someone to look into it, more and more calls start coming into the IT Support Desk
The issue appears to be ransomware, and it is encrypting data across the network
Questions:
Does your IT organization have an IR program for how to handle an incident?
Who would you involve internally for the initial investigation?
Do you have an incident response partner? Would you contact them immediately? Do you engage them through counsel?
How do you communicate to senior management? Do you notify the board?
Next steps? FBI? What is the process? Is it network dependent?
Who is making the decisions?
Legal guidance
3rd party involvement
What steps do we take?
Remote clean-up of all affected systems
System re-imaging
Open source research
Payment process

4 Incident Briefing #1
Your team is investigating the ransomware and you have engaged your Incident Response (IR) team.
It is unclear whether you can recover data and systems if you pay the ransom
Systems are inaccessible for employees
It is unclear whether there are multiple strains of ransomware
Multiple systems are impacted, including systems that enable customers to place orders
Questions:
Systems are not available; do you have recovery plans?
Can you pay in Bitcoin? Do you know how to procure it?
How are you coordinating the investigation?
When do you contact your cyber insurance partner? Is ransomware or human error covered?
Does the FBI or your IR partner suggest paying the ransom?

5 Incident Briefing #2
An IR forensic analyst has joined the investigation onsite.
Based on logs and initial forensics, it appears that data may have been exfiltrated in addition to encrypted:
Web servers were accessed
Internal file shares were accessed
Appears that corporate s were accessed
Difficult to identify specifically what was taken or whether data has been permanently lost
Additional malware was found; unclear if it is related or not
Questions:
Do you have logs and security systems to provide the visibility needed to quickly identify issues and respond?
How are you conducting the communications around the investigation? Does this change with the new information?
What is counsel's role in this? Engaging external IR support?
Outside of the data identified, what other information are you most concerned about with the likelihood of compromise?
Do you share information with the FBI? What can the FBI bring to the table?

6 Incident Briefing #3
You have paid the ransom, and while some of your systems and data are restored, some are not
Your IR forensic analyst identifies that there are two similar but different payloads on your systems; one is accepting the decryption key, the other is not
Where possible, you have restored from backup, but in some cases restoration was not possible
Questions:
How confident are you in your backups?
How long would it take to recover your data center?
How are you conducting the communications around the investigation without a working system?
What is counsel's role in this? Engaging external IR support?
Outside of the data identified, what other information are you most concerned about with the likelihood of compromise?

7 Incident Briefing #4
About 8 hours after the incident began, a well-known online security journalist posts an article on his blog detailing the ransomware event and breach
He cites an "undisclosed" source
No specific mention of data theft, but describes broad outages
The journalist called your CEO, CIO, and Security Director for a quote
Questions:
How does this change your approach to internal/external communications?
Do you have a crisis PR firm identified?
How do you communicate to employees? Who helps define this message?
Do you have a way to determine if there are leaks?
How would you communicate updates to your board?

8 Incident Briefing #5
Investigation determines that the attacker is still active in the environment
Endpoint technology tracks current commands and activity performed by the adversary
Attacker is leveraging an administrative account with access to all areas of the environment (Domain Admin)
IR forensic analyst recommends speeding up the remediation process to remove access, lock down the environment, and unplug from the internet
Questions:
What factors into your decision to remove the attacker's access immediately vs. monitor activity as you ready for a full remediation event?
How much of this information is shared with the board? With the employees?
What risks and concerns do you have now that you know the attacker is still in the environment?
What role would the FBI or local law enforcement have at this point?
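As an added illustration (not part of the presentation) of the visibility question raised in Briefing #2 and the Domain Admin activity in Briefing #5, the following Python script runs two simple detections over an audit log: a burst of file renames to one new extension, which is what encryption in progress looks like on a file server, and a privileged account logging on across many hosts. The log lines, account names and hostnames are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of file-server and logon audit events (not from the page).
# Format: ISO timestamp,event,user,host,detail
SAMPLE_LOG = """\
2017-11-16T08:01:02,file_rename,jsmith,FS01,Q3_forecast.xlsx->Q3_forecast.xlsx.locked
2017-11-16T08:01:03,file_rename,jsmith,FS01,orders.db->orders.db.locked
2017-11-16T08:01:04,file_rename,jsmith,FS01,invoices.pdf->invoices.pdf.locked
2017-11-16T08:01:05,file_create,jsmith,FS01,HOW_TO_DECRYPT.txt
2017-11-16T08:02:10,file_rename,mlee,FS02,draft.docx->draft_v2.docx
2017-11-16T08:05:00,logon,svc_admin,WEB01,type=network
2017-11-16T08:05:30,logon,svc_admin,FS01,type=network
2017-11-16T08:06:00,logon,svc_admin,HR-DB01,type=network
2017-11-16T08:06:20,logon,mlee,WS-0142,type=interactive
"""

def parse_events(text):
    """Parse the constructed CSV-style log into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, event, user, host, detail = line.split(",", 4)
        events.append({"ts": datetime.fromisoformat(ts), "event": event,
                       "user": user, "host": host, "detail": detail})
    return events

def encryption_bursts(events, window_s=60, threshold=3):
    """Users renaming >= threshold files to one new extension within window_s seconds."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "file_rename" and "->" in e["detail"]:
            new_name = e["detail"].split("->", 1)[1]
            by_user[e["user"]].append((e["ts"], new_name.rsplit(".", 1)[-1]))
    hits = {}
    for user, renames in by_user.items():
        renames.sort()
        for i, (t0, ext) in enumerate(renames):
            same = [r for r in renames[i:] if r[1] == ext and (r[0] - t0).total_seconds() <= window_s]
            if len(same) >= threshold:
                hits[user] = ext  # user -> suspicious extension being applied
                break
    return hits

def privileged_spread(events, admin_accounts, min_hosts=3):
    """Admin accounts seen logging on to min_hosts or more distinct hosts."""
    hosts = defaultdict(set)
    for e in events:
        if e["event"] == "logon" and e["user"] in admin_accounts:
            hosts[e["user"]].add(e["host"])
    return {u: sorted(h) for u, h in hosts.items() if len(h) >= min_hosts}
```

Thresholds here are deliberately low so the tiny sample triggers; a real deployment tunes them against baseline rename and logon rates.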

9 Incident Briefing #6
Large shareholders and important customers have reached out to your company to find out details about the incident
Shareholders have expressed concerns about the impact on the organization
Some large customers have called, asking for meetings to understand their exposure
Questions:
What assurances can you provide to consumers or suppliers to keep them from walking away?
Are corporate directors concerned about liability from breach?
Do you have Director and Officer (D&O) coverage? Does it cover for breach?

10 Incident Briefing #7
IR forensic analyst finalizes the report about what happened and includes a list of remediation recommendations:
The report identifies the attack to be tied to an organization working on behalf of the People's Republic of North Korea
Remediation recommendations require significant time, money, and resources to further lock down the environment
There were other threats, in addition to the ransomware, and it is unclear whether they are related
Questions:
Does it matter who receives the report for maintaining attorney-client privilege?
Does knowing who the attacker is matter?
What factors into your decision to implement the list of recommendations versus other ongoing value-driven business initiatives?
What next?

11 Lessons Learned
Did you understand how a security incident can impact the organization beyond IT?
What are your biggest takeaways from this exercise?
Did anything catch you by surprise?

12 Questions

13 Panelists
Frances Floriano Goins, Co-Chair, Data Privacy & Information Security, and Co-Chair, Financial Services & Securities Litigation, Ulmer & Berne
Christopher M. Prewitt, CISSP, CISM, Vice President, Advisory Services, TrustedSec, LLC
Betty Shepherd, Senior Vice President, R-T Specialty, LLC
Ryan Macfarlane, Supervisory Special Agent, Cyber Squad – Cleveland Division, Federal Bureau of Investigation
Gregory P. Stein, Vice-Chair, Data Privacy & Information Security, Ulmer & Berne

