
Incident Response… Be prepared for “not if” but “when” it happens.



Presentation transcript:

1 Incident Response… Be prepared for “not if” but “when” it happens.
James Campbell

2 Agenda
  1 Threat Recap
  2 Reality and Models
  3 Response Components
  4 Practical Defence

3 Who is attacking?
  Insiders
  Espionage
  Hacktivism
  Terrorism/Sabotage
  Organised Crime
  Tools and Techniques

4 Reality Check

5 IR Models NIST

6 IR Models: ISO/IEC 27035:2011 Information technology — Security techniques — Information security incident management
  Plan and prepare: establish an information security incident management policy, form an Incident Response Team;
  Detection and reporting: someone has to spot and report “events” that might be or turn into incidents;
  Assessment and decision: someone must assess the situation to determine whether it is in fact an incident;
  Responses: contain, eradicate, recover from and forensically analyse the incident, where appropriate;
  Lessons learnt: make systematic improvements to the organisation’s management of information security risks as a consequence of incidents experienced.

7 IR Models: Triage, Detection, Response, Threat Intelligence, Mitigation
  Triage
    Making sense of alerts
    Prioritisation
    Visibility of External and Internal Influences
    Business Operations Visibility
    Further analysis needed?
    Data Enrichment
  Detection
    Intrusion Detection, Analysis and Discovery
    Network Monitoring
    Host Monitoring
    Centralised Log File Analysis
    Physical Factors
    Signature Development
  Response
    Communications Plan
    Response Coordination
    Response Escalation Plan
    Forensic Response and Readiness
    Initial Reporting and Awareness
    Investigation
  Threat Intelligence
    Threats Against an Organisation
    Threat Actor Knowledge: APT, Hacktivists, Crime, Insider, Corporate Espionage
    Tools, Techniques and Procedures
    Messaging and Education
  Mitigation
    Tactical and Strategic mitigations
    Long term or short term
    Accessibility and actions required
    Mitigation vs Isolation vs Business Impact
    Mitigation Deployment Plan
    Resource Coordination
    Mitigation verification

8 Triage, Risk and Scope
Triage: what are you trying to answer? Key questions:
  How was the incident identified?
  Is it an incident?
  When did the incident occur?
  What is compromised?
  Who is compromised?
  How did the compromise happen?
  Who is the suspected threat actor? Internal, APT, Terrorism, Hacktivism, Crime
  Was it targeted or non-targeted?
  Has anyone taken initial steps or actions?

9 Triage, Risk and Scope… Understand the risks, key questions…
  What are the critical elements and systems required to stay operational?
  What are the critical information assets?
  What are your worst fears?
Scoping: in order to scope you need to know your organisation in detail.
  What do your operational systems look like?
  What does your network look like?
  How geographically dispersed are you?
  Are there data privacy considerations, or evidential considerations?
  What in-house resources do you have, technology and/or people?
  What is the appetite to monitor vs mitigate?

10 Communications, Coordination
  Roles and Responsibilities
  Set and agree objectives and goals early on
  Ensure you have access to the necessary resources…
  Beyond the typical incident: crisis management, legal, media monitoring
  Alerting and/or reporting obligations to regulators and law enforcement
  Alerting stakeholders, such as customers or business partnerships
Parties to coordinate: Network Infrastructure, IT support, Change Control, ICT Security, Seniors and Executives, 3rd Parties…

11 Communications, Coordination
  Agreed communications methods, out-of-band options?
  Agreed escalation paths, in/out of hours
  Communications frequency
  Communication audience (what and when to communicate)
    Technical audience: technical analysis, deploy IOCs for detection…
    Non-technical audience: risks, exposure and key messages
  Poor Communication = Failure

12 Effective Incident Response
  What wave of compromise are you in?
  How long have the attackers been in your environment?
  How regularly do they access it?
  How deeply are they entrenched?
  How have you been communicating about remediation?
  Has data already been exfiltrated?
Chart: Duration of compromise (Year, Month, Week, Day), marked High Risk at both ends; remediation approach: Rolling Remediation vs Surgical Strike.

13 Let’s go Tactical: Detection, Isolation and Mitigation vs Business Impact
  Detection
    What don’t we know, and how can we find out?
    What don’t we have visibility of, and how can we improve this?
    Increased host-based logging (event logs run out quickly!)
    Central logging and capture, host/network
  Isolation
    Isolate critical systems and/or information
    Segregation and security enhancement
  Mitigation (quick wins, but only after consideration)
    Initial blocking of C2
    Resetting passwords
    Deploying updated AV signatures, covering the malware family
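The tactical slide above relies on central logging, and slide 11 says IOCs are handed to the technical audience for detection; slide 8's triage questions (who is compromised, when did it occur) are what that sweep has to answer. The following is an added example, not code from the presentation or from PwC: a small Python sweep over constructed proxy/DNS log lines against constructed indicators (the domain bad-c2.example and the TEST-NET address 198.51.100.23, both assumptions), reporting per-host first/last contact and the earliest contact overall as a lower bound on the start of the compromise. The log format is assumed; the malformed-line count is kept so a silent parser failure does not shrink the scope.

```python
"""Sweep centralised proxy/DNS logs for known indicators (IOCs).

Added example, not from the presentation.  The log format and every
indicator value below are constructed assumptions.  Each log line is:
    <ISO timestamp> <host> <client_ip> <destination>
"""
from datetime import datetime
import ipaddress

# Constructed indicators: a C2 domain and a C2 IP in a documentation range.
IOC_DOMAINS = {"bad-c2.example"}
IOC_IPS = {"198.51.100.23"}

# Constructed sample of centralised log lines (not real traffic).
SAMPLE_LOG = """\
2015-03-02T08:14:05Z WS-0142 10.1.4.17 cdn.vendor.example
2015-03-02T08:15:11Z WS-0142 10.1.4.17 update.BAD-C2.example.
2015-03-02T09:02:40Z WS-0277 10.1.6.3 198.51.100.23
2015-03-03T07:58:19Z WS-0142 10.1.4.17 bad-c2.example
this line is malformed
2015-03-03T11:21:00Z SRV-FS01 10.1.0.9 mail.corp.example
"""


def match_indicator(destination):
    """Return the matching indicator, or None.

    Domain IOCs match the exact name and any subdomain, case-insensitively
    and ignoring a trailing dot; IP IOCs must match exactly.
    """
    try:
        ip = ipaddress.ip_address(destination)
    except ValueError:
        ip = None  # not an IP literal, treat it as a domain name
    if ip is not None:
        return str(ip) if str(ip) in IOC_IPS else None
    dest = destination.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if dest == ioc or dest.endswith("." + ioc):
            return ioc
    return None


def sweep(log_text):
    """Scope the compromise: which hosts touched an IOC, and when.

    Returns (hits, malformed).  hits maps host -> dict with first_seen and
    last_seen datetimes, the hit count and the set of indicators matched;
    malformed counts lines that could not be parsed.
    """
    hits = {}
    malformed = 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            malformed += 1
            continue
        ts_raw, host, _client_ip, dest = parts
        try:
            ts = datetime.strptime(ts_raw, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            malformed += 1
            continue
        ioc = match_indicator(dest)
        if ioc is None:
            continue
        entry = hits.setdefault(
            host, {"first_seen": ts, "last_seen": ts, "count": 0, "indicators": set()})
        entry["first_seen"] = min(entry["first_seen"], ts)
        entry["last_seen"] = max(entry["last_seen"], ts)
        entry["count"] += 1
        entry["indicators"].add(ioc)
    return hits, malformed


def earliest_activity(hits):
    """Earliest IOC contact across all hosts: a lower bound for 'when did it occur?'."""
    return min((h["first_seen"] for h in hits.values()), default=None)


if __name__ == "__main__":
    hits, bad = sweep(SAMPLE_LOG)
    for host, h in sorted(hits.items()):
        print(f"{host}: {h['count']} hit(s), "
              f"{h['first_seen']:%Y-%m-%d %H:%M} .. {h['last_seen']:%Y-%m-%d %H:%M}, "
              f"{sorted(h['indicators'])}")
    print("earliest observed C2 contact:", earliest_activity(hits))
    print("malformed lines skipped:", bad)
```

On the constructed sample the sweep names two hosts, shows that WS-0142 contacted the C2 domain twice across two days (the first time via a subdomain with mixed case and a trailing dot, which a naive exact match would miss), and reports one unparseable line. The earliest contact is only a lower bound: logs that have already rolled over, which slide 13 warns about, cannot move it earlier.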

14 Time to Investigate

15 Going Strategic
  Enhance network visibility; consolidate egress points where cost and performance benefits can be realised.
  Continue to identify any remaining vulnerabilities through internal and external penetration testing.
  Conduct a forensic and crisis readiness review.
  Consider implementing application whitelisting across the entire network.
  Further centralise and enhance logging capability.
  Subscribe to threat intelligence services.
  Consider segmentation of sensitive areas.
  Executive and user education and awareness campaign.
  Further technical controls.

16 Bring it all together now… Prepare, Test and Repeat!
Lifecycle phases: Pre incident, Incident, Post incident
Activities:
  Forensic and crisis readiness
  Incident policy & playbook development
  Simulation, testing and refinement
  Investigate and contain
  Recovery and remediation
  Posture improvement
Components: Legal, Technical, Business

17 Bring it all together now… Incident Response KPIs
Timeline:
  EVENT: threat actor establishes access to the environment.
  DETECTION: triage alert and confirm incident.
  CONTAINMENT: removing access and actor.
  REPORTING: document facts and containment approach.
  REMEDIATION: fully address the root cause of the issue.
KPIs: Dwell time, Containment time, Remediation time

18 Practical defence, prevention is better than cure…
  Harden your domain controllers
  Increase your visibility
  Leverage your endpoints
  Limit privileges
  Use what’s free to limit exploits and unauthorised execution
  Build incident response ‘muscle memory’ and prepare

19 Questions… James.C.Campbell@uk.pwc.com @SomeIRguy
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it. © 2015 PricewaterhouseCoopers LLP. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers LLP which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

