
Let's enjoy BSides SATX. My name's Duncan Macklin. I am the co-founder and CEO of Operandis. I'm also a partner in eccoctf.red; that is a cyber range. Feel free to go out there, check it out, play around with some of our challenges, see what kind of badges you can acquire, all that great stuff. I'm also the host of Cyber Speaks Live, a cyber security podcast series with some of the most amazing guests from this community, the same community that you're partaking in today, so be sure to check that out wherever you listen to podcasts.

So with that being said, I'm going to jump right into things. We're going to skip the whole bio stuff; I've got a lot of content to cover with you guys. This should actually be like a half-day or full-day workshop, but we're going to try to condense as much of it as possible into this 45-minute window. My contact information is on screen, and I'll have it again at the end. Don't worry about things like taking notes or anything; I've got great speaker notes with all the same kind of stuff that I'm going to be talking through. There's a link at the end of my slides from which you'll be able to download the PowerPoint with the speaker notes immediately after this presentation. It's one of the things that I like to do as a presenter: make that stuff immediately available to you. Don't worry about note-taking; you can just follow along and download the speaker notes afterwards.

Okay, so moving forward, the first thing we need to really talk about is the stages of incident response. As we look at how we prepare our organization to handle a cyber security incident, we need to understand the stages, but unfortunately the incident response authorities can't seem to come to a general consensus, if you will, on the exact phases of incident response. So whether there's four, five, six, even seven phases involved, depending upon which framework you're using, they all seem to share some version of the core elements of identification, containment, eradication and recovery. Those are the four common elements. Now they may be grouped into some other phases depending upon the framework, and the precursory and resultant phases like preparedness and lessons learned add to the number of overall phases, but essentially all the frameworks are the same; it's just how they group these and how they term them, things like containment, eradication and recovery as one phase, or detection and analysis as another. That's the case with organizations like NIST, for example. So regardless of which framework you adopt, and there are many of them out there, the important thing is to adopt one of them and stick to it.
Learn the phases and what's required to move from one phase into the next. That's really not just going to be an aspect of the team that's assembled; the executive sponsor also needs to know what is required to move from one phase to the next and should be familiar with all those phases, because ultimately your executive sponsor (we'll get into this in more detail) is going to be responsible for making that determination. Now in the speaker notes I do include several different examples of the frameworks that are out there, and you'll see how they differ on the naming conventions, the number of phases, and how they group the tasks that are required into particular phases, so be sure to check out those examples.

Moving on. Conducting an incident response risk assessment should be one of the first aspects of creating your CERT team and putting them to work. And an IR risk assessment (when I say IR, obviously I'm talking about incident response, but I don't want to use acronyms without explaining them) is not just a vulnerability risk assessment like we commonly think. This is not a technical assessment but one that's based on organizational risk, and primarily those that get grouped into one of four categories, and those would be legal, financial, reputational or operational. Unlike our traditional assessments, which look at things like how our networks and systems and data may be attacked by cyber criminals, IR risk assessments look at what the fallout is if they are successful: what are we going to have to deal with, and what is the risk, the financial, the legal, the reputational risk to our organization if they do have a successful attack, and depending upon which type of attack it may be, what is that risk level. Now the output of this IR risk assessment will be what the incident response team's executive sponsor uses for threat classification and prioritization, which again we'll talk about in a bit, but that's essentially what this resulting assessment report will provide them: the details about how to classify and prioritize the risk to the organization, as we've talked about.

Now these risk assessments may also be part of whatever industry you're in, where you're conducting business, where you are headquartered, who your suppliers and your customers are. All these things can have an impact on what state, federal or industry regulations may require a risk assessment. Most notably and most recently, and when I say most recently I mean this month, if we look at what has transpired with the recent cyber attacks against the United States pipelines, the outcome of that is new directives coming from the TSA, who is responsible for the US pipelines and their safety. They've just put forward a new cyber security directive that does state, in addition to some other very aggressive directives regarding notification timelines (which we'll talk about when we get to that section) and being able to name at least two cyber security coordinators that are available 24/7, around the clock, and responsible for the cyber security of the owner/operator of that pipeline, that they've got this 30-day window from, I think it was, May 28 to be able to conduct this cyber security risk assessment based upon their existing cyber security controls and best practices. They only have a 30-day window to complete that assessment, do a gap analysis and provide remediation recommendations for their own organization back to the TSA and CISA. So you have to pay attention to what industry you're in, you have to pay attention to where you're conducting business, where you're headquartered, etc., because you may have various state, federal, European Union or industry regulations that are dictating what has to happen when it comes to these types of assessments. So keep that in mind.

And again, one of the things that I do want to call out: if there are any questions, we are going to have the volunteer help with fielding those towards the end, but feel free also, if you want, to dump them into our Discord channel for Track Three in the Clouds. Just be sure to @ me, infosec war, and if we don't get to the questions and aren't able to complete them all during this session, I will go to Discord and make sure that I answer all of your questions today. That's my commitment to you.

All right, so moving on: setting up and creating your cyber security incident response team. But before we get into the specifics of creating your first CERT team, or maybe re-forming your CERT team based on some of the things you learned today, let's discuss for just a minute the criticality of having executive sponsorship, because it is so important. It doesn't matter if you're a Fortune 500 or you're a security team of just one; you're going to have to have some form of executive sponsorship before you can start down the path of an incident response program, because that executive sponsor will approve, hopefully in addition to some budget for you to be able to do this, your mission statement (we're going to talk about that next), the roles that we'll discuss as well here in just a few minutes, but also prioritizing the threats and assigning threat levels to attacks or potential attacks against your organization. So this person is typically of the CIO or CSO class and will approve moving between phases of an incident response. So you're going to have to have that support from an executive sponsor that has the authority to implement these changes, approve budget, as well as handle the critical decision-making that goes into your incident response.

All right, so next. Hopefully, being BSides SA, SATX I should say, San Antonio, Texas, my current location, you guys recognize the Alamo here, but it was obviously a mission before that. So let's talk about the mission statement that I mentioned earlier. This is basically a unifying mission statement that can help ensure everyone on the team understands the "why" of what's happening here. Simon Sinek talks about the significance of the why (and I'm doing air quotes for those that may just be listening and not seeing the video here), the why in what we do, particularly when it comes to incident response. Now I've linked to Simon's TED talk in my speaker notes, and you'll be able to download that today and listen to it. I want to say it's a short, 15- or 16-minute TED talk, and I'll have that linked in the deck. But be sure you understand the why and that you're able to communicate that. Your mission statement doesn't have to be a dissertation, though. It could be as simple as something like: the mission of XYZ Corp is to rapidly and effectively address all cyber security incidents with a well-vetted response plan that reduces our organizational risk and protects our shareholders, whoever they may be. The important thing is that you have one that is collectively agreed upon and signed off by your executive sponsor. And again, I'll have Simon's talk about the importance of why in my talk notes, and you'll be able to download that immediately after this.

So when it comes to roles to assign... boy, those look good; I haven't eaten today, I'm really digging those rolls. But anyhow, when it comes to roles to assign, I'm just going to throw some of these out there. Some of them are pretty obvious; the ones that aren't, I'll give a little bit of talk to, but in the interest of time I want to be as brief as possible with these. You're going to need a team leader. Now the team leader is just that, team lead; it is not the executive sponsor. You're still going to need that CIO or CSO level executive, and if you're a really small company it may be your CEO. I feel sorry for you if you are that security team of one, because you have a lot on your shoulders, and I'm not trying to pile more onto it, but think about these roles, because if you are that team of one, or maybe just a team of one or two, you're going to have to take on a lot more burden than, say, an enterprise-class organization that has a full security team and other departments that they can pull from.

But we have our team lead, we have our CSO or CIO caliber executive. Risk manager is one that may be in that executive suite that you need to pull from. Same thing with a privacy officer, if you have a data privacy officer. Legal counsel: you cannot get away from having legal counsel, whether that's internal or external; you have to have legal representation. Same thing with HR. Customer service, if you're in that kind of situation where you do have a large customer service organization: you're going to need some representative from them, because if this does go public, if it is that kind of incident, you're surely going to see an uptick in customer service calls or emails that are going to have to be handled. So make sure you have a representative for customer service and that you're providing them information on a need-to-know basis. They do not need to know everything, because again they're going to be communicating with the public, and that can get very dangerous. Be sure whatever you do provide to your customer service agents or their representative has been cleared by legal counsel and your executive sponsor. Finance may need to be involved, and I think in light of recent events with ransomware payments being made (which I am not a proponent of; I'll be very clear about that; I have my reasons, and if you want to get into the debate of whether or not to pay ransomware demands, let's take that offline, but I'll be more than happy to have that debate with you, politely), finance may need to be involved. There may be budgets being spent on incident response handlers, external resources that you need to bring in (I'm going to talk specifically to those later on), and they definitely will need to be involved if you're making a ransomware payment. So be sure you have finance involved. Business continuity: if you have a business continuity unit within your organization, you need their participation. We've already talked about the executive sponsor. IT without a doubt needs to be involved in your CERT team, as well as a DPO, if you have a data protection officer; they're going to need to be involved, typically because it involves data breaches, data leaks, double extortion schemes, you name it. So be sure your DPO, if you do have one, is a part of your CERT team. Again, any questions on these, feel free to hit me up in Discord, but those are the most common groups that I do see participating in CERT team structures, for different purposes and causes.
Now again, if you're a one- or two-person security team, you're going to have to assume some of these responsibilities on your own without the support of those other parties, obviously. Excuse me, just wetting my whistle.

All right, moving on to establishing communication channels. Now this is different than a communication plan, which we'll discuss next, but comm channels are basically those bilateral comm feeds that we're likely going to need to help with our CERT team efforts. These may include inbound threat intelligence feeds, whether those are open or closed source. So you can get threat intel feeds that you can subscribe to, or free feeds that fit into things like STIX and TAXII so that you can have a free threat intelligence platform, or TIP as they're commonly referred to, or you can subscribe to feeds. I don't want to throw any vendor names out there, but there are several predominant feeds that these vendors provide, and they're basically just going to supply you with indicators of compromise that will help you understand if your company or your industry are likely targets for an ongoing cyber attack that's going on in the wild. You may also want to participate in these as an outbound supplier of IOCs, maybe in a closed loop with others within your industry or sector, vertical sector, to be able to help one another protect and defend. It's kind of a closed source; think of it like networking, right? Everybody trusts everybody, everybody shares information, business cards are being swapped, you share best practices with each other, that kind of stuff. It's the same thing, except with the threat intelligence of indicators of compromise that are being shared between these organizations.

You may also need to set up internal distribution lists that receive inbound notifications, or to be able to share information amongst yourselves on the CERT team about different security elements, whatever it may be, and of course if there is some kind of cyber security incident you may be using that internal distribution list as a way to communicate. And then there's also regulatory authorities that may have their own ways of communicating with those that are subject to their directives, so you'll want to look at those and see if there's any types of communication channels that they have set up, whether it's an RSS feed, a TIP or threat intelligence platform feed, something that feeds into STIX or TAXII, maybe they have an RSS feed for some blog that they publish, whatever the case may be, but just look at it and understand what channels exist for yourselves.

Then there's a need to establish a backup form of CERT team communications in the event that your primary (your phone systems, email systems, your Slack, whatever the case may be) is what has been compromised. You may need to have a backup for those, in which case you may want to use something like a third-party VoIP system, an encrypted device application like Signal, Sudo, Slack, Discord, whatever the case may be, as long as that's not the platform that's been compromised in your cyber attack.

Okay, so creating a communications plan. Now this is one of the most critical aspects of the CERT team besides the actual responding to an incident. Setting up your communication plan is really going to be one of the successes or failures of how it is perceived that you have handled a cyber security incident. Let's go back to Equifax. There's a reason why there was a change from "Equifax" to "Equifs", if you will, during a lot of the online discussion of how they handled that cyber security incident. Let's just face it, it was a complete cluster from the get-go, and it all had to do with how they communicated what was going on, and the backpedaling and the multiple story angles. It was just by far one of the worst cyber security incidents that I've ever seen. Now in contrast, I want to say the organization was Fox-IT, that deals with cyber security, and they got breached themselves as a cyber security organization, yet the way that they handled theirs, and the communication that they had with the entire community, how transparent they were throughout the entire process, was amazing. They got it right. You want to be one of them; you do not want to be an Equifax.

So assign a CERT team communications officer, right, that establishes with authority (let me repeat that: with authority) who says what, when and to whom, and this includes things like the media, shareholders, employees, partners, customers, clients, as well as the state, federal and industry regulators. And yeah, let's talk about that list: the FBI, the Secret Service (many don't understand that the Secret Service do a lot of cyber security investigations), your state attorney's offices, CCPA or the California Consumer Privacy Act. You have to know not only what regulations are applicable to you, but you also need to know what the notification requirements are for you communicating to those regulators, within their defined timeline, what is going on and how you are handling that cyber security incident. We see with California you have 72 hours to report that incident; that's not a very long window. Same thing with the EU's GDPR: you have a 72-hour window to notify their DPO (or DPA, excuse me). New York DFS Part 500, same thing; I think, I'm getting confused, I think theirs is either 48 or 72, I want to say 72 hours though, but they have their own requirements. We talked earlier about the Department of Homeland Security, which has TSA, and TSA and CISA have to be notified within 12 hours. Twelve hours. You have half a day to get your ... together and let them know what's going on. That's not a lot of time, so you have to almost have this stuff templatized and ready to go, which is part of setting up your communications plan: knowing how you're going to respond to each of these types of organizations.

Some of the other things that you'll want to do as part of your communications plan is conducting mock interviews, right, and playing the devil's advocate, having someone really push the envelope when it comes to the types of questions you may be asked by the press, if you're working for the type of organization that would need to go public with this type of security incident. So go through those mock interviews and let your communications officer that's been assigned to the team really get put to the test on how well they're able to handle themselves under the duress of three or four people asking different questions all at the same time, because that's how these press conferences go. When I was with the City of Atlanta's ransomware response team, the mayor would sit there in the middle of the City Hall entryway, their forum, and give a press conference every day about how they're handling it, and then it went to legal counsel and the CIO. But know how you're going to handle those kinds of interviews.

As far as internal and external do's and don'ts, I did talk already about customer service and being sure you're limiting the information that they're provided. Same thing with internal employees: it is on a need-to-know basis. It's not that they're not trustworthy; it's just that for company-wide communication it is need-to-know basis. You want to limit the risk and exposure of potentially saying the wrong things. There was one incident involving a financial organization, and a bank teller said the wrong thing to one of the customers, and next thing you know this thing's getting blown way out of proportion, and what ended up getting into the press was not accurate whatsoever. But again, it's because of company-wide communications when it should have been need-to-know basis.

Okay, compromised channels. Obviously you have to be careful in making sure that you understand the scope of what has transpired, what you're dealing with, because the last thing that you want to do is start having your CERT team talk about how they're handling the incident response over a potentially compromised channel. So if you are dealing with an active attack against your organization, you may want to immediately go to that fallback communications network that you've set up, whether that's through Sudo, Slack, Discord, whatever app or service you want to use. You may want to fall back to that immediately, not knowing if your email servers or your VoIP system or whatever has been compromised.

Okay, incident classes, classifications and threat levels. This again is really back to the CIO and CSO and the importance of them being able to assign those threat levels, and knowing, based off of that continuous risk assessment that you're going to do every six or twelve months, they're going to get to understand these threat levels, know the assignment, and as incidents start to occur, particularly if you're having to deal with multiple threats simultaneously, not only are they going to be assigning the threat levels but they're also going to be prioritizing the responses based off of those threats. So again, all that's based off of the risk to the organization as perceived by those from the executive suite, essentially.

Okay, one of my favorite things to talk about is jump bags. We have to have these jump bags ready to go. This is basically your bug-out bag, except you don't get to bug out of this situation; you just have to deal with it, right? So this is a physical bag. How many of them exist in your organization depends on how big your team is and how often you want to be responsible for carrying a bag and being responsible for its contents. You should have at least two of them: one to remain on-site, one to remain off-site with whoever is the steward of that bag for that rotation period. The stewards are going to be members of the CERT team. They are responsible 24/7 for that bag; if there is a cyber security incident, that means they have to be on call as well, and that's typically the case with most of the CERT team members, but particularly this one. It could be any person on the team, just as long as they're responsible for the bag and can bring it to wherever you're going to huddle up in your physical or virtual war room.

The reason you're going to need this bag is you don't know what the level of impact is going to be to your infrastructure within the organization, right? So if we're dealing with something like the City of Atlanta's attack, where (now that's public record, and everybody's pretty much been briefed on what all transpired, and it's public information) their entire environment was just toast. The SamSam ransomware took it down: Active Directory, took down workstations, took down servers, it didn't give a flying flip. So we were starting with nothing. My badge, which I wish I had brought out here to show you guys, had to be printed off like a, not a dot matrix, a color inkjet printer. It's a horrible-looking badge, but then they used one of those lamination kits that you can go into Office Depot and buy. That was my badge for like the first week to get around this completely locked-down City Hall and everything.

So you're going to want some of the contents of this jump bag to be immediately available day one: hard copy of your incident response plan documents, network cables, notebooks and pens (you may not be able to take notes on normal computers; you may have to go back to pen and paper), USB storage devices, digital cameras (we had to use little digital cameras to take people's photos, print them off on a portable printer/scanner, which is one of the other items that should be in your jump bag, and then scissor-cut the image and paste it onto that badge before we used the little lamination kits; you're going to need this kind of stuff), digital camera, sound recorder (you may want to use that for note-taking, may want to use it for meeting records, etc.), we talked about the portable printer/scanner, fully patched laptop and a tablet to walk around with. You're also going to need an iPhone, preferably, for added security, or just a burner device, but there needs to be a charged, ready-to-use phone, fully patched laptop, tablet, portable printer/scanner, etc. You get it. That's your jump bag. There should be two, one on-site, one off-site; stewards are on call 24/7, ready to jump with that.

Tabletop exercises: another great, great use of your CERT team's time. Creating and sourcing exercises for you guys to go through doesn't have to be a heavy lifting. I've done the effort of searching for and linking five different sets of tabletop exercises that are in my speaker notes of the slide deck, so you'll have those. You can also just google for them, or actually go search for them, and just look for "cyber security" plus "tabletop exercises"; that's how I found all these.
You can also look for Amanda Berlin on YouTube; she's got a great couple of videos on tabletop exercises there. Now the frequency and duration of these, it's going to be up to you guys to decide, but normally you want to do, let's say, one a month and keep them short, 15 to 30 minutes each. You're wanting to think through the purpose and intent of the exercise. Look at some of those that I've provided in the speaker notes, come up with your own, but try to keep them short so it's not this daunting task and arduous heavy lifting that your team has to go through. You want them to be excited, you want them to have fun with this, being engaged and participating in it. You don't want this to be a dreadful kind of thing; it should be fun, it should be, I guess, thought-provoking, those kinds of things. But also be sure, as you're doing these tabletop exercises, as you learn things about yourselves, your team, your organization and your cyber resiliency, update your cyber security incident response plan to reflect those lessons learned.

Okay, getting close on time here. Preserving digital forensics. Let's talk about this. So really, when it comes to handling the digital forensics of a cyber attack against your company, there really, really is a need to engage a specialist for this. So if you don't have a certified DFIR expert in-house, you're definitely going to want to consult with one early on in your CERT effort so you have them ready to go if you do get hit by an attack. Many of them will actually conduct a free, or sometimes paid, workshop just to help get your retainer, to keep them on the ready, so feel free to ask them about that even if it's not publicly stated on their sites. Now one of the things that I want to call out when it comes to preserving your digital forensics, something not to do, and I know the knee-jerk reaction is to shut down all systems, but really it's best to try to VLAN or segment your compromised systems, or disconnect their LAN cables or turn off their Wi-Fi signals, so that you can preserve as much of that physical evidence as possible while still containing the malware and not allowing it to spread. But keep in mind that as soon as you shut down these systems they start to lose the digital forensics, particularly stuff that may still be resident in memory.

Okay, last bit, and we're fixing to wrap up, so I know we're just a couple minutes over time here, but engaging outsiders. I talked about that a little bit earlier, and there are many outside experts that you may need to call in as part of your incident response, and as valuable as those folks are, the time to build those relationships and formalize contract agreements and stuff is not during a cyber security incident. It's best to shortlist your top prospects well ahead of an attack and get those agreements redlined and executed early on so that they're on retainer and ready to go. Sometimes that's going to involve paying that retainer fee, but knowing the likelihood of an attack is very likely, you're going to have to just make that call on your own. But some of the outside... sorry, what happened there?
There we go. Some of the outsiders may include insurance carriers (your cyber security insurance; they're going to need to be engaged early on), outside legal counsel if that's necessary, forensics investigators, your regulators (12 to 72 hours, not a whole lot of time), law enforcement agencies (we talked about those earlier), crisis communications or a PR firm (if you're dealing with a customer-centric type of attack where data's been leaked and those kinds of things, you're probably going to need to have a crisis communications company or PR firm engaged), response vendors simply to stand up the environment (we had six different response vendors as part of the City of Atlanta's response; can't disclose who those are right now, but keep in mind you're going to need those as well), and other third parties as needed. So make sure you've got those contracts set up, retainers established, teams ready to go, so that if you get hit you can start dialing those numbers and get those folks engaged.

All right, folks, we're a couple minutes over; I do apologize for that. Okay, so one of the questions asks: do you believe that enterprises lack a way to share information after an attack? What can we use to solve this issue, if this is one? Yes, that is a big, big issue. A way for organizations to say, in a redacted form, an anonymous form, what happened, how they were hit, what systems were targeted and what their response was: nothing that I've seen. If anybody else is aware of a resource like that, that would allow for organizations to freely share redacted information or anonymous information about how they got hacked by cyber criminals (hacking is not a crime, I get it, let me just talk), I don't know if anybody knows anything; pop it into Discord or into chat here. Alonzo's saying, why not use US-CERT? That's fine for disclosing to them; I think the question is more sharing openly with the community, and at the level of detail that would be required I'm not sure that's a good fit.

I appreciate everybody's time today, and thank you for sitting in on the talk. Enjoy the rest of your BSides San Antonio, Texas. As a native, not native, but as one living here myself, I want to be sure that we extend a warm welcome, and thank you for everything that you guys do to be part of this community and make it thrive even amidst this pandemic. So thank you.
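The speaker's communication-channels section mentions subscribing to STIX/TAXII feeds that deliver indicators of compromise, and optionally sharing what you see back out to a closed group in your sector. As an added example (not part of the talk, and not any vendor's or TAXII server's code), here is a small Python ingester in the shape a CERT team would write: it parses a constructed STIX 2.1 bundle of the kind a TAXII collection returns, flattens the simple equality patterns into atomic IOCs, refuses compound patterns it cannot evaluate correctly rather than over-matching them, checks the IOCs against a few constructed log lines with boundary-aware matching, and rolls the hits up into STIX 2.1 sighting objects you could push back out. The bundle contents, indicator identifiers, log lines and timestamps are all made up for illustration; only the standard library is used.

```python
"""Ingest a STIX 2.1 indicator bundle, match its atomic IOCs against logs and
emit sightings. Added example: the bundle and log lines below are constructed."""
import json
import re
import uuid
from datetime import datetime, timezone


def _ind(n, name, pattern):
    """Build a minimal STIX 2.1 indicator; ids and timestamps are constructed."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{n * 8}-{n * 4}-4{n * 3}-8{n * 3}-{n * 12}",
            "created": "2021-06-01T00:00:00.000Z", "modified": "2021-06-01T00:00:00.000Z",
            "name": name, "pattern_type": "stix", "pattern": pattern,
            "valid_from": "2021-06-01T00:00:00Z"}


# Constructed bundle standing in for the JSON body a TAXII collection returns.
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [
    _ind("1", "C2 address", "[ipv4-addr:value = '198.51.100.23']"),
    _ind("2", "Staging domain", "[domain-name:value = 'update-check.example.net']"),
    _ind("3", "Dropper hash", "[file:hashes.'SHA-256' = "
         "'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']"),
    _ind("4", "Scanner pair", "[ipv4-addr:value = '203.0.113.9' OR ipv4-addr:value = '203.0.113.10']"),
    # Compound pattern: flattening it to OR would over-match, so we must skip it.
    _ind("5", "C2 on port", "[ipv4-addr:value = '192.0.2.1' AND network-traffic:dst_port = 4444]"),
]})

# Constructed log lines (firewall, DNS, EDR). Line 3 is a near miss on purpose.
SAMPLE_LOGS = [
    "2021-06-02T10:15:01Z fw01 ALLOW tcp 10.0.4.17:51234 -> 198.51.100.23:443",
    "2021-06-02T10:15:02Z dns01 query A update-check.example.net from 10.0.4.17",
    "2021-06-02T10:15:03Z fw01 ALLOW tcp 10.0.4.18:51235 -> 198.51.100.230:443",
    "2021-06-02T10:16:40Z edr01 file_create sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 path=C:/Users/a/dl.exe",
    "2021-06-02T10:17:00Z fw01 ALLOW tcp 10.0.4.20:51240 -> 203.0.113.10:8080",
]

# One "object_path = 'value'" comparison, e.g. ipv4-addr:value = '1.2.3.4'
COMPARISON_RE = re.compile(r"^\s*([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'\s*$")


def parse_pattern(pattern):
    """Return [(object_path, value)] for a single-observation pattern made only of
    '=' comparisons joined by OR. Anything else (AND, FOLLOWEDBY, MATCHES, NOT,
    several observation expressions) returns None so it is never over-matched."""
    p = pattern.strip()
    if not (p.startswith("[") and p.endswith("]")) or p.count("[") != 1:
        return None
    pairs = []
    for term in re.split(r"\s+OR\s+", p[1:-1]):
        m = COMPARISON_RE.match(term)
        if not m:          # any operator other than a bare '=' fails this match
            return None
        pairs.append((m.group(1), m.group(2)))
    return pairs


def load_indicators(bundle_json):
    """Flatten supported indicators to atomic IOCs; list the ids we had to skip."""
    iocs, unsupported = [], []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        pairs = parse_pattern(obj["pattern"])
        if pairs is None:
            unsupported.append(obj["id"])
            continue
        for path, value in pairs:
            iocs.append({"id": obj["id"], "name": obj.get("name", ""), "path": path, "value": value})
    return iocs, unsupported


def match_logs(iocs, lines):
    """Boundary-aware, case-insensitive search so 198.51.100.23 does not hit inside
    198.51.100.230 and an upper-case hash still matches the feed's lower-case one."""
    matchers = [(ioc, re.compile(r"(?<![\w.])" + re.escape(ioc["value"]) + r"(?![\w.])", re.IGNORECASE))
                for ioc in iocs]
    return [{"line": n, "indicator": ioc["id"], "name": ioc["name"], "value": ioc["value"]}
            for n, line in enumerate(lines, 1) for ioc, rx in matchers if rx.search(line)]


def make_sightings(hits, lines):
    """Roll hits up into STIX 2.1 sighting objects, the shape you would share back
    to a closed group. The timestamp is the first token of each constructed line."""
    by_ind = {}
    for h in hits:
        ts = lines[h["line"] - 1].split()[0]
        s = by_ind.setdefault(h["indicator"], {"count": 0, "first": ts, "last": ts})
        s["count"] += 1
        s["first"], s["last"] = min(s["first"], ts), max(s["last"], ts)
    now = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return [{"type": "sighting", "spec_version": "2.1", "id": f"sighting--{uuid.uuid4()}",
             "created": now, "modified": now, "sighting_of_ref": ind,
             "count": s["count"], "first_seen": s["first"], "last_seen": s["last"]}
            for ind, s in by_ind.items()]


if __name__ == "__main__":
    iocs, skipped = load_indicators(SAMPLE_BUNDLE)
    hits = match_logs(iocs, SAMPLE_LOGS)
    print(f"{len(iocs)} atomic IOCs loaded, skipped {skipped}")
    for h in hits:
        print(f"line {h['line']}: {h['name']} ({h['value']})")
    print(json.dumps(make_sightings(hits, SAMPLE_LOGS), indent=1))
```

The refusal of compound patterns is the part worth copying: a feed entry like "this IP AND this port" silently turned into "this IP OR this port" is how a cheap IOC matcher floods the CERT team with false positives. Run such patterns through a real STIX pattern evaluator, and before pushing sightings back to a sharing group, strip anything beyond the indicator reference and counts so you are not leaking internal host names in the "outbound" channel the speaker describes.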