Incident Response: Are You Prepared? by Christina Barker

BSides Austin, 57:08, published 2024-02

Transcript (en)

Host: All right, we're back. For some reason our speaker's video didn't work on the last talk; we're looking into it and haven't found an answer to that problem yet, but we apologize in advance. Up next is our 10:30 talk, "Incident Response: Are You Prepared?" Welcome, Christina Barker.

Christina Barker: Hi, thank you. So yes, my name is Christina Barker. Sorry I can't get a video going for you, but hopefully you can at least see my picture so you can put a face to the name. I have been in information security for a little over a decade now. I've worked in both government and private sectors, and I spent about half of my career so far with NCC Group. For those of you who aren't familiar with them, they are a global cybersecurity consulting firm. I started there as an incident response consultant, and by the time I left I was the director of the North American Cyber Incident Response Team, so as you can imagine I've seen my fair share of incidents. Currently I am the manager of the global cyber defense team at Salonist. So with that, let me share my slides.

Host: Christina, I was just going to say, if you were sharing anything, we didn't see it yet.

Christina Barker: No worries, sorry. All right, let's see. Oh no, looks like I'll have to start that after... well, there we go. Are those coming through okay?

Host: Yes.

Christina Barker: Okay, perfect. All right, so let's start with the basics. I'm sure many of you, or anyone who has been part of an incident in the past, has definitely experienced the panic and sometimes what feels like chaos during an incident. So the idea of today's talk is to talk about how you can do things in advance to basically avoid that kind of chaos. To start, the best thing we need to do is come up with some common language.

We basically have operational versus physical security versus information or cybersecurity incidents. So when someone says "incident," it really can be talking about any one of these things. Normally I've given this talk in person, so I'd have a little feedback from the audience, but since we can't do that today, I'll go ahead and let you think of these to yourselves. If your organization's ISP has suffered a cyber attack and as a result has a massive outage, meaning your organization has lost its connection to the internet, would that be an operational, a physical, or an information security event? In this case it would be operational, right? Even though the ISP might have suffered an information security attack, it's not our organization, and merely having an outage of internet connection isn't a security incident. Not to say that a security incident couldn't have caused that, but in this case this would be operational.

All right, so a security update was pushed to production servers and now several have gone down. Again, even though security is involved, this would be an operational outage, because it wasn't any kind of cybersecurity attack against the environment; it's merely that for some reason an update caused something to malfunction in production servers, and when those go down that would be considered operational.

And then last but not least, and this one's a tricky one: a visitor to the office has stolen a developer's laptop. In this case we're looking at both a physical security incident, because somebody stole physical property from the office, and also an information or cybersecurity incident, because of course there is data on that laptop that is likely sensitive and needs to be secured. So sometimes we'll have operational and cybersecurity, or physical and cybersecurity. Just things to think of as we go through and talk about the different types of incidents. It's really important that you go through and talk with your organization and make sure that everybody understands what the differences are between these different incidents, so that when the word "incident" is getting thrown around under duress, people are on the same page and know what everybody's talking about. Again, this is just about making sure everyone knows before things happen.

Speaking of common language: what is a security incident? I've heard this term often misused, and it's usually misused in the way of describing a security vulnerability or a security event. For example, FedRAMP compliance has a requirement that all security incidents are reported within one hour of being found. If an auditor comes in and hears that a security incident happened and finds that it wasn't reported, it can cause a lot of headaches, especially if it wasn't actually an incident. So if someone's using that term to describe a security vulnerability or a security event, just using the wrong terminology can end up causing a big headache. It's important to make sure that everybody's using the correct terminology for things like this.

A security vulnerability, obviously, is a weakness in an information system, and it is something that can be exploited to create a security incident, but the vulnerability itself is not an incident. A security event is something that happens that might indicate an incident, but that itself isn't an incident. The example here is if an attacker tries to log on to somebody's account multiple times but fails: that's definitely a security event, because somebody's obviously trying to attack, but it's not an actual incident, because none of the attempts were successful. A security incident is when somebody actually takes advantage of a vulnerability and is successful at doing that, and then from there has access to data and things they shouldn't.

A quick, easy way to think of it: a security vulnerability is the potential for an attack, a security event is an attempt of an attack, and a security incident is when one or more events have been confirmed to be successful attacks.

All right, so one of the most important things in being prepared for an incident is having different processes and procedures and things like that in place. A really good way to determine how you're going to build out your incident response program is to use a model that's already in place. I'm very much a firm believer in "work smarter, not harder." A couple of the models that are usually used are either NIST or PICERL, and for this presentation, because it's my personal favorite, we're going to talk about the PICERL model. That stands for Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

Preparation is what we're going to talk about today, mostly. It's just making sure you're ready for an incident. Honestly, it's probably the most boring step, I'll be honest, but I would argue it's the most important step, because if you are prepared properly for an incident, it's going to be much, much easier to deal with than if you skip that step; everything else just kind of gets muddled.

The preparation steps can be broken down into two parts. You have strategic planning, which is things like policy and process creation, talking to third parties, making sure you have communication set up for how to communicate internally and externally, IR runbooks, all that kind of fun stuff, which we'll go over in detail in a minute. And then you have your technical controls, which are things like making sure you have up-to-date asset management, proper logging, backups, and the needed tools, and that you have them ahead of time.

For strategic planning, a solid incident response plan is important, so we're going to talk about some best practices in how you would want to set up a solid incident response plan. The idea behind the plan is that it's going to provide guidance and standardization in high-stress and chaotic situations. It should be easy to follow and understand. Again, I highly recommend having it follow an IR model for your organization; like I said, in this case we're going to use PICERL, so we'll talk about how you would build out an incident response plan based on that model. You can start with a template. It's always important to try and make things a little easier on yourself if you can, but there is no one-size-fits-all. You're not going to find a template out there where it's like, "Great, I only have to put my company logo on it and this is it." It just doesn't work that way. Just like every business has its own little idiosyncrasies, just like every person does, you can take that template but you're going to have to go through and customize it so that it fits your organization.

Another really important thing to do is to get input from all stakeholders, and that includes people in and outside of IT. You want to make sure that there are no process conflicts before an incident. Nothing's worse than having something come up in the middle of an incident and finding out that one team does it this way and the other team does it that way, and now there's this conflict of what's supposed to be done. Those are not the kinds of things you want to try and deal with when you're already dealing with an attack. So make sure that everybody has input on it, that there's no conflicting information in any other policy or procedures anywhere, and that everyone knows what they're supposed to do and what their role is.

Another thing that I would recommend is having a glossary in your incident response plan, going back to what we were talking about with common language. It's helpful to make sure that when people are talking about incidents and the different steps and what's going on, everybody has the same terms. "Data breach" comes to mind. Some people might consider the loss of some source code to be a data breach, and it technically is, but GDPR has a very different meaning for data breach. While that doesn't seem like a big deal, when you're talking about an incident and possible reporting requirements in those short time frames, little terms like that can cause a lot of confusion, so having all that set up ahead of time can be very helpful.

As far as the incident response plan, like I said, we're going to talk about preparation, but some of the areas within preparation that should be included in the IR plan are training; roles and duties, so things like who are your first responders, who's your core incident response team, who's your extended incident response team; communication strategies, so what does your war room look like, what kind of out-of-band communications do you have, what external communication authorization exists, and we'll go over more of this in just a little bit; and standardized tooling, so make sure you have a jump bag and approved software and hardware. All of the details around how those things should work should be included in the preparation step in the IR plan.

Moving forward, like I said, we're basing this off of PICERL, so the next step would be identification. This section should talk about logging and reporting events: what things should be logged. Definitely link things like this back to your other policies, so if your company has a logging policy or data retention policy, make sure that you link this document back to those. That will also help with not running into conflicting data points, by making sure that you're referencing the things that already exist, plus it's a little less for you to write, so that's always nice too. Identification will also cover how to validate events, how to collect incident evidence, and how to declare and classify an incident.

The next step would be containment. Things to include here would be short-term and long-term containment strategies. Again, you're not going to be able to cover every possible long-term or short-term containment strategy, but maybe have a list of a few common ones. Talk about how to determine the risk of continued operations, and how to work within the organization's change control process. Again, this is where referencing the current change control policy is super helpful, and this would be one of those conversations you'd want to have to make sure that within that policy there's a way for your team to make changes. Because, as we all know, wouldn't it be great if incidents only happened from 8 to 5, Monday through Friday? They don't. In fact, they usually happen at night or in the middle of the weekend. So making sure that you have the ability to make changes as needed and go back and have that vetted through change control is going to make life a lot easier than having to make that argument in the middle of working an incident.

The next part is eradication, and that is talking about root cause analysis strategies, vulnerability analysis, and recommended strategies on improving defenses. Making sure that you've got everything wrapped up, you've stopped the bleeding and capped the incoming method of attack, and making sure that you've got the attacker out.

Following that is going to be recovery: recommended recovery strategies, recommended continuous monitoring and system validation strategies, so watching the system closely, maybe running a few extra vulnerability scans, things like that. You'll also want to reference the disaster recovery or business continuity plan, because a lot of times, and ransomware is a great example of this, there's going to be a need to rebuild those assets, and having the ability to reference back to how the business already has a plan for that, again, is better than trying to come up with your own.

And then last but definitely not least is lessons learned. This is where the plan talks about the team going through and identifying activities that did or didn't work, and then of course from there flowing that back into the preparation step of updating those processes and procedures based on those findings. So that's, at a very high level, the way an incident response plan should flow and the steps that should be included.

Things that your IR plan should not include: specific strategies for specific types of attacks. Playbooks and runbooks are fantastic, but it is impossible to have one for every potential scenario that may happen, because technology is constantly changing and attack methods are constantly changing. So you definitely do not want to have these kinds of details in your IR plan, because you'd have to constantly be updating it, and on top of that it would be like a War and Peace novel for anybody to go through, and they're not going to want to look at it if that's the case. So definitely save these things for runbooks and playbooks. Again, great to have, definitely helpful, but just not part of the IR plan; they should be their own separate thing.

The other thing that is really important not to include in the IR plan is specific names of team members and contact information. As we all know, people come and go. You don't want to have to update a policy and submit it for approval every time somebody's email changes or somebody leaves the company or somebody new comes on. So it's important just to reference positions and titles within the plan, and then from there you can have a separate list that you keep. For example, the IR plan says "legal," and you have a separate document that says for legal, contact Joan Smith, with her phone number and email. Much, much easier to keep track of by doing it that way.

I'm hoping... are there any questions in Discord so far? I'm unfortunately unable to see that while I'm sharing my screen.

Host: We're monitoring just the Q&A right now, and then Discord we'll take a look at afterward.

Christina Barker: Okay, sounds good. No problem. All righty. So, some good runbooks and playbooks to have. I'm going to share these slides so they can be shared with everybody, so don't worry about trying to hurry up and write things down. But I've listed some good ones out here. I just realized I have ransomware twice, so ransomware is really important. But yeah: denial of service, insider threat, lost and stolen devices, malware, phishing. Nothing super surprising here.

All right, compliance and policy reviews. Something that we don't necessarily think of as incident responders are the more GRC type of issues that come up that involve incidents. For example, FedRAMP has these eight different sections that are related to incidents that have to be met. HIPAA has an incident procedures section to it. It's important to go through and make sure, again ahead of time, that these things are matched up if you have any kind of compliance standards that you have to meet. A great example: let's say that your IR plan says that you have to report a data breach within one week. So a data breach occurs, you're two days into working it, and now you find out that your company has to comply with GDPR, which requires data breach reporting within three days. Now you only have one day to try and get together all of the things that GDPR needs to get it reported in time, which is definitely going to add additional stress in an already stressful situation. Knowing those things ahead of time and knowing what's expected is definitely going to help during an incident, so it's better to have that stuff figured out ahead of time and not get surprised with it during an incident.

Likewise, we kind of talked about this already, but go through and make sure that related policies line up with your plans and procedures. Like I said, the disaster recovery or business continuity plan; a communications policy, making sure that what that says doesn't conflict with how you identify how communication should take place in your IR plan; the logging policy, data retention, change control. All of those have a bearing on incident response, and so making sure that the IR plan either references those directly or at least lines up with them is going to save you headaches down the road.

All right, so communications. Information sharing is obviously a very sensitive topic when it comes to incidents, and so laying out ahead of time what can and cannot be shared during an incident can be super helpful; it doesn't leave incident responders guessing. Knowing what teams are included in the "need to know," and obviously that may change based on the asset that's under investigation and things like that, but just having an outline of, okay, if this asset's involved, that system's administrator can be in the need to know, maybe not the entire sysadmin group, or something like that. It just helps responders quickly and efficiently get the information out that they need to without having to go through and look for approval for every little update that they have to send. Likewise, how will incident data be restricted in ticketing systems and emails and things like that. And then public communications, that's a huge one, especially if it's something that has to be reported to the public. Having a plan for how to do that ahead of time is going to alleviate a lot of stress and confusion during an incident. Again, like I said, refer to the organization's communication policy; if it doesn't cover communication for incidents, then that's something that you can work on with your communications department, or whoever handles communications at the company, to make sure that you have that in place before something happens.

Out-of-band communications. The big thing there is just making sure that you have, ahead of time, methods that are secure and approved that aren't part of your daily communication. For example, if Zoom is the client that your company uses for meetings and things like that, and phones, maybe having Signal, a common one that people use, that's out of band and an encrypted communication method. That way, if for some reason the communications platform that you use is compromised, you have a secondary way of communicating. All the IR team members should have access to that approved method, so that includes not just the core incident response team but also the extended incident response team: your legal, human resources, whoever may be involved in that. And then again, make sure there aren't any compliance restrictions. I go back to FedRAMP, something I have a little bit of experience with. We were using Signal when this came up, and it turns out that's not FedRAMP compliant, so we had to go find a secondary out-of-band communication platform that was FedRAMP compliant but also not part of what we were using on a daily basis. Like I said, little things like that don't seem like a big deal now but can make a big difference in the middle of an incident.

All right, so war rooms. Traditionally they were usually physical rooms, usually a conference room or something like that, that was dedicated as a war room, so when an incident broke out everybody could meet in that room. It would have limited access with locking doors, no windows or at least covered blinds, things like that, and then locking cabinets for physical evidence and hard drives. Still great if your company wants to have something like this, not a problem at all, and it definitely should be spelled out in the incident response plan. However, with more and more remote working, virtual war rooms are becoming more common than the traditional physical one. The thing there to remember is to have some kind of video or audio conference bridge, which again has become more popular with remote working. Make sure that whatever you choose for that bridge can have restricted access and is encrypted if possible. And then again, like I said before, you want to make sure there aren't any compliance restrictions that keep you from using that particular system. In addition to that, have some kind of secure location to save digital evidence, whether that's a dedicated server in your colocation or, if you have AWS, a dedicated and well-locked-down S3 bucket, something like that where you can take that digital evidence and keep it in there and ensure that it's safe. Either way, like I said, make sure to put the details of what is required in your incident response plan. The other thing is, if you're going to go with a virtual war room, make sure you also have an out-of-band virtual war room, kind of like we were just talking about. You need to make sure that if the initial one that you have has been compromised, you have a backup. So just something to keep in mind: with the virtual one you kind of have to have a backup, whereas with the physical one that's not usually the case.

All right, third-party involvement. Something that a lot of people do not think about until an incident happens is how your data is handled by third-party vendor services. Say that you're using Slack, for example, and there was some potentially sensitive PII-type data that was shared with a third party that had been invited to a chat by someone inside the company. The person who shared it says, "I deleted it right away, I don't think anybody's seen it or downloaded it." How can you tell? Obviously, because Slack is a SaaS service, as incident responders we don't have direct logs for that per se, and if your contract doesn't say that you have access to those logs, you may not be able to get them, which puts you in a sticky position of not being able to confirm or deny that somebody outside of your organization was able to access that PII. So knowing these things, knowing what your vendor contracts are, knowing what rights you have to logs and things like that before an incident happens can be hugely helpful. If you don't have the access that you want, you can at that point renegotiate contracts and things of that nature. It's important to look at these, again, ahead of time. I speak from experience; I've been in the boat where you don't find out until you're in the middle of the investigation and suddenly it's like, "Oh, well, we can't get access to that." So much better to know before than after.

Law enforcement. Having law enforcement contacts, if you're a US-based company, like the FBI and things like that, and I imagine in Europe it would be like Interpol, having a contact for those types of things, so if an incident reaches that level you know right away who you can get a hold of. Again, it just saves time and stress in an incident, and you would definitely want to add this contact information to that list of incident response team members and contacts that we talked about before.

Retainers. It's good to decide ahead of time: is the organization's IR team going to do everything in house, or is a retainer needed? It's super important to get one before your organization needs one. It's usually more cost-effective to do, because you're not in an emergency at the moment and you're not requiring emergency help right away, and of course it saves time and ensures availability. I can say, having led an incident response team of consultants, they're not always available, especially if something kind of widespread hits; we get booked up pretty quick. You don't want to be the one that doesn't have a retainer with an SLA, sitting there going, "Well, I need help," and they're like, "Sorry, I can't help you." So definitely something that if you think you're going to need it, get it ahead of time.

Cyber insurance. Again, I know this isn't always the most exciting stuff, but important to think about. If your organization does have it, great; it should be included in the incident response plan as far as when to contact them, and then of course the direct contact details should also be in that IR contact list. If your company does not have cyber insurance, I would highly recommend looking at getting it before your organization has an incident. It's pretty much just like car insurance: if you get it before you have a car accident, it's going to be a lot cheaper than after you have a car accident. So if you have any sway in making these kinds of decisions, which I realize not everybody does, try to get your company to think about doing that if they haven't already, before you get hit with something big.

Public relations. Confirm whether your organization has the capability to handle public relations internally; if not, it's recommended to get an outside provider. You'll find, too, that a lot of times the cyber insurance will recommend a PR firm if you don't have one, so the two kind of go hand in hand. But definitely, you want to make sure again that you have this ironed out beforehand, because if you do end up having a Marriott-level type incident where you're having to talk to the news and things like that, having somebody that knows what they're doing is going to be better for the company overall. You definitely don't want to stress out your incident responders and have them trying to do that when they're already dealing with the incident itself.

And then last but not least, training. Really, really important. There are a few different kinds of training. We have user security awareness training. Talk with the people. I know it's not everybody's favorite thing to do, totally understand, but it's super important to make sure everyone in the company knows how they fit into the IR. And really there's nobody in the company who doesn't. Even a janitor, if you have a janitor and they see that a door has been propped open, that means somebody could have come in and stolen laptops or stolen data or things like that; that's an information security incident. Everybody has a role to play when it comes to IR, so make sure everyone understands that, whether it's how to report it or where to report it, from an end user perspective, from an admin perspective ("Hey, we may be coming to you and asking you for this information"), all the way up to the CEO ("Hey, you may have to make these kinds of decisions"). Super important to just make sure that everyone understands that. Tabletop exercises can help with this, and we'll talk about those a little bit more in just a second.

Looks like we have a couple of questions. "What are the big names in cyber insurance companies?" Off the top of my head I don't have any right now, but if you want to throw that in the Discord chat, Martin, I'll definitely take a look at that and get some to you.

The next one says a person recently told me about a company they had a relationship with that didn't have a clear, set plan. Oh, it looks like Ryan was just trying to help here, let's see: they failed to understand the policy when they apparently had a 30-day window to report and failed to do so, causing... ah, okay. So Ryan's saying here, basically, he heard about a company that didn't have a clear plan and didn't understand their policy when they were hit with ransomware, and so they missed their reporting window, and he asks how small is the group that should understand the IR plan. I think I kind of just talked about this a little bit, but really, everybody. Everybody should have some kind of awareness of the IR plan and how they fit into it. That's why I always say user security awareness training is a great place to do that, because usually everybody in the company has to take that. You don't have to go into the nitty-gritty detail of what the plan is, but at the very least, if people are required to report something within a certain time, make sure they understand how to report it, whether that's through an email, a phone number, or a ticketing system, and when to do it. I would even throw in the idea that they're not going to get in trouble. Sometimes people are afraid to report things; I've seen this especially with lost and stolen devices, because they're worried about the consequences, and I think sometimes just easing that fear will get you better results in quick reporting of incidents. So hopefully that answers your question, Ryan.

All right, moving on, we have IR team training. Incident responders require ongoing external training to stay on top of emerging threats. We talked about that a little bit earlier: threats are constantly changing, the threat landscape is constantly changing, whether that's because there are new vulnerabilities or your company gets new technology in place. Things are constantly changing for them, and so it's extremely important that they get that ongoing training all the time. Unfortunately, it tends to be more expensive than traditional cybersecurity training, so this is one of those things, again, to plan for: making sure that you have that requirement in the IR plan that says they need that training, so you have a policy to back the request, and then having a plan

for the budget right um because again you know it it it's unfortunately very expensive I would say on average you know IR training courses or usually between 4 and 8,000 um from what I've seen I mean there are some that are cheaper but you know just just in general if you can't do that there are some good resources um Black Hill security usually does some some good uh some good trainings for for free or you know pay what you can um so there are things out there but just definitely make sure that you know even if you can't afford to get training you're getting something um for your team because it is you know it's crucial for

them to be able to stay up to date on that stuff Stu uh tabletop exercises so for tabletop exercises um you know I I would generally it's recommended that you do um you do one on a quarterly basis with your Technical Resources so like your what we call your court incident response team which is like your incident responders um you know maybe some maybe you know one quarter it would be in conjunction with like it help desk and one quarter be conjunction with some CIS admins you know kind of like that and keep it a little more Technical and then um once annually it's recommended to do a more um I can't think of the word it just

left my brain um but you know a full a full tabletop with everybody more inclusive that's it um and so you know you want to make sure that you have the the executives the non-technical Departments like legal and HR um for for the quarterly ones you know you can do those inhouse um if if you want to do them through a third party provider that's totally fine just that tends to get a little more expensive and so doing them in house can be more cost effective but for the but for the big annual one it's recommended to hire a third party um just so that you know everybody involved there's nobody that knows what the answers to everything because that's

the idea right it's supposed to be like an incident where you don't know um and so having them having somebody else come in and do it um is is important one thing I will say though is that when going and looking for third party uh companies to do this make sure that it's not a can scenario um the problem with can scenarios is that they don't always comply um or they don't always match your environment um when they don't it's people tune out real quick right that that wouldn't happen here because we don't have you know Zoom or we don't have slack or we don't have you know whatever technology they've used um or you know we we

don't whatever the case may be right so you want you want people to make sure that they stay tuned in um and they're not going to do that if it doesn't apply to your environment so having something tailored to your organization's environment is going to be far more effective all right so that is um everything with strategic planning so we'll go ahead and go into technical controls and how am I doing on time here okay we're good all right so technical control um for if you're going to go ahead and do in-house digital forensics and incident response um you know you need to to make sure you have an idea of a couple things right so if you already

have tools in your organizations like an EDR or a Sim you know find how you can leverage those for for digital forensics and incident response um you know a lot of a lot of security tools can be can be leveraged for this um however there are usually a few things that you know those tools won't do that are going to be specific especially for digital forensics um that may be needed and so you know make sure that you have um you have the tools that are needed so these are just these are some I've used in the past there're definitely not the only ones um but you know for like digital forensics make sure that you have

something that can do you know Digital Collection for all the kind for all the devices in your environment right so if you have if you have just Windows great ftk imager the free version you're good to go um however it doesn't necessarily work very well for mac and Linux so you know you have to kind of go through and determine what you have in your environment make sure you have the tools that are needed um to meet those those different uh requirements all right um and then of course again get the tools get the tools before you need them um I can tell you a story of a particular incident um that was being worked one time and a digital

forensic of a laptop was needed but the tool um we did not have the tool um and so we spent believe it or not I won't name the company but it took almost a week just to get a hold of somebody to give us a quote for the tool of course you know thankfully by that point we figured out that we didn't actually need the the the forensic image um that if we had that would have been that would have put us in a really bad place right um so having these things again before it just makes life so much easier uh all right so retained uh retained services so um if you're going to go ahead and instead of doing

in-house if you're going to retain uh digital forensics and incident response Services through like a retainer um a couple of things to keep in mind from a tooling perspective um some providers will leverage your organizations in house tooling so um the big thing there is just make sure that you have the ability to Grant the provider the access they'll need quickly when an incident occurs um from a Consulting side I can tell you there's been many times where we've started an engagement and we ended up waiting two days and unfortunately you know the client's burning two days of money because we're dedicated to them and can't do any other work and while they're just trying to figure out how to

get us um access to the the the tool we needed within their environment so costly um and also you know again just takes time away from from getting that incident contained as soon as possible so making sure that you have those types of things ready whether whether it's an account that's set up and just disabled or whether you know you have a a quick way to to request the access and Grant it however the case may be just make sure you know how you're going to do that so when the time comes you can get it for them very quick um some providers do require that um that your IR team deploy their tool within your or organization's

environment so again nothing wrong with that either um just make sure that you have a way either that you've already deployed the tools in the environment before an incident occurs if that's possible or that you have a way to quickly deploy them um you know whether whether it's through something like jamp or or whatever the case may be just making sure that you can get those out quickly um again like I said from a Consulting perspective been in that boat too where it took the the client two or three days just to get the tool rolled out and now that's two or three days not only wasted in in being able to respond to the incident but also in in money um

and when you're talking about you know I would say on average don't quote me this is just off the top of my head but I would you know guess about four to $500 um you know a day or more um for for these kinds of services you don't want to be the one responsible for blowing you know that kind of money because you just weren't ready so always good to to make sure you have that kind of stuff U ready to go all right um yep and then again you know like I said you pricing this a lot make sure you're ready before an incident occurs it's kind of the the Mantra of this of this

talk all right technical control and knowing your environment um knowing what exists in your organization's environment absolutely a requirement if you want to protect it um you you can't protect it if you don't know about it right that's kind of the as the saying goes um so it's it's super important that oops um super important that you have asset and configuration management um up to date and and in your environment um and that's all assets so my my little saying if you can see here is if it can be track if it can be attacked it should be tracked that's the the little thing I've come up with so kind of keep that in the back of your mind right if it can

be attacked it should be tracked um and that includes you know includes servers uh appliances desktops laptops terminals mobile devices networking gear I mean it's all of it should be um should be accounted for and you should be able to look it up um and that should include things like configuration details like the operating system Baseline security controls what is approved software what you know things things like that so when you go in you can look at it and you know okay everything here is good um and you know if you find an outlier it's going to be a lot easier to identify that if you if you know what what good looks like on on that

machine um and that also includes application and information owners right um so and again this goes back to not just Hardware but even even databases and applications knowing um knowing who owns these applications and these databases in these systems um or who's responsible for them is hugely helpful um you know incident responders are not going to be as familiar with the systems as those who work with them on a daily basis so being able you know having an incident responder be able to identify a system quickly is going to have a huge impact on time to respond and time to contain um I've seen I've seen in cases where there's hours or even days lost just in

trying to track down the right person to answer the questions or to get the evidence needed by the IR team um and again you know anytime you're losing hours or days in an incident that's never a good thing um so again having that stuff ahead of time super super helpful um a logical Network map again logical not necessarily physical but having a logical Network map is super crucial as well um and this really goes to when you start talking about lateral movement and things like that um it's infinitely harder to determine how an attacker may have moved within the environment and what other systems they may have um you know been able to compromise if

you don't have a logical Network map of your environment um so you know if it's something that you don't have yet I would say definitely you know try to work with your networking team I know that you know neither asset management or logical Network mapping neither of those are small tasks and you know completely understood but if you start working on it now even if it's not perfect by the time you know you have an incident it's better to have something than nothing so you know I would still say definitely if you don't have these things in place try to work on them um super important all right I see another question here um let's see do we need a separate

in-house policy for thirdparty software that is installed which can read sensitive data when engaging third parties for incident forensics um honestly that's going to just depend on on your internal company's you know choice on that I'm not sure in house policy for are we talking like like what it's allowed to access um or like how it gets installed I guess I I guess I need a little more information on on that that question um but but ultimately you know it it's up to your it's up to your organization how they'd like to move forward with it if if you think that a third party um an in-house policy for third party software for for that kind

of thing um would be helpful if you know you're going to run into issues with being able to say install it because it says it's not approved um yeah getting any kind of policy in place or getting any kind of pre-approvals again you know hopefully you know all the tools you're going to be using before something happens so maybe you can just get those pre-approved so that when it comes um time or you know if it's engaging with third parties and and you don't know what they're going to give you um then yeah maybe having a policy could help with that but it really just kind of depends on how your organization works so hope hopefully that answers your

question all right so moving on um logs logs logs logs logs logs um I'm sure everyone here has heard before but um you know having logs the more logs you can get the better um now that doesn't mean that every log created in your environment should be captured that obviously you know would be an enormous ass Associated cost with that um and and it could also cause data paralysis right I mean there is a point where you have too much data and it's just it's too much to look through but rather the the idea here is that it's important to make sure you're corre you're collecting the right log sources from all the systems on the network um or within your

environment you know including SAS services including Cloud environments and things like that um if you're not getting if you're not getting the data from all those different endpoints applications Network appliances databases you're going to have gaps in in what you know and what you can or cannot um determine in regards to an inent um I can't tell you the number of times that we would it would come down to logs for trying to help a client with um with an incident and they didn't have them and at you know at that point there's only so much we can do without the data that's needed and so you know we maybe weren't able to identify brot

cause or or you know things like that because the data wasn't there because it wasn't being collected so super important um if you do nothing else log um another thing too and I know this is sometimes a hard a hard ask from a money perspective but if you can try to retain logs for a year um the cost of a data breach report if anyone's familiar with that um between 2016 and 2022 the average number of days to detect a breach was 203 days so you know if you're getting rid of of logs after 60 days chances are that if you do find out that a breach happened you're not going to have any of the evidence that you

need to go through and determine how it happened or anything else if you're only keeping them for say 60 days or 30 days so if you can try to retain them for 360 days um if not you know just do the best that you can you know if you want cost of a data breach report is a great resource to show upper management and say hey this is why I'm asking for it it's not just because you know this is a frivolous number like there's a reason um I would definitely recommend that uh Network flow that's a little different in as much as because it usually is so massive um you know keeping it for a year is just it's not

it's not realistic so if you know if you can keep Network flow for 90 days and everything else for 360 you'll be in pretty good shape um all right and then of course last but not least backups right this is something we've all been hearing since the beginning of it um you know back up your stuff it's super important um and so you know make sure that that there's backups in place um throughout your your environment um that those things are being tested and done on a regular basis um again you know the big one here is especially with with the peration of ransomware uh recently you know it's much it's much easier if you have if you

have backups and and it's being done on a regular basis it's much easier to be able to say hey you know what we don't have to pay that rent will restore from backup and go from there than it is to have to try and come up with that money give it to some attacker and hope that they give you a keyb back um because there is no guarantee that just because you pay that you're you're going to get the decryption key that you need right um so having backups is is a far better plan than than that um and yeah like I said it's it's the easiest and quickest way to recover from an incident right if

you know you can kind of just go back in time before it happened and then patch the holes that were there it's going to be a lot easier than trying to you know cherry pick all the all the different things that might have been dropped or might have been done so so backups are are super important to have all right okay I think I'm coming coming close here so um clothing thoughts um incident response is not I said it and forget it right it's it's a constant active program that needs regular maintenance um maintenance in order to be successful um so you know it's not something you can just set up and walk away it it it's a living breathing

program if you will um practice makes perfect make sure that your incident responders um and the incident response team are properly trained um don't allow those skills to atrophy whether that's through the training of the responders the tabletop exercises things like that make sure everybody's kind of you know on their toes and ready for when something happens um and again preparation is Paramount uh if your organization is unprepared I guarantee you security incidents will cost you more um and time and money and and stress right and and I don't know about you guys but I don't need any more gray hairs I'm sure nobody else does either so um with that I think I'm not sure if

we have time for questions um I think we might be at the end here you could take a um there are no open questions in the Q&A so I think um what we should do is uh anyone who wants to have continued conversation about this can head over to the channel for your talk and Discord perfect I will definitely be there perfect thank you for an excellent talk um and if everyone would like to head over to Discord we're going to take a minute to shakes to transition to our next speaker and we'll be back at the bottom of the hour 11:30 Central Time thank you Christina thank

you