Cyber Incident Response Management: Breaking Glass
Presented by Darrell Switzer, Sr. Director, Incident Response Services, BAE Systems

About BAE Systems
- $25B annual revenue
- 80,000+ employees
- Operates in 40+ countries, with major clients in banking, insurance, energy/utilities, healthcare, media and government
- $2B invested annually in R&D
- Cyber security, financial crime, communications intelligence
- Core heritage in secure government and agencies

- Incident Response
- Money Is The Target
- FFIEC Overview
- Critical Steps To Prepare
WHY INCIDENT RESPONSE?
The Incident Response Life Cycle (figure, from NIST 800-61)

FFIEC Overview: Business Continuity Planning
- The board and senior management are responsible for business continuity planning, including assigning personnel and allocating resources
- BCP is divided into 4 steps:
  1. Business Impact Analysis
  2. Risk Assessment
  3. Risk Management
  4. Risk Monitoring & Testing
- The BCP process uses the word "should" throughout; it is not backed by legislation or regulations

FFIEC Overview: Information Security
- Gramm-Leach-Bliley Act of 1999 (GLBA), section 501(b), provides enforcement to ensure institutions establish and maintain adequate information security programs
- The FFIEC information security process defines 5 areas:
  1. Information Security Risk Assessment
  2. Information Security Strategy
  3. Security Controls Implementation
  4. Security Monitoring
  5. Security Process Monitoring and Updating

FFIEC Overview: Information Security
Security objectives:
- Availability
- Integrity
- Confidentiality
- Accountability
- Assurance
Integrity + Accountability = Non-Repudiation
FFIEC Overview: Chief Executive Officer Responsibilities
- Develop a plan to conduct the assessment
- Lead employee efforts during the assessment to facilitate timely responses
- Set a target state of cyber security preparedness that aligns with the board of directors
- Review, approve and support plans to address risk management and control weaknesses
- Analyze and present results for executive oversight
- Oversee ongoing monitoring to address evolving cyber security risk
- Supervise changes to maintain or increase cyber security preparedness

FFIEC Overview: The Board Responsibilities
- Engage management in establishing the institution's vision, risk appetite and strategic direction
- Approve plans to use the assessment
- Review analysis of assessment results
- Evaluate the decision of whether the institution's cyber security preparedness aligns with its risks
- Assess and approve plans to address risk management or control weaknesses
- Examine results of ongoing monitoring of the institution's exposure to and preparedness for cyber threats

The ability to respond to an incident is only as good as an organization's ability to detect the incident.
Having proper analysis capabilities requires both trained personnel and the proper tools to perform the analysis.
Plan vs. Framework
"No plan of operations extends with certainty beyond the first encounter with the enemy's main strength." - Helmuth Karl Bernhard Graf von Moltke

Framework
- Authority and Scope
- Team Members and Responsibilities
- Logistics
- Process to Determine Severity and Escalation
- Post-Incident Activities
- Supporting Documentation

The most critical component in any Incident Response Practice: authority and backing from executive management.

Scope defines what areas of the business the Incident Response Practice affects, e.g., any computing device, Wifi, etc.
Incident Response Team
- Primary Team
- Extended Team
- Third Parties

Primary Team
- Security Team
- Incident Response Lead
- Operations Team
- Service Desk Team

Extended Team
- Executives
- Legal
- Communications
- Human Resources
- Compliance
- Physical Security

Third Parties
- Outsourced IT (Help Desk, Server Support)
- Forensic Firms
- ISPs
- Legal Counsel
- Law Enforcement
- Public Relations Teams

Logistics
- Email Distribution / Call Bridge for Communication
- War Room
- Computing Equipment
- Evidence Locker
- Often Overlooked Items: Succession of Command, Catering, Shipment of Evidence, OpTempo
Escalation
Severity is read from the users affected (rows) against the services affected (columns):

                                             Core Business      Support Services   Non-Urgent
                                             Services (High)    (Medium)           Services (Low)
Department/LOB/Branch/Group of VIPs (High)   Critical           High               High
Small Group of Users or VIP (Medium)         Critical           High               Medium
Single User (Low)                            High               Medium             Low

Post-Incident
Root Cause Analysis: determining an addressable cause that led to the incident.

Supporting Documents
- Incident Tracking Forms
- Chain of Custody Form
- Indicator of Compromise Matrix

Building an Indicator of Compromise Matrix
Which log source can be searched for each indicator type (X = searchable in that source):

                 Firewall   DNS Server Log   Active Directory   NetFlow
IP Address       X                                              X
Domain Name                 X
Registry
MD5
Username                                     X
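The matrix above is only useful once it drives the hunt: each indicator should be searched in the sources that can actually hold it, and indicator types with an empty row (registry keys, MD5 hashes against these four sources) should be surfaced as visibility gaps to fix before an incident. The following is an added example, not code from the presentation or from BAE Systems; the source names, record formats and indicator values are constructed for illustration.

```python
import re

# The matrix from the slide: indicator type -> sources where it can be searched.
IOC_MATRIX = {
    "ip_address": {"firewall", "netflow"},
    "domain_name": {"dns_server_log"},
    "username": {"active_directory"},
    "registry": set(),  # none of the four sources on the slide hold these
    "md5": set(),
}

# Constructed sample records per source (made-up values, not real logs).
SOURCES = {
    "firewall": ["DENY src=10.1.2.3 dst=203.0.113.10 dport=443",
                 "ALLOW src=10.1.2.9 dst=198.51.100.7 dport=80"],
    "dns_server_log": ["client 10.1.2.3 query A bad.example.test",
                       "client 10.1.2.4 query A intranet.corp.test"],
    "active_directory": ["4624 logon user=jsmith workstation=WS01",
                         "4625 failed logon user=svc_backup workstation=SRV02"],
    "netflow": ["10.1.2.3:51234 -> 203.0.113.10:443 bytes=8840",
                "10.1.2.9:51300 -> 198.51.100.7:80 bytes=512"],
}

_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
_MD5 = re.compile(r"^[0-9a-fA-F]{32}$")
_REGISTRY = re.compile(r"^HK(LM|CU|CR|U|CC)\\", re.IGNORECASE)
_DOMAIN = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$", re.IGNORECASE)

def classify(indicator):
    """Map a raw indicator string to a row of the IoC matrix."""
    if _IPV4.match(indicator): return "ip_address"
    if _MD5.match(indicator): return "md5"
    if _REGISTRY.match(indicator): return "registry"
    if _DOMAIN.match(indicator): return "domain_name"
    return "username"  # anything else is treated as an account name

def hunt(indicators, matrix=IOC_MATRIX, sources=SOURCES):
    """Search each indicator only in the sources the matrix says can hold it.
    Returns {indicator: {"type", "hits": [(source, record)], "gap": bool}};
    gap=True marks an indicator type the current sources cannot answer."""
    results = {}
    for ioc in indicators:
        kind = classify(ioc)
        hits = [(src, rec) for src in sorted(matrix[kind])
                for rec in sources.get(src, []) if ioc.lower() in rec.lower()]
        results[ioc] = {"type": kind, "hits": hits, "gap": not matrix[kind]}
    return results
```

Rows flagged with gap=True are the argument for adding a source (for example host-based telemetry) to the matrix before it is needed.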
Recall Roster All members of the incident response team should have their contact information documented. For third parties, supporting information, such as PoCs, contract numbers, etc., should be included.
Create an Incident Response Playbook
Testing Incident Response
- High Level Audit: review of documentation; discussion-based interview of capabilities
- Objective Based Assessment: technical tasks requested of the IR team
- Tabletop Exercise
- War Game
Thank You