Key Takeaways. 4. Stay calm and do no harm in an incident Overreacting can be as damaging as underreacting

Transcription

1

2

3

4 Purpose of the Guide Organizations face many pitfalls that can dramatically increase the negative impact of an incident The guide includes recommendations for technical, operational, legal, and communications aspects of a major cybersecurity incident and is focused primarily on the Respond and Recover phases defined in the NIST cybersecurity framework (NIST CSF) The guide is a collaboration between Microsoft, EY, Edelman and Orrick and brings together leading practise from the respective focus areas of each of these global class leading organizations

5 Key Takeaways 1. Preparation pays off Preparing for a major incident can reduce damage to the organization, as well as reduce incident cost and management difficulty 2. Operationalize your incident management processes Managing major cybersecurity incidents must be part of standard business risk management processes 3. Coordination is critical Effective cybersecurity incident management requires collaboration and coordination of technical, operations, communications, legal, and governance functions 4. Stay calm and do no harm in an incident Overreacting can be as damaging as underreacting

6

7 Preparation Overview Good preparation for responding to a cybersecurity attack can significantly reduce the business risk of an attack and the difficulty of managing the response and recovery Cybersecurity incident response preparation helps the organization think through and plan key aspects the enterprise cybersecurity response plan across these key functions: Technology Operations Legal Communication

8 Technology General Identify High-Value Assets (HVAs) Identify the critically important business assets and their technical composition (servers, applications, data files, etc.) This classification will also be useful for prioritizing protective and detective controls for these assets and identifying threats to them Confirm reliable software deployment Incomplete or unreliable software deployment systems can significantly hamper recovery efforts Ensure the ability to rapidly execute scripts/installers on all endpoints

9 Technology Investigation Phase Threat detection and monitoring capabilities Ensure the tools and skills are in place that allow detection of advanced attackers in your environment These capabilities are constantly evolving, but an advanced program currently would include: o Event correlation and analysis o Integrated threat intelligence (CTI) o User and entity Behavioural Analytics o Ability to detect IOCs from historical patterns and IOAs for evolving techniques o Machine Learning (ML) and advanced Analytics

10 Technology Investigation Phase Investigation and forensic capabilities Ensure the ability to investigate targeted attacks through malware and attack activity analysis to produce an accurate attack timeline Capability can be built internally via own tools and analysts or via managed cybersecurity services (MDR) Track and analyze response costs To enable risk management, keep a record of the costs involved in responding to incidents IR cost elements include: o Direct costs (e.g. external services, repair/replacement of damaged equipment, etc.) o Labour cost of the IR team spent on investigation and recovery o Reputational cost impacting on your organization s business

11 Validated backup and recovery capability for critical data Prepare for a destructive attack that deletes or encrypts data (such as ransomware) by validated the ability to recover critical data Data can be backed up using an offline and/or ransomware resistant cloud backup capability Create technical recovery documentation Write and validate technical recovery documentation (and/or use automation) for procedures that are frequently required during a security incident, including: o Compromised account recovery procedures o Compromised host recovery procedures o Network segregation and isolation procedures

12 Operations General Establish a framework Create a framework that defines the incident management program The framework must clearly delineate roles & responsibilities (RACI) as well as the operations model for security incident handling Adopt a disaster management approach Major incidents represent an organizational crisis and require a command structure to manage them For example, Incident Command System (ICS) is used extensively in disaster management and is extremely effective for cybersecurity incidents

13 Operations General Exercise your crisis process Establish a schedule to exercise crisis teams and processes on relevant scenarios Exercises should include individual components of the incident management program as well as tabletop exercises that include all elements & stakeholders (legal, communications, and organizational leadership) Exercises must also validate nonintrusive technical procedures including backup recovery and threat detection tools Emergency approval process - A streamlined emergency approval process should exist for handling rapid changes during an incident e.g., authority to approve rapid change proposals without change board approvals Establish clear guidelines for escalation Document when internal investigations should escalate to specialists and external investigation teams based on time spent on investigation, complexity, malware type, specific adversary, etc.

14 Operations Preparedness - Lessons Learned Just buying more tools does not equal better security Buying tools without having time and skills to use them is a waste and a distraction Enabling every log source will only drown you in data, slowing investigation Placing your security staff in a dual role with IT operations diminishes their effectiveness Preparing staff sufficiently and scheduling availability of required resources reduces the cost of incidents Capturing lessons learned is critical to ensure improved incident handling in future

15 Communications General Cyber attack communications expectations Organizations are not expected to prevent all security incidents, but they are expected to effectively manage them Increasingly companies will be judged (by regulators and customers) by how well they manage incidents Effective cybersecurity incident communications Effectively communicating security incidents requires careful planning, and an understanding of the unique dynamics inherent in cybersecurity issues Most crises require transparency and speed of communication, but the complex nature of cyber incident investigation make facts fluid, which could lead to unnecessary negative coverage and could also alert attackers

16 Communications Response Plan Appoint a communications lead In a crisis, precious time and energy can be lost identifying who is leading communications Pre-appoint a communications lead with insight into cybersecurity response as part of the core team Draft a communications plan Many companies have technical incident response plans but what s often missing is a communications-centric portion to manage what to disclose to whom and when Develop the communications portion of existing incident response plans, including clear ownership and approval processes Create a stakeholder map A company must understand its contractual obligations to inform various stakeholders Map the stakeholders that need to receive communications including customers, media, partners, regulators, employees and vendors

17 Communications Response Plan Develop draft media statements Draft statements and other materials should be created for the major types of incidents expected for the early stages of an investigation Develop key communications considerations for each of the expected incidents, to help guide decision-making (e.g. if and under what circumstances the company would pay to remove ransomware) Practice the plan Host tabletop exercises with members from the entire incident response team to test how they would react to the media, customer, and regulator attention Tabletops are best done in conjunction with outside legal counsel and are intended to focus on all the non-technical aspects of incident response

18 Legal General Designate a cyber lead from Legal Cybersecurity incident response preparation must include evaluating and managing legal risk Legal counsel (internal and/or external) should direct certain incident response preparation activities and retain outside forensic and communications experts Review policies and public statements Public representations (e.g., privacy statements, service representations) and also internal security policies must be abided by to reduce legal risk Policies and public disclosures must be regularly reviewed to represent the current state Conduct regular board briefings Directors cannot fulfil their fiduciary responsibilities if they are not aware of the risks Boards should be regularly briefed on cybersecurity risks, and have sufficient information and expert assistance, so that they can effectively manage cybersecurity risk

19 Legal General Manage third party vendors Perform diligence on vendors to evaluate the risks that they present as vendors are often the weakest link Negotiated agreements to include security standards, as well as legal protections (indemnification, limitation of liability, insurance, etc.) that vendors must comply with The incident plan should include how vendors will cooperate as part of the incident response team Develop an audit, review or certification process to test vendors compliance with security standards and the incident response plan

20 Legal General Involve legal council in developing the incident plan Regulators and plaintiffs focus on the technical security measures in place, as well as the speed, efficiency, and effectiveness of the response to a cyber attack Involve expert cyber counsel to craft operationally effective processes that reflect the latest insights from regulators and litigated cases Conduct cybersecurity assessments and tests at Legal s direction Legal counsel should direct penetration tests, vulnerability assessments, etc., in close collaboration with Security Operations, thus protecting related communications, work products, etc. under legal privilege Reports should be prepared sparingly, and only at the direction of counsel to minimize discovery risks Organizations often cannot implement all the recommendations from these assessments, and should make risk based judgments around remediation and mitigation efforts to show due diligence

21

22 Incident Handling Overview Keep calm Incidents are extremely disruptive and can become emotionally charged Stay calm and focus on prioritizing efforts on the most impactful actions first Do no harm Incident response must avoid loss of data, loss of business critical functionality, and loss of evidence Avoid decisions that compromise the ability to create forensic timelines, identify root cause, and learn critical lessons Strike critical balances Speed - balance the need to act quickly to satisfy stakeholders with the risk of rushed decisions Sharing information - inform investigators, stakeholders, and customers while limiting liability and unrealistic expectations Be accurate Confirm anything shared with the public and to customers is correct and truthful Get help when needed Investigating and responding to attacks from sophisticated attackers benefits significantly from deep expertise and experience

23 Investigation Phase Critical Success Factors Identify scope of attack operation Most adversaries use multiple persistence mechanisms, try and uncover them all Identify objective of attack, if possible - Persistent attackers will frequently return for their objective (data/systems) in a future attack, so it is imperative to secure all vulnerabilities associated with the objective Stay focused Keep the focus on business-critical data, customer impact, and getting ready for remediation Don t investigate forever Ruthlessly prioritize investigation efforts (e.g., only perform forensic analysis on hosts that attackers have actually used or modified). When an attacker has administrative privileges, it is impractical to investigate all potentially compromised resources. Response capability will be negatively impacted Plan for 50% of staff operating at 50% of normal capacity due to situational stress

24 Investigation Phase - Tips Consider ICS for crisis management If there is no permanent function that manages security incidents, its recommend to use ICS as a temporary organizational structure to handle the crisis The show must go on Confirm the daily security operations are not completely side lined to support incident investigations as the normal work still needs to be done Don t use online scanners Many adversaries monitor instance counts on services like VirusTotal for discovery of targeted malware Don t modify the environment Unless faced by an imminent threat of losing business critical data (deletion, encryption, exfiltration), do not start recovery operations until the investigation is complete Share information Confirm that all investigation teams (including all internal teams and external investigators) are fully sharing their data with each other Access the right expertise Integrate people with deep knowledge of the systems into the investigation (internal staff or external entities like vendors as needed), not just security generalists Legal check Check with Legal on whether they plan to involve law enforcement so that investigation and recovery procedures are planned appropriately Avoid wasteful spending Many major incidents result in organizations purchasing an assortment of expensive security tools in a panic that are never deployed or used. If new tools can t be deploy and used during the investigation, defer acquisition until after the investigation is finished.

25 Recovery Phase Critical Success Factors Clear plan and defined scope Work closely with technical teams to build a clear plan with defined scope whilst being diligently to limit scope creep as the recovery unfolds. Limit response scope to assure the recovery operation can be executed within 24 hours or less. Coordination and role clarity Establish distinct roles for recovery operations, including designating a clear project lead, in support of the crisis team and confirm technical, legal and communications teams are keeping each other informed Business perspective Always consider the impact on business operations, both through adversary actions and your response actions Stakeholder communications Work with communication teams to provide timely updates and active expectation management for organizational stakeholders Avoid distractions Anything that does not have direct and immediate impact on the current recovery operation is a distraction, e.g. investing new security solutions

26 Recovery Phase - Tips Never reset all passwords at once Password resets should focus first on knowncompromised accounts (from investigation) and potentially administrator/service accounts. If warranted, user passwords should be reset only in a staged/controlled manner. Consolidate execution of recovery tasks Unless there is an imminent threat of losing business-critical data, use a consolidated operation to rapidly remediate all compromised resources (hosts, accounts, etc.) vs. remediating compromised resources as they re discovered. Compressing recovery will make it difficult for adversaries to adapt and maintain persistence. Use existing tools Research and use the capabilities of tools already deployed (software deployment, antimalware, etc.) before trying to deploy and learn a new tool during a recovery Avoid tipping off adversaries Adversaries typically have access to all production data and in a major cybersecurity incident, but may not have time to monitor all your communications. Despite this, take steps to limit the information available to adversaries about the recovery operation. Know your capabilities and know your limits Managing major security incidents is very challenging, complex, and new to many organizations. Bring in expertise from external organizations/professional services if the response team is overwhelmed or aren t confident. Capture lessons learned Build and continually improve role-specific handbooks for security operations, even if it s your first incident without any written procedures

27 Communications Critical Success Factors: Focus on actions not outcomes - Focus communications on actions the company is taking to investigate and remediate the incident. Avoid disclosing details of the incident until there is forensic certainty of the facts. Keep customers as your north star - Focus on how operations are helping protect customers vs. details about the incident (who, how, etc.). Focus on providing actionable guidance to customers. Keep media interactions transactional - Contain and manage news coverage of the event and confirm that the key messages of the company come across, which can be achieved by providing the media with written statements and only granting media interviews if necessary Tips: Leverage your owned properties - Create a single online destination where stakeholders can get accurate and updated information, including official company statements, Q&As for customers, and useful resources Brief internal audiences - Brief customer-facing employees about the incident and provide them with the appropriate talking points or escalation processes, should they get questions Monitor the conversation - Use crisis-specific traditional and social media monitoring to detect media leaks early in an investigation and then to understand the sentiment once an issue is disclosed publicly Consider steps to regain or earn trust - Consider if there are steps the company should take to regain customer trust after an incident is concluded

28 Legal Critical Success Factors: Maintain confidentiality and protect privilege - Legal counsel should direct the investigation and response efforts, in close partnership with the IT Security Operations lead, to identify legal obligations and manage risk, thereby adding confidentiality protection through legal privilege Identify legal statutory, contractual, and other obligations - Consider notification and communication decisions carefully in light of current legal interpretations, as well as accepted and expected practices Engage law enforcement - Engage law enforcement as part of incident response, as it is often required depending on industry (e.g. government) and type of data affected (e.g. credit card breach) Tips: Take care regarding post-breach actions/statements - All communications and post-breach accommodations to affected individuals should be carefully vetted to managing risk as plaintiffs can use post-incident actions and communications to support potential lawsuits Keep executives/board members adequately informed - Updates must balance the quality and quantity of information to enable them to carry out their fiduciary responsibilities and exercise business judgment, while avoiding overloading them with technical details

29

30