PRACTICAL GUIDE FOR CRITICAL INFRASTRUCTURE ORGANIZATIONS

Similar documents
DETECTION, ERADICATION & FORENSIC: CYBER THREATS INTELLIGENCE MODEL FOR CNII ORGANIZATIONS

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

MANAGING SECURITY THREATS IN THE NEW CONNECTED WORLD THROUGH FORENSIC READINESS

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

Gujarat Forensic Sciences University

Heavy Vehicle Cyber Security Bulletin

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Malware Outbreak

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Virus Outbreak

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

CompTIA CSA+ Cybersecurity Analyst

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

Cyber Security Program

Bradford J. Willke. 19 September 2007

Cyber Resilience. Think18. Felicity March IBM Corporation

Cybersecurity Overview

Information Security Incident Response Plan

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

METHODOLOGY AND CRITERIA FOR THE CYBERSECURITY REPORTS

External Supplier Control Obligations. Cyber Security

Are Cyber Security Exercises Useful? The Malaysian Case Study. Adli Wahid Head of Malaysia CERT (MyCERT) Twitter: adliwahid

Cyber Security Technologies

Cybersecurity: Incident Response Short

Greg Garcia President, Garcia Cyber Partners Former Assistant Secretary for Cyber Security and Communications, U.S. Department of Homeland Security

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Presentation to the ITU on the Q-CERT Incident Management Team. Ian M Dowdeswell Incident Manager, Q-CERT

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

EC-Council Certified Network Defender (CND) Duration: 5 Days Method: Instructor-Led

85% 89% 10/5/2018. Do You Have A Firewall Around Your Cloud? Conquering The Big Threats & Challenges

Cyber Resilience - Protecting your Business 1

Statement for the Record

Standing Together for Financial Industry Resilience Quantum Dawn 3 After-Action Report. November 19, 2015

Delivering Integrated Cyber Defense for the Cloud Generation Darren Thomson

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

Provisional Translation

Forensics and Active Protection

Cyber Threat Intelligence Sharing Standards

Cyber Security Strategic Level Landscape in Poland. Krzysztof Silicki NASK Institute, Poland ENISA MB, EB

Cyber Defense Operations Center

CYBERSECURITY RESILIENCE

ICS-CERT Year in Review. Industrial Control Systems Cyber Emergency Response Team

Information Security Incident Response Plan

Credit Card Data Compromise: Incident Response Plan

Designing and Building a Cybersecurity Program

PIPELINE SECURITY An Overview of TSA Programs

Data Security and Privacy Principles IBM Cloud Services

SANS Institute 2003, All Rights Reserved.

_isms_27001_fnd_en_sample_set01_v2, Group A

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Framework for Improving Critical Infrastructure Cybersecurity. and Risk Approach

Fidelis Overview. 15 August 2016 ISC2 Cyber Defense Forum

WHO AM I? Been working in IT Security since 1992

Position Description. Computer Network Defence (CND) Analyst. GCSB mission and values. Our mission. Our values UNCLASSIFIED

Security Monitoring Engineer / (NY or NC) Director, Information Security. New York, NY or Winston-Salem, NC. Location:

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

Mapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective

Cyber Security & Homeland Security:

The GenCyber Program. By Chris Ralph

CERT Development EFFECTIVE RESPONSE

Make IR Effective with Risk Evaluation and Reporting

Security by Default: Enabling Transformation Through Cyber Resilience

End-to-End Trust, Segmentation and Segregation in the IIoT

Enhanced Threat Detection, Investigation, and Response

UNCLASSIFIED. National and Cyber Security Branch. Presentation for Gridseccon. Quebec City, October 18-21

CCNA Cybersecurity Operations 1.1 Scope and Sequence

Defining Computer Security Incident Response Teams

CYBER SECURITY POLICY REVISION: 12

Cisco Networking Academy CCNA Cybersecurity Operations 1.1 Curriculum Overview Updated July 2018

Security Standards for Electric Market Participants

Legal Foundation and Enforcement: Promoting Cybersecurity

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

Cybersecurity Today Avoid Becoming a News Headline

FISMA Cybersecurity Performance Metrics and Scoring

Sage Data Security Services Directory

June 5, 2018 Independence, Ohio

Digital Health Cyber Security Centre

American Association of Port Authorities Port Security Seminar & Expo Cyber Security Preparedness and Resiliency in the Marine Environment

IBM services and technology solutions for supporting GDPR program

COMMISSION RECOMMENDATION. of on Coordinated Response to Large Scale Cybersecurity Incidents and Crises

Cybersecurity Strategy of the Republic of Cyprus

Automating the Top 20 CIS Critical Security Controls

Cybersecurity for IT Online. kaspersky.com/awareness #truecybersecurity. Kaspersky Enterprise Cybersecurity

Training for the cyber professionals of tomorrow

How to Align with the NIST Cybersecurity Framework

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

Standing Together for Financial Industry Resilience Quantum Dawn IV after-action report June 2018

GridEx IV Initial Lessons Learned and Resilience Initiatives

Cybersecurity, safety and resilience - Airline perspective

Threat Intelligence to enhance Cyber Resiliency KEVIN ALBANO GLOBAL THREAT INTELLIGENCE LEAD IBM X-FORCE INCIDENT RESPONSE AND INTELLIGENCE SERVICES

RSA INCIDENT RESPONSE SERVICES

Standard CIP 007 4a Cyber Security Systems Security Management

DEVELOP YOUR TAILORED CYBERSECURITY ROADMAP

CYBER SECURITY AIR TRANSPORT IT SUMMIT

RFD. for ICERT ( ) RESULTS-FRAMEWORK DOCUMENT. Department of Information Technology. Results-Framework Document (RFD) for CERT-In ( )

Stakeholders Analysis

The NIS Directive and Cybersecurity in

Cyber Security Incident Report

Why you should adopt the NIST Cybersecurity Framework

भ रत य ररज़र व ब क. Setting up and Operationalising Cyber Security Operation Centre (C-SOC)

Transcription:

CSIRT MANAGEMENT WORKFLOW: PRACTICAL GUIDE FOR CRITICAL INFRASTRUCTURE ORGANIZATIONS PREPARED BY : NURUL HUSNA MOHD NOR HAZALIN ZAHRI YUNOS ASWAMI FADILLAH ARIFFIN MOHD AZLAN MOHD NOR

INTRODUCTION 3

TYPE OF CYBER THREATS 4

CYBER INCIDENTS BY SECTORS 5

CYBER INCIDENTS - MALAYSIA April 2015 June 2015 MYNIC Berhad Malaysia Airlines Unauthorized modification were made to the.my (domain registry DNS (domain name server) to redirect traffic to a rogue site when users visited websites such as Google Malaysia & Yahoo Malaysia. Some internet users see the affected page for 24 hours due to DNS hijacking. The home page of Malaysia Airllines website was replaced by a photo of a MAS Airbus A380, with the word 404- Plane not found. A group calling itself Cyber Caliphate has claimed responsible for the incident. 6

REPORTED CYBERSECURITY INCIDENTS - MALAYSIA Reported incidents based on general incident classification statistics 2015 7

REQUIREMENTS FOR CSIRT IN ORGANIZATION IN MALAYSIA In 2013, the National Security Council of Malaysia (NSC) released the guideline NSC Directive 24: National Cyber Crisis Management Mechanism. This directive specifies the requirement for all government agencies to establish their own CSIRT as one of the initiatives to manage cyber incidents In 2013, the latest version of the ISMS standard (27001:2013(E)) contains three additional sub clauses under paragraph A16.1, which emphasize on response and assessment of information security incidents: 1. A 16.1.5 Response to information security incidents 2. A 16.1.6 Learning from information security incidents 3. A 16.1.7 Collection of evidence 8

SERVICES OFFERED BY CSIRT (Example) Prepare for any possible imminent problems Respond to problems & incident handling Quality management service 9

CyberDEF D E F detection of cyber treat eradication of cyber treat forensic analysis of cyber treat This stage is iterative, return to D or E to improve the technique further 10

CyberDEF (cont ) Typical CSIRT CyberDEF Detection Eradication Detection Eradication F O R E N S I C 11

CyberDEF (cont ) Identify any loopholes, vulnerabilities and existing threats 1. Sensors 2. Sandbox 3. Analytics Detection 4. Visualization Eradication Close loopholes, patch vulnerabilities and neutralize existing threats Perform cyber threats exercise or drill to test the feasibility and resiliency of the new defense / prevention system Forensics 1. E-Discovery 2. Root cause analysis 3. Investigation 4. Forensics readiness 5. Forensic compliance 12

CyberDEF (cont ) Why CyberDEF is unique? 3 Technical Departments Consists of 3 technical departments : 1. Secure Technology Services department (STS) 2. Digital Forensic department (DF) 3. Malaysia Computer Emergency Response Team (MyCERT) Centralized Governance Effective centralized governance because all of the 3 involved departments report directly to Vice President of Cyber Security Responsive Services. Forensic Element Forensic element incorporated in the services offered 13

CSIRT MANAGEMENT WORKFLOW Process MyCERT STS DF C-Level Detection Response time = 0.5 hour Constant monitoring Detect threats Register case in OTRS Constant monitoring Detect threats Verification Analyze threats Identify device Response time = 3 hour Conduct debrief to team members Inform Top Management Containment Response time = 1 hour Inform HoD of suspected device s owner Verify threat with actual device Preserve memory dump Collect device Preservation Response time = 16 hour Preserve device Analysis Response time = 5 days Security analysis Produce security analysis report Evidence analysis Produce root cause analysis report Eradication Response time = 1 hour Eradicate the threats based on recommendations Recover device Return device Reporting Report submission to Top Management Response time = 1 hour 14

CASE STUDY: DETECTION Appliance detected the victim is accessing malicious website which is sl-reverse.com and download malicious executable files 15

CASE STUDY: DETECTION (Cont ) Affected device identified 16

CASE STUDY: ERADICATION Eradicate the malware 17

CASE STUDY: FORENSICS Analysis Extract metadata & registry info from malicious file and analyze it using available tools Findings 18

CASE STUDY: FORENSICS (Cont ) Findings 19

CONCLUSION CSIRT Workflow Management should include elements of Detection, Eradication & Forensic It work for us! effective CSIRT implementation effective governance for managing incidents Communication, collaboration and information sharing are critical in CSIRT management 20

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback