INCIDENT RESPONDER'S FIELD GUIDE INCIDENT RESPONDER'S INCIDENT RESPONSE PLAN FIELD GUIDE LESSONS FROM A FORTUNE 100 INCIDENT RESPONSE LEADER

Similar documents
Incident Responder Field Guide: Lessons from a Fortune 100 Incident Responder

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

DHG presenter. August 17, Addressing the Evolving Cybersecurity Landscape. DHG Birmingham CPE Seminar 1

Cybersecurity The Evolving Landscape

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

Assessing Your Incident Response Capabilities Do You Have What it Takes?

CYBER RESILIENCE & INCIDENT RESPONSE

Security. Protect your business from security threats with Pearl Technology. The Connection That Matters Most

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Unauthorized Access

Welcome to the CyberSecure My Business Webinar Series We will begin promptly at 2pm EDT All speakers will be muted until that time

Position Description. Computer Network Defence (CND) Analyst. GCSB mission and values. Our mission. Our values UNCLASSIFIED

10 FOCUS AREAS FOR BREACH PREVENTION

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Elevation of Privilege

Key Takeaways. 4. Stay calm and do no harm in an incident Overreacting can be as damaging as underreacting

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Data Theft

Threat Hunting in Modern Networks. David Biser

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

A practical guide to IT security

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

Cybersecurity Auditing in an Unsecure World

to Enhance Your Cyber Security Needs

CNIT 50: Network Security Monitoring. 9 NSM Operations

Cybersecurity for Health Care Providers

CYBERSECURITY RISK LOWERING CHECKLIST

What It Takes to be a CISO in 2017

Cyber security tips and self-assessment for business

Managed Endpoint Defense

Defining cybersecurity.

Are we breached? Deloitte's Cyber Threat Hunting

New York Cybersecurity. New York Cybersecurity. Requirements for Financial Services Companies (23NYCRR 500) Solution Brief

Cybersecurity Threat Modeling ISACA Atlanta Chapter Geek Week Conference

FTA 2017 SEATTLE. Cybersecurity and the State Tax Threat Environment. Copyright FireEye, Inc. All rights reserved.

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

COUNTERING CYBER CHAOS WITH HIPAA COMPLIANCE. Presented by Paul R. Hales, J.D. May 8, 2017

The Resilient Incident Response Platform

4/13/2018. Certified Analyst Program Infosheet

SECURITY OPERATIONS CENTER BUY BUILD BUY. vs. Which Solution is Right for You?

Incident Response Lessons From the Front Lines. Session 276, March 8, 2018 Nolan Garrett, CISO, Children s Hospital Los Angeles

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

2018 IT Priorities: Cybersecurity, Cloud Outsourcing & Risk Management. Follow Along

Technology Risk Management in Banking Industry. Rocky Cheng General Manager, Information Technology, Bank of China (Hong Kong) Limited

Integrated, Intelligence driven Cyber Threat Hunting

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

Eliminating the Blind Spot: Rapidly Detect and Respond to the Advanced and Evasive Threat

Cyber Security Stress Test SUMMARY REPORT

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

Nine Steps to Smart Security for Small Businesses

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Presentation to the ITU on the Q-CERT Incident Management Team. Ian M Dowdeswell Incident Manager, Q-CERT

Enhancing the Cybersecurity of Federal Information and Assets through CSIP

Chapter 18 SaskPower Managing the Risk of Cyber Incidents 1.0 MAIN POINTS

Incident Scale

Click to edit Master title style. DIY vs. Managed SIEM

You ve Been Hacked Now What? Incident Response Tabletop Exercise

esendpoint Next-gen endpoint threat detection and response

How NSFOCUS Protected the G20 Summit. Guy Rosefelt on the Strategy, Staff and Tools Needed to Ensure Cybersecurity

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

The New Era of Cognitive Security

Ransomware A case study of the impact, recovery and remediation events

2018 HIPAA One All Rights Reserved. Beyond HIPAA Compliance to Certification

Protecting Against Modern Attacks. Protection Against Modern Attack Vectors

OA Cyber Security Plan FY 2018 (Abridged)

Brian S. Dennis Director Cyber Security Center for Small Business Kansas Small Business Development Center

YOU VE GOT 99 PROBLEMS AND A BUDGET S ONE

Symantec Security Monitoring Services

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

50+ Incident Response Preparedness Checklist Items.

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response Intelligence in Action

Building Resilience in a Digital Enterprise

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Virus Outbreak

CYBER ALERT. Cyber Investigations, Part 4: Hallmarks of Enterprise Impact Investigations. Key Components of an Enterprise Impact Investigation

What to do if your business is the victim of a data or security breach?

Information Security Incident Response Plan

THE ACCENTURE CYBER DEFENSE SOLUTION

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

TIPS FOR FORGING A BETTER WORKING RELATIONSHIP BETWEEN COUNSEL AND IT TO IMPROVE CYBER-RESPONSE

O N L I N E I N C I D E N T R E S P O N S E C O M M U N I T Y

Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management

Designing an Adaptive Defense Security Architecture. George Chiorescu FireEye

EXABEAM HELPS PROTECT INFORMATION SYSTEMS

THE LIFE AND TIMES OF CYBERSECURITY PROFESSIONALS

2017 Annual Meeting of Members and Board of Directors Meeting

Sage Data Security Services Directory

NetWitness Overview. Copyright 2011 EMC Corporation. All rights reserved.

BOLSTERING DETECTION ABILITIES KENT KNUDSEN JUNE 23, 2016

Staffing Services UnderDefense your source of experienced professionals to solve security staffing challenges today

Fidelis Overview. 15 August 2016 ISC2 Cyber Defense Forum

Best Practices in Healthcare Risk Management. Balancing Frameworks/Compliance and Practical Security

FROM SIEM TO SOC: CROSSING THE CYBERSECURITY CHASM

Information Security Is a Business

NW NATURAL CYBER SECURITY 2016.JUNE.16

SECURITY & PRIVACY DOCUMENTATION

CCISO Blueprint v1. EC-Council

Automated Response in Cyber Security SOC with Actionable Threat Intelligence

Defining Computer Security Incident Response Teams

Real-world Practices for Incident Response Feb 2017 Keyaan Williams Sr. Consultant

Cybersecurity: Incident Response Short

Transcription:

INCIDENT RESPONDER'S FIELD GUIDE INCIDENT RESPONDER'S INCIDENT RESPONSE PLAN FIELD GUIDE LESSONS FROM A FORTUNE 100 INCIDENT RESPONSE LEADER 1

INCIDENT RESPONDER'S FIELD GUIDE TABLE OF CONTENTS 03 Introduction & How to Use This Guide 04 Introducing Tim Bandos 05 Part One: Incident Response Do s and Don ts 08 Part Two: Get Ready 18 Part Three: The Five Stages of Incident Response 31 Part Four: Advanced Threat Protection as a Service 35 Appendix: Digital Guardian Next Generation Data Protection 2

INTRODUCTION WHY READ THIS GUIDE? Careful cyber security incident response planning provides a formal, coordinated approach for responding to security incidents affecting information assets. This e-book provides easy-to-follow steps for crafting an incident response plan in the event of cyber security attacks. HOW TO USE THIS GUIDE IF YOU ARE... New to Incident Response Plan Not sure where to start? Familiar with Incident Response Plans, but how do I implement in my organization Worried about managing Incident Response with limited resources Looking to understand what makes Digital Guardian different GO TO... Part One: Incident Response Do's and Don'ts Part Two: Get Ready Part Three: The Five Stages of Incident Response Part Four: Advanced Threat Protection as a Service Appendix: Digital Guardian Next Generation Data Protection 3

INTRODUCTION INCIDENT RESPONSE EXPERT Tim Bandos is the Director of Cybersecurity at Digital Guardian. He has over 15 years of experience in the cybersecurity realm at a Fortune 100 company with a heavy focus on Internal Controls, Incident Response & Threat Intelligence. At this global manufacturer, he built and managed the company s incident response team. Tim recently joined Digital Guardian to help build our Managed Security Program (MSP) to deliver advanced threat protection to our global customer base. He brings a wealth of practical knowledge gained from tracking and hunting advanced threats targeted at stealing highly sensitive data. SEE OUR BLOG To learn why Tim joined Digital Guardian read his blog post, Why I Signed on with an IT Security Vendor. TIM BANDOS Director, Cybersecurity Digital Guardian CISSP, CISA, CEH & CASS 4

INCIDENT RESPONDER'S FIELD GUIDE PART ONE INCIDENT RESPONSE DO'S AND DON'TS 5

PART ONE: INCIDENT RESPONSE DO'S AND DON'TS 5 THINGS NOT TO DO DURING AN INCIDENT PANIC 1 Do not panic. It's the worst thing you can do. You want to remain calm and having an IR plan will help to do just that. An IR plan will provide you with a predefined path that outlines the best course of action to take during an incident. 2 SHUT DOWN SYSTEMS Do not shut down infected systems. By shutting them down, you could lose volatile data that contains important forensic information. This information can be essential in determining the timeline of what transpired. SOCIALIZE 3 Do not discuss the incident with others unless otherwise directed. It s important to be cautious about the audiences that you choose to communicate with about an incident that has just begun to unravel. USE DOMAIN ADMIN CREDENTIALS 4 Do not use domain administrative credentials when accessing systems environment. Threat actors patiently wait for a user with enterprise-wide access to login in order to capture the password to gain complete control over the environment. 5 NON-FORENSIC TOOL USAGE Do not execute any non-forensic software on the infected systems because this will overwrite the timelines associated with the attack in the Master File Table. 6

PART ONE: INCIDENT RESPONSE DO'S AND DON'TS 4 THINGS TO DO DURING AN INCIDENT COLLECT DATA 1 Collect volatile data and other critical artifacts off the system using forensic tools. Forensically sound tools have the ability to connect to the system without modifying any timestamps on the device. EXTERNAL INTELLIGENCE 2 Gather external intelligence based on identified indicators of compromise (IOC). Search the web for intelligence about specific MD5s, IP addresses, domains that you discovered during your initial incident investigation. You are attempting to identify what the potential infection is or what type of malware may have been executed within the environment. 3 Safeguard SAFEGUARD systems and other media for forensic collection. 4 COLLECT LOGS Collect the appropriate logs. This may include Windows Events, Firewall, Netflow, Anti-Virus, Proxy, etc. It is important to view the story both at the network and at the endpoint level. 7

INCIDENT RESPONDER'S FIELD GUIDE PART TWO GET READY 8

PART TWO: GET READY BUILD YOUR IR TEAM An Incident Response team is a centralized team that is responsible for incident response across the organization. The team receives reports of security breaches, analyzes the reports and takes necessary responsive measures. The team should be composed of: INCIDENT RESPONSE MANAGER SECURITY ANALYSTS THREAT RESEARCHERS IR manager oversees and prioritizes different steps in detection, analysis and containment of the incident. In case of high severity incidents, IR manager also interfaces with the rest of the company, including corporate security, human resources, etc. to convey findings, status, and requirements. These are the cyber-ninjas that go deep down into the weeds to identify when an incident has occurred and what has happened during that period of time. The team consists of: Triage Analysts - Filter out false positives and alert on potential intrusions Forensic Analysts - Recover key artifacts of data and maintain integrity of evidence to ensure a forensically sound investigation. Threat researchers complement security analysts by providing threat intelligence and context to the incident. They are constantly combing the internet, identifying intelligence that may have been reported externally. They then build an internal database of internal intelligence derived out of prior incidents. 9

PART TWO: GET READY GET CROSS-FUNCTIONAL SUPPORT All business representatives must fully understand and advocate the Incident Response plan in order to ensure that the plan is properly executed, smooth information flow occurs and remediation takes place. MANAGEMENT HUMAN RESOURCES AUDIT AND RISK MANAGEMENT SPECIALISTS Management buy-in is necessary for provision of resources, funding, staff, and time commitment for incident response planning and execution. Human Resources is called upon when an employee is discovered to be involved with the incident. The specialists help develop threat metrics and vulnerability assessments, along with encouraging best practices across the constituency or organization. GENERAL COUNSEL The Attorney s role is to ensure the forensic value of any evidence collected during an investigation in the event that the company chooses to take legal action. An attorney can also provide advice regarding liability issues in the event that an incident affects customers, vendors, and/or the general public. PUBLIC AFFAIRS The Public Relations role is to communicate with team leaders, ensuring an accurate understanding of the issue and the company s status, so as to communicate with the press and/or informing the stockholders about the current situation. 10

TIPS FROM TIM TIM BANDOS Director, Cybersecurity Digital Guardian CISSP, CISA, CEH & CASS COMMUNICATION WITHIN AND Communications during an incident should be conducted in a manner which protects the confidentiality of the information that is being disseminated. The incident response manager should be the central point of all communication and only those with a valid need-to-know is included in communications regarding key incident details, indicators of compromise, adversary tactics and procedures. Securing this communication so that Mr. Threat Actor is unable to snoop your messages is extremely vital to avoid tipping them off that an on-going investigation is occurring. Any indication that You re On to Them may lead to swift changes by the attackers to further mask their activity. ACROSS TEAMS IS CRITICAL 11

PART TWO: GET READY WE HOPE YOU ENJOYED THIS SAMPLE! TO READ ON, CLICK HERE & DOWNLOAD THE COMPLETE GUIDE THE FULL EBOOK INCLUDES EASY-TO-FOLLOW STEPS AND PRACTICAL GUIDANCE FROM TIM BANDOS, A FORMER FORTUNE 100 INCIDENT RESPONSE LEADER TO HELP YOU: 1 Build your Incident Response team. 2 Implement an Incident Response plan in your organization. 3 Manage Incident Reponse with limited resources. TO READ ON, FILL OUT OUR SHORT FORM AND DOWNLOAD THE COMPLETE GUIDE NOW >> 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback