You've Been Hacked, Now What? Incident Response Tabletop Exercise
Jeff Olejnik, Director, Cybersecurity Services

Agenda
- Incident Response Planning
- Mock Tabletop Exercise
- Exercise Tips

Wipfli Firm Foundation
- Founded in 1930 in Wausau, Wisconsin, by Clarence J. Wipfli
- 87-year history of client service
- 219 partners
- More than 1,800 associates
- 42 U.S. offices (CA, ID, IL, MN, MT, PA, VA, WA, WI) and two offices in India
- Over 60,000 clients
- Wipfli is ranked in the top 20 among America's 100 largest public accounting firms
Our Mission: To contribute to the success of our associates and clients.

Cybersecurity Services
Comprehensive Governance, Risk, Compliance, and Testing

Breach Detection Concerns
- 205 days: median number of days that hackers were present on a victim's network before being discovered. Longest presence: 2,982 days.
- 69%: victims notified by an external entity (e.g. law enforcement)
Source: Mandiant M-Trends 2015

Reality check
- Cybercrime is big business. There is a well-organized and well-funded underground economy for stealing and selling corporate data.
- 100% protection is not possible. There are thousands of ways attackers can compromise security, and they need only be successful once.
- Cyber incidents will happen. How quickly and effectively organizations detect and respond makes all the difference.
- Breaches are expensive. The average cost of a data breach is $4 million.

Incident Response Lifecycle

What should you prepare for?
- Incident Response Plan: a framework to address any incident
- Handling procedures for common attacks:
  - External / removable media
  - Attrition or brute force (e.g. DDoS)
  - Website or web-based application
  - Email
  - Impersonation (spoofing, man-in-the-middle, rogue wireless, SQL injection)
  - Improper usage / policy violation
  - Loss or theft of equipment
  - Ransomware

Preparation
- Incident Response Policy
- Team structure:
  - Management
  - Information assurance / handling
  - IT support
  - Legal department
  - Public affairs and media relations
  - Business continuity planning
  - Physical security and facilities management
- Communication and facilities:
  - Contact information for all stakeholders
  - Incident reporting & tracking
  - Secure storage facility

Preparation: Forensic Readiness
- Incident analysis hardware and software:
  - Digital forensic workstations / backup devices & software
  - Spare equipment
  - Network diagrams
  - Baselines of expected network, system and application activity
- Prevention:
  - Risk assessments
  - Host security
  - Network security
  - Malware prevention
  - User awareness and training

Detection & Analysis
- Determine whether an incident has occurred
- Analyze precursors and indicators
- Research and look for correlating information
- Document the investigation and gather evidence
- Prioritize (functional impact, information impact, recoverability effort, velocity, etc.)
- Report to appropriate internal and external stakeholders
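As an added illustration of the "analyze precursors and indicators", "look for correlating information" and "prioritize" steps (example code written for this page, not part of the deck or of Wipfli's material): a small Python script runs over constructed file-server audit events, correlates two ransomware indicators per host (a file renamed with an extra extension appended, and a ransom-note file created) and then scores the incident with three of the factors the slide lists. The event format, host and share names, classification and backup tables, thresholds and the 0-3 scoring scale are all assumptions; velocity is not scored.

```python
import re
from collections import defaultdict

# Constructed file-server audit events: "time host user action path [new_name]".
# The format is an assumption; real sources (Windows object-access auditing,
# NAS audit logs, EDR telemetry) each have their own shape.
SAMPLE_EVENTS = [
    "09:31:02 LT-0412 jdoe RENAME //FS1/users/jdoe/budget.xlsx budget.xlsx.encrypted",
    "09:31:02 LT-0412 jdoe RENAME //FS1/users/jdoe/notes.docx notes.docx.encrypted",
    "09:31:03 LT-0412 jdoe CREATE //FS1/users/jdoe/DECRYPT_INSTRUCTIONS.txt",
    "09:31:05 LT-0412 jdoe RENAME //FS1/shared/clients/intake_2017.xlsx intake_2017.xlsx.encrypted",
    "09:31:06 LT-0412 jdoe RENAME //FS1/shared/clients/case_notes.docx case_notes.docx.encrypted",
    "09:32:10 WS-0207 asmith READ //FS1/shared/clients/intake_2017.xlsx.encrypted",
    "09:40:00 WS-0118 bjones RENAME //FS1/shared/hr/payroll.xlsx payroll.xlsx.encrypted",
    "09:41:00 WS-0118 bjones CREATE //FS1/shared/hr/DECRYPT_INSTRUCTIONS.txt",
    "09:45:00 WS-0301 cwong RENAME //FS1/shared/hr/draft.docx draft_final.docx",
]

# Assumed data classification per share (owned by the information-handling role).
SHARE_CLASSIFICATION = {
    "//FS1/users": "internal",
    "//FS1/shared/clients": "pii",
    "//FS1/shared/hr": "pii",
}
# Assumed backup coverage per share, used for the recoverability factor.
BACKED_UP = {"//FS1/users": True, "//FS1/shared/clients": True, "//FS1/shared/hr": False}

# Ransom-note file-name pattern used by the constructed sample (an assumption).
RANSOM_NOTE = re.compile(r"(DECRYPT|RECOVER|README|HOW_TO).*\.(txt|html?)$", re.I)

def share_of(path):
    """Longest classified share prefix that contains the path ("" if none)."""
    return max((s for s in SHARE_CLASSIFICATION if path.startswith(s + "/")), key=len, default="")

def analyze(events):
    """Correlate indicators per host. Returns {host: {renames, notes, shares, user, level}}
    for hosts with at least one indicator; quiet hosts are dropped."""
    hosts = defaultdict(lambda: {"renames": 0, "notes": 0, "shares": set(), "user": None})
    for line in events:
        parts = line.split()
        _, host, user, action, path = parts[:5]
        rec = hosts[host]
        rec["user"] = user
        base = path.rsplit("/", 1)[-1]
        if action == "RENAME" and parts[5].startswith(base + "."):
            # Indicator 1: original name kept, extra extension appended
            # (budget.xlsx -> budget.xlsx.encrypted). A normal rename does not look like this.
            rec["renames"] += 1
            rec["shares"].add(share_of(path))
        elif action == "CREATE" and RANSOM_NOTE.search(base):
            rec["notes"] += 1            # Indicator 2: ransom note dropped
            rec["shares"].add(share_of(path))
    findings = {}
    for host, rec in hosts.items():
        if not rec["renames"] and not rec["notes"]:
            continue
        if rec["notes"] and rec["renames"] >= 2:
            level = "confirmed"          # both indicators correlate on one host
        elif rec["notes"] or rec["renames"] >= 2:
            level = "probable"
        else:
            level = "precursor"          # a single odd rename: watch it, do not page
        findings[host] = {**rec, "shares": sorted(rec["shares"]), "level": level}
    return findings

def prioritize(findings):
    """Score with the slide's factors, 0-3 each (the scale is an assumption
    modelled on the NIST SP 800-61 impact categories)."""
    shares = {s for f in findings.values() for s in f["shares"]}
    non_personal = [s for s in shares if SHARE_CLASSIFICATION.get(s) != "internal"]
    if not findings:
        functional = 0
    elif len(findings) > 1 and len(non_personal) > 1:
        functional = 3                   # several hosts and several shared resources
    elif non_personal:
        functional = 2                   # shared storage affected
    else:
        functional = 1                   # one host, personal area only
    classes = {SHARE_CLASSIFICATION.get(s, "unknown") for s in shares}
    information = 3 if "pii" in classes else (1 if classes else 0)
    recoverability = 3 if any(not BACKED_UP.get(s, False) for s in shares) else 1
    score = functional + information + recoverability
    label = "critical" if score >= 7 else "high" if score >= 4 else "medium"
    return score, {"functional": functional, "information": information,
                   "recoverability": recoverability, "priority": label,
                   "shares": sorted(shares)}

if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for host, f in found.items():
        print(f"{host}: {f['level']} ({f['renames']} renames, {f['notes']} notes) by {f['user']} on {f['shares']}")
    print(prioritize(found))
```

The point of the per-host "level" is the correlation step on the slide: one indicator on its own (a single odd rename, as on WS-0301) is only a precursor, while two independent indicators on the same host are what justify escalating and reporting. The recoverability factor is where a backup gap like the one in Section 2 shows up in the score.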

Containment, Eradication & Recovery
- Acquire, preserve, secure and document evidence
- Isolate and contain
- Eradicate the incident:
  - Identify and mitigate all vulnerabilities
  - Remove malware, inappropriate materials and other components
  - Repeat if necessary
- Recover:
  - Return to normal
  - Implement additional monitoring (if necessary)

Post-Incident Activity
- Create follow-up report
- Post-mortem meeting

Incident Response Exercise

Incident Response Exercise: Instructions & Ground Rules
- There are no wrong answers
- Meet your team and designate a captain
- One incident scenario with 4 sections
- Deal only with the information and timeline provided
- 5 minutes per section to discuss within your small group
- 5 minutes sharing with all

ACME Social Services
- Provides a variety of social services related to the basic necessities of life: food and shelter, physical health and safety, counseling and support.
- The main office houses administration and IT and is also the location for counseling services.
- There is no formal disaster recovery plan or alternate site identified for disaster recovery.
- IT recently moved to an off-site data backup solution, but still backs up to tape each week.

Section 1: 9:30 AM Monday
An upset and embarrassed employee contacts the IT director to let him know that she thinks she got a computer virus while working at home over the weekend. She brought it into the office and was hoping that by connecting to the network, things would be resolved.

CryptoLocker Message
- $300 ransom is demanded, to be paid in Bitcoin
- Ransom increases to $5,000 if not paid within 72 hours

Discussion questions
1. What are your most urgent priorities at this time?
2. What information do you need to determine your next action? How will you obtain this information?
3. Describe the team you would need to execute the next steps; who should be involved?

Things to Consider
- Do all employees know who to notify of suspected incidents?
- Are there multiple methods of communication or alternate contacts?
- Who are the members of the Incident Response Team?

Section 2: 2 hours later
The IT manager looks to recover from the off-site vaulting solution, but discovers that it was not backing up the laptop, only the network drive. He also discovers that the employee's network drive is encrypted as well. Other users begin contacting IT saying they have also received the pop-up message and cannot access their files.

Discussion questions
1. What are your top priorities now?
2. What are the options? What are the consequences associated with each?
3. Who will ultimately make the decision on how to proceed?
4. How would you identify the extent of the incident?
5. What resources will you need? Which key partners or vendors should be notified?
6. What are the possible legal and regulatory implications?

Things to Consider
- Do you have a formal incident handling procedure?
- Do you have contact information for legal, IT resources, forensic expertise, the executive team, insurance, and law enforcement?
- Is there an understanding of the legal and regulatory implications for the data that you have?
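The Section 2 discovery (the vaulting job covered the network drive but not the laptop) is the kind of gap a preparation-phase check should surface before an incident, not during one. As an added example, written for this page and not taken from the deck or from Wipfli, the Python script below compares a constructed asset inventory against a constructed backup job history and reports every required asset that has no successful backup, whose last good backup is older than the recovery point objective, or whose restore has not been tested recently. Asset names, job records, the one-day RPO, the 90-day restore-test window and the "current time" are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed inventory of assets the organization says must be recoverable.
# The laptop is listed because it is where the weekend work in Section 1 lived.
ASSETS = [
    {"name": "FS1:/shared/clients", "kind": "share", "required": True},
    {"name": "FS1:/shared/hr", "kind": "share", "required": True},
    {"name": "FS1:/users", "kind": "share", "required": True},
    {"name": "LT-0412", "kind": "laptop", "required": True},
    {"name": "WS-0207", "kind": "workstation", "required": False},
]

# Constructed job history as a hypothetical vaulting solution might export it.
BACKUP_JOBS = [
    {"source": "FS1:/shared/clients", "finished": "2017-06-11T23:10:00", "status": "ok", "restore_tested": "2017-03-02"},
    {"source": "FS1:/shared/hr", "finished": "2017-06-11T23:20:00", "status": "failed", "restore_tested": "2017-05-20"},
    {"source": "FS1:/shared/hr", "finished": "2017-06-04T23:20:00", "status": "ok", "restore_tested": "2017-05-20"},
    {"source": "FS1:/users", "finished": "2017-06-11T23:40:00", "status": "ok", "restore_tested": None},
]

SAMPLE_NOW = datetime(2017, 6, 12, 9, 30)   # constructed "current time" for the sample

def latest_good_jobs(jobs):
    """Most recent successful job per source; failed jobs never count as coverage."""
    latest = {}
    for job in jobs:
        if job["status"] != "ok":
            continue
        finished = datetime.fromisoformat(job["finished"])
        if job["source"] not in latest or finished > latest[job["source"]]["finished"]:
            latest[job["source"]] = {**job, "finished": finished}
    return latest

def coverage_report(assets, jobs, now, rpo=timedelta(days=1), restore_test_max_age=timedelta(days=90)):
    """Return (asset, finding, detail) tuples for every required asset that is
    NOT_COVERED, STALE (last good backup older than the RPO) or RESTORE_UNTESTED
    (no restore exercised within restore_test_max_age)."""
    latest = latest_good_jobs(jobs)
    findings = []
    for asset in assets:
        if not asset["required"]:
            continue
        job = latest.get(asset["name"])
        if job is None:
            findings.append((asset["name"], "NOT_COVERED", "no successful backup job for this asset"))
            continue
        age = now - job["finished"]
        if age > rpo:
            findings.append((asset["name"], "STALE", f"last good backup is {age.days} days old; RPO is {rpo.days} day(s)"))
        tested = job["restore_tested"]
        if tested is None or now - datetime.fromisoformat(tested) > restore_test_max_age:
            findings.append((asset["name"], "RESTORE_UNTESTED", f"last restore test: {tested or 'never'}"))
    return findings

def sample_findings():
    """Run the check over the constructed inventory and job history."""
    return coverage_report(ASSETS, BACKUP_JOBS, SAMPLE_NOW)

if __name__ == "__main__":
    for name, finding, detail in sample_findings():
        print(f"{finding:16} {name:22} {detail}")
```

Run on a schedule, the three finding types map directly onto the exercise's pain points: NOT_COVERED is the laptop, STALE is the weekly tape cadence for anything the vaulting job keeps failing on, and RESTORE_UNTESTED is the difference between having a backup and being able to recover from it within the 72-hour ransom window.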

Section 3: 3 days later
After 3 days of being down, researching the options, and locating a Bitcoin dealer, the decision has been made to pay the ransom. The ransomware had infected several workstations and a few drives on the network server.

Discussion questions
1. How will you be assured that the virus has been completely eradicated?
2. How will you verify that personally identifiable data has not been exfiltrated?
3. Who needs to be notified?
4. Do you have insurance to cover the costs associated with downtime and ransom payment?
5. What would you discuss in a post-mortem meeting?

Tips for IRP Exercises
- Simulate reality
- Set realistic goals and objectives
- Simulate decision making under stress and normalcy
- Have surprise elements
- Provide room for participants to make errors and learn from them
- Avoid Armageddon

Other Scenarios
- Laptop / mobile device lost or stolen
- DDoS attack
- Destructive malware
- Key vendor disruption
- Website defacement
- Third-party breach
- Internal fraud
- Accidental disclosure
- Inappropriate use

Final thoughts
- The actions that are taken immediately following an incident will either greatly minimize or compound the impact.
- The vendors that you need during a crisis are not your day-to-day vendors.
- Incident response is a business issue, not an IT issue. Get the right people on the IR team.
- Get ready for the curveball. Plans are written during times of normalcy, not chaos.
- Practice, practice, practice.
- Employees will be looking to leadership for direction.

Contact Information
Jeff Olejnik, Director
Wipfli LLP
7601 France Avenue South, Ste. 400
Minneapolis, MN 55435
Direct: 952.230.6488
E-mail: jolejnik@wipfli.com
www.linkedin.com/in/jeffolejnik