You've Been Hacked, Now What? Incident Response Tabletop Exercise

Jeff Olejnik, Director, Cybersecurity Services

Agenda
- Incident Response Planning
- Mock Tabletop Exercise
- Exercise Tips

Wipfli Firm Foundation
- Founded in 1930 in Wausau, Wisconsin, by Clarence J. Wipfli
- 87-year history of client service
- 219 partners
- More than 1,800 associates
- 42 U.S. offices (CA, ID, IL, MN, MT, PA, VA, WA, WI) and two offices in India
- Over 60,000 clients
- Wipfli is ranked in the top 20 among America's 100 largest public accounting firms
- Our Mission: To contribute to the success of our associates and clients.

Cybersecurity Services
Comprehensive Governance, Risk, Compliance, and Testing

Breach Detection Concerns
- 205 days: median number of days that hackers were present on a victim's network before being discovered. Longest presence: 2,982 days.
- 69%: victims notified by an external entity (e.g. law enforcement)
Source: Mandiant M-Trends 2015

Reality check
- Cybercrime is big business. There is a well-organized and well-funded underground economy for stealing and selling corporate data.
- 100% protection is not possible. There are thousands of ways attackers can compromise security, and they need only be successful once.
- Cyber incidents will happen. How quickly and effectively organizations detect and respond makes all the difference.
- Breaches are expensive. The average cost of a data breach is $4 million.

Incident Response Lifecycle

What should you prepare for?
- Incident Response Plan: a framework to address any incident
- Handling Procedures for common attacks:
  - External / removable media
  - Attrition or brute force (e.g. DDoS)
  - Website or web-based application
  - Email
  - Impersonation: spoofing, man in the middle, rogue wireless, SQL injection
  - Improper usage / policy violation
  - Loss or theft of equipment
  - Ransomware

Preparation
- Incident Response Policy
- Team Structure:
  - Management
  - Information assurance / handling
  - IT support
  - Legal department
  - Public affairs and media relations
  - Business continuity planning
  - Physical security and facilities management
- Communication and Facilities:
  - Contact information for all stakeholders
  - Incident reporting & tracking
  - Secure storage facility

Preparation: Forensic Readiness
- Incident Analysis Hardware and Software:
  - Digital forensic workstations / backup devices & software
  - Spare equipment
  - Network diagrams
  - Baselines of expected network, system and application activity
- Prevention:
  - Risk assessments
  - Host security
  - Network security
  - Malware prevention
  - User awareness and training

Detection & Analysis
- Determine whether an incident has occurred
- Analyze precursors and indicators
- Research and look for correlating information
- Document the investigation and gather evidence
- Prioritize (functional impact, information impact, recoverability effort, velocity, etc.)
- Report to appropriate internal and external stakeholders

Containment, Eradication & Recovery
- Acquire, preserve, secure and document evidence
- Isolate and contain
- Eradicate the incident:
  - Identify and mitigate all vulnerabilities
  - Remove malware, inappropriate materials and other components
  - Repeat if necessary
- Recover:
  - Return to normal
  - Implement additional monitoring (if necessary)

Post-Incident Activity
- Create follow-up report
- Post-mortem meeting

Incident Response Exercise

Incident Response Exercise: Instructions & Ground Rules
- There are no wrong answers
- Meet your team and designate a captain
- One incident scenario with 4 sections
- Deal only with the information and timeline provided
- 5 minutes per section to discuss within your small group
- 5 minutes sharing with all

ACME Social Services
- Provides a variety of social services related to the basic necessities of life: food and shelter, physical health and safety, counseling and support.
- The main office houses administration and IT and is also the location for counseling services.
- There is no formal disaster recovery plan or alternate site identified for disaster recovery.
- IT recently moved to an off-site data backup solution, but still backs up to tape each week.

Section 1: 9:30 AM Monday
An upset and embarrassed employee contacts the IT director to let him know that she thinks she got a computer virus while working at home over the weekend. She brought it into the office and was hoping that by connecting to the network, things would be resolved.

CryptoLocker Message
- A $300 ransom is demanded, to be paid in Bitcoin
- The ransom increases to $5,000 if not paid within 72 hours

Discussion questions
1. What are your most urgent priorities at this time?
2. What information do you need to determine your next action? How will you obtain this information?
3. Describe the team you would need to execute the next steps; who should be involved?

Things to Consider
- Do all employees know who to notify of suspected incidents?
- Are there multiple methods of communication or alternate contacts?
- Who are the members of the Incident Response Team?

Section 2: 2 hours later
The IT manager looks to recover from the off-site vaulting solution, but discovers that it was not backing up the laptop, only the network drive. He also discovers that the employee's network drive is also encrypted. Other users begin contacting IT saying they have also received the pop-up message and cannot access their files.

Discussion questions
1. What are your top priorities now?
2. What are the options? What are the consequences associated with each?
3. Who will ultimately make the decision on how to proceed?
4. How would you identify the extent of the incident?
5. What resources will you need? Which key partners or vendors should be notified?
6. What are the possible legal and regulatory implications?

Things to Consider
- Do you have a formal incident handling procedure?
- Do you have contact information for legal, IT resources, forensic expertise, the executive team, insurance, and law enforcement?
- Is there an understanding of the legal and regulatory implications for the data that you have?

Section 3: 3 days later
After 3 days of being down, researching the options, and locating a Bitcoin dealer, the decision had been made to pay the ransom. The ransomware had infected several workstations and a few drives on the network server.

Discussion questions
1. How will you be assured that the virus has been completely eradicated?
2. How will you verify that personally identifiable data has not been exfiltrated?
3. Who needs to be notified?
4. Do you have insurance to cover the costs associated with downtime and the ransom payment?
5. What would you discuss in a post-mortem meeting?

Tips for IRP Exercises
- Simulate reality
- Set realistic goals and objectives
- Simulate decision making both under stress and under normal conditions
- Have surprise elements
- Provide room for participants to make errors and learn from them
- Avoid Armageddon

Other Scenarios
- Laptop / mobile device lost or stolen
- DDoS attack
- Destructive malware
- Key vendor disruption
- Website defacement
- Third-party breach
- Internal fraud
- Accidental disclosure
- Inappropriate use

Final thoughts
- The actions that are taken immediately following an incident will either greatly minimize or compound the impact.
- The vendors that you need during a crisis are not your day-to-day vendors.
- Incident response is a business issue, not an IT issue. Get the right people on the IR team.
- Get ready for the curveball. Plans are written during times of normalcy, not chaos.
- Practice, practice, practice.
- Employees will be looking to leadership for direction.

Contact Information
Jeff Olejnik, Director
Wipfli LLP
7601 France Avenue South, Ste. 400
Minneapolis, MN 55435
Direct: 952.230.6488
E-mail: jolejnik@wipfli.com
www.linkedin.com/in/jeffolejnik