Duncan McAlynn
https://about.me/mcalynn
@infosecwar
/in/duncanmcalynn
Operandis LLC © Copyright 2018. All Rights Reserved.
So, look, we all know what’s been going on lately. You can’t turn on the news these days
without catching yet another cybersecurity incident, whether a data breach, a ransomware
demand with payouts in the tens of millions of dollars, or a double-extortion scheme…
there’s seemingly no end in sight. Each new incident leaves organizations wondering if
they’ll be next. If YOU’LL be next. The ones that have a solid, well-tested Incident Response
Plan will be much better positioned to respond and recover than those that do not. We
have case studies to support this argument. So, let’s get into it, shall we?
Stages of Incident Response
Incident response authorities can’t seem to come to a general consensus on the phases of
incident response. Whether 4, 5, 6 or even 7 phases are involved, they all seem to share some
version of the core elements of:
1. Identification
2. Containment
3. Eradication
4. Recovery
Regardless of which framework you adopt, and there are many, the important point is
to adopt one, learn the phases, and learn what is required to move from one phase into
the next.
What Are the Phases of an Incident Response Plan? - (ISC)² Blog (isc2.org)
6 Phases in the Incident Response Plan (securitymetrics.com)
What Are the Incident Response Phases? - D3 Security - D3 Security
Incident Response Risk Assessment
Unlike traditional assessments, which look at how our networks, systems and data
may be attacked by cyber criminals, IR risk assessments look at what the fallout is if
they are successful.
As we have seen in the past (and very recently), there can be significant legal,
financial, reputational, and operational losses.
The output of the IR risk assessment is what the incident response team’s
executive sponsor uses for threat classification and prioritization, which we’ll talk
about in just a bit.
Creating a Cybersecurity Incident Response Team
Before we get into the specifics of creating a CIRT, let’s discuss for a minute the
criticality of executive sponsorship.
Whether you’re a Fortune 500 company or a security team of one, you’re going to have to
have some form of executive sponsorship before you can start down the path of an
incident response program.
The executive sponsor will approve (in addition to budget, hopefully) your mission
statement and the roles that we’ll discuss here in a second, and will also prioritize threats
and assign threat levels to attacks. This person, typically a CIO/CISO, will also
approve moving between the phases of incident response.
Mission Statement
A unifying mission statement can help ensure that everyone on the team understands the
“why” of what’s happening. Simon Sinek talks about the significance of the why in what we
do. I’ve linked to his TED talk in my speaker notes, which you can download today. There’ll be
a link at the end to my deck.
The important thing is that you have one that is collectively agreed upon and signed off on
by your executive sponsor.
The WHY in Action | Simon Sinek: https://youtu.be/u4ZoJKF_VuA
Roles to Assign
ROLES TO ASSIGN:
• Team leader
• CIO/CISO
• Risk manager
• Privacy officer
• Legal counsel
• HR
• Communications/PR
• Customer service
• Finance
• Business continuity
• Executive sponsor
• IT
• DPO
Establishing Communications Channels
Creating a Communications Plan
COMMUNICATIONS PLAN
Assign a CIRT communications officer and a CIRT communications office that establish, with
authority, who says what, when, and to whom, including:
• Media
• Shareholders
• Employees
• Partners
• Customers/clients
• State/federal/industry regulators
  o FBI
  o Secret Service
  o State Attorney offices
  o CCPA (72 hrs)
  o EU DPS
  o NY DFS
  o DHS/TSA (12 hrs)
  o CISO
Incident Classifications and Threat Levels
Prioritizing threats:
• Assigning threat levels
• The importance of the CIO/CISO in threat level assignment
• Threat levels 1, 2, 3
Conducting Tabletop Exercises
Intro to Tabletop Exercises with Amanda Berlin & Jeremy Mio (1 Hour) - YouTube
Six-tabletop-exercises-FINAL.pdf (cisecurity.org)
Tabletop exercises | Office of CyberSecurity (wa.gov)
3 Tabletop Cyber Security Training Exercises You Can Do Today – Cyberbit
CISA Tabletop Exercise Package | CISA
Preserving Digital Forensics
What NOT to do: power down systems. It’s best to VLAN/segment your
compromised systems, disconnect their LAN cables, or turn off their Wi-Fi so you
can preserve as much evidence as possible while containing the malware.
What to expect.
Engaging Outsiders
There are many outside experts that may need to be called in as part of your
incident response. As valuable as these folks are, the time to build those
relationships and formalize contract agreements is NOT during a cyber incident. It’s
best to shortlist your top prospects well ahead of an attack and get those
agreements redlined and executed. Sometimes this will involve paying a retainer
fee, but knowing the likelihood of an attack happening, you’ll have to make that
call.
• Insurance carriers
• Outside legal counsel
• Forensic investigators
• Regulators
• Law enforcement agencies
• Crisis communications/PR
• Response vendors
• Other third parties as needed
Connect
dmc@operandis.net
@infosecwar
https://mcalynn.com/bsidessatx2021