
6/12/2021

Inside Incident Response Planning


Duncan McAlynn
Operandis/echoCTF.red

Operandis LLC © Copyright 2018. All Rights Reserved.

© Operandis, LLC - All rights reserved.



Duncan McAlynn
https://about.me/mcalynn
@infosecwar
/in/duncanmcalynn


So, look, we all know what’s been going on lately. You can’t turn on the news these days
without catching yet another cybersecurity incident, whether a data breach, a ransomware
demand with payouts in the tens of millions of dollars, or a double-extortion scheme…
there’s seemingly no end in sight. Each new incident leaves organizations wondering if
they’ll be next. If YOU’LL be next. The ones that have a solid, well-tested Incident Response
Plan will be much better positioned to respond and recover than those that do not. We
have case material to support this argument. So, let’s get into it, shall we?



Stages of Incident Response

Incident response authorities can’t seem to come to a general consensus on the phases of
incident response. Whether 4, 5, 6 or even 7 phases are involved, they all seem to share some
version of the core elements of:

1. Identification
2. Containment
3. Eradication
4. Recovery

Other frameworks include precursory and resulting phases like preparedness and lessons
learned. And some frameworks will roll up two or more phases, like “Containment,
Eradication, and Recovery” or “Detection & Analysis”, as NIST does.

Regardless of which framework you adopt, and there are many, the important point is
to adopt one, learn the phases, and know what is required to move from one phase into
the next.


What Are the Phases of an Incident Response Plan? - (ISC)² Blog (isc2.org)
6 Phases in the Incident Response Plan (securitymetrics.com)
What Are the Incident Response Phases? - D3 Security - D3 Security


Incident Response Risk Assessment

An IR risk assessment is not a vulnerability risk assessment like we commonly think of.
This is not a technical assessment, but one based on organizational risks. Primarily,
those are categorized as:
• Legal
• Financial
• Reputational
• Operational

Unlike traditional assessments that look at how our networks, systems, and data
may be attacked by cyber criminals, IR risk assessments look at what the fallout is if
they are successful.

As we have seen in the past (and very recently) there can be significant legal,
financial, reputational, and operational losses.

The output of the IR risk assessment will be what the incident response team
executive sponsor uses for threat classification and prioritization, which we’ll talk
about in just a bit.

Creating a Cybersecurity Incident Response Team

Before we get into the specifics of creating a CIRT, let’s discuss for a minute the
criticality of executive sponsorship.

Whether you’re a Fortune 500 company or a security team of one, you’re going to have to
have some form of executive sponsorship before you can start down the path of an
incident response program.

The executive sponsor will approve (in addition to the budget, hopefully) your mission
statement and the roles that we’ll discuss here in a second, but will also prioritize threats
and assign threat levels to attacks. This person, typically a CIO/CISO, will also
approve moving between the phases of incident response.

Mission Statement

A unifying mission statement can help ensure that everyone on the team understands the
“why” of what’s happening. Simon Sinek talks about the significance of the why in what we
do. I’ve linked to his TED talk in my speaker notes, which you can download today. There’ll be
a link at the end to my deck.

Your mission statement doesn’t have to be a dissertation. It can be as simple as:


“The mission of the XYZ Corp. CIRT is to rapidly and effectively address all cybersecurity
incidents with a well-vetted response plan that reduces our organizational risks and
protects our shareholders.”

The important thing is that you have one that is collectively agreed upon and signed off on
by your executive sponsor.

https://youtu.be/u4ZoJKF_VuA
The WHY in Action | Simon Sinek

Roles to Assign

Roles to assign:

• Team leader
• CIO/CISO
• Risk manager
• Privacy officer
• Legal counsel
• HR
• Communications/PR
• Customer service
• Finance
• Business continuity
• Executive sponsor
• IT
• DPO

Establishing Communications Channels

• Inbound threat intel feeds
• Outbound threat feeds
• Internal distro list
• Regulatory authorities
• Backup for CIRT comms

Creating a Communications Plan

Assign a CIRT communications officer and a CIRT communications office that establish,
with authority, who says what, when, and to whom, including:
• Media
• Shareholders
• Employees
• Partners
• Customers/clients
• State/federal/industry regulators
  o FBI
  o Secret Service
  o State attorney offices
  o CCPA (*72 hrs)
  o EU DPS
  o NY DFS
  o DHS/TSA (*12 hrs)
  o CISO

• Conduct mock interviews
• Internal/external do’s and don’ts
• Compromised channels

Incident Classifications and Threat Levels

Prioritizing threats:
• Assigning threat levels
• The CIO/CISO’s role in threat level assignment
• Threat levels 1, 2, 3

Jump Bag Use and Rotation

• What is a jump bag?
• How many should you have?
• Where to keep them
• Stewards

What should be included in a jump bag:
• Hard copy IRP docs
• Network cables
• Notebooks/pens
• USB storage devices
• Digital cameras
• Sound recorder
• Portable printer/scanner
• Fully patched laptop
• Tablet
• iPhone/burner device

Conducting Tabletop Exercises

• Creating and sourcing exercises (5 linked below)
• Frequency and duration of exercises
• Team member engagement
• Continuous improvement loop

Intro to Tabletop Exercises with Amanda Berlin & Jeremy Mio (1 Hour) - YouTube
Six-tabletop-exercises-FINAL.pdf (cisecurity.org)
Tabletop exercises | Office of CyberSecurity (wa.gov)
3 Tabletop Cyber Security Training Exercises You Can Do Today – Cyberbit
CISA Tabletop Exercise Package | CISA

Preserving Digital Forensics

When it comes to handling the digital forensics of a cyberattack, there really is a
need for specialists. If you don’t have a certified DFIR expert in-house, you will want
to consult with one early on in your CIRT efforts. Many will conduct free or paid
workshops to help win your retainer.

What NOT to do: power down systems. It’s best to VLAN/segment your
compromised systems, or disconnect their LAN cables or turn off their Wi-Fi, so you
can preserve as much evidence as possible while containing the malware.

What to expect.

Engaging Outsiders

There are many outside experts that may need to be called in as part of your
incident response. As valuable as these folks are, the time to build those
relationships and formalize contract agreements is NOT during a cyber incident. It’s
best to shortlist your top prospects well ahead of an attack and get those
agreements redlined and executed. Sometimes this will involve paying a retainer
fee, but knowing the likelihood of an attack happening, you’ll have to make that
call.

Some of these outsiders may include:

• Insurance carriers
• Outside legal counsel
• Forensic investigators
• Regulators
• Law enforcement agencies
• Crisis communications/PR
• Response vendors
• Other third parties as needed


THANK YOU! QUESTIONS?

../connect/
dmc@operandis.net
@infosecwar
https://mcalynn.com/bsidessatx2021

Operandis LLC © Copyright 2021. All Rights Reserved.
