Preparation is the best defense Guide to The first 24hr Neumann Lim, CISSP, CCNA, CHFI Network and Security Architect

Page 1

Preparation is the best defense Guide to The first 24hr

Neumann Lim, CISSP, CCNA, CHFI

Network and Security Architect

Page 2

New firewall rules
Server patching
Firewall updates
Threat Intel ingestion
User account audits
Password failure audits
Access removal requests
VPN account creations
Enforce vendors violating policy
Endless meetings with business units requesting access they don’t need
CEO’s laptop infected again
Threat hunting!? When do I have time…

Page 3

The Ransom Note

Page 4

CISO Phone call

When you think your day couldn’t get any worse…

Page 5

Page 6

Speaker BIO Neumann Lim

Lead IT Network and Security Architect, Detour Gold Corporation

Neumann Lim has been at Detour for the last year serving as the Enterprise Security Architect responsible for developing Detour's enterprise security architecture, strategies and methodologies on cyber security. Prior to this role, Neumann spent several years working with enterprises such as, Microsoft, Cognizant, and Johnson Control, specializing in incident response. Neumann has over 8 years of cyber security and networking experience. He currently holds the CISSP, CCNA and CHFI certifications and is an active member of various security organizations such as HTCIA, ISC2 and the Cloud Security Alliance.

Page 7

ASSUMPTIONS - Very much a People, Technology, Process Problem

#1 – You have the right technical people.

#2 – You have the support of the C-suite and the budgetary funding.

#3 – You have the right defensive Safeguards.

#4 – You have the right network architecture to give you maximum visibility.

#5 – The Incident Response Plan is part of a key business process.

Page 8

Today’s Fire Alarm

12mins 28sec full investigation time

10min fire response time

If today’s fire alarm were a breach it would be:

12min x 1gbps = 72GB (theoretical) or ~54GB (actual)

If you have fire escape plans… why not an incident response plan?

Page 9

Why have an incident response plan?

In the midst of an incident, there is no time to think about how to coordinate efforts or who will be doing what.

The incident response plan’s main purpose is to

1) Plan, Coordinate and Prepare the entire corporation on the proper processes and protocols to engage during a breach.

2) Allow the teams of personnel to engage a structured plan of attack, gain proper resources and track all their efforts.

3) Minimize potential financial costs as a result of the breach.

Plenty of free templates online from different security frameworks. Find the one that works best for your corporation and industry.

Page 10

Breach Costs

Data breaches are very costly (Data from https://eriskhub.com/mini-dbcc)

Average breach cost: $665,000 (NOTE: SME)

if HealthCare: $717,000

Per record cost: $17,000

Average Crisis Services cost: $357,000

Average cost of Defense: $130,000

Average cost of Settlement: $815,000

Page 11

One EXTREMELY IMPORTANT Aside – Digital Privacy Law “Bill S-4”

Very possibly coming into force this year.

Mandatory Breach Notification Requirement.

Federal Privacy Commissioner will investigate your breach.

Possible harsh regulatory penalties.

Even harsher litigated penalties from victims.

PIPEDA Report 2014-004 – safeguards found to be appropriate

Page 12

First 24 Hours

Page 13

Assemble the team

Starting with the designated Incident Commander.

Activate your IT and Security Teams.

Notify Executive Leadership, Legal, Breach Coach***, PR, HR, and other appropriate vendors.

Activate the WAR ROOM or EOC

***Breach Coach is a Lawyer specializing in data breaches (SANS 2014)

Page 14

Start the INVESTIGATION

1. Raise Shields! Secure the environment.

2. Begin a Business Impact Assessment.

3. Start at the source. Analyze the data and begin link analysis.

4. Note down the timestamps. Gather and correlate the network logs, security logs, event logs.

5. Once root cause is identified and breach is confirmed, notify stakeholders (and activate Breach Coach). Activate forensics team for evidence preservation.
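Steps 3 and 4 above come down to one practical problem: every source stamps time differently, and a timeline built by eye from mixed local-time, UTC and epoch timestamps is where link analysis usually goes wrong. The script below is an added example (not from the talk or its author) that normalises three constructed log sources to UTC, merges them into one ordered timeline, and pivots on an indicator to pull the related events across sources. The log lines, the source formats, the host WS-0523 and the address 10.0.5.23 are all constructed for illustration.

```python
"""Merge logs from different sources into one UTC-ordered timeline.

Added example for the 'note down the timestamps, gather and correlate the
logs' step of the investigation; the log lines and their formats are
constructed for illustration and are not from a real incident.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime      # always timezone-aware UTC after parsing
    source: str
    summary: str


# Constructed samples. Each source stamps time differently, which is the
# usual reason a hand-built timeline goes wrong.
FIREWALL_LOG = [  # ISO 8601 with a UTC-5 offset (appliance in local time)
    "2019-03-04T09:12:31-05:00 fw01 DENY src=10.0.5.23 dst=203.0.113.7 dport=445",
    "2019-03-04T09:14:02-05:00 fw01 ALLOW src=10.0.5.23 dst=198.51.100.9 dport=443",
]
WINDOWS_LOG = [  # CSV export of Security events, already in UTC ('Z')
    "2019-03-04 14:11:58Z,4625,WS-0523,jsmith,Logon failure",
    "2019-03-04 14:12:10Z,4624,WS-0523,jsmith,Logon success",
]
PROXY_LOG = [  # epoch seconds, client IP, method, URL, status
    "1551708842 10.0.5.23 GET http://198.51.100.9/update.bin 200",
]


def parse_firewall(line):
    """Firewall line: local time with offset -> convert to UTC."""
    ts_text, host, action, rest = line.split(" ", 3)
    ts = datetime.fromisoformat(ts_text).astimezone(timezone.utc)
    return Event(ts, "firewall", f"{host} {action} {rest}")


def parse_windows(line):
    """Windows export: naive 'Z' string -> attach the UTC zone explicitly."""
    ts_text, event_id, host, user, msg = line.split(",", 4)
    ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, "windows", f"{host} {user} EventID {event_id} {msg}")


def parse_proxy(line):
    """Proxy line: epoch seconds -> UTC datetime."""
    epoch, client, method, url, status = line.split(" ", 4)
    ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return Event(ts, "proxy", f"{client} {method} {url} {status}")


def build_timeline(firewall=FIREWALL_LOG, windows=WINDOWS_LOG, proxy=PROXY_LOG):
    """Parse every source, normalise to UTC, order by time then source name."""
    events = [parse_firewall(l) for l in firewall]
    events += [parse_windows(l) for l in windows]
    events += [parse_proxy(l) for l in proxy]
    return sorted(events, key=lambda e: (e.ts, e.source))


def pivot(timeline, *indicators):
    """Link analysis: every event mentioning any indicator (host, user, IP)."""
    return [e for e in timeline if any(i in e.summary for i in indicators)]


def render(timeline):
    """Report-ready lines, one per event, in ISO 8601 UTC."""
    return [f"{e.ts.isoformat()}  {e.source:<8} {e.summary}" for e in timeline]


if __name__ == "__main__":
    tl = build_timeline()
    print("\n".join(render(tl)))
    print("-- events linked to WS-0523 / 10.0.5.23 --")
    print("\n".join(render(pivot(tl, "WS-0523", "10.0.5.23"))))
```

The sort key uses the source name as a tiebreaker so that events with identical timestamps (here the firewall ALLOW and the proxy GET at 14:14:02Z) always render in the same order; in a real case the link between a hostname and an IP address comes from DHCP or asset records, which is why pivot accepts several indicators at once.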

Page 15

Collect Evidence First, Then Remediate

Document everything; interview everyone

To whom it was reported? Who discovered it? Who knows about it? What was the cause of the breach? What was stolen? How? How are the current systems affected…

Assess the priorities and risk to the business

Review the communication protocols and update everyone on a “need-to-know” basis

Consult with Breach Coach and PR for next steps
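"Collect evidence first, then remediate" only holds up later if you can prove the evidence was not altered by the remediation. The script below is an added example (not from the talk or its author) of the minimum a forensics team does before anyone touches the affected systems: stream-hash every collected file with SHA-256, write a manifest with who collected it and when, and re-verify the manifest afterwards. The case id, collector name, file names and file contents are constructed, and the manifest layout is an assumption rather than any standard form.

```python
"""Evidence integrity manifest: hash what you collect before you touch it.

Added example for the 'collect evidence first, then remediate' step; the
files, names and collector are constructed for illustration and the
manifest layout is an assumption, not a standard form.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a large disk image is never fully loaded


def hash_file(path):
    """Return the SHA-256 hex digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(base_dir, rel_paths, collector, case_id):
    """Record hash, size, collector and UTC collection time of each evidence file."""
    now = datetime.now(timezone.utc).isoformat()
    items = []
    for rel in sorted(rel_paths):
        full = os.path.join(base_dir, rel)
        items.append({
            "path": rel,
            "sha256": hash_file(full),
            "size": os.path.getsize(full),
            "collected_at": now,
            "collected_by": collector,
        })
    return {"case_id": case_id, "items": items}


def seal_manifest(manifest):
    """Canonical JSON plus its own SHA-256; store both off the affected network."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return canonical, hashlib.sha256(canonical.encode()).hexdigest()


def verify_manifest(manifest, base_dir):
    """Re-hash every item; return the list of paths whose hash or size changed."""
    changed = []
    for item in manifest["items"]:
        full = os.path.join(base_dir, item["path"])
        if (not os.path.exists(full)
                or os.path.getsize(full) != item["size"]
                or hash_file(full) != item["sha256"]):
            changed.append(item["path"])
    return changed


def demo():
    """Constructed walk-through: collect, seal, then detect a changed copy."""
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, "netflow.csv"), "wb") as f:
            f.write(b"abc")  # constructed content with a well-known SHA-256
        with open(os.path.join(base, "ws-0523-mem.raw"), "wb") as f:
            f.write(b"constructed memory image bytes\n" * 100)
        manifest = build_manifest(base, ["netflow.csv", "ws-0523-mem.raw"],
                                  "N. Analyst (constructed)", "IR-0000-EXAMPLE")
        _, seal = seal_manifest(manifest)
        before = verify_manifest(manifest, base)
        # Something touches the evidence copy after collection (one byte appended).
        with open(os.path.join(base, "ws-0523-mem.raw"), "ab") as f:
            f.write(b"\x00")
        after = verify_manifest(manifest, base)
        return {
            "netflow_sha256": manifest["items"][0]["sha256"],
            "seal": seal,
            "changed_before": before,
            "changed_after": after,
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest's own digest (the seal) is what you hand to the Breach Coach or law enforcement together with the evidence; anyone can later re-run verify_manifest and compare, which is the point of hashing before remediation rather than after.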

Page 16

Contact Law Enforcement

Only do this under the advice of Legal!!!

Make sure your forensics team knows about the decision and has what it needs to do its job.

Once LE is on-site, chain of command may change. Additional seizures of equipment may occur.

There may be a risk of public disclosure of sensitive data.

Page 17

NOTIFICATION, Call Centers and Support

Using Alberta’s OIPC Breach Report Form as reference for now

Make public announcement

Activate a Call Center for victims (Crisis Communications)

Activate identity or credit protection for victims and support them

Don’t forget to support your staff!!!

Page 18

Sample Letter

Page 19

Returning to normal

Make response teams and executives understand that any new business projects may have to be postponed until the return to normal order

Once RTO is achieved and all traces of the threat actor are removed, the Incident Commander can issue the return to normal order

Page 20

Hardening Up (Lessons Learned)

Update your BIA, Contact lists, Response plan, DR and BCP

Improve Vendor relations, contracts and safeguards

Review communications and notification guidelines

Review IT Security playbooks

Review Staff security awareness

Train, Engage, and Support your IT Staff

Drills

Page 21

You know you are truly prepared when…

You are calm like this guy

Page 22

Questions

Further inquiries, email: [email protected]