24 hours after a breach
TRANSCRIPT
The First 24 Hours After a Breach
By Ondrej Krehel
Paul Kubler
ONDREJ KREHEL
CISSP, CEH, CEI
Founder & CEO, Digital Forensics Lead
LIFARS, LLC
Twitter: @LIFARSLLC
LIFARS is a NYC-based Digital Forensics, Incident Response, and Cybersecurity Intelligence firm.
PAUL KUBLER
CISSP, EnCE, CCNA, Sec+, ACE
Digital Forensics Examiner
LIFARS, LLC
Twitter: @LIFARSLLC
Digital Firefighter
Agenda
1 Getting the Call
2 Arrival on the Scene
3 Crisis Management
4 Evidence Collection & Remediation
5 Q&A
Ever Wonder What Happened Before You Saw These in the News?
Part 1: Getting the Call
Getting the Call
» Detection of a Breach
• By the internal IT/security team
• By an outside organization
» State of Panic
• Unprepared to deal with a breach
• Try to contain the attack internally
Getting the Call (continued)
» Internal IT team is heavily utilized
• External assistance required
» Race against time
• High pressure to stop “cyberbleeding” and minimize the impact
• Effectively engage a third-party emergency response team
Part 2: Arrival on the Scene
Arrival on the Scene
» Emergency response team arrives
• Investigation and remediation begins
» Primary objectives
• Understand attacker profile and motives
• Assess the state of compromised systems
• Secure digital evidence
• Involve key decision tenants
IT’S ABOUT TIME FOR SOME…
“INVESTIGATION”
Arrival on the Scene
» Damage Assessment
• Of business and technological areas
• Reveals how deeply the attacker was able to penetrate the network
• Examination of the attacker's lateral movement
Part 3: Crisis Management
Crisis Management
Executive table follows a data breach plan and prepares:
» PR/Privacy/Legal actions needed to cover the enterprise responses to:
• The public
• The regulators
• The partners
» Wrong message can trigger an avalanche
Crisis Management
» Data Breach:
• Is a C-Suite exercise that tests:
- Coherence and conciseness of the incident response preparedness
- Ability of the enterprise to function in crisis mode
• Unfortunately is a live exercise (and comes at a high price)
Part 4: Evidence Collection & Remediation
Evidence Collection & Remediation
» Forensic team collects available evidence
• Performs initial analysis
• Preserves additional evidence
» Informs the board of initial findings
• Actions need to be weighed carefully
• Aggressive moves can have negative effects (attackers still inside the network)
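The slide says the forensic team collects and preserves evidence before remediation starts. The script below is an added example of what "preserving" concretely means at the file level; it is not LIFARS code and not from the talk. It hashes each collected artefact with SHA-256, writes the digests into a chain-of-custody manifest together with who collected it and when, and re-verifies the preserved copies later so any alteration (including one caused by a remediation step) is detected. The file names, file contents, examiner name and case id are constructed placeholders.

```python
"""Evidence preservation helper (added example, not LIFARS code).

Computes SHA-256 digests of collected artefacts, records them in a
chain-of-custody manifest, and re-verifies later so any alteration of
the preserved copy is detected. File names, contents, examiner name and
case id below are constructed sample data, not from a real case.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so large images are not loaded into memory


def hash_file(path: str) -> str:
    """Return the hex SHA-256 digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector: str, case_id: str) -> dict:
    """Record who collected which artefact, when, its size and its digest."""
    entries = []
    for p in paths:
        entries.append({
            "path": os.path.basename(p),
            "size": os.path.getsize(p),
            "sha256": hash_file(p),
            "collected_by": collector,
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    return {"case_id": case_id, "artefacts": entries}


def verify_manifest(manifest: dict, directory: str) -> dict:
    """Re-hash every artefact; map name -> True (intact) / False (altered or missing)."""
    results = {}
    for entry in manifest["artefacts"]:
        full = os.path.join(directory, entry["path"])
        if not os.path.exists(full):
            results[entry["path"]] = False
            continue
        results[entry["path"]] = hash_file(full) == entry["sha256"]
    return results


def demo() -> tuple:
    """Create constructed sample artefacts, build the manifest, then show
    that a later change to one preserved file is caught on verification."""
    workdir = tempfile.mkdtemp(prefix="evidence_")
    samples = {  # constructed sample artefacts
        "auth.log": b"Jan 01 03:12:44 host sshd[2211]: Accepted password for admin\n",
        "memory.raw": os.urandom(4096),
    }
    paths = []
    for name, data in samples.items():
        p = os.path.join(workdir, name)
        with open(p, "wb") as fh:
            fh.write(data)
        paths.append(p)

    manifest = build_manifest(paths, collector="examiner-1", case_id="CASE-PLACEHOLDER")
    before = verify_manifest(manifest, workdir)

    # Simulate an alteration of the preserved log (e.g. a line appended later)
    with open(os.path.join(workdir, "auth.log"), "ab") as fh:
        fh.write(b"tampered\n")
    after = verify_manifest(manifest, workdir)
    return manifest, before, after


if __name__ == "__main__":
    m, ok, tampered = demo()
    print(json.dumps(m, indent=2))
    print("before:", ok)
    print("after tampering:", tampered)
```

Hashing at collection time, before any containment or cleanup runs, is what makes the manifest useful: if a remediation step later touches a preserved file, the verification result shows exactly which artefact is no longer trustworthy.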
Evidence Collection & Remediation
» With hackers in the system
• Each blocking action needs to be closely monitored
• Remediation can be detected by the attacker, putting evidence and data at risk
» Securing the environment can take years
• Scheduling necessary changes with key internal tenants is a difficult task
Q&A
THANK YOU