An Introduction to KPMG’s Cyber Response Services

© 2020 KPMG Advisory (Hong Kong) Limited, a Hong Kong entity and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative ("KPMG International"), a Swiss entity. All rights reserved.

Cyber Response Services Overview

Our three-pronged approach to Cyber Incident Response is set out below:

Readiness

• Incident response plan: A policy document that covers the activities to handle a cyber incident, sets out roles and responsibilities, and helps to establish metrics for measuring the effectiveness of incident response.

• Cyber incident simulation: A simulated cyber incident to test an organization’s readiness to handle the incident and guide the stakeholders through the complexities of responding to it.

Response

• On-call cyber incident response: Making available on-demand cyber response specialists with appropriate skill and experience, who can be contacted rapidly to assist upon the occurrence of a cyber incident.

• Incident management: Incident response activities to be performed under a two-pronged approach, namely containment of the threat and investigation of root causes.

Post breach

• Remediation advice: Remediation measures to be undertaken, which would consider the root causes that allowed a cyber incident to occur.

• Continuous monitoring: Monitoring for a period of time to confirm that there are no other indicators of compromise or recurring attempts to compromise.


1. Cyber Response: Readiness Assessment

Cyber Response Services – Readiness

Incident Response Plan

While it is not possible to predict when the next cyber incident is going to happen, you can build controls to enable you to respond to it effectively. A crucial control in this regard is an Incident Response Plan, which is a primary reference document to define the roles and responsibilities of the different stakeholders during incident management, and to give guidance on which activities to undertake in order to respond and recover.

The plan is built around three dimensions, with the organization’s threat vectors, threat actors and business impact as inputs:

Technology
• Location of data
• Extraction of data
• Legal considerations
• Requisite analysis tools

People
• Critical decision makers
• Requisite training and skillsets

Processes
• Incident response steps
• Key processes defined
• Internal vs external communications

Cyber Incident Simulation

To obtain an understanding of the bank’s readiness on cyber response, a cyber incident simulation is an experiential exercise that will uncover operational issues. A facilitator walks through a tailored cyber incident with the group in stages, presenting key decision moments, and works with the group to evaluate options and make decisions, exposing key individuals to the real-life challenges of handling a cyber incident.

The simulation takes threat vectors, threat actors and business impact as inputs to build attack scenarios, which are then used to assess IR capability and assess controls, leading to recommendations.


2. Cyber Response: On Call Services

Cyber Response Services – Response

KPMG’s On-Call Cyber Incident Response Services model is a custom-tailored service for our Clients, which helps in ensuring an effective and faster response to cyber incidents. The onboarding exercise helps KPMG gain a prior understanding of the Clients’ IT environment and test remote access mechanisms, if necessary. It is a highly flexible model, which can also be integrated with an Attorney-Client Privilege or a Cyber Insurance Model.

Simple and effective execution

1. On-demand agreement
2. Onboarding
3. Incident occurs
4. Contact KPMG via the cyber hotline; notification email to start work
5. KPMG responds

Key Differentiators

• Easy contracting
• Optionally, no retainer
• Integration with Cyber Insurance Model, if necessary
• Accelerated response times, either in person or remotely
• Hit the ground running with onboarding
• Amenable to Legal Privilege
• Technology agnostic


2. Cyber Response: Incident Management

Cyber Response Services – Response

Cyber incident management is a dynamic set of actions to handle a cyber security breach in a timely manner. There is a need to respond effectively and efficiently to cyber incidents, conducting technical analysis and identifying effective mitigation measures.

Incident response should be conducted under a two-pronged approach, namely containment of the threat and investigation of the root cause. Considering the complexities associated with a cyber incident, the aforesaid two approaches may run simultaneously.

A typical incident investigation workflow (Incident Handling) is as given below:

Triage and Initiate
• Incident Detection and Reporting
• Incident Reporting and Notification
• Initial Understanding and Analysis
• Incident Impact Assessment

Analyze
• Evidence Gathering and Handling
• Evidence Analysis
• Threat Hunting

Contain, Eradicate and Recover
• Incident Containment
• Incident Eradication
• Recovery

Report and Review
• Post-incident Learning and Reporting


3. Cyber Response: Post Breach

Cyber Response Services – Post-Breach – Remediation Advice & Continuous Monitoring

There are two key aspects which should be considered subsequent to a cyber incident:

Remediation Advice

To prevent the recurrence of cyber incidents in the future, a series of remediation measures should be undertaken, which would consider the root causes that allowed a cyber incident to occur, e.g. phishing emails, brute force/password spraying attacks, zero-day payloads, exploitation of unpatched OS/application vulnerabilities, poor IT change management and smoke screens, among others.

Continuous Monitoring

To confirm that there are no other indicators of compromise (‘IOC’) or recurring attempts to compromise, continuous monitoring of the compromised systems/subnets/IT environment should be performed subsequent to a cyber incident for a limited period of time.


Overview of our forensic practice and select team members


Overview of our forensic practice

• Forensic practice in the region was established in Hong Kong SAR in 1992 and in mainland China in 2004.

• Our client base is made up of numerous different entities, including multinational companies, local enterprises and government departments.

• We provide a wide range of Forensic services ranging from Fraud Risk Management to Forensic technology services.

• Our team is comprised of over 100 local and expatriate professionals based in Hong Kong, Shanghai and Beijing.

• Our individuals have a wide range of qualifications and backgrounds in accounting, technology, law, law enforcement, corporate intelligence, etc.

• We routinely work together with KPMG’s International Forensic network to deliver our services to inbound and outbound investors in China. We have a staff rotation program with major overseas Forensic practices such as the United States, United Kingdom and Australia.

KPMG has been in Hong Kong SAR since 1945 and was the first international accounting firm to be granted a foreign joint venture license in China in 1992. KPMG China has some 9,500 staff located across China. Our professionals provide services to a large and diversified portfolio of clients, including many of the leading public companies, multi-national companies, financial institutions, government authorities and public sector organizations.

Contacts

Paul Pu
Partner, Forensic; Head of Forensic China & Hong Kong
+86 (21) 2212 [email protected]

Katy Wong
Partner, Head of Forensic, Hong Kong & Head of Fraud Risk Management Services
+852 2140 [email protected]

Dakai Liu
Partner, Forensic, Shanghai
+86 (21) 2212 3371 [email protected]

Ravindranath Patil
Director, Forensic, Hong Kong
+852 2826 [email protected]

Clark Zhu
Director, Head of Forensic, Beijing
+86 (10) 2212 3699 [email protected]


Background

■ Dakai leads KPMG’s Forensic Technology team in Shanghai and has over 13 years of combined experience in providing Cyber Incident Response, E-Discovery and Data Analysis services. He started his career at KPMG Holland and relocated to Shanghai in 2011.

Dakai Liu, Partner, Forensic, Shanghai

KPMG, 22nd Floor, Plaza 66, Tower 2, 1266 Nanjing West Road, Shanghai
Tel: +86 21 2212 3371
Fax: +86 21 2212 1889
[email protected]

Function and Specialization
• Investigation
• Computer forensics
• Cyber Incident Response

Qualifications
• Bachelor of Information, Multimedia and Management, Vrije Universiteit Amsterdam
• Master of Information Science, Vrije Universiteit Amsterdam
• Certified Clearwell Administrator

Professional and Industry Experience

■ Dakai started his Forensic Technology career at KPMG The Netherlands and has been working with different teams across Europe ever since. He worked on various international projects, spending years in the UK, Germany and Belgium serving different large multinational corporations.

■ In 2011, Dakai relocated to KPMG’s Shanghai office, where he continued to provide technology solutions to overseas companies as well as supporting engagements relating to internal audit, cyber security, risk and compliance, fraud prevention/detection, anti-corruption practices, FCPA and UK Bribery compliance, due diligence, data acquisition and preservation, anti-money laundering and litigation support.

■ Dakai has led various digital investigation engagements in China, assisting clients and their external counsel in exploring the facts that lie beneath different ERP data sources. He has significant experience working with different local ERP packages as well as global ERP solutions to identify, extract, map, model, analyse and visualize data from different angles, and to transform such information into meaningful business interpretations.

■ Dakai combines his extensive knowledge of data analytics with his system development skills to assist clients from various industries, including providing information system solutions to meet clients’ specific requirements on fraud/loss prevention and detection related issues.

■ Dakai also specializes in E-Discovery, assisting clients and their internal and external counsel to collect, preserve and analyze large volumes of structured and unstructured data. He provides technical insight and identifies factual findings in relation to various commercial investigations and litigations. Over the past years, Dakai has led numerous large E-Discovery projects in China for pharmaceutical companies.

■ In the past few years, Dakai has helped clients investigate urgent cyber breaches such as ransomware and phishing attacks by providing Incident Response services in Mainland China.


Background

■ Ravindranath leads the Forensic Technology team in Hong Kong. He is a former Indian Police Service (‘IPS’) officer with professional experience of over 17 years. He started his career as a software engineer with Tata Infotech Limited in 1998. He was selected into the Indian Trade Service (‘ITS’) of the Government of India in 2002 and served as Assistant Director General of Foreign Trade, Ministry of Commerce, until August 2004. As an Indian Police Service officer (2004-10), he led and investigated multiple sensitive terrorism and cyber crime cases in India. The spectrum of his policing experience includes law and order management, criminal investigation and prosecution, intelligence gathering and police administration, amongst others. Since August 2010, he has been working as a corporate forensic professional.

Ravindranath Patil, Director, Forensic, Hong Kong

KPMG, 7/F, Prince’s Building, 10 Chater Road, Hong Kong
Tel: +852 2826 7295
Fax: +852 2973 6616
[email protected]

Function and Specialization
• Investigation
• Computer forensics
• Cyber Incident Response

Qualifications
• Bachelor of Engineering, University of Pune (1998)
• L.L.B., University of Pune (2014-15)
• PG Diploma in Cyber Laws, NALSAR University of Law, Hyderabad (2016)
• Certified Cyber Forensic Professional (CCFP-IN) & Member – ISC2 (2017-20)
• Certified Ethical Hacker

Professional and Industry Experience

■ As a forensic professional, Ravindranath has led and investigated multiple complex forensic engagements involving accounting frauds, whistleblower allegations, sexual harassment, FCPA issues, counterparty due diligence, supply chain leakages, fraud risk assessments, brand protection and counterfeiting, across various sectors. He also specialises in conducting suspect interviews as well as in preparing an evidence matrix post completion of an investigation.

■ During the last 13 years, Ravindranath has extensively contributed to digital forensic analysis and cyber crime investigations such as unauthorized access, data and identity theft, denial of service, corporate espionage, cheating by impersonation through electronic means (e.g. money mules, Nigerian frauds, fake job scams), SWIFT cyber attacks, ATM malware frauds, cyber defamation and cyber terrorism, amongst others. He is an expert in Cyber Laws and specialises in the collection of electronic evidence in a legally secure and forensically sound manner. He was the recipient of the Vice Chancellor’s Gold Medal at NALSAR University of Law in 2016, as he became the University Topper in the PG Diploma in Cyber Laws.

■ Ravindranath takes a keen interest in conducting training of police officers and high court judges on technology-related issues. Currently, he is a visiting faculty member at SVP National Police Academy (Hyderabad), National Judicial Academy (Bhopal), North Eastern Police Academy (Shillong), Maharashtra Police Academy (Nasik) and Yashwantrao Chavan Academy for Development Administration (YASHADA, Pune). The spectrum of his training includes Computer & Mobile Forensics, Use of Technology for Intelligence Gathering, Online Investigations, Cyber Terrorism, Social Media Analysis and Legal and Procedural Aspects of Digital Evidence Recovery, amongst others.


Select Relevant Experience


Select Relevant Experience – Cyber Response

We present below a select list of credentials in relation to cyber incident response:

A Hong Kong based retailer

A Hong Kong based company had its refrigeration system shut down due to its ICS being manipulated. KPMG was appointed to identify the source of the breach and the perpetrator who manipulated the ICS to shut down the systems.

The incident response included understanding the working of the ICS and the various logs capturing access to the system. During the course of the investigation we learned that the system administrator had configured the ICS to switch to an alternate supply mode, with a supply of 15 minutes, if anyone other than him tried to enter his cabin. The supply would return to normal power only if the switch was turned back, which was known only to him.

A Philippines based company

A company in the Philippines had its entire sub-network, which contained important customer information, encrypted by ransomware. KPMG assisted the client by prioritising the isolation of the servers, triaging the infected systems and monitoring the security of the network.

We also performed log analysis and host-based forensics, and implemented proactive monitoring of suspicious IP addresses, which enabled us to obtain the critical evidence for analysis. The client also involved its legal counsel regarding regulatory requirements for data exfiltration.

Investigation of the ransomware behaviour was performed in KPMG’s forensic lab in a sandbox environment. Payload signatures were shared with the client to scan across the network to identify whether other systems were compromised.

A Hong Kong based technology company

A technology company in Hong Kong was the victim of a wire transfer fraud as a result of an Office 365 email account breach.

We were commissioned to understand what went wrong and the procedures to take in order to prevent the incident from happening again. Based on the request, we analysed email metadata and logs, and discovered how the attackers carefully manipulated the email flow to socially engineer the finance team into making payments to an unknown bank account.

Through the investigation, we identified that multiple accounts were compromised using a phishing link to an external cloud storage website. As an immediate remediation, we recommended that the IT team block emails from the suspicious IPs identified during our investigation and implement multi-factor authentication for the email accounts.


Select Relevant Experience – Cyber Response (cont’d)

Financial institution in Nepal

The electronic transaction system of the client was compromised by an attacker who performed unauthorised NEFT and RTGS transactions. The client requested KPMG to conduct a fact-finding investigation to identify the root cause and the associated modus operandi. KPMG performed the following procedures:
• Review of the digital footprints associated with the unauthorized transactions
• Forensic acquisition and review of electronically stored information
• Analysis of network logs during the period of review
• Web server log analysis, forensic acquisition and malware analysis to identify the compromised systems

A detailed reverse engineering of the digital footprints of the Trojan revealed that the attack was initiated by an insider. Further action against the employee was initiated by the Client.

A large exchange in Kuwait City

The Client noticed that unauthorized financial transactions were made by obtaining wrongful access to its login credentials, and the client suspected that an Advanced Persistent Threat may have been responsible for the breach of its IT security. As part of the response, KPMG performed the following:
• Forensic preservation and analysis of electronically stored information from the mail server and end point machines used for carrying out financial transactions
• Analysis of peripheral logs
• Cyber security review of the Client's IT infrastructure connected or related to the unauthorized financial transactions

We identified a backdoor which was connected to a rogue IP address geo-located in an East European nation, identified Internet Explorer password grabbers and other customised malware used for carrying out a targeted attack, and identified systemic vulnerabilities which potentially led to the cyber heist. Specific recommendations were provided to remediate the above.

An automobile manufacturing company

We were engaged by an automobile manufacturing company with substantial market share in India, and having significant exports across Asia, Europe, etc., to investigate a number of ransomware attacks. As part of the response plan, KPMG assisted the client with the following:
• Forensic analysis of infected systems
• Root cause analysis (RCA) using system files, event logs, e-mails and web browser artefacts
• Reverse engineering of identified malicious files in a controlled sandboxed environment
• Assistance in remediation

As a result of our work, we blocked malicious files from causing infection on other machines, identified the root cause of the malware infection, blocked the command and control server IP address at the network level and provided recommendations for strengthening the IT environment.


Document Classification: KPMG Confidential

kpmg.com/socialmedia

© 2020 KPMG Advisory (Hong Kong) Limited, a Hong Kong entity and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in Hong Kong.

The KPMG name and logo are registered trademarks or trademarks of KPMG International.

This capability statement is made by KPMG Advisory (Hong Kong) Limited, a Hong Kong entity and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity, and is in all respects subject to the negotiation, agreement and signing of a specific engagement letter or contract and subject to the completion of customary client acceptance procedures. KPMG International provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis-à-vis third parties, nor does KPMG International have any such authority to obligate or bind any member firm.