Lessons learned and best practices for cyber incidents
ATSAIC Geoff Noonan, US Secret Service
Renana Friedlich, EY
March 13, 2018
U.S. Department of Homeland Security, United States Secret Service
Page 2 Lessons learned and best practices for cyber incidents
Agenda
► Know your enemy
► What do they want
► War stories and recommendations
► Summary
Know your enemy
Script kiddies
► Common exploits, easily available tools
Hacktivists
► Motivated by ideology or social justice
► Range of capabilities
Insiders
► Malicious and accidental
► Knowledge of company and business skills
Organized crime
► Highly networked, highly resourced and motivated
State-sponsored attacks
► Heavily resourced, have access to the most advanced tools
You can’t avoid being attacked or breached
Being attacked is unavoidable, so how prepared are you? But you can be prepared to protect the “crown jewels”.
Valued assets:
► Intellectual property
► People information
► Financial information
► Business information (strategy, performance, transactions)
Can you answer yes to these five key questions?
1. Do you know what you have that others may want?
2. Do you know how your business plans could make these assets more vulnerable?
3. Do you understand how these assets could be accessed or disrupted?
4. Would you know if you were being attacked and if the assets had been compromised?
5. Do you have a plan to react to an attack and minimize the harm caused?
What CEOs and CIOs are asked during an incident (no particular order)
► What resources do you need?
► How long will X be down?
► What data (if any) was taken?
► How long was the attacker in our network before we shut them down?
► What percentage of the way through the incident are you?
► What do we know about the attacker?
► What systems or technologies failed during the intrusion?
► Do we need to notify regulators? Should we issue a statement?
► Are we 100% sure we’ve scoped the incident properly?
To answer these questions, you need an incident response strategy and “battle-tested” incident response plans and procedures.
What is incident response?
“An organized approach to addressing and managing the aftermath of a security breach (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and cost.”
Event: an observable occurrence in an information system that happened at some point in time and was written to a log file.
Incident: any activity that harms or represents a threat to the whole or part of the company assets.
Breach: an incident that involved data exfiltration.
Source: EY’s IR brochure
Data Exfiltration
► Attackers follow the same “playbook” (no need to change):
  ► Gain access to internal company network
  ► Deploy remote access tool
  ► Obtain Windows Domain Administrator privileges
  ► Dump and crack password hashes of all corporate users
  ► Use cracked accounts to access sensitive data
  ► Extract data to a staging server
  ► Sell records when black market conditions are most favorable
Attack lifecycle (phases: intelligence gathering, initial exploitation, command and control, privilege escalation, data exfiltration):
1. Conduct background research
2. Execute initial attack
3. Establish foothold
4. Enable persistence
5. Conduct enterprise reconnaissance
6. Move laterally to new systems
7. Escalate privileges
8. Gather and encrypt data of interest
9. Exfiltrate data from victim systems
10. Maintain persistent presence
Maksik Case Study
► “Maksik” is a Ukrainian carder well known for selling stolen debit and credit card credentials on the black market.
► Involved in several high-profile data breaches in the mid-2000s, including Dave & Buster’s in 2007 and TJX Companies, which was considered the largest breach for its time at more than 45 million cards stolen that same year.
► Among other things, he was highly sought after for his ability to crack PINs and to make sure that packet sniffers went undetected.
Maksik
► Banks provide CPP (common point of purchase) information to USSS
► Identify major card distributor; many arrests
► Establish a U/C (undercover) with credibility on carding forums
► Major U/C buy of tens of thousands of dumps
► Establish personal relationship
► Dust off our passports
Business email compromise
Diagram labels: targeted affiliate, parent holding company, wire transfer, domain; the timeline spans Day 1, Day 2 and Day 4.
1. Victim receives phishing email in personal Yahoo Mail account.
2. Phishing email directs victim to provide their business Gmail credentials.
3. Attacker accesses victim’s Gmail account.
4. Attacker finds wire transfer forms in victim’s Gmail.
5. Attacker blocks all emails from parent to victim’s Gmail account.
6. Attacker registers fake affiliate domain.
7. Attacker sends wire request to parent from fake associated press user email account.
8. Parent validates request and transmits funds.
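Two of the steps in this chain leave traces that a defender can check for: the mailbox rule that silences the parent (step 5) and the look-alike affiliate domain used for the wire request (steps 6 and 7). The script below is an added example, not part of the original deck or EY's or USSS's tooling; the domain names, mailbox-rule records and the edit-distance threshold are constructed.

```python
# Added example (not from the deck): two checks for the BEC pattern above.
# Domains, mailbox-rule records and the distance threshold are constructed.

TRUSTED_DOMAINS = {"affiliate-example.com", "parent-example.com"}  # constructed


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2):
    """Return the trusted domain that sender_domain imitates (steps 6-7), or None.

    An exact match is a trusted counterparty, not a look-alike. Comparison is
    case-insensitive; a small edit distance catches 'examp1e' or a dropped letter.
    """
    d = sender_domain.lower()
    if d in trusted:
        return None
    hits = [(edit_distance(d, t), t) for t in trusted if edit_distance(d, t) <= max_dist]
    return min(hits)[1] if hits else None


def suspicious_inbox_rules(rules, protected=TRUSTED_DOMAINS):
    """Flag mailbox rules that hide or divert mail from a protected counterparty.

    This is step 5 of the chain: the attacker blocks the parent's mail so the
    victim never sees questions about the bogus wire request.
    Each rule is a dict: {"id", "from_filter", "action"}.
    """
    hiding_actions = {"delete", "move_to_trash", "forward"}
    return [r["id"] for r in rules
            if r["action"] in hiding_actions
            and any(p in r["from_filter"].lower() for p in protected)]


# Constructed sample data: a benign filing rule and an attacker-created rule.
SAMPLE_RULES = [
    {"id": "rule-1", "from_filter": "newsletter@vendor.example", "action": "label"},
    {"id": "rule-2", "from_filter": "@parent-example.com", "action": "delete"},
]

if __name__ == "__main__":
    print(lookalike_of("treasury@affiliate-examp1e.com".split("@")[1]))  # affiliate-example.com
    print(suspicious_inbox_rules(SAMPLE_RULES))  # ['rule-2']
```

Running the mailbox-rule check on every rule-creation event, rather than once, is what turns step 5 into a detection opportunity before step 8 completes.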
Lessons learned from breach investigations
► Compliance ≠ secured
► Audit did not test for current attack path
► Too many ways to get to sensitive data
► Not enough protection of privileged domain administrator / service accounts
► “Blind spots” on network identified after breach
► Not enough logs
► Breaches detected via external parties vs. internal monitoring capabilities
Steps to take before a cyber intrusion or attack occurs
1. Identify your “crown jewels”
2. Develop an actionable response plan
3. Have appropriate technology controls
4. Have appropriate authorization in place to permit network monitoring
5. Make your legal counsel familiar with incident management
6. Engage with law enforcement before an incident
7. Establish relationships with cyber information sharing organizations
Steps to take before a cyber intrusion or attack occurs (cont.)
2. Map all entry points for third-party vendor access to the environment, identify controls and review notification requirements
3. Clearly define investigation objectives
4. Engage in advance with retainer provider and outside counsel
5. Identify all regulatory and notification requirements
6. Protect privilege
7. Review log retention policy and increase logging
After a computer incident
1. Continue monitoring the network for any anomalous activity to make sure the intruder has been expelled and you have regained control of your network.
2. Conduct a post-incident review to identify deficiencies in planning and execution of your incident response plan.
Cybersecurity countermeasure framework: a new approach
Establish a strong governance program to continuously drive and sustain improvements.
Govern: threat intelligence, risk tolerance, business priorities
Complicate: complicate an attacker’s ability to achieve their objective
Detect: implement controls to detect the attack before meaningful business impact is accomplished
Respond: effectively and efficiently respond to and remediate an attack
Educate: maintain a security-conscious workforce
© 2017 Ernst & Young. Published in Ireland. All Rights Reserved.