Post on 03-Sep-2020

Hit by a Cyberattack

Lessons “Learned”

Miguel De Bruycker

Introduction

• Belgian Defence 2006 Cyber Defence project

– Protect, Detect & Respond

• Expertise

– Malware detection

– Malware analysis

– Incident handling

For some networks you

Need “more security”

“More” security?

• “Good” security, but sexy

• Long time undetected

– AV is good, but…

• “Strong” Counterparts

The CEO handles the incident

“We” take care of this

• Management makes decisions

• Evaluate the risks fast

• Bring in “real” experts

• Your ICT gets the fame

Talk about it …

When the time is right

Communication plan

• Control your communication

• Involve Legal

– File a complaint?

– Maintain a list

– Make liable

– Prepare a clear message

• Share IOC?

Diagnosis?

• Identification

• Diagnosis

• Intervention

– Narcosis

– Surgery

– Wake up

• Recover

• Follow up

Silent (no media, no action)

Protect forensics & evidence

Plan clean up, communication, post Ops

Counterpart will try

(Steal last crown jewels)

Erase all traces

Install backdoor

It’s better to detect yourself

All intrusions leave traces

• Monitor (do it, check it)

– Install IDS

– Log & check

– Detect at the first stage

– But protection = step 1

• Periodic Board Report

• Have IH procedures

There are seldom lessons “learned”

We mostly have lessons “Identified”

THANK YOU

Miguel De Bruycker