#RSAC
SESSION ID: SOP-W05
Responding to Global Cyber Incidents in a Legally Defensible Manner
Natasha Kohne, Partner, Akin Gump Strauss Hauer & Feld LLP
Ted Theisen, Senior Managing Director, Ankura Consulting Group
Objectives
Our Backgrounds
Incident Response Best Practices
Legal Considerations
Strategy and Success Milestones
Case Study
Questions/Answers
Definition
Incident – a violation or imminent threat of violation of security policy or practices
Data breach – an incident where unintended or unauthorized exposure, access, or acquisition has or is suspected to have occurred to sensitive information
An incident is not always a data breach!
Incident Response Methodology
NIST SP 800-61 Rev. 2 (Computer Security Incident Handling Guide) is the industry best-practice guideline for cyber security incident management
These are general guidelines for public and private entities responding on their own without the benefit of a consulting firm
• Preparation
• Detection & Analysis
• Containment
• Eradication
• Recovery / Post-Incident Activity
PREPARATION
Possibly the most important!
• IR Plans & Procedures
• Tabletop Exercises
• Preparation of system diagrams and data mapping
• Identification of the location of pertinent data
• Understand existing corporate standards
• Third party relationships
“In preparing for battle I have always found that plans are
useless, but planning is indispensable”
--General Dwight D. Eisenhower
Incident Response Plan
Include core areas of NIST SP 800-61 and/or ISO/IEC 27035-1
Define criticality of incidents
Define specific escalation/communication points
Consider adding "playbooks" to your IR plan
• Document "plays" for recurring procedures
• Highlight process and/or workflows to guide incident response
Include case management templates
DETECTION & ANALYSIS
• Conduct effective interviews to triage and scope – this is crucial
• Eliminate panic
• Ascertain the entire threat landscape
• Identify peripheral locations where evidence may reside and ENSURE PROPER PRESERVATION
[Diagram: event logging and correlation across network, host and application sources, producing an alert]
PRESERVE EVERYTHING
• Encourage broad preservation – but understand why all evidence is being preserved
• Do not analyze original evidence – make a copy first
• Before running queries against any logs, ensure they cannot be altered by the queries
• Consider packet captures of machines before removing them from the network
• Capture RAM before shut-down of primary machines
• Consider live acquisitions
• Document everything you do
• Destroy nothing
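The preservation rules above, as an added example that is not part of the slides: hash the original before anything else touches it, work only on a copy, prove the copy is bit-for-bit identical, lock the copy read-only so later queries cannot alter it, and record every collection in a chain-of-custody manifest that can be re-verified at any time. The file names, the JSON-lines manifest format and the sample log content are assumptions made for this example.

```python
"""Preserve log evidence before analysis (added example; not from the slides).

Hash the original first, copy it, verify the copy, make the copy read-only, and record a
chain-of-custody entry. The names, manifest format and demo log line are assumptions.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream-hash so large evidence (disk images, pcaps) never has to fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(original: Path, evidence_dir: Path, collector: str, note: str = "") -> dict:
    """Copy `original` into `evidence_dir`, verify the copy, lock it read-only and log the
    collection. Returns the manifest entry written for this item."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    copy = evidence_dir / original.name
    if copy.exists():
        raise FileExistsError(f"{copy} already preserved; evidence is never overwritten")

    original_hash = sha256_file(original)   # hash BEFORE anything else touches the file
    shutil.copy2(original, copy)            # copy2 keeps the original timestamps
    if sha256_file(copy) != original_hash:
        copy.unlink()
        raise RuntimeError("copy differs from original; do not use it as evidence")
    copy.chmod(stat.S_IRUSR | stat.S_IRGRP)  # read-only: queries must not alter it

    entry = {
        "source": str(original),
        "copy": str(copy),
        "sha256": original_hash,
        "size_bytes": original.stat().st_size,
        "collected_utc": datetime.now(timezone.utc).isoformat(),
        "collector": collector,
        "note": note,
    }
    with (evidence_dir / "chain_of_custody.jsonl").open("a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def verify(evidence_dir: Path) -> list:
    """Re-hash every preserved copy against the manifest; returns the paths that changed."""
    changed = []
    with (evidence_dir / "chain_of_custody.jsonl").open() as f:
        for line in f:
            entry = json.loads(line)
            if sha256_file(Path(entry["copy"])) != entry["sha256"]:
                changed.append(entry["copy"])
    return changed


def run_demo() -> dict:
    """End-to-end run on a constructed log file in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        original = tmp / "auth.log"  # constructed sample evidence, not a real log
        original.write_text("Mar  4 02:11:12 srv01 sshd[412]: Accepted password for svc_backup from 203.0.113.45\n")
        evidence = tmp / "case-0001"

        entry = preserve(original, evidence, collector="analyst1", note="auth log from srv01")
        clean = verify(evidence)  # [] : the copy still matches its recorded hash
        try:
            preserve(original, evidence, collector="analyst1")
            duplicate_blocked = False
        except FileExistsError:
            duplicate_blocked = True

        # Simulate someone "cleaning up" the preserved copy: re-verification catches it.
        copy = Path(entry["copy"])
        os.chmod(copy, 0o600)
        with copy.open("a") as f:
            f.write("tampered\n")
        return {"hash": entry["sha256"], "clean": clean, "duplicate_blocked": duplicate_blocked,
                "after_tamper": verify(evidence), "copy": str(copy)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest is append-only on purpose: a second attempt to preserve the same item is refused rather than silently overwriting, and the collector, timestamp and hash recorded at collection time are what counsel will later need to show the copy analysed is the copy collected.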
DETECTION & ANALYSIS
IoC – Indicators of Compromise
PoC – Patterns of Compromise
VoC – Vector of Compromise
DETECTION & ANALYSIS
Important best practices of analysis:
• Log analysis
• Review infrastructure diagrams to identify peripherally affected systems
• Review data-maps and process flow diagrams to understand points of failure
• Identify access and/or acquisition of regulated data (PHI/PII/etc.)
Many of these combined factors will assist with stakeholder legal and risk assessments
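The analysis steps above, as an added example that is not part of the slides: starting from one indicator of compromise (an external IP), pivot across the three log layers the earlier slide names, network, host and application, to find the accounts it used and the regulated records those accounts touched, and separate mere access (READ) from acquisition (EXPORT), which is the distinction the legal and notification assessment turns on. The three log sources, their key=value line format, the hostnames, IPs, account names and the table-to-regulation map are all constructed assumptions for this example.

```python
"""Pivot from an indicator of compromise across network, host and application logs
(added example; not from the slides). All log lines, names and IPs below are constructed.
"""
import re
from datetime import datetime

FIREWALL_LOG = """\
2019-03-04T02:11:05Z fw01 ALLOW src=203.0.113.45 dst=10.0.5.20 dport=3389
2019-03-04T02:11:09Z fw01 ALLOW src=203.0.113.45 dst=10.0.5.20 dport=3389
2019-03-04T09:30:00Z fw01 ALLOW src=198.51.100.7 dst=10.0.5.20 dport=443
"""
HOST_LOG = """\
2019-03-04T02:11:12Z srv-rdp01 LOGON user=svc_backup src=203.0.113.45 type=RemoteInteractive
2019-03-04T02:40:51Z srv-rdp01 LOGON user=jsmith src=10.0.7.8 type=RemoteInteractive
"""
APP_LOG = """\
2019-03-04T02:15:33Z emr-app READ user=svc_backup table=patient_records rows=4120
2019-03-04T02:19:02Z emr-app EXPORT user=svc_backup table=patient_records file=export.csv
2019-03-04T02:45:10Z emr-app READ user=jsmith table=patient_records rows=3
"""
# Which tables hold regulated data: this comes from the data map the slides say to keep (assumed here).
REGULATED_TABLES = {"patient_records": "PHI"}
ACQUISITION_ACTIONS = {"EXPORT", "DOWNLOAD"}  # access vs. acquisition drives the legal assessment

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>\S+) (?P<kv>.*)$")


def parse(text: str, source: str) -> list:
    """Parse 'timestamp host ACTION k=v k=v ...' lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m["kv"].split() if "=" in kv)
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), "source": source,
                       "host": m["host"], "action": m["action"], **fields})
    return events


def correlate(ioc_ip: str, network: list, host: list, app: list) -> dict:
    """IoC IP -> network hits -> host logons from that IP -> accounts -> application activity."""
    net_hits = [e for e in network if e.get("src") == ioc_ip]
    logons = [e for e in host if e.get("src") == ioc_ip]
    accounts = {e["user"] for e in logons}
    first_logon = min((e["ts"] for e in logons), default=None)
    # Activity by a compromised account is only suspect from the first attacker logon onward;
    # earlier use of the same account is its legitimate owner.
    suspect = [e for e in app if e.get("user") in accounts and e["ts"] >= first_logon] if first_logon else []
    regulated = [e for e in suspect if e.get("table") in REGULATED_TABLES]
    return {
        "accounts": accounts,
        "timeline": sorted(net_hits + logons + suspect, key=lambda e: e["ts"]),
        "regulated_access": regulated,
        "regulated_categories": {REGULATED_TABLES[e["table"]] for e in regulated},
        "acquisition": any(e["action"] in ACQUISITION_ACTIONS for e in regulated),
    }


def investigate(ioc_ip: str) -> dict:
    """Run the pivot over the constructed logs for one indicator."""
    return correlate(ioc_ip, parse(FIREWALL_LOG, "network"), parse(HOST_LOG, "host"),
                     parse(APP_LOG, "application"))


if __name__ == "__main__":
    result = investigate("203.0.113.45")
    for e in result["timeline"]:
        extra = {k: v for k, v in e.items() if k not in ("ts", "source", "host", "action")}
        print(e["ts"].isoformat(), e["source"], e["host"], e["action"], extra)
    print("compromised accounts:", result["accounts"])
    print("regulated data:", result["regulated_categories"], "acquisition:", result["acquisition"])
```

Note that jsmith's read of the same table is left out of the timeline: that account never logged on from the indicator IP, so without further evidence it is the legitimate user. Over-scoping a breach by attributing every touch of a sensitive table to the attacker is as damaging to a defensible notification decision as under-scoping it.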
DETECTION & ANALYSIS
After identification of attack vectors, attribution, and exposed data – now what?
CONTAINMENT
This is a cyclical process associated with detection and analysis
After understanding the Elements of Compromise, strategies can be implemented to isolate the threat
ERADICATION
• Reduce the likelihood of recurrence
• Use caution when deleting anything
  • Ask yourself what you gain by deleting
  • Loop in counsel and/or 3rd parties (e.g., a PCI Forensic Investigator, PFI) with these decisions
• Update malware IDS/IPS signatures
• Deploy emergency patches
• Black-list identified malicious IP addresses
• If malware/malicious IPs are found, consider providing info to online repositories (e.g., NIST, SANS)
• Validate eradication with EDR or similar high-visibility detection mechanisms
RECOVERY & POST BREACH
Generate After Action Reports (AAR)
• Review all documented activity
• Discuss in a roundtable environment, both with clients and in internal meetings
• Identify what was done well and what needs improvement
• Update and improve existing IR plan and procedures
Develop final deliverable
• Inquire with counsel on privilege considerations
• Articulate the scale and scope of the incident
• Prepare affidavit
• Trial prep
• Testimony
• Notifications to victims
Clarify legal/contractual obligations
Legal Considerations
Why should you engage outside counsel during a cyber incident?
• The role of general or legal counsel in incident response
• The attorney-client privilege and other communications
• Government/regulatory inquiries and litigation
Pre-Breach
• Compliance/policies and procedures
• Vendor/third-party management
• M&A due diligence
• Board oversight
• Cybersecurity insurance
Role of the General Counsel in Incident Response
• Gather team and activate breach response plan
• Investigate to determine what happened and work to contain the breach
• Lead fact-finding efforts and hire technical experts (to preserve privilege)
• Determine whether sensitive information has been accessed
• Identify potentially applicable laws and assist with compliance
• Identify and address obligations with respect to regulators, insurance carriers, customers, individuals, and third parties
• Interface with regulators and law enforcement
• Interface with third parties
• Evaluate obligations under insurance policies
• Prepare for potential regulatory investigation and litigation
• Legal concerns surrounding information sharing
• Reassess and revisit administrative, physical, and technical safeguards to prevent recurrence
Legal Considerations
Cyber forensics may be covered by legal privilege
• Multiple cases in the U.S. have confirmed that, under the proper structure, cyber forensics would be covered by the attorney-client privilege or the attorney work product doctrine
• Precedent suggests that risk assessments undertaken for purposes of assisting the lawyers in providing legal advice may be covered by the privilege
Controlling communications
• Alternative methods
Government/regulatory inquiries and litigation
• Multi-country investigations
• Heightened risk of litigation and regulatory fines
Pre-Breach Consulting
Compliance/policies and procedures
• What is reasonable security?
• Data mapping
• Framework
Vendor/third-party management
• Negotiating contract provisions
• Prioritizing and diligencing vendors
M&A due diligence
Board oversight/governance
Cybersecurity insurance
Modern Incident Response Methodology
Modern IR techniques ensure both best practices and more rapid recovery
Shorten timeline to containment
Ensure availability of ample evidence
Legally defensible
[Diagram: response time to incident, broad preservation and a sound investigative protocol, supported by advanced endpoint detection & response, user behavior analytics, digital forensics, network anomaly analytics and emerging event correlation]
Incident Response Success Milestones
Develop an After Action Report
Take the time to review the entire incident with all members of the team
Ensure all appropriate changes are in place to prevent recurrence of the incident
Define broader remediation plans to shore up other related security weaknesses
Case Study: Intrusion of Medical Device Corporation
Overview: Criminal Computer Intrusion
• Preparation
  • No IR Plan
• Detection and Analysis
  • Hacker communicated directly with system administrator
  • Identified vector of compromise – remote access tool
  • Identified originating IP address
• Containment, Eradication, and Recovery
  • Blocked remote access
  • Obtained search warrant
  • Arrested main subject
• Post Incident
  • Scanned infrastructure for similar vulnerabilities
  • Reviewed needs for remote access tools
Outcome and Findings
• Preservation of Evidence requests filed in the US
• Emergency subpoena and search warrant served in the US
• Search warrant executed at residence of main subject
Lessons Learned
• Have an Incident Response plan in place before an incident occurs
• Engage outside counsel prior to an incident
• Proactively reach out to your local law enforcement
Apply What You Have Learned Today
Next week you should:
• Draft or review your cyber incident response plan
• Begin to prepare for the cyber incident that will occur
In the first three months following this presentation you should:
• Ensure that your cyber incident response plan adequately reflects the elements detailed in this presentation (detection/analysis, containment, eradication, recovery, after action)
Within six months you should:
• Conduct a tabletop exercise to practice your cyber incident response plan, preferably while including outsiders to provide unbiased feedback