Incident Response In The Age Of Nation State Cyber Attacks



DESCRIPTION

One of the most important and yet least discussed aspects of any corporate structure is the incident response framework. As recent events have highlighted, the risk of intellectual property and critical infrastructure being the target of a cyber-attack is quite real. More than ever before, corporate preparation and response plans are necessary for any entity operating in the digital age. This webinar will examine how an organization's incident response framework can help limit the exposure of intellectual property and critical infrastructure to outside, malicious parties. Our presenters will review how to construct corporate response plans that yield best-of-breed preparedness. Our featured speakers for this timely webinar are:

• Mike Gibbons, Managing Director, Alvarez and Marsal, former FBI Special Agent and Unit Chief overseeing all cyber crime investigations

• Art Ehuan, Managing Director, Alvarez and Marsal, former FBI Supervisory Special Agent assigned to the Computer Crimes Investigations Program

• Gant Redmon, Esq., CIPP/US, General Counsel and Vice President of Business Development at Co3


Page 1: Incident Response in the age of Nation State Cyber Attacks

Incident Response In The Age Of Nation State Cyber Attacks

Page 2: Incident Response in the age of Nation State Cyber Attacks


Agenda

• Introduction

• Incident Response Framework

• Construction of Corporate IR Plans

• Corporate Preparedness

Page 3: Incident Response in the age of Nation State Cyber Attacks


Introductions: Today’s Speakers

• Art Ehuan, Managing Director, Alvarez and Marsal

• Michael Gibbons, Managing Director, Alvarez and Marsal

• Gant Redmon, General Counsel, Co3 Systems

Page 4: Incident Response in the age of Nation State Cyber Attacks


Co3 Automates Incident Response

PREPARE

Improve Organizational Readiness

• Invite team members

• Fine-tune response policies and procedures

• Run simulations (fire drills / table tops)

REPORT

Document Results & Improve Performance

• Generate reports for management, auditors, and authorities

• Document results

• Conduct post-mortem

• Update policies and procedures

• Track evidence

• Evaluate historical performance

ASSESS

Identify and Evaluate Incidents

• Engage appropriate team members

• Evaluate precursors and indicators

• Track incidents, maintain logbook

• Automatically prioritize activities based on criticality

• Log evidence

• Generate assessment summaries

MANAGE

Contain, Eradicate, and Recover

• Generate real-time IR plan

• Coordinate team response

• Choose appropriate containment strategy

• Isolate and remediate cause

• Instruct evidence gathering and handling

Page 5: Incident Response in the age of Nation State Cyber Attacks


Supporting Strength For Investigations Including Breach

Our global firm and its professionals bring credibility to investigations and presentations in regulatory, criminal, civil and other proceedings.

Alvarez & Marsal (A&M) is a global professional services firm specializing in turnaround and interim management, performance improvement and business advisory services. A&M delivers specialist operational, consulting and industry expertise to management and investors seeking to accelerate performance, overcome challenges and maximize value across the corporate and investment lifecycles. Founded in 1983, the firm is known for its distinctive restructuring heritage, hands-on approach and relentless focus on execution and results.

Our experts have worked for Big Four accounting firms, the Securities and Exchange Commission and other regulatory bodies, and some of the world’s leading corporations. In addition, our professionals hold advanced degrees and designations, including:

• Certified Public Accountants (CPA), JDs, MBAs, and PhDs

• Accredited Valuation Analysts (AVA)

• Certified Computer, Forensic, and EnCase Examiners (CCE, CFCE, EnCE)

• Certified Information System Security Professionals (CISSP)

• Certified Information Privacy Professionals (CIPP)

• Chartered Financial Analysts (CFA)

• Certified Fraud Examiners (CFE)

• Certified Management Accountants (CMA)

• CPAs Certified in Financial Forensics (CFF) and Business Valuation (ABV)

Page 6: Incident Response in the age of Nation State Cyber Attacks


Who Are A&M Clients?

• 98 of the AmLaw 100 firms

• 20% of the Fortune Global 500

• 19 of the FTSE 100

• 300+ Mid- and Large-Cap Private Equity Firms

• 50% of all Fortune 100 companies

• 18 out of 20 of the largest banks in the United States

Page 7: Incident Response in the age of Nation State Cyber Attacks


Cyber Crime Is Mainstream

• The consensus from both government and business is that cyber attacks against organizations will continue to increase for the foreseeable future

• It is estimated that the global cost of cyber crime is in the hundreds of millions to billions of dollars

• The costs are either direct or indirect: revenue that organizations must spend to prepare, to contain a breach while it is under way, or to remediate after the event

Page 8: Incident Response in the age of Nation State Cyber Attacks


Cyber Crime Is Mainstream (cont.)

• Corporations have myriad cyber criminals to contend with

• In particular, the financial sector will continue to see expanded attacks from Organized Crime groups that have extensive resources to target small, medium and large financial institutions

• Regardless of the size of the business, no organization is immune from cyber attack; Organized Crime groups are interested in the data that are stored or maintained, or in access to systems

Page 9: Incident Response in the age of Nation State Cyber Attacks


Cyber Crime Is Mainstream (cont.)

• Nation-States are increasingly aggressive in their compromise of corporate and government systems for intellectual property, research and development information and other data

• It is estimated that there are currently dozens of countries with cyber warfare capability around the globe with many more building capacity in the coming years

Page 10: Incident Response in the age of Nation State Cyber Attacks


Cyber Crime Is Mainstream (cont.)

• The Nation-State threat is the most difficult to identify and defeat due to the sophisticated nature of the adversary

• Nation-State actors are tenacious, deliberate and methodical in their approach to breaching an organization

Page 11: Incident Response in the age of Nation State Cyber Attacks

POLL

Has your organization suffered a cyber attack or intrusion in the last 5 years?

Page 12: Incident Response in the age of Nation State Cyber Attacks


Types Of Compromise

Source: Ponemon Research Institute, “Post Breach Boom 2013”

3,529 IT and IT Security respondents

Page 13: Incident Response in the age of Nation State Cyber Attacks


Timeframe for Corporate Incident Discovery

Source: Ponemon Research Institute, “Post Breach Boom 2013”

3,529 IT and IT Security respondents

The discovery of malicious breaches averages 80 days for corporations.

Page 14: Incident Response in the age of Nation State Cyber Attacks


The Advanced Persistent Threat (APT)

APT is a cyber threat that is considered:

• Intelligent and sophisticated

• Dynamic and flexible

• Extremely patient

• Difficult to attribute

• Not identified, detected, or prevented by traditional security tools

Page 15: Incident Response in the age of Nation State Cyber Attacks


Corporate Information Loss

• Malicious Cyber-Attacks: Hackers stole customer data, including credit card information (100 million records)

• Lost / Stolen Assets: Laptops with patient data stolen by former employee (208,000 records)

• Third-Party Leaks: Digital marketing agency exposes customer data of dozens of clients (millions of records)

• Internal / Employee Actions: Employee sent CD-ROM with personal data on registered advisors (139,000 records)

Information Loss: The exposure / loss of consumer or employee Personal Information, as well as trade secrets and intellectual property from a compromise.

Page 16: Incident Response in the age of Nation State Cyber Attacks


Incident Response Corporate Awareness

Can you answer these questions?

• Preparation: Is your organization adequately prepared for an incident?

• Engaged: When the incident occurs, is management actively engaged and able to respond to the Board and customers?

• Prevention: Will management know how the incident occurred and how to prevent the breach from reoccurring?

• Data Loss: Will management know what IP or data was compromised?

• Market Impact: Does management have a plan for the adverse market impact from the incident?

Page 17: Incident Response in the age of Nation State Cyber Attacks


Incident Response Cycle

• Prepare the Incident Response Plan

• Detect the Incident

• Analyze the Incident Impact

• Recover from the Incident

• After-Action and Lessons Learned

Preparation → Detection → Analysis → Recovery → After-Action

Page 18: Incident Response in the age of Nation State Cyber Attacks


Incident Response Plan Development

• Develop the Incident Response Plan

• Identify Gaps in Required Technical Controls, Processes, and People

• Identify All Stakeholders and Vendors (change management)

• Prepare for Legal and Regulatory Obligations in case of Breach

• Conduct Training (may include a table top exercise)

• Test and improve the plan on a periodic schedule and after incidents

Page 19: Incident Response in the age of Nation State Cyber Attacks


Documented Procedures for Every Step in the Process

Detailed, Step-by-Step Instructions for Staff

Page 20: Incident Response in the age of Nation State Cyber Attacks


IR Plan is Strategic Document for Entire Corporation

Incident Response Initiation

Initial steps to take:

• Invoke incident response plan

• If logging not enabled, enable it immediately

• Assemble incident response team

• Document incident

• Preserve evidence

• Notify internal personnel

• Notify external entities

CIO

• Follow Company Crisis Management Plan

• Update Business Continuity and Disaster Recovery Plan to reflect IR Plan

Forensic Experts – Directed by CSO / CISO

• Matching skills to event

• Supervision of and instructions to forensic experts

• Interaction with other experts

General Counsel

• Professional ethics / obligations

• Preservation of privilege: attorney-client, attorney work product, actions that can waive privilege

Communications Planning

• Notifications: purposes, types

• Forms (meetings, teleconferences, email, IM, online postings to site)

• Risks with forms

• Documentation and preservation

Business Units

• Owner of systems and data

• Identifying operational impacts and risks

• Interfacing with response team

• Interfacing with communications staff

Employees

• PR – Media inquiries handled by central authority

• Information about event: who provides it, what to say to them, postings or mass distribution

• Policies regarding what employees say to press, Twitter, social media, etc.

C-Suite and Board

• Informing senior management and board

• Form of communication

• Ongoing (war room, meetings, teleconferences, etc.)

• Auditors – Financial Regulators

Page 21: Incident Response in the age of Nation State Cyber Attacks


Continual Improvement at all Levels of IR Plan

• Prepare and Customize the Incident Response Plan

• Develop Industry Specific Scenarios for Testing

• Identify List of Stakeholders

• Conduct Internal Plan Walkthrough

• Conduct Table Top Exercise With Stakeholders

• Improve and Implement Plan

Diagram (iterative improvement cycle): Create Draft Plan, Bring Together Stakeholders, Prepare Risk Scenarios, Walkthroughs and Table Tops, READY STATE

Page 22: Incident Response in the age of Nation State Cyber Attacks

POLL

I feel comfortable that we have sufficient forensic capabilities in house

Page 23: Incident Response in the age of Nation State Cyber Attacks


Incident Response Case Study

Page 24: Incident Response in the age of Nation State Cyber Attacks


Incident Response Case Study

• Victim company was the subject of an intrusion whereby extremely sensitive information (“PII”) was stolen over a 1.5 year period

• The initial attack vector was an MS SQL server on the network

• Initial internal response and analysis by the company determined that the attack had been contained and eliminated

• The compromise of the MS SQL server created a staging area for deeper penetration of the network over a 1 1/2 year period

• Penetration and compromise of over 80% (hosts and network) of the systems was identified

• The company would occasionally find traces of unusual activity, block the intruder and the intruder would always return

Page 25: Incident Response in the age of Nation State Cyber Attacks


Incident Response Case Study

Intruder Approach:

• The intruder exploited a known vulnerability in an MS SQL Server

• Wiped and altered network and system logs

• Created numerous back doors throughout the network

• “Sniffed” network traffic for user id’s and passwords

• Used valid user credentials to navigate throughout the network unmolested

• Encrypted, zipped, RAR’d data for exfiltration

Page 26: Incident Response in the age of Nation State Cyber Attacks


Incident Response Case Study

Intruder Identification:

• Identification did not occur from firewall, IPS / IDS monitoring or employee monitoring observations

• Anomalous activity was identified by a third-party company that notified victim of possible intrusion

• Victim company initiated their own internal investigation and overwrote critical digital evidence due to outdated processes and tools

• Outside assistance was sought when the victim company realized that they were not in a position to properly investigate due to the sophistication of attack

Page 27: Incident Response in the age of Nation State Cyber Attacks


Incident Response Case Study

Incident Response Mechanism:

• Immediate containment of known or suspect systems

• Extrusion monitoring of inbound/outbound traffic

• RAM forensic imaging and analysis

• System forensic imaging and analysis

• Identification and analysis of malware

• Log identification, capture and analysis

Diagram: Network Traffic Analysis, System Forensics, RAM Analysis, Log Analysis

Page 28: Incident Response in the age of Nation State Cyber Attacks


Incident Response Case Study

Issues Identified and Lessons Learned

• No centralized log analysis capability

• Flat network with little segmentation

• No policy or experience in properly securing sensitive information systems

• No policy or experience in incident response

• No monitoring of outbound network traffic

• IT and security personnel did not have any training or experience on identifying anomalous or unusual behavior on the network
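As an added illustration of the outbound-traffic monitoring the case study lacked (example code, not from the slides, Co3 or A&M): it aggregates constructed flow-log lines per internal-host/external-destination pair and flags bulk, upload-heavy transfers of the kind that bulk exfiltration of archived data produces. The log format, the internal address ranges, the thresholds and the "off hours" cut-off are all assumptions for this example.

```python
"""Extrusion-monitoring check over flow-log lines.

Constructed line format (an assumption, not any vendor's schema):
    timestamp,src_ip,dst_ip,dst_port,bytes_out,bytes_in
where bytes_out is data sent by src_ip and bytes_in is data it received.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Address space treated as "inside"; an assumption for this example.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed sample: host 10.1.4.20 pushes ~110 MB to one external address
# in the small hours and also copies data to an internal file server (the
# staging step); 10.1.4.31 shows ordinary download-heavy browsing.
SAMPLE_FLOWS = """\
2013-05-01T01:12:03,10.1.4.20,203.0.113.9,443,52428800,14000
2013-05-01T01:13:10,10.1.4.20,203.0.113.9,443,61000000,12000
2013-05-01T02:15:00,10.1.4.20,10.1.2.5,445,30000000,5000
2013-05-01T09:02:11,10.1.4.31,198.51.100.7,443,2200,980000
2013-05-01T09:03:40,10.1.4.31,198.51.100.8,80,1800,450000
not,a,valid,line
"""


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Yield (timestamp, src, dst, port, bytes_out, bytes_in); skip bad lines."""
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
            yield ts, parts[1], parts[2], int(parts[3]), int(parts[4]), int(parts[5])
        except ValueError:
            continue


def find_exfil_candidates(text, byte_threshold=20_000_000, min_ratio=10.0):
    """Flag internal->external (src, dst) pairs with bulk, upload-heavy traffic.

    Internal-to-internal copies (the staging seen in the case study) are not
    visible to this check; segmentation and host forensics cover that part.
    """
    totals = defaultdict(lambda: {"out": 0, "in": 0, "flows": 0, "off_hours": 0})
    for ts, src, dst, _port, out_b, in_b in parse_flows(text):
        if not is_internal(src) or is_internal(dst):
            continue  # only traffic leaving the organization
        t = totals[(src, dst)]
        t["out"] += out_b
        t["in"] += in_b
        t["flows"] += 1
        if ts.hour < 6:  # crude "outside business hours" signal (assumed)
            t["off_hours"] += 1
    hits = []
    for (src, dst), t in totals.items():
        ratio = t["out"] / max(t["in"], 1)
        if t["out"] >= byte_threshold and ratio >= min_ratio:
            hits.append({"src": src, "dst": dst, "bytes_out": t["out"],
                         "bytes_in": t["in"], "ratio": round(ratio, 1),
                         "flows": t["flows"], "off_hours_flows": t["off_hours"]})
    return sorted(hits, key=lambda h: h["bytes_out"], reverse=True)


if __name__ == "__main__":
    for hit in find_exfil_candidates(SAMPLE_FLOWS):
        print(hit)
```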

Page 29: Incident Response in the age of Nation State Cyber Attacks

QUESTIONS

Page 30: Incident Response in the age of Nation State Cyber Attacks

One Alewife Center, Suite 450

Cambridge, MA 02140

PHONE 617.206.3900

WWW.CO3SYS.COM

“Co3 Systems makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”

PC MAGAZINE, EDITOR’S CHOICE

“Co3…defines what software packages for privacy look like.”

GARTNER

“Platform is comprehensive, user friendly, and very well designed.”

PONEMON INSTITUTE

Art Ehuan, Managing Director, Alvarez and Marsal, Email: [email protected]

Michael Gibbons, Managing Director, Alvarez and Marsal, Email: [email protected]

Page 31: Incident Response in the age of Nation State Cyber Attacks


Art Ehuan

Managing Director

San Antonio, TX

• Art Ehuan has extensive, high-profile industry and law enforcement experience in the field of information security. Mr. Ehuan has a specialization in nation-state strategic advisory services, including incident response, digital investigations, data protection and e-discovery, for corporate and government agencies, and provides domestic and global thought leadership on these topics. Mr. Ehuan also serves as a senior lecturer on cyber crime for the U.S. State Department, Diplomatic Security Service, Anti-Terrorism Assistance Program.

• Prior to becoming a Managing Director at A&M, Mr. Ehuan led the firm Forward Discovery for five years. Mr. Ehuan also served as Assistant VP and Director of the Corporate Information Security Department for USAA, a Fortune 200 financial services company. In this role, he was responsible for worldwide enterprise and strategic guidance on the protection of USAA information and established their digital forensic capability and Advanced Data Security and Incident reporting programs.

• Among Mr. Ehuan’s high-profile corporate positions was Deputy Chief Information Security Officer for the Northrop Grumman Corporation. He was responsible for protecting data from internal and external cyber threats, developing and managing security operations and implementing a corporate digital investigative unit. Mr. Ehuan was also a Federal Information Security Team Manager for BearingPoint (formerly KPMG Consulting), where he established information security initiatives and solutions for government and corporate organizations, as well as developing BearingPoint’s corporate incident response and digital forensic services. In addition, Mr. Ehuan served as the Program Manager for Cisco Systems Information Security, where he was responsible for securing corporate networks, managing risk assessments, protecting source code and developing Cisco’s worldwide digital forensic capability.

• As a law enforcement officer, Mr. Ehuan has worldwide experience working on cases involving computer crimes. His extensive background conducting and managing computer intrusion and forensic investigations with the Federal Bureau of Investigation (FBI) led to his assignment as a Supervisory Special Agent assigned to the Computer Crimes Investigations Program at FBI Headquarters in Washington, D.C. In addition, he served as a Computer Analysis Response Team Certified Examiner, where he developed and conducted training for law enforcement globally. Mr. Ehuan served as a computer crime Special Agent for the Air Force Office of Special Investigations, where he investigated cyber crime against the network systems of the U.S. Department of Defense. Mr. Ehuan has also testified in Federal, State and Military courts in cases involving digital forensics.

• Mr. Ehuan has received industry credentials including: EnCase® Certified Examiner (EnCE®), Certified Information Systems Security Professional (CISSP), Cisco Certified Network Professional (CCNP), Cisco Certified Design Professional (CCDP) and Certified Forensics Computer Examiner (CFCE). He also maintains the Infosec Assessment Methodology (IAM) credentials with the National Security Agency (NSA).

• Mr. Ehuan was previously an Adjunct Professor/Lecturer at George Washington University, Georgetown University and Duke University where he taught courses on cyber crime, incident response, digital investigations and computer forensics. He is a contributing author of Techno-Security’s Guide to E-Discovery & Digital Forensics and CyberForensics: Understanding Information Security Investigations.

Page 32: Incident Response in the age of Nation State Cyber Attacks


• J. Michael Gibbons is a Managing Director with Alvarez & Marsal’s Global Forensic and Dispute Services industry and a strategic information security specialist with over 25 years of experience on a global scale. Mr. Gibbons’ expertise focuses on service delivery, information protection, privacy, risk management, incident response, advisory services and governance, including compliance management.

• Mr. Gibbons offers a proven record of improving processes, reducing costs and mitigating risks by developing and implementing technical solutions that enable secure, reliable information sharing and computing. He expertly identifies and resolves security weaknesses to ensure regulatory compliance, and demonstrates confident leadership while working under high stress, within tight deadlines, and for such major organizations as Marriott, JPMorgan Chase, FDIC, DOS, ING, Freddie Mac, USAA, the Department of Homeland Security, and the F.B.I.

• Prior to joining A&M, Mr. Gibbons was a Principal at Deloitte & Touche, LLP, where he directly managed security services delivery at a major financial services client and three US federal agencies. Mr. Gibbons worked directly with the chief information security officer (CISO) and external audit staff to remove audit findings at a financial services regulator, and prepared a long term strategic vision for security for a large US Agency.

• For more than five years, Mr. Gibbons was a Managing Director at BearingPoint, where he oversaw all Security Services across the company and developed a security practice there, growing a team to 65+ professionals. Mr. Gibbons led the development of new security services and the implementation of information security products including intrusion detection and application security controls. He was additionally Vice President for Security Services at Unisys for three years, where he implemented a Security Operations Center that monitored the network security of three major U.S. Agencies including the TSA.

• Mr. Gibbons served a 15-year tenure at the Federal Bureau of Investigation (FBI), most recently as Special Agent, Chief of the Computer Investigations Unit, where key highlights included overseeing all cyber crime investigations for the FBI, nationally and internationally. In 1995 he established and led the largest Federal Health Care Fraud Task Force in the nation, still in operation today. The most notable investigation led by Mr. Gibbons was documented in the New York Times Bestselling book titled “The Cuckoo’s Egg”, which resulted in three convictions for cyber espionage in German Federal Court.

• Mr. Gibbons earned a B.S. in Communications and Administration of Justice from Southern Illinois University, and Special Agent, Security Officer, and advanced investigative training from the F.B.I. Academy at Quantico, VA. He graduated with Distinction from the National Defense University Advanced Management Program.

• Mr. Gibbons is a Certified Information System Security Professional (CISSP #20644), and a Certified Information Privacy Professional (CIPP # 867251). He also maintains the InfoSec Assessment Methodology (IAM) credentials with the National Security Agency (NSA).

J. Michael Gibbons

Managing Director

Washington, D.C.