Joe Sullivan

Building an Information Security Program Post-Breach Part I

It usually takes an incident such as ransomware to change how an organization views and approaches security, but where does it start?

September 30, 2020

I recently read the 2020 Cyber Insurance Claims Report by Coalition, which reported that 41% of all cyber insurance claims filed in the first half of 2020 were attributed to ransomware. Breach response was at the top of the list. The top claims by attack technique were phishing and remote access.

This seems to indicate there are deficiencies in those information security programs, if the organizations had a program at all. I still see a lot of organizations today that don't have a formal information security program. It usually takes an incident such as ransomware to change how an organization views and approaches security, but where does it start?

For the purposes of this blog, I will focus on a fictitious organization as an example. The methodology used to build the security program is based on MGT514: Security Strategic Planning, Policy, and Leadership.

PART I

Rekt Casino

Rekt Casino recently suffered a breach as the result of a ransomware incident. On the advice of the incident response firm and the regulators, they are creating a formal information security program. Rekt Casino urgently wants to restore security and reopen its doors.

Rekt Casino has been in business for approximately 20 years. Until now it has invested only in basic technology needs, and security has never been at the forefront. From a regulatory perspective, the casino is subject to the Nevada Gaming Control Board's Minimum Internal Control Standards (MICS) for casino technology.

Rekt has a small IT team of three people who cover help desk, network administration, and server administration. The team tries to secure systems as they are deployed, but Rekt Casino has a very old-school approach to information security.


     

200930_JoeSullivanBlog_Picture1_Part1.png

Figure 1: Information Security Evolution

By establishing a formal information security program Rekt hopes to modernize their approach to information security in such a way that it will align with their business goals. Up until the breach, the leadership at Rekt assumed they were secure because they were compliant with MICS regulations.

This scenario can be viewed from a few different perspectives:

  • A current business leader now charged with the information security program
  • A new security leader coming in to assist with the recovery
  • A consultant coming in to assist the casino with the recovery

Whichever perspective you choose, a plan needs to be developed to better secure the casino, but where do you start when things have gone really wrong? Deciding where to start is daunting, and it's easy to fall into analysis paralysis.

My goal with this blog post is to help develop an approach for creating or improving an information security program after the breach has occurred.

On the positive side, this scenario can be viewed as an "unscheduled penetration test" based on a real threat, using actual techniques, where you know what the real impact is. Ordinarily, you might run tabletops and step through the incident response and BCP/DR processes based on hypothetical actions and results. In this scenario you have real results that justify your business case.

If you happened to be there during the incident, the actions taken by the IT team can give you valuable clues as to the state and maturity of the information security program.

For example:

BCP/DR

If the casino has a BCP/DR plan you would expect to see it activated and assets being brought online while the incident is being worked. However, that wasn’t the case at Rekt Casino. The three IT technicians were simultaneously scrambling to get systems back online while negotiating with the attacker for the ransom.

Communications

You would also observe the communications between the IT team members and the business leaders at the casino. Ideally, there should be regular updates and expectations should be well managed.

During the incident at Rekt Casino there was little communication from the IT team working the incident. They were siloed and there were no lateral communications between the team, the other areas of the casino, or to the business leaders. The rumor mill started to churn out wild conspiracy theories that soon spread all over town.

The only real communication during the incident was a back-channel conversation between one of the IT team members and a friend, a seasoned incident responder, who was helping them out while she was on vacation.

Policies and Procedure

If Rekt Casino had basic policies, procedures, and supporting documentation that aligned with those, you would hope to see things such as:

  • A functional call list for executives, board members, employees, and vendors.
  • How to proceed with contacting law enforcement, and a relationship already in place.
  • Administrative controls that could have prevented the incident.
  • How to handle an incident, specifically whether the philosophy is contain and clear, or watch and learn.
  • Network diagrams, configuration information, change documentation, and exception requests.

Rekt Casino didn't have any of this in place. It had been discussed many times at board meetings over the years, but it was never a priority. The business leaders didn't think Rekt Casino was a viable target. There were bigger casinos around, and they didn't feel the gaming industry as a whole was a target for attackers.

That stance also informs you about their overall security awareness. Just a few years previous, a large casino was attacked by a nation state and was taken completely offline. The story was in the headlines for weeks, but somehow the executives and board members of Rekt were completely oblivious.

Backups

In ransomware incidents, the one thing that can save the day is good backups. Organizations with a solid security program have backups and snapshots that are tested at least monthly. Rekt was backing up its data to disk on the same servers that were affected by the ransomware, so those backups were hit along with the production data.

They also took an end-of-month backup off site, but that copy was kept for historical purposes, not for recovery. Some key files had recently been sent over email, but even the local email files were encrypted on the affected machines. Rekt is in a really bad spot with this incident.
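As an added example (not part of the original post), the Python below does the two checks the backup discussion above calls for: a restore drill that compares restored files against a SHA-256 manifest recorded at backup time, and a check of whether the newest backup is recent enough to meet a recovery point objective (RPO). The directory layout, file names, file contents and the 24-hour RPO are all assumptions constructed for illustration.

```python
"""Backup restore drill (added example; not code from the original post).
Rekt's backups sat on the same servers the ransomware hit, and the only
off-site copy was an end-of-month archive kept for history, not recovery.
The helpers below do the two checks a solid program makes routinely:
verify that a restore really reproduces the backed-up data, and check that
the newest backup is recent enough to meet the RPO. Paths, file contents
and the RPO value are assumptions."""
import hashlib
import shutil
import tempfile
from datetime import datetime, timedelta
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup sets do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root, POSIX form) to its SHA-256.
    Record this at backup time and store it where the backup host cannot overwrite it."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree against the manifest. Each file is reported as
    ok, missing (never restored) or corrupt (restored but the hash differs)."""
    result = {"ok": [], "missing": [], "corrupt": []}
    for rel, expected in manifest.items():
        target = restored_root / rel
        if not target.is_file():
            result["missing"].append(rel)
        elif sha256_file(target) != expected:
            result["corrupt"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def backup_within_rpo(last_backup: datetime, now: datetime, rpo: timedelta) -> bool:
    """True if the newest backup is recent enough to satisfy the recovery point objective."""
    return now - last_backup <= rpo


def run_restore_drill() -> dict:
    """Constructed end-to-end drill: seed a source tree, copy it as the backup,
    restore it to a scratch directory, then damage the restore so the report
    shows what each failure class looks like."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup, restore = (Path(tmp) / n for n in ("source", "backup", "restore"))
        (source / "slots").mkdir(parents=True)
        # Constructed sample data standing in for the casino's files.
        (source / "players.db").write_bytes(b"id,name\n1,alice\n2,bob\n")
        (source / "slots" / "config.ini").write_text("[floor]\nmachines=120\n")
        (source / "payroll.xlsx").write_bytes(b"PK\x03\x04 constructed placeholder")
        manifest = build_manifest(source)           # taken at backup time
        shutil.copytree(source, backup)             # the backup job
        shutil.copytree(backup, restore)            # the restore drill
        (restore / "payroll.xlsx").unlink()                                      # never restored
        (restore / "slots" / "config.ini").write_text("[floor]\nmachines=0\n")   # restored but wrong
        return verify_restore(manifest, restore)


if __name__ == "__main__":
    print("restore drill:", run_restore_drill())
    # Assumed timeline: incident discovered 2020-09-05; newest off-site copy is the
    # 31 August month-end job. A 24-hour RPO is an assumed target.
    fresh = backup_within_rpo(datetime(2020, 8, 31, 23, 0), datetime(2020, 9, 5, 8, 0),
                              rpo=timedelta(hours=24))
    print("newest backup meets 24h RPO:", fresh)
```

Running the file prints one file restored correctly, one missing and one corrupt, and reports that a month-end backup cannot meet a 24-hour RPO. The manifest is the piece most often skipped: without hashes recorded outside the backup host, a restore that "completes" can still hand back encrypted or stale files.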

As you can tell, things were going really bad for Rekt Casino. One of the board members recalled reading about a recent breach where the organization called an incident response team to assist with the containment and recovery. The board member reached out to that firm to help with Rekt casino.

Incident Responders

The incident response team arrived on the scene approximately 28 hours after they were contacted. The reason for the long delay was that Rekt didn’t have an expedited procedure in place to get approval for the incident responders.

Each one of the incident responders had to pass a background check and be approved by the Nevada Gaming Commission before they were allowed access outside the publicly available areas.

The incident responders started their investigation and observed the following:

  • The incident responders started by reviewing firewall logs and found multiple connections from the network to IP addresses in another country over port 6500. Packet captures showed that those connections were encrypted.

    This traffic was treated as malicious because there was no supporting documentation indicating it was normal. In fact, there was no network flow documentation at all.

  • The email server was hosted on site and had no log retention policy, anti-spam, or malware countermeasures.
  • Memory dumps revealed the ransomware executables running in memory, along with PsExec, PowerShell, and an unknown executable.
  • A review of the event logs on affected systems showed Remote Desktop sessions from various other systems using the domain administrator account, after hours, over the previous three weeks.
  • There was no centralized logging for network devices such as routers and switches.
  • The endpoint protection was a signature-based anti-virus with an expired license that was receiving no updates.
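Two of the responders' findings above (after-hours domain-administrator Remote Desktop sessions over three weeks, and repeated outbound connections on an undocumented port) are exactly what centralized logging plus a couple of simple detections would have surfaced long before the ransomware ran. The Python below is an added example, not code from the original post or from MGT514; the log formats, hostnames, IP addresses, business hours and the documented-egress allowlist are all assumptions constructed for illustration.

```python
"""Detection logic over constructed log samples (added example; not from the
original post). Two of the responders' findings at Rekt Casino are things logs
could have surfaced weeks earlier: domain-administrator RDP sessions after
hours, and outbound connections on a port nobody had documented. Log formats,
hostnames and IP addresses below are assumptions for illustration."""
import ipaddress
from datetime import datetime, time

# Constructed Windows Security log records. Event ID 4624 is a successful logon;
# LogonType 10 is RemoteInteractive, i.e. a Remote Desktop session.
SECURITY_EVENTS = [
    {"time": "2020-09-03 22:14:05", "event_id": 4624, "logon_type": 10,
     "account": "REKT\\Administrator", "source_host": "FIN-WS07", "target_host": "DC01"},
    {"time": "2020-09-04 10:30:00", "event_id": 4624, "logon_type": 10,
     "account": "REKT\\Administrator", "source_host": "IT-WS01", "target_host": "FILE01"},
    {"time": "2020-09-05 03:11:40", "event_id": 4624, "logon_type": 10,
     "account": "REKT\\Administrator", "source_host": "CAGE-WS03", "target_host": "FILE01"},
    {"time": "2020-09-03 22:20:00", "event_id": 4624, "logon_type": 10,
     "account": "REKT\\jsmith", "source_host": "IT-WS01", "target_host": "FILE01"},
    {"time": "2020-09-03 22:30:00", "event_id": 4624, "logon_type": 3,
     "account": "REKT\\Administrator", "source_host": "DC01", "target_host": "FILE01"},
]

# Constructed firewall log, one flow per line: "date time action proto src sport dst dport".
FIREWALL_LOG = """\
2020-09-03 22:15:10 ALLOW TCP 10.10.5.21 51234 203.0.113.45 6500
2020-09-03 22:15:12 ALLOW TCP 10.10.5.21 51235 203.0.113.45 6500
2020-09-04 09:02:00 ALLOW TCP 10.10.7.12 49202 198.51.100.10 443
2020-09-04 09:02:03 ALLOW UDP 10.10.7.12 52000 10.10.1.5 53
2020-09-04 09:05:00 ALLOW TCP 198.51.100.77 40000 10.10.5.21 3389
"""

PRIVILEGED_ACCOUNTS = {"REKT\\Administrator"}          # assumed tier-0 accounts
BUSINESS_HOURS = (time(7, 0), time(19, 0))             # assumed; weekends count as off-hours
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")      # assumed internal address range
# Egress flows the casino has documented and expects to see (assumed).
DOCUMENTED_EGRESS = {("TCP", 443), ("TCP", 80), ("UDP", 53), ("TCP", 53)}


def is_after_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.time() < end)


def find_after_hours_privileged_rdp(events):
    """Return 4624 / LogonType 10 events for privileged accounts outside business hours."""
    hits = []
    for e in events:
        if e["event_id"] != 4624 or e["logon_type"] != 10:
            continue
        if e["account"] not in PRIVILEGED_ACCOUNTS:
            continue
        if is_after_hours(datetime.strptime(e["time"], "%Y-%m-%d %H:%M:%S")):
            hits.append(e)
    return hits


def find_undocumented_egress(log_text):
    """Return allowed outbound (internal -> external) flows whose protocol/port
    is not in the documented egress set."""
    hits = []
    for line in log_text.splitlines():
        date, clock, action, proto, src, _sport, dst, dport = line.split()
        if action != "ALLOW":
            continue
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in INTERNAL_NET or dst_ip in INTERNAL_NET:
            continue  # inbound or internal-to-internal; not an egress flow
        if (proto, int(dport)) not in DOCUMENTED_EGRESS:
            hits.append({"time": f"{date} {clock}", "src": src, "dst": dst,
                         "proto": proto, "dport": int(dport)})
    return hits


def summarize_by_destination(hits):
    """Count undocumented flows per (dst, dport). Repeated connections from inside
    to one external host on one odd port is the beaconing pattern to chase first."""
    counts = {}
    for h in hits:
        key = (h["dst"], h["dport"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for e in find_after_hours_privileged_rdp(SECURITY_EVENTS):
        print(f"after-hours privileged RDP: {e['time']} {e['account']} "
              f"{e['source_host']} -> {e['target_host']}")
    for (dst, port), n in summarize_by_destination(find_undocumented_egress(FIREWALL_LOG)).items():
        print(f"undocumented egress: {n} connection(s) to {dst}:{port}")
```

On the constructed sample the first rule flags the two Administrator RDP logons at 22:14 on a Thursday and 03:11 on a Saturday, and ignores the same account during business hours, a non-privileged user after hours, and a network (type 3) logon. The second rule flags only the two flows to 203.0.113.45:6500; the 443 flow is documented, the DNS flow is internal, and the inbound 3389 connection is not egress. Neither rule needs anything fancier than the logs being collected centrally, which is the gap the responders found.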

The incident responders confirmed that ransomware was utilized in the attack and contained the affected systems.

All of the servers were offline, the majority of the workstations were offline, and the only road to recovery was reinstalling the operating systems and restoring whatever data could be salvaged. The fear of a rootkit was on everyone's mind; simply scanning the machines and putting them back into production was not an option.

Post-Mortem

The time has come to start securing the network, recovering, and laying the foundation for the security program. In addition to your own observations, you'll want to review the incident report, and in particular the post-mortem or lessons-learned section.

This section will answer some key questions such as:

  • How did this happen?
  • Why did this happen?
  • Who did this?
  • How can this be prevented from happening again?

The answers to those questions will help inform the immediate steps you need to take after the breach/incident.

The high-level findings of the incident are as follows:

  • Rekt Casino suffered a ransomware incident.
  • The systems became nonresponsive over a holiday weekend.
  • All servers and live workstations were affected by the ransomware.

  • Triage forensics and memory forensics show evidence of PowerShell, PsExec, and the ransomware executables.
  • The firewall logs show outbound connections to a foreign country. Packet captures were taken, but the connections were encrypted.
  • The email server has been in production for more than 10 years and has limited countermeasures for spam or malware.
  • The endpoint protection is signature based with an expired license.
  • The firewall was a basic port filtering firewall with no outbound rules. All outbound connections were allowed.
  • The attacker compromised the domain administrator account and was able to move laterally throughout the network.

There was little evidence to identify the attacker, or how the malware entered the network. In situations like this, you might be able to get an idea based on publicly available research or threat intelligence.

You must be cautious with threat intelligence. Attackers can change their tactics, techniques and procedures quickly, and they can and frequently do change their indicators of compromise. Good references on this are the MITRE ATT&CK framework and the Pyramid of Pain.

In this scenario, publicly available research showed that this particular strain of ransomware had been delivered over email in other breaches. We will assume that is how it compromised the systems at Rekt Casino.

If the publicly available research had shown that the typical point of entry was a USB drive inserted into a workstation or server, that would change our initial steps in implementing the new information security program.

You might be pressured to determine who is to blame. The best answer to this question, and honestly the most correct one, is that a breach is caused by a breakdown in policy and procedure.

Don't get caught up in the blame game. It isn't productive, and it creates an adversarial atmosphere at exactly the time you need the support and cooperation of everyone involved.

This is Part I of a three-part blog series based on SANS MGT514: Security Strategic Planning, Policy, and Leadership.

Read Part II here. Read Part III here.

About the Author

Joe Sullivan has over 20 years of experience in information security. Joe is Principal Consultant at Rural Sourcing in Oklahoma City where he manages and develops the security consulting services and the teams that provide them. Over his career Joe has worked in incident response, penetration testing, systems administration, network architecture, forensics, and is a private investigator specializing in computer crime investigations. Joe teaches MGT514: Security Strategic Planning, Policy, and Leadership. Read more about Joe here.




Tags:
  • Cybersecurity Leadership

© 2025 The Escal Institute of Advanced Technologies, Inc. d/b/a SANS Institute. Our Terms and Conditions detail our trademark and copyright rights. Any unauthorized use is expressly prohibited.