LDR553: Cyber Incident Management

Overview

In Section 1 we will focus on understanding the incident, gathering information from different groups and standardizing the language. To assist in this, we will remind ourselves of some of the common terms to optimize communications. From there we will define what the Incident Management (IM) group will seek to achieve, so we can state and focus on our objectives. This is important as retaining focus can be hard when it gets super busy.

With the objectives defined we then turn to initial tasks and delegating those to the team; this is to give us some breathing space to plan the next steps. Our initial tasking output will be based on one of the core tools in the Cyber Incident Response Tool Kit (CIMTK) the "IM Starting Grid". This detailed list of Yes/No questions outputs a list of core IM tasks that aide rapid response. By identifying these tasks early, concurrent activity can be initiated for both support teams (Incident Response (IR), Information Technology (IT), Human Resources (HR), Legal etc.) and the IM team. As IM is totally dependent upon a good team, we will assess team composition and what different groups need to contribute to the mission. Finally, we dig into communication and how to interact with different stakeholders. Tracking activity, tasks, and communications is a big theme throughout this course.

Exercises

• Reviewing the initial incident briefing
• The incident management starting grid
• Setting the objectives for the IM team
• Crisis communications: briefing the executives

Topics

Initial Information Gathering

• Using common language
• Understanding the attack
• IR Frameworks, OODA loops and non-Zero-sum games
• Scoping your initial tasks

Defining your Objectives

• What are typical objectives in IR/IM?
• Mapping attacks to business impacts

Who's on our Team

• Understanding the skills needed
• Where should the team be located
• How big does the team need to be?
• Managing people to create productive teams

Building our Communications Plan

• Communications planning
• Communicating with Execs, teams, and 3rd parties

Overview

After reviewing Section 1, we conclude the communications topic by looking at communications with the attackers. While you may have no plans to pay any ransom, by entering into dialogue with attackers, you can gain time to fix issues the attackers have uncovered, discovered, or could leak. While controversial and possibly contrary to your own beliefs, it is important to understand options are available to the organization. We will cover how attacker dialogue may occur and what factors will influence the response options and process.

We will look at what incident information should be tracked and options or ways to achieve that. We review both commonly available products as well as bespoke options (including those for on prem and cloud hosted solutions).

Getting into the remediation of the network and data damage, we have a large section on categorizing the damage the attackers have inflicted and then mapping to the necessitated remediation work that will need to be prioritized and tracked to ensure that all possible vulnerabilities have been removed. A much-overlooked aspect, we discuss secrets that are included in stolen data and systems and consider how this might affect our future operations.

In the reporting and documenting of the case, we review some of the outputs from the IM process. While a solid IR report is always useful, we will cover what aspects could be added to expand it to cover IM. This is important as the direction of the Incident Response is often mandated by Incident Management, so linking the two into one report makes for a more structured reading while outsourcing some aspects to others.

In planning the closure of the incident, we discover what remediation and vulnerability closure tasks should be moved to non-incident mainstream projects and what reflection meetings should be held to ensure Root Causes Analysis outputs (RCA) are captured and lessons are identified and tracked. We will look at the 5-why method for undertaking an RCA and some different (good and bad) examples.

Exercises

• Dealing with the attackers
• Drafting a public statement
• Crisis communications - briefing the team
• Prioritizing the data and system remediation planning
• What's a good Root Cause Analysis (RCA)

Topics

Talking to or working with, the attackers

• Understanding what results the attackers are trying to achieve
• Choosing a communications medium
• Attacker media and comms methods
• Proxies, trusted 3rd parties and attacker reputation
• Trying to control the narrative
• Understanding what the attackers have
• Options and impacts
• The cost of doing nothing
• Is paying the attackers really an option?

Tracking the Incident, tasks, people and progress

• Review of the functions we might want to include in our IM solution
• Incident Trackers and what they can look like
• Evidence management
• Task and work tracking
• Building the right solution for the organisation
• Using Google Docs as an emergency IM Platform

Remediation of network and data damage

• Types of Remediation system & data
• Tracking the remediation
• CIMTK: CC Systems and users impacted
• Categorizing exposed assets
• Identifying who owns the data
• Documenting and notifying impacted parties - Counter Compromise Activities
• Root Cause Analysis methods and outcomes

Reporting and documenting the case

• When do you start the report?
• Types of reports
• What goes in the report?
• Graphics are great!
• Getting input, support and consensus
• Control and access to the reports

Planning the closure of the Incident

• Reviewing the task and key objectives
• Understanding Business As Usual (BAU) for the impacted teams
• Running a FRCA
• Handing the ongoing initiatives to project managers
• Breaking up the IM team

Developing the wider team

• Why train others?
• Training the wider organization
• Planning enterprise-wide training
• Developing and running Cyber Incident Exercises

Planning the closure of the Incident

• Reviewing the task and key objectives
• Understanding Business As Usual (BAU) for the impacted teams?
• Running a FRCA
• Handing the ongoing initiatives to project managers
• Breaking up the IM team

Overview

In this session we are deep diving on training of IR/IM and the wider organization. We will examine the need for training and depending upon maturity, the type of training. We will have several labs to support this including a example of an exercise to onboard non-IR types to cyber incidents.

As we look to our own team training, we look at the types of exercises that historically are used and how they fail to help people grow and develop. We look at both long term training strategies and tactical fun exercises to get people talking and working together. We will focus on the gaps and the places people need practice rather than exercises for simple frequency compliance.

Cyber Threat Intelligence (CTI) features heavily in the press and many organizations have it but don't know how to connect it into IR/IM for the best effect. Additionally, many do not work to improve the availability of CTI when in an incident -- we will give you this knowledge and prep-list so you too could benefit from high quality polished CTI in the middle of your Ransomware incident to support IR/IM and even Execs. Finally, as we dig into CTIs various outputs we will explain and understand how we can provide input to the CTI team to best leverage their skills and focus them and their tools to support our local and strategic needs.

Supply chain or 3rd party compromises are increasingly common and have a high chance of increasing as more activities are outsourced to outside the organization. In this longer section we will dig into the limitations we have with these incidents and how we can improve that position.

We will look at the action plan of activities that need to be undertaken to successfully handle a 3rd party issue, and we will break this down in detail as deep dive on a case study for our Submarine Studios. We will show students how to understand the scope, impact, and immediate remediation options as well as investigation actions that fall to 'us', despite this appearing to be a 'them' problem. We will look at how to plan a call with the 3rd party, so our objectives are clear and what to do when we don't get the info we need. Finally, we will look at how and when to close down the 3rd party incident.

Exercises

• Choosing Cyber Training Exercises
• Example table-top exercise for non-IM Specialists
• Planning a HotSeat exercise
• Submitting an Request For Intelligence (RFI)
• 3rd Party Supply Chain: Reviewing the incident notification
• 3rd Party Supply Chain: Assessing the impact and developing an RFI
• 3rd Party Supply Chain: Planning the call with the 3rd party
• 3rd Party Supply Chain: Updating the Execs

Topics

Developing the wider team

• Why train others?
• Training the wider organization
• Planning enterprise-wide training
• Developing and running Cyber Incident Exercises

Developing the wider team

• Types of training
• Leaning needs analysis
• Maturity of exercises

Developing the SOC/IR/IM team

• Working and developing people on the exercises
• Who to include in the exercises
• External groups to include in exercises
• Planning and running hotseat exercises

Leveraging Cyber Threat Intelligence

• What is CTI
• Strategic/Operational/Tactical products
• What can CTI produce for IM?
• Developing CTI requirements
• Generating a PIR
• Avoiding common mistakes
• Intelligence feedback loops

3rd Party Supply Chain Compromise

• What is a supply chain and why is it attacked?
• Notification routes
• CIMTK: 3rd Party compromise IM Planning
• Analysis of the exposure
• Planning around the data void
• Developing an Request for Information (RFI) from 3rd Party
• Planning the 3rd party meeting
• Closing 3rd party incidents.

Overview

With the increase in incident complexity, we need to look at how to visualize the key facts. Timelines are a great way to do this, but we have to be careful. A badly thought out and poorly scoped timeline not developed for the target audience can be confusing and fail to convey the desired message. We will look at how to scope a timeline and the different styles that can be used. We will refer to some case study materials as examples of different lenses on the same incident.

Before we deep dive into BEC and other Cloud focused attacks, we will clarify some aspects of responsibility and attack focuses referring to the common cloud and MITRE models.

We hit Credential Attacks hard looking at what the attackers what to obtain and what they can use those credentials for (again linking to MITRE). We will consider the options of the attacker as they consider if they want do break in themselves and then harvest credentials or if they want to buy access. We will look at Initial Access Brokers and what they provide and how they get it as well as Underground Market places and log sources. Finally, we will cover user targeting aspects including MFA fatigue, Illicit Consent Attacks, Password manager attacks and even malicious browser extensions.

With the stolen credentials we will take a deep look at Business Email Compromise (BEC) starting off with the stages of BEC. As an increasingly common attack, we will look at the IM support to others including how we support the legal arguments, how liability will be decided and where we need to direct IR to forensicate. This is a great follow on to the 3rd part compromise from the Session 3 as we often find ourselves discussing how a supplier got compromised but it was our client lost $100K and they don't want to share compromise logs or data.

With the background set we will look at the 6+ types of BEC as we break down each attack, where the attacker is sitting and who will get impacted. We do this in detail as it makes investigating BEC so much easier when you have a template to compare it against. Naturally, we will have a real head scratcher of a lab where we bring one of the most underrated influences on an investigation -- doubt.

As we move around the cloud model, we focus on IaaS host compromise next again looking at the vector, the impact, the investigation requirements and how clean needs to be managed for completeness.

Finally, we look at cloud management console compromises and consider the impact of these, how they can be investigated and what clean-up work needs to be planned. For this we will look a little at the controls that could have prevented this attack and where the attacker got the credential from in the first place. This will help attendees understand that for some attackers (and luckily for the victim) the management console is not the end goal, but how it's totally dependent on the attacker motivation rather than anything defensive from the defending blue team.

Exercises

• Reviewing Incident Timelines
• Credential Loss Impact Assessment
• We paid the wrong account! (BEC)
• The cloud bill is vast (Cloud Management attack)
• Updating the public statement

Topics

Timelines for visualization

• Scoping the timeline
• Considering the audience
• Levels of detail

Defining Cloud Attacks

• Shared responsibility models
• MITRE for Cloud reference

Credential Theft Attacks

• What attackers are after and why
• BYOD vectors
• How do attackers get the access they want
• Credential Harvesting
• Underground Marketplaces
• Initial Access Brokers
• Malicious Browser Extension
• Password Manager Attacks
• MFA Fatigue
• Illicit Consent Grant Attacks
• CMITK: Credential Loss Immediate Actions (CLIA)

Business Email Compromise (BEC)

• Stages of BEC
• MITRE Refence to O365
• Where does liability fall?
• Supporting Legal staff
• Detailed step through the 6+ types of BEC
• Points to understand to support BEC
• Inbox investigations
• Multi-site and Multi-vendor compromises
• CIMTK: BEC Initial Actions (BECIA)

Cloud Asset Attack

• MITRE TTPs for Cloud Assets
• Differences between Cloud and On-Prem
• Finding the Pivot
• Forensicating the Cloud Virtual Machines
• Closing Policy Holes and Network Gaps

Cloud Management Console Attacks

• Defining the attack and the goals
• Goals for the Attacker
• Focusing the team
• Policy Checks and leveraging Auditors
• Considering the other vectors to 'touch' the console
• Cloud Focused RCA
• Reporting the Incident

Overview

In this last session we will look at some of the bigger issues facing the organizations. We start by looking at how to improve the team by working with others, linking to other teams and groups. We will consider KPIs and internal metrics and what they can show you and what they can hide. As IM is largely focused on big impact incidents, we will look at the wider DR piece for the organization and how you can tap into those teams, processes and exercises for a smoother operation.

ChatGPT is now a common word in press and is used by tech and non-tech people alike. With organizations seeming to rush to invest and claim they are using AI we will take some time to understand what we are talking about. We will look at the collective AI term and break it down types including (NLP, Neural Networks, Generative AI, Machine Learning and Robotics) before we focus on Large Language Model (LLM) and ChatGPT/Bard/Autopilot etc. Then with this understanding we can better understand what we can use where and how. We will examine the risks associated with AI and see how we can minimize those. Finally as part of our LLM exercise we will leverage LLMs to review some of the work we did with Submarine Studios various cases.

Ransomware is headline news almost every day. It's the one thing that keeps more CISOs and Boards awake each night, so we will go deep to look at it's history and where it is now in terms of development. We will look at the stages of a ransomware compromise and what detections points were missed as the attackers moved from initial access to the final closing blow of encryption. We will talk about the tasking of the IR team to support the learning of the details of the attack and we will examine the IM function to coordinate and provide context to the executives as we press them for decisions.

We will extensively refer back to previous sessions on team exercising, planning, cloud attacks, initial access and credential attacks we pull together the plan to minimize the impact so we might salvage the network and organization.

We will consider the alerts that often trigger what most consider the start of the ransomware incident, but we will establish what those alerts mean in terms of the over ransomware stages and what has really happened. We will cross-map that with what instant checks can be done and how automating these could give you early warning of an adversary in the preliminary stages of an attack.

We will talk about what the options are to organizations and what we need to get to execs to be able to get decisions from them. We will focus on no-regret options and consider the impacts of "going dark".

Building on our talking with attackers in Session two, we will consider how negotiation could and should be conducted; again we will look at how this can be exercised and planned for.

Finally, we will look at the need to investigate the network compromise in parallel to the remediation so the organization can repel a further attack that may come depending upon their decisions to pay/no-pay. We will consider the rebuild options and what records might help such activities.

We will cover the need for decisions to be recorded and careful tracking of impacts, systems and availability data. In the aftermath of an incident the 20-20 vision glasses will suddenly be being worn by everyone, so we discuss the need to log and document who knew what where and when.

Exercises

• Leveraging AI and LLM in IM
• Reviewing Ransomware cases
• Analysis and leadership in the middle of a Ransomware event
• Capstone exercise phase 1
• Capstone exercise phase 2
• Capstone exercise phase 3

Topics

Improving IR/IM

• Policies, playbooks and run books
• People vs Tools
• Metrics vs KPIs -- what's the difference
• The message behind the metrics
• Leveraging outside groups
• Getting in on the DR party
• Relationship management and approaches with different groups

Leveraging AI for IM

• What do we mean by AI
• What AI can we use where?
• What is an Large Language Model (LLM) and are they all the same
• Risks associated with leveraging LLMs
• Is there such a thing as a bad LLM? Are they evil?
• ChatGPT syntax and prompt considerations

Ransomware

• The history of Ransomware
• The stages of a ransomware compromise from start to end
• How the dirty get dirtier
• Does size matter
• Planning to meet the threat
• Exercising to meet the threat
• What are the DR options
• What are the key questions to answer
• What to execs really want
• Remember to breathe
• Documenting the impacts/reports and decisions

Summary and review of the sessions

• How to use the understanding from the course
• What to do on Monday/Day 1
• How to move the super tanker
• What does success look like
• How to continue to grow and improve

Capstone Exercise

• This is a multi stage time sensitive incident
• Analysis of reports will need to be undertaken
• Policies and procedures will need to be read and plans made
• Plans will need to be briefed to Leadership and Executives
• An initial end of day summary will need to be developed