LDR553: Cyber Incident Management™

Overview

In Section 1 we will focus on understanding the incident, gathering information from different groups and standardizing the language. To assist in this, we will remind ourselves of some of the common terms to optimize communications. From there we will define what the Incident Management (IM) group will seek to achieve, so we can state and focus on our objectives. This is important as retaining focus can be hard when it gets super busy.

After defining our objectives, we shift our focus to the crucial task of assigning initial responsibilities to the team. This step provides a breathing space for planning the subsequent actions. The cornerstone of this phase is the Cyber Incident Management Tool Kit (CIMTK), specifically a key component called "The Grid." This comprehensive set of questions and core Incident Management (IM) tasks expedites our response. Identifying these tasks early allows for concurrent activities within support teams (Incident Response, Information Technology, Human Resources, Legal, etc.) and the IM team.

Recognizing that effective Incident Management hinges on a strong team, we delve into assessing team composition and the unique contributions required from different groups to fulfill the mission. Lastly, we delve into the intricacies of communication and how to engage with various stakeholders. Throughout the course, a recurring theme is the meticulous tracking of activities, tasks, and communications-a critical aspect for successful incident management.

Exercises

• Setting up for the labs
• Reviewing the initial incident briefing
• The Cyber Incident Management Tool Kit: "The Grid"
• Setting the IM Objectives and Priorities
• Crisis Communications: Briefing the Executives

Topics

• Initial Information Gathering
  • Using common language
  • Understanding the attack
  • IR Frameworks, OODA loops and non-Zero-sum games
  • Scoping your initial tasks
• Defining your Objectives
  • What are typical objectives in IR/IM?
  • Mapping attacks to business impacts
• Who's on our Team?
  • Understanding the skills needed
  • Where should the team be located
  • How big does the team need to be?
  • Managing people to create productive teams
• Building our Communications Plan
  • Communications planning
  • Communicating with Execs, teams, and 3rd parties

Overview

After reviewing Section 1, we conclude the communications topic by exploring interactions with attackers. While ransom payment may not be in your plans, engaging in dialogue with attackers can buy time to address issues they've uncovered or prevent potential leaks. Acknowledging the controversy and the diverse beliefs surrounding this approach, it's essential to understand the available options for the organization. The course will delve into how attacker dialogue may occur and the factors influencing response options and processes.

Moving on to the remediation of network and data damage, there's an extensive section on categorizing the damage inflicted by attackers. This involves mapping the necessary remediation work, prioritizing tasks, and ensuring the removal of all possible vulnerabilities. Often overlooked, the course discusses the inclusion of secrets in stolen data and systems and considers their impact on future operations.

In the reporting and documentation phase, the course reviews outputs from the Incident Management (IM) process. While a robust Incident Response (IR) report is valuable, the course covers aspects that could be added to expand it to cover IM. This integration is crucial as Incident Management often dictates the direction of Incident Response, creating a more structured report while outsourcing some aspects to others.

When planning the closure of the incident, the course explores which remediation and vulnerability closure tasks should transition to non-incident mainstream projects. It outlines reflection meetings to capture Root Causes Analysis (RCA) outputs and lessons learned. The course introduces the 5-why method for undertaking an RCA, providing examples, both good and bad.

Exercises

• Dealing with the Attackers
• Drafting a Public Statement
• Crisis Communications - briefing the team
• Prioritizing the data and system remediation planning
• What's a good Root Cause Analysis (RCA)?

Topics

• Talking to or working with the attackers
  • Understanding what results the attackers are trying to achieve
  • Choosing a communications medium
  • Attacker media and comms methods
  • Proxies, trusted 3rd parties and attacker reputation
  • Trying to control the narrative
  • Understanding what the attackers have
  • Options and impacts - The cost of doing nothing
  • Is paying the attackers really an option?
• Tracking the Incident, tasks, people and progress
  • Review of the functions we might want to include in our IM solution
  • Incident Trackers and what they can look like
  • Evidence management
  • Task and work tracking
  • Building the right solution for the organisation
  • Using Google Docs as an emergency IM Platform
• Remediation of network and data damage
  • Types of Remediation system & data
  • Tracking the remediation
  • CIMTK: Counter Compromise of systems and users impacted
  • Categorizing exposed assets
  • Identifying who owns the data
  • Documenting and notifying impacted parties - Counter Compromise Activities
• Root Cause Analysis methods and outcomes
  • Understanding the need for a Root Cause Analysis meeting
  • Planning a good RCA (PALPATE)
• Reporting and documenting the case
  • When do you start the report?
  • Types of reports
  • What goes in the report?
  • Graphics are great!
  • Getting input, support and consensus
  • Control and access to the reports
• Planning the closure of the Incident
  • Reviewing the task and key objectives
  • Understanding Business As Usual (BAU) for the impacted teams?
  • Running a FRCA
  • Handing the ongoing initiatives to project managers
  • Breaking up the IM team

Overview

In this session, our focus is a deep dive into the training of Incident Response (IR) and Incident Management (IM), not only within our own teams but extending to the wider organization. We'll explore the imperative need for training, considering the type of training required based on organizational maturity. Engaging in hands-on labs, including an exercise exemplifying the onboarding of non-IR personnel to cyber incidents, we aim to provide practical insights.

Turning our attention to team training, we assess historical practices and their limitations in fostering individual growth and development. Emphasizing both long-term training strategies and tactical, engaging exercises, our approach aims to address specific gaps and areas where practical experience is needed, moving beyond mere frequency compliance.

Delving into the realm of Cyber Threat Intelligence (CTI), often featured prominently in the press, we address the challenge many organizations face in integrating it effectively into IR/IM efforts. Beyond its acquisition, we tackle the issue of maintaining CTI availability during an incident. Equipping participants with the knowledge and a prep-list, we empower them to leverage high-quality CTI in the midst of a Ransomware incident, supporting IR/IM efforts and executive decision-making. Furthermore, we explore how to provide input to the CTI team to optimize their skills and tools for local and strategic needs.

With the increasing prevalence of supply chain or 3rd party compromises, we dedicate an extended section to dissecting the limitations in handling these incidents and strategies to improve our position. Through an in-depth case study of our Submarine Studios, we guide students in understanding the scope, impact, and immediate remediation options, as well as investigative actions falling within our purview. We unravel the intricacies of planning a call with the 3rd party, ensuring clarity of objectives, and navigating scenarios where required information may not be readily available. Lastly, we tackle the crucial aspect of when and how to effectively close down a 3rd party incident.

Exercises

• Choosing Cyber Training Exercises
• Example table-top exercise for non-IM Specialists
• Planning a HotSeat exercise
• Submitting an Request For Intelligence (RFI)
• 3rd Party Supply Chain: Reviewing the incident notification
• 3rd Party Supply Chain: Assessing the impact and developing an RFI
• 3rd Party Supply Chain: Planning the call with the 3rd party
• 3rd Party Supply Chain: Updating the Execs

Topics

• Developing the wider team
  • Why train others?
  • Training the wider organization
  • Planning enterprise-wide training
  • Developing and running Cyber Incident Exercises
• Developing the wider team
  • Types of training
  • Leaning needs analysis
  • Maturity of exercises
• Developing the SOC/IR/IM team
  • Working and developing people on the exercises
  • Who to include in the exercises
  • External groups to include in exercises
  • Planning and running hotseat exercises
• Leveraging Cyber Threat Intelligence
  • What is CTI
  • Strategic/Operational/Tactical products
  • What can CTI produce for IM?
  • Developing CTI requirements
  • Generating a PIR
  • Avoiding common mistakes
  • Intelligence feedback loops
• 3rd Party Supply Chain Compromise
  • What is a supply chain and why is it attacked?
  • Notification routes
  • CIMTK: 3rd Party compromise IM Planning
  • Analysis of the exposure
  • Planning around the data void
  • Developing an Request for Information (RFI) from 3rd Party
  • Planning the 3rd party meeting
  • Closing 3rd party incidents.

Overview

In response to the escalating complexity of incidents, our focus turns to visualizing key facts, with timelines emerging as a powerful tool. However, we stress the importance of careful scoping, as a poorly conceived timeline, not tailored to the target audience, risks confusion and fails to convey the intended message. Our exploration delves into the art of scoping timelines, exploring various styles, and drawing insights from case studies that exemplify different perspectives on the same incident.

Before delving into Business Email Compromise (BEC) and other Cloud-focused attacks, we clarify aspects of responsibility and attack focuses, referring to prevalent cloud and MITRE models. Credential attacks take center stage, probing what attackers seek to obtain and how they leverage credentials, intricately linking back to the MITRE framework. We analyze attacker options, from breaking in and harvesting credentials to purchasing access. Concepts like Initial Access Brokers, Underground Marketplaces, and various user targeting strategies, including MFA fatigue and Illicit Consent Attacks, come under scrutiny.

With stolen credentials as our foundation, we embark on an in-depth exploration of BEC, elucidating its stages and examining the crucial Incident Management (IM) support it necessitates. This extends to supporting legal arguments, determining liability, and directing Incident Response (IR) efforts for forensics. Addressing the aftermath of a third-party compromise, we unravel the complexities of discussions where a supplier's compromise impacts the client's financial loss.

The session further dissects the nuances of six-plus types of BEC attacks, delineating the attacker's position and the affected parties. Our detailed breakdown serves as a template for easier BEC investigations, complemented by a hands-on lab challenging participants with an underrated investigative influence - that of doubt in everything you see and are told.

Navigating the cloud model, our focus shifts to Infrastructure as a Service (IaaS) host compromise, examining vectors, impacts, investigation requirements, and the nuanced management of cleanup for completeness.

Concluding our journey, we explore cloud management console compromises, assessing their impact, investigative approaches, and the requisite cleanup strategies. The session also touches on preventive controls and the origins of the attacker's credentials, emphasizing that, for certain attackers, the management console is a means to an end, shaped by attacker motivation rather than the defensive measures of the blue team.

Exercises

• Reviewing Incident Timelines
• Credential Loss Impact Assessment
• We paid the wrong account! (BEC)
• The cloud bill is vast (Cloud Management attack)

Topics

• Timelines for visualization
  • Scoping the timeline
  • Considering the audience
  • Levels of detail
• Defining Cloud Attacks
  • Shared responsibility models
  • MITRE for Cloud reference
• Credential Theft Attacks
  • What attackers are after and why
  • BYOD vectors
  • How do attackers get the access they want
  • Credential Harvesting
  • Underground Marketplaces
  • Initial Access Brokers
  • Malicious Browser Extension
  • Password Manager Attacks
  • MFA Fatigue
  • Illicit Consent Grant Attacks
  • CMITK: Credential Loss Immediate Actions (CLIA)
• Business Email Compromise (BEC)
  • Stages of BEC
  • MITRE Refence to O365
  • Where does liability fall?
  • Supporting Legal staff
  • Detailed step through the 6+ types of BEC
  • Points to understand to support BEC
  • Inbox investigations
  • Multi-site and Multi-vendor compromises
  • CIMTK: BEC Initial Actions (BECIA)
• Cloud Asset Attack
  • MITRE TTPs for Cloud Assets
  • Differences between Cloud and On-Prem
  • Finding the Pivot
  • How do we Forensicate the Cloud Virtual Machines
  • Closing Policy Holes and Network Gaps
• Cloud Management Console Attacks
  • Defining the attack and the goals
  • Goals for the Attacker
  • Focusing the team
  • Policy Checks and leveraging Auditors
  • Considering the other vectors to 'touch' the console
  • Cloud Focused RCA
  • Reporting the Incident

Overview

In this last session we will look at some of the bigger issues facing the organizations. We start by looking at how to improve the team by working with others, linking to other teams and groups. We will consider KPIs and internal metrics and what they can show you and what they can hide. As IM is largely focused on big impact incidents, we will look at the wider DR piece for the organization and how you can tap into those teams, processes and exercises for a smoother operation.

ChatGPT is now a common word in press and is used by tech and non-tech people alike. With organizations seeming to rush to invest and claim they are using AI we will take some time to understand what we are talking about. We will look at the collective AI term and break it down types including (NLP, Neural Networks, Generative AI, Machine Learning and Robotics) before we focus on Large Language Model (LLM) and Generative AI (especially ChatGPT) etc. Then with this understanding we can better understand what we can use where and how. We will examine the risks associated with AI and see how we can minimize those. Finally, as part of our LLM exercise we will leverage LLMs to review some of the work we did with Submarine Studios various cases.

Ransomware is headline news almost every day. It's the one thing that keeps more CISOs and Boards awake each night, so we will go deep to look at it's history and where it is now in terms of development. We will look at the stages of a ransomware compromise and what detections points were missed as the attackers moved from initial access to the final closing blow of encryption. We will talk about the tasking of the IR team to support the learning of the details of the attack, and we will examine the IM function to coordinate and provide context to the executives as we press them for decisions.

We will extensively refer back to previous sessions on team exercising, planning, cloud attacks, initial access and credential attacks we pull together the plan to minimize the impact so we might salvage the network and organization.

We will consider the alerts that often trigger what most consider the start of the ransomware incident, but we will establish what those alerts mean in terms of the over ransomware stages and what has really happened. We will cross-map that with what instant checks can be done and how automating these could give you early warning of an adversary in the preliminary stages of an attack.

We will talk about what the options are to organizations and what we need to get to execs to be able to get decisions from them. We will focus on no-regret options and consider the impacts of "going dark".

Building on our talking with attackers in Session two, we will consider how negotiation could and should be conducted; again, we will look at how this can be exercised and planned for.

Finally, we will look at the need to investigate the network compromise in parallel to the remediation so the organization can repel a further attack that may come depending upon their decisions to pay/no-pay. We will consider the rebuild options and what records might help such activities.

We will cover the need for decisions to be recorded and careful tracking of impacts, systems and availability data. In the aftermath of an incident the 20-20 vision glasses will suddenly be being worn by everyone, so we discuss the need to log and document who knew what where and when.

Exercises

• Updating the public statement
• Leveraging AI and LLM in IM
• Reviewing Ransomware cases
• Capstone exercise

Topics

• Improving IR/IM
  • Policies, playbooks and run books
  • People vs Tools
  • Metrics vs KPIs -- what's the difference
  • The message behind the metrics
  • Leveraging outside groups
  • Getting in on the DR party
  • Relationship management and approaches with different groups
• Leveraging AI for IM
  • What do we mean by AI
  • What AI can we use where?
  • What is an Large Language Model (LLM) and are they all the same
  • Risks associated with leveraging LLMs
  • Is there such a thing as a bad LLM? Are they evil?
  • ChatGPT syntax and prompt considerations
• Ransomware
  • The history of ransomware
  • The stages of a ransomware compromise from start to end
  • How the dirty get dirtier
  • Does size matter
  • Planning to meet the threat
  • Exercising to meet the threat
  • What are the DR options
  • What are the key questions to answer
  • What do execs really want
  • Remember to breathe
  • Documenting the impacts/reports and decisions
  • CIMTK: Ransomware Initial Actions (RIA)
• Summary and review of the sessions
  • How to use the understanding from the course
  • What to do on Monday/Day 1 when back in the office
  • How to move the super tanker
  • What does success look like
  • How to continue to grow and improve
• Capstone Exercise
  • This is a multi stage time sensitive incident
  • Analysis of reports will need to be undertaken
  • Policies and procedures will need to be read and plans made
  • Plans will need to be briefed to Leadership and Executives
  • An initial end of day summary will need to be developed