When a cyber security incident occurs, you need to understand exactly how the attack happened, so you can plan the best way to respond. Earlier this week, we hosted a webinar where our cyber security expert, Janne Kauhanen, talked about incident response. Article URL: https://business.f-secure.com/got-hacked-cyber-security-webinar4

1. GOT HACKED?
IT’STOO LATE
TO RUN NOW.
Janne Kauhanen
Twitter: @JKauhanen

2. 360° OFCYBER SECURITY
2
MINIMIZE ATTACK
SURFACE
PREVENT
INCIDENTS
UNDERSTAND YOUR RISK,
KNOW YOUR ATTACK SURFACE,
UNCOVER WEAK SPOTS
REACT TO BREACHES,
MITIGATE THE DAMAGE,
ANALYZE AND LEARN
RECOGNIZE INCIDENTS
AND THREATS, ISOLATE
AND CONTAIN THEM

3. AGENDA
3
 Definitions
 Threat detection, a short summary
 Why do you get hacked?
 What to do when you get hacked?
 Incident Response process
 Forensics
 Incident Response capabilities you should (and shouldn’t) have
 Crisis management

4. SECURITY INCIDENTS
Hacker actions
4
Information leak Widespread
malware infection
Internal
misbehavior
(unintentional
included)

5. "ASECURITY INCIDENT IS
ANYKINDOFACTION
THAT RESULTS INACHANGE
TOAKNOWN GOOD STATE.“
KURTHAGERMAN,CISO,ARMORDEFENSEINC.
5

6. THEDOS ANDDON’TS OF
THREAT DETECTION
RECAPOFWEBINAR#3
6

7. WHYDIDIGETHACKED?
7
"DRIVE BY" &
SCRIPT KIDDIES
FOCUS
SKILL
TARGETED
ATTACKS
IDENTITY
THEFT, 0DAY
EXPLOITS
ADVANCED
PERSISTENT
THREATS

16. INCIDENT RESPONSE PROCESS
16
Briefing Identification Containment Recovery Aftermath

17. INCIDENT RESPONSE PROCESS
17
Briefing Identification Containment Recovery Aftermath

18. INCIDENT RESPONSE PROCESS
18
Briefing Identification Containment Recovery Aftermath

19. INCIDENT RESPONSE PROCESS
19
Briefing Identification Containment Recovery Aftermath

20. INCIDENT RESPONSE PROCESS
20
Briefing Identification Containment Recovery Aftermath

21. FORENSICINVESTIGATION
1. HOW WAS THE DEVICE BREACHED?
‒ WHAT WAS THE ROOT CAUSE?
2. HOW DID THE ATTACKER COMMUNICATE WITH THE DEVICE?
‒ IS THE ATTACKER STILL ABLE TO COMMUNICATE WITH THE DEVICE?
3. WAS THE ATTACKER ABLE TO MOVE BEYOND THIS DEVICE?
‒ IS THERE A WAY TO DETECT INFECTED DEVICES?
4. WAS DATA EXFILTRATED FROM THE DEVICE?
‒ HOW MUCH DATA, WHAT KIND OF DATA, AND WHERE DID IT GO?
21

22. FORENSICINVESTIGATION
1. HOW WAS THE DEVICE BREACHED?
‒ WHAT WAS THE ROOT CAUSE?
2. HOW DID THE ATTACKER COMMUNICATE WITH THE DEVICE?
‒ IS THE ATTACKER STILL ABLE TO COMMUNICATE WITH THE DEVICE?
3. WAS THE ATTACKER ABLE TO MOVE BEYOND THIS DEVICE?
‒ IS THERE A WAY TO DETECT INFECTED DEVICES?
4. WAS DATA EXFILTRATED FROM THE DEVICE?
‒ HOW MUCH DATA, WHAT KIND OF DATA, AND WHERE DID IT GO?
22

23. FORENSICINVESTIGATION
1. HOW WAS THE DEVICE BREACHED?
‒ WHAT WAS THE ROOT CAUSE?
2. HOW DID THE ATTACKER COMMUNICATE WITH THE DEVICE?
‒ IS THE ATTACKER STILL ABLE TO COMMUNICATE WITH THE DEVICE?
3. WAS THE ATTACKER ABLE TO MOVE BEYOND THIS DEVICE?
‒ IS THERE A WAY TO DETECT INFECTED DEVICES?
4. WAS DATA EXFILTRATED FROM THE DEVICE?
‒ HOW MUCH DATA, WHAT KIND OF DATA, AND WHERE DID IT GO?
23

24. FORENSICINVESTIGATION
1. HOW WAS THE DEVICE BREACHED?
‒ WHAT WAS THE ROOT CAUSE?
2. HOW DID THE ATTACKER COMMUNICATE WITH THE DEVICE?
‒ IS THE ATTACKER STILL ABLE TO COMMUNICATE WITH THE DEVICE?
3. WAS THE ATTACKER ABLE TO MOVE BEYOND THIS DEVICE?
‒ IS THERE A WAY TO DETECT INFECTED DEVICES?
4. WAS DATA EXFILTRATED FROM THE DEVICE?
‒ HOW MUCH DATA, WHAT KIND OF DATA, AND WHERE DID IT GO?
24

25. FORENSICINVESTIGATION
1. HOW WAS THE DEVICE BREACHED?
‒ WHAT WAS THE ROOT CAUSE?
2. HOW DID THE ATTACKER COMMUNICATE WITH THE DEVICE?
‒ IS THE ATTACKER STILL ABLE TO COMMUNICATE WITH THE DEVICE?
3. WAS THE ATTACKER ABLE TO MOVE BEYOND THIS DEVICE?
‒ IS THERE A WAY TO DETECT INFECTED DEVICES?
4. WAS DATA EXFILTRATED FROM THE DEVICE?
‒ HOW MUCH DATA, WHAT KIND OF DATA, AND WHERE DID IT GO?
25

26. IN-HOUSE CAPABILITIES
26
What kind of
capabilities should I
have in-house?
Is there anything I
should not try to do
myself?

27. “BYFAILING TOPREPARE
YOUARE PREPARING TOFAIL”
BENJAMINFRANKLIN
27

28.  Scenarios based on real life,
adjusted to target organization
 GameMaster monitors actions
and generates additional
inputs
28
CRISIS MANAGEMENT
EXERCISE

29. THERE ARETWO TYPES OF
COMPANIES:
THOSE WHOHAVE BEEN
BREACHED, AND THOSE WHO
DON’T KNOW IT YET.
29

30. Q&A
30