
Post-mortem of a data breach

How do data breaches happen? What are their business implications? Learn how to react when an incident does happen and how to get back to business as quickly as possible afterwards.


  1. POST-MORTEM OF A DATA BREACH. Janne Kauhanen (@jkauhanen), Jani Kallio (@janikallionet), F-Secure Cyber Security Services
  2. 100+ ASSIGNMENTS / 3 YEARS
  3. SERVICE PROVIDER "CORPX"
     • Listed on several international stock exchanges
     • Provides application services, e.g. to the financial sector
     • Never thought they could be targeted: "we're just a regular company"
  4. SITUATION ONE MORNING IN SEPT 2015
     • "7GB of data was sent from one financial department employee's PC to IP-address"
     • F-Secure Labs confirmed the address as a known data exfiltration server, used in a recently activated campaign
  5. Attack chain diagram (Watering hole, Command & Control, Data Exfiltration), phase highlighted: RECON
  6. Attack chain diagram (Watering hole, Command & Control, Data Exfiltration), phase highlighted: EXPLOITATION
  7. Attack chain diagram (Watering hole, Command & Control, Data Exfiltration), phase highlighted: ATTACK KIT DELIVERY
  8. Attack chain diagram (Watering hole, Command & Control, Data Exfiltration), phase highlighted: LATERAL MOVEMENT
  9. Attack chain diagram (Watering hole, Command & Control, Data Exfiltration), phase highlighted: DATA COLLECTION
  10. Attack chain diagram (Watering hole, Command & Control, Data Exfiltration), phase highlighted: DATA EXFILTRATION
  11. WHAT WAS THE BUSINESS IMPACT ON "CORPX"? Jani Kallio, F-Secure Cyber Security Services, Professional Services, Management Consulting
  12. SIMPLIFIED CYBER BREACH'S BUSINESS IMPACT TIMELINE (diagram; vertical axes: stakeholder focus & attention, resource demand; horizontal axis: time)
     • Discovery
     • Long-term implications: loss of revenue; stock price effect; brand & reputation damage; regulatory fines; contractual fines; costs incurred in remediation; 3rd-party legal liability
     • Incident Response: IT forensics; legal & regulatory review
     • External areas: public relations; notification management; stakeholder communication; remedial service provision
     • Short-term implications: loss of efficiency & delivery; internal reporting mayhem; management's focus on the incident, not on business; costs incurred in response; customer interface overload
  13. SIMPLIFIED CYBER BREACH'S BUSINESS IMPACT TIMELINE (same diagram), annotation: IT anomaly
  14. SIMPLIFIED CYBER BREACH'S BUSINESS IMPACT TIMELINE (same diagram), annotations:
     • IT anomaly
     • Discovery, IRT team involved
     • Escalation to MIM
     • Stakeholder notification according to the process
  15. SIMPLIFIED CYBER BREACH'S BUSINESS IMPACT TIMELINE (same diagram), annotations:
     • Client's FSA's information request
     • Legal (external) and internal Sec resources tied up finding answers
     • A client demands an explanation: who, why, how, scope, remediation? -> KAMs try to manage
     • National Data Privacy Ombudsman requests information
  16. SIMPLIFIED CYBER BREACH'S BUSINESS IMPACT TIMELINE (same diagram), annotations:
     • COMMS department demands info to prepare statements in advance
     • External PR company involved
     • 1st forensics report: the breach is larger than expected
  17. SIMPLIFIED CYBER BREACH'S BUSINESS IMPACT TIMELINE (same diagram), annotations:
     • CEO: prepare a statement to the BoD
     • Escalation to the Management Team
     • IRT + MIM + CMT organization in place
  18. SIMPLIFIED CYBER BREACH'S BUSINESS IMPACT TIMELINE (same diagram), annotations:
     • Closed accounts hinder internal operations
     • Client's tender process frozen
     • CMT decision: isolate a suspected system
     • Reporting to client's FSA
     • Several units require instructions from CMT
  19. SIMPLIFIED CYBER BREACH'S BUSINESS IMPACT TIMELINE (same diagram), annotations:
     • Improvement program scoping
     • Today
     • Risk assessments
     • Major Security Improvement program initiated
  20. SUMMARY
     • Successful business makes you a potential target
     • This case was a textbook example
     • Although prepared, the level of business disruption came as a surprise
     • You have fire drills – why not cyber drills?
     © F-Secure Confidential
  21. SWITCH ON FREEDOM
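The trigger on slide 4 (gigabytes leaving a single workstation for an address that threat intelligence already lists as an exfiltration server, the final phase on slide 10) is the kind of finding a routine flow-log check can raise before the campaign has finished. The following added example is not from the presentation or from F-Secure; the flow records, the workstation subnet, the byte threshold and the indicator list are all constructed for illustration.

```python
"""Flag large outbound transfers and contact with known data-exfiltration servers in flow logs."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed indicator list (RFC 5737 documentation address, not a real indicator).
KNOWN_EXFIL_SERVERS = {"203.0.113.45"}
# Assumed address plan for the example: workstations and internal servers.
WORKSTATION_NET = ip_network("10.20.0.0/16")
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
# Alert once more than 1 GiB has left one workstation for one external destination.
VOLUME_THRESHOLD_BYTES = 1 * 1024 ** 3

# Constructed NetFlow-style records: timestamp,src_ip,dst_ip,dst_port,bytes_out
SAMPLE_FLOWS = """\
2015-09-14T02:10:05Z,10.20.4.17,203.0.113.45,443,2400000000
2015-09-14T02:41:12Z,10.20.4.17,203.0.113.45,443,2300000000
2015-09-14T03:05:44Z,10.20.4.17,203.0.113.45,443,2300000000
2015-09-14T08:15:00Z,10.20.4.22,198.51.100.10,443,52000000
2015-09-14T08:16:30Z,10.20.9.3,203.0.113.45,443,1200
2015-09-14T09:00:00Z,10.20.4.99,10.20.200.5,445,3200000000
"""


def parse_flows(text):
    """Parse CSV flow lines into (timestamp, src, dst, port, bytes) tuples."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, port, nbytes = line.split(",")
        rows.append((ts, src, dst, int(port), int(nbytes)))
    return rows


def detect_exfiltration(flows):
    """Return alerts as (src, dst, total_bytes, reasons), summed per src/dst pair."""
    totals = defaultdict(int)
    for _, src, dst, _, nbytes in flows:
        totals[(src, dst)] += nbytes
    alerts = []
    for (src, dst), total in sorted(totals.items()):
        reasons = []
        if dst in KNOWN_EXFIL_SERVERS:  # any contact, even a tiny beacon, is worth a look
            reasons.append("known exfiltration server")
        # Internal-to-internal copies (e.g. to a file server) are not counted here.
        external = not any(ip_address(dst) in net for net in INTERNAL_NETS)
        if ip_address(src) in WORKSTATION_NET and external and total >= VOLUME_THRESHOLD_BYTES:
            reasons.append("large outbound volume from workstation")
        if reasons:
            alerts.append((src, dst, total, reasons))
    return alerts


if __name__ == "__main__":
    for src, dst, total, reasons in detect_exfiltration(parse_flows(SAMPLE_FLOWS)):
        print(f"{src} -> {dst}: {total / 1e9:.1f} GB ({', '.join(reasons)})")
```

Summing per source/destination pair is what turns three unremarkable-looking transfers into the 7 GB figure; the 1.2 KB contact from the second workstation is flagged on the indicator match alone, which is the earlier signal the volume rule would miss.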