SESSION ID: LAB2-T11
How to Run a Cyber-Incident Response Exercise Using an Open-Source Scenario

Aaron Rosenmund, Author Evangelist, Pluralsight, @ARosenmund
John Elliott, Author & Consultant, Pluralsight & others, @withoutfire
#RSAC

Two disclaimers
Nothing in this presentation represents the views of John's or Aaron's employers.
This presentation is not intended to be legal advice. If you require legal advice you are advised to consult a qualified lawyer in your jurisdiction.

Agenda
Why practice an incident?
Preparation
Facilitation
Have a go!

Why practice? (John)

NIST cyber security framework
Functions: Identify, Protect, Detect, Respond, Recover
Gold – Strategic
Silver – Tactical
Bronze – Incident Management

"Right of bang"
Preparation (controls) → Bang! → Recovery

There really isn't just a bang
Preparation → Bang! → Fog of war → Recovery

Why practice?
Get the top team to actively think about this
– It's not just a theoretical playbook or an IT issue
It's better to make mistakes when the world isn't watching
We all learn from mistakes (it's very trite, but …)
Personnel change frequently
A control without assurance is not a control

Preparation (John)

Typical incident management
Gold Team – Strategic (practice here)
Silver Team – Tactical
Bronze – Operational / Incident Management

Typical Gold Team members
Chief Executive Officer
Chief Operating Officer
Chief Financial Officer
CIO / Head of IT
General Counsel / Head of Legal
Heads of:
– Marketing / PR
– HR

Overcoming objections
Objections:
– We don't have time
– Incidents are unknowable
– It won't happen to us
– We can do this without practice
Responses:
– It takes 2 hours.
– It can save a fortune.
– The general principles are the same.
– Mostly the questions you need to answer are the same.
– You can, and historically people who do this don't do very well.

Facilitation (Aaron)

Facilitation: Setting the scene
1. Establish a safe place
2. Elicit expectations
3. Agree rules
4. Clarify roles
There are slides for this on the website.

1. Establish a safe place
It's fine to pause, stop, think
We're all here to learn…
If you feel pressured, say so
Have fun
It's fine to say "I don't know"

2. Elicit expectations
What are the participants hoping they will achieve?
Gaps in our knowledge, processes, technology
Things we can do better
Training our breach response safely
And anything else?

3. Agree rules
Role play (or not)
How long?
Interruptions
Timeouts
Car park

4. Clarify roles
Introductions and roles
Gold leader
Reserve gold leader (after n hours)
Note takers
– For the incident (they also need to practice). Important in real incidents for legal protection and "memory"
– For the exercise (capture lessons)
Someone responsible for post-exercise change

Structure of the exercise
Set the scene: establish a safe place, elicit expectations, agree rules, clarify roles
For each of x number of turns:
– Introduce the 'Turn' (inject)
– Discussion
– Turn-specific questions
– Decisions & requests for more information
Wrap-up

Facilitation tips
Know your audience
Allow conversation, deviations, learning
GET THE DECISIONS at each turn – bring focus to the end of the turn
Gently keep things moving
2020_USA20_LAB2-T11_01_How-to-Run-a-Cyber-Incident-Response-Exercise-Using-an-Open-Source-Scenario