
Cybersecurity incident response guidelines for those who think they are not targets

Managing cybersecurity in an organization means managing risk at the strategic level. An organization may be "mature" at the operational level in how it manages information security risk (baseline security-hygiene controls are in place) while, at the strategic level (the top decision-making level, the strategic risk owners), it does not recognize Advanced Persistent Threats (APTs) as a real threat. Under such circumstances the organization is not prepared to respond to a cybersecurity incident involving advanced threat actors.

I've presented lessons learned from responding to a cybersecurity incident involving APTs to defenders from the third line of defense (per the COSO framework) at the annual Audit, Risk and Governance Africa conference. The presentation covered the incident response timeline with activities involving internal and external stakeholders, reverse analysis of the attack flow (kill chain), characteristics of the "zero-day" malware back-doors discovered, impact analysis, and countermeasures.

Incident response took 5 months, during which 10 "zero-day" malware samples were identified and analyzed, as well as 3 entry points to the attackers' command-and-control infrastructure. Some of the "zero-days" relate to UPS.EXE, MofRAT, and other back-doors that the cybersecurity industry attributes to APT3, Pirpi, UPS Team, or Gothic Panda.

The presentation with notes and references can be downloaded here: Viktor Polic APT incident response notes.
