Cybersecurity incident response guidelines for those who think they are not targets

Managing cybersecurity in an organization means managing risk at the strategic level. While at the operational level an organization might be “mature” in the way it manages information security risk (baseline security-hygiene controls are in place), at the strategic level (the top decision-making level – the strategic risk owners) it might not recognize Advanced Persistent Threats (APT) as a real threat. Under such circumstances an organization is not prepared to respond to a cybersecurity incident involving advanced threat actors.

I’ve presented lessons learned from responding to a cybersecurity incident involving APTs to defenders from the third line of defense (as defined by the COSO framework) at the annual Audit, Risk and Governance Africa conference. The presentation covered the incident response timeline with activities involving internal and external stakeholders, reverse analysis of the attack flow (kill-chain), characteristics of the “zero-day” malware back-doors discovered, impact analysis, and countermeasures.

Incident response took 5 months, during which 10 “zero-day” malware samples were identified and analyzed, as well as 3 entry points to the attackers’ command and control infrastructure. Some of the “zero-days” relate to UPS.EXE, MofRAT, and other back-doors that the cybersecurity industry attributes to APT3, also known as Pirpi, UPS Team, or Gothic Panda.

The presentation, with notes and references, can be downloaded here: Viktor Polic APT incident response notes.