Preparing for the Worst: Table Top Testing Your Incident Response Plan
April 24, 2017
S. Dirk Anderson

Agenda
• PCI & Incident Response
• Overview of a Table Top Exercise
• Preparing Your Scenario
• Example Scenario
• Holding the Exercise
• Documentation & Evaluation
• Q&A

But First...
• Event: an unusual occurrence that impacts business as usual.
• Incident: an event or series of events that significantly disrupts operations and business as usual.
• Breach or Compromise: an incident that has been confirmed as directly impacting the confidentiality, integrity, or availability of information resources.
• Test: an evaluation, with quantifiable metrics, in as close to the actual operational environment as possible.
• Exercise: a simulation of an event designed to validate plan effectiveness.

PCI & INCIDENT RESPONSE

Core Requirements
• 12.10 Implement an incident response plan. Be prepared to respond immediately to a system breach.
• 12.10.1 Create the incident response plan to be implemented in the event of system breach. Ensure the plan addresses the following, at a minimum:
  – Roles, responsibilities, and communication and contact strategies in the event of a compromise, including notification of the payment brands, at a minimum
  – Specific incident response procedures
  – Business recovery and continuity procedures
  – Data backup processes
  – Analysis of legal requirements for reporting compromises
  – Coverage and responses of all critical system components
  – Reference or inclusion of incident response procedures from the payment brands

Related Requirements
• 11.1.2 Implement incident response procedures in the event unauthorized wireless access points are detected.
• 12.5.3 Establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations.
• 12.10.3 Designate specific personnel to be available on a 24/7 basis to respond to alerts.
Testing & Training
• 12.10.2 Review and test the plan, including all elements listed in Requirement 12.10.1, at least annually.
• 12.10.4 Provide appropriate training to staff with security breach response responsibilities.
• 12.10.6 Develop a process to modify and evolve the incident response plan according to lessons learned and to incorporate industry developments.

PREPARING THE EXERCISE

What's the Point
The overall objective is to evaluate how effectively the incident response plan addresses an actual cyber incident, but specific objectives may include:
• Review roles and responsibilities
• Determine management's ability to assess the event, declare an incident, and manage both the emergency response and service resumption accordingly
• Evaluate staff, customer, and community communications plans
• Demonstrate the ability to interface with forensic investigation teams and other third parties
• Verify that incident response procedures and documentation are current
• Validate investigation and analysis capabilities to determine root cause and identify program adjustments

Overview of an Exercise
• Consider conducting your team training at the same time to meet (or at least partially meet) 12.10.4
• Prepare your scenario(s)
• Identify all the exercise participants
• Schedule the exercise: 2-4 hours (may be a full day with training)
• Send a copy of your current IR plan with the invitations
• Identify/assign a scribe (NOT the facilitator, and generally not an active participant/IR team member)

Preparing the Scenario(s)
• Two or three, depending on length and topics
• Pick items from 12.10.1 and specifically address them
• Start with a basic premise and then layer on additional information and details as you work through it
• Prepare lots of questions to drive conversation (more than you put in the scenario slides)

Read the News
• Lost or stolen laptop
• Missing backup tape
• Malware discovery
• Ransomware
• Notification of a common point of purchase
• Disgruntled employee
• Service provider breached
Example Scenario
At 8 a.m. Monday morning, IT identifies a phishing email targeting store managers and asking them to review and update employee time-off accrual for their stores. A link in the message leads to a well-spoofed web site that prompts the user for their domain username and password.
• What are the initial steps IT takes?
• What are the first containment steps?
• How would IT Security be notified?
• What investigative steps would be taken?
• What severity level would this be ranked at, and what escalation of notification would occur?

Example Scenario - Continued
Now assume it is determined that at least one manager provided their full credentials when they received the email early on Sunday morning.
• What severity level would this be ranked at, and what escalation of notification would occur at this point?
• What would need to be checked: remote access, access to customer data, other applications?
• What types of evidence would be collected along the way?
• What additional containment steps would need to be taken?

Make it Fun
What if...
• You literally had a "ghost in the machine"
• The AI "singularity" occurred (à la Terminator)
Just keep the elements being evaluated relevant.

CONDUCTING THE EXERCISE

Gaming it Out
• Do introductions by role in the IR plan
• Review team members and contact info
• Review the IR plan if not conducting a full training
• Cover exercise goals and objectives
• Introduce the first scenario
• Remain flexible and try to roll with the responses

Document in Detail
• Date, time, and location
• Facilitator, scribe, and attendees
• Include the specifics of the scenarios with the answers to any questions
• Most importantly: any gaps, issues, or concerns that are identified in the process
• Summary and any overall thoughts and lessons learned
• Assignments and due dates for any updates to the plan or related procedures

Did We Win?
• Event Escalation and Management Response
  – Event Identification
  – Notice and Event Escalation
  – Incident Determination and Declaration
• Availability of Necessary Resources
• Plan Effectiveness and Completeness
  – Containment and/or Eradication
  – Investigation/Analysis
  – Evidence Collection
  – Recovery
  – Notification
• Root Cause Analysis and Lessons Learned

References
• Visa: What To Do If Compromised
• PCI: Responding to a Data Breach: A How-to Guide for Incident Management
• NIST SP 800-61: Computer Security Incident Handling Guide
• NIST SP 800-84: Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities

Questions
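Appendix: a worked triage for the Example Scenario - Continued slide. Once a manager is known to have entered domain credentials into the spoofed site, the slide asks what needs to be checked (remote access, access to customer data, other applications) and what evidence is collected along the way. The Python script below is an added example written for this page, not part of the original deck: it parses constructed VPN and application authentication log lines (the key=value format, hostnames, account names, IP addresses and the assumed phish time of 06:00 UTC on Sunday 23 April 2017 are all invented for illustration), builds each compromised account's pre-phish baseline of source IPs, flags post-phish activity from sources outside that baseline together with the resource reached, and then lists other accounts attempted from those same sources, which widens the containment scope to managers who have not yet reported anything.

```python
"""Triage of remote-access and application logins for accounts caught by a
credential-phishing campaign.  Added example for the tabletop scenario; the
log format, hosts, users, addresses and timestamps below are constructed."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample events in a simple syslog-style key=value format.
# Monday 2017-04-24 is the day IT spots the phish; the manager entered
# credentials early on Sunday, so the phish time is assumed to be 06:00 UTC on
# 2017-04-23 (an assumption for this example, not a value from the deck).
SAMPLE_LOGS = """\
2017-04-21T08:02:11Z vpn-gw01 event=login user=mgr.store17 src=198.51.100.23 result=success
2017-04-21T17:31:40Z vpn-gw01 event=logout user=mgr.store17 src=198.51.100.23 result=success
2017-04-23T07:55:02Z vpn-gw01 event=login user=mgr.store17 src=203.0.113.45 result=success
2017-04-23T07:57:40Z app-cust01 event=login user=mgr.store17 src=203.0.113.45 result=success app=customer-portal
2017-04-23T08:10:05Z vpn-gw01 event=login user=mgr.store04 src=203.0.113.45 result=failure
2017-04-23T08:10:33Z vpn-gw01 event=login user=mgr.store04 src=203.0.113.45 result=failure
2017-04-24T08:15:00Z vpn-gw01 event=login user=mgr.store17 src=198.51.100.23 result=success
"""
PHISH_TIME = datetime(2017, 4, 23, 6, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kv>.+)$")


@dataclass
class Event:
    ts: datetime
    host: str
    fields: dict = field(default_factory=dict)


def parse_log(text):
    """Parse 'TIMESTAMP HOST key=value ...' lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        fields = dict(tok.split("=", 1) for tok in m.group("kv").split() if "=" in tok)
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m.group("host"), fields))
    return events


def triage(events, compromised_users, phish_time):
    """Return (findings, suspicious_ips), findings sorted by time.

    kind 'new_source': a compromised account active after the phish from a
    source IP it had never used successfully before it, with the resource
    reached (VPN gateway or application) so exposure can be scoped.
    kind 'related_account': any other account attempted from one of those
    suspicious sources after the phish, success or failure, which shows the
    attacker working through the rest of the targeted managers."""
    baseline = {u: set() for u in compromised_users}
    for e in events:
        u = e.fields.get("user")
        if u in baseline and e.ts < phish_time and e.fields.get("result") == "success":
            baseline[u].add(e.fields.get("src"))

    findings, suspicious_ips = [], set()
    for e in events:
        u, src = e.fields.get("user"), e.fields.get("src")
        if u in baseline and e.ts >= phish_time and src not in baseline[u]:
            suspicious_ips.add(src)
            findings.append({"kind": "new_source", "user": u, "src": src, "ts": e.ts,
                             "resource": e.fields.get("app", e.host),
                             "result": e.fields.get("result")})
    for e in events:
        u, src = e.fields.get("user"), e.fields.get("src")
        if u not in baseline and e.ts >= phish_time and src in suspicious_ips:
            findings.append({"kind": "related_account", "user": u, "src": src, "ts": e.ts,
                             "resource": e.fields.get("app", e.host),
                             "result": e.fields.get("result")})
    findings.sort(key=lambda f: f["ts"])
    return findings, suspicious_ips


if __name__ == "__main__":
    found, ips = triage(parse_log(SAMPLE_LOGS), {"mgr.store17"}, PHISH_TIME)
    print("suspicious sources:", ", ".join(sorted(ips)))
    for f in found:
        print(f"{f['ts']:%Y-%m-%d %H:%M}Z {f['kind']:16} {f['user']:12} "
              f"{f['src']:15} {f['resource']:16} {f['result']}")
```

On the constructed data the script reports the VPN login and the customer-portal login from the new source, which answers the "remote access" and "access to customer data" questions for mgr.store17, and the two failed attempts against mgr.store04 from the same address, which is evidence the team should record and a reason to include that account in the password-reset and session-revocation containment step. The new-source baseline is deliberately simple; in a real investigation the same pass would run against the identity provider and VPN concentrator exports and be extended with time-of-day, geography and MFA indicators.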