
Cyber Security: Cyber Incident Response Methodology




SD Cyber Security Incident Response Methodology

__________________________________________________________________________________________

1 Easter Court, Suite E, Owings Mills, MD 21117

PHONE 410·902·0356 · FAX 410·902·9609 www.signalsdefense.com

©2014. ASTIC Signals Defenses, LLC. All rights reserved.

Signals Defense has a robust Incident Response (IR) and cleanup methodology that has been used to help multiple Federal and Civilian agencies identify the scope of compromises, identify malicious scripts and programs, and eradicate them from the affected systems. The Signals Defense IR staff are all fully certified and cleared personnel who handle both classified incidents and unclassified but highly confidential issues.

Signals Defense begins this process by working with your network and security staff to get a complete understanding of what is known about the compromise. At this time we will review any system and security logs as well as any packet captures that have been taken of the malicious activity. We have had great success identifying the attacker's initial point of entry during this phase if it has not already been identified.

Signals Defense works with your network and security staff to determine what level of network access should be provided to identify any currently compromised systems on the network while still maintaining the appropriate level of business confidentiality for your organization. Once this has been determined we develop custom scripts and programs to identify compromised systems and anomalous behavior. All data captured and reviewed in this phase will be stored on a removable encrypted drive. All data investigations will follow industry best practices for chain of custody, so that all data and findings are admissible in court if the case reaches that level. During this phase we work constantly with your internal teams to ensure that any capabilities currently in place are used to the fullest.

Signals Defense uses the information gathered during this phase to establish the scope of the compromise and determine what steps should be taken next.
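The chain-of-custody step described above is usually implemented as a hash manifest: every collected artifact is hashed at collection time, the custodian, source host and timestamp are recorded alongside it, and each hand-off is appended to a custody log so that a later re-hash proves the evidence was not altered while on the encrypted drive. The following is an added example written for this page, not code from Signals Defense or from the document; the case id, host name, custodian names and the two evidence files are all constructed placeholders.

```python
"""Evidence hashing and chain-of-custody manifest (added example, not the
document's own tooling).  The file contents, case id, host name and custodian
names are constructed placeholders."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large packet captures need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, custodian, source_host, case_id):
    """Hash every file under evidence_dir and record who collected it, from where and when."""
    now = datetime.now(timezone.utc).isoformat()
    items = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            items.append({
                "relative_path": os.path.relpath(path, evidence_dir),
                "size_bytes": os.path.getsize(path),
                "sha256": sha256_file(path),
            })
    return {
        "case_id": case_id,
        "source_host": source_host,
        "collected_by": custodian,
        "collected_at_utc": now,
        "items": items,
        # The custody log is the running record of every hand-off of this evidence set.
        "custody_log": [{"event": "collected", "by": custodian, "at_utc": now}],
    }


def transfer_custody(manifest, from_person, to_person):
    """Append a hand-off entry; the manifest itself carries the custody history."""
    manifest["custody_log"].append({
        "event": "transferred",
        "from": from_person,
        "to": to_person,
        "at_utc": datetime.now(timezone.utc).isoformat(),
    })
    return manifest


def save_manifest(manifest, path):
    """Write the manifest as JSON; in practice this lives on the encrypted evidence drive."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return sha256_file(path)  # hash of the manifest itself, recorded in the examiner's notes


def verify_manifest(evidence_dir, manifest):
    """Re-hash each item; return the relative paths that are missing or altered (empty == intact)."""
    mismatched = []
    for item in manifest["items"]:
        path = os.path.join(evidence_dir, item["relative_path"])
        if not os.path.exists(path) or sha256_file(path) != item["sha256"]:
            mismatched.append(item["relative_path"])
    return mismatched


def demo():
    """Build a constructed evidence set, manifest it, hand it off, then show a silent edit is caught."""
    tmp = tempfile.mkdtemp(prefix="evidence_")
    samples = {  # constructed sample artifacts, not real case data
        "auth.log": b"Jan 10 03:12:07 host sshd[4121]: Accepted password for svc from 203.0.113.9 port 51022\n",
        "capture.pcap": bytes(range(256)),
    }
    for name, data in samples.items():
        with open(os.path.join(tmp, name), "wb") as f:
            f.write(data)
    manifest = build_manifest(tmp, "A. Analyst", "fileserver-01.example", "CASE-PLACEHOLDER")
    transfer_custody(manifest, "A. Analyst", "B. Examiner")
    save_manifest(manifest, os.path.join(tmp, "manifest.json"))
    before = verify_manifest(tmp, manifest)          # [] : evidence intact after hand-off
    with open(os.path.join(tmp, "auth.log"), "ab") as f:
        f.write(b"tampered\n")                       # simulate an undocumented modification
    after = verify_manifest(tmp, manifest)           # ['auth.log'] : alteration detected
    return before, after


if __name__ == "__main__":
    print(demo())
```

Hashes are streamed in 1 MiB chunks so multi-gigabyte captures are handled without loading them into memory, and the manifest's own hash is returned by `save_manifest` so the examiner can note it separately; anyone who later re-runs `verify_manifest` against the drive gets an explicit list of altered or missing artifacts rather than a silent pass.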
After the compromised systems have been identified and the scope of the compromise has been determined, we will provide a comprehensive plan to return the compromised systems to an acceptable state. This plan includes multiple options, some of which can be used to successfully eliminate the attacker from the network; others can be used to mitigate the effectiveness of the attack while systems are returned to production state in stages. Our experience resides in the following environments and industries:

• Department of Defense

• International Law Firms

• Financial Firms

• Civilian and Government Health Care

• High net worth individual clients

• The US Republican Party

• Drug Development and Research Facilities

• US Critical Infrastructure

• US Federal Agencies

• Casino and Gaming industry partners


Rick Mellendick holds a Top Secret (TS) clearance and is the Chief Security Officer for Signals Defense in Owings Mills, MD, with 18 years of information technology security experience. Mr. Mellendick performs the duties of technical director and chief strategist for multiple DoD, federal, intelligence, and private organizations. He provides direct support to the U.S. Critical Infrastructure. His background is in designing secure networks in multi-platform/multi-classification environments. His knowledge was gained from researching the advanced threats to critical infrastructure as well as civilian and federal agencies, and it is the basis for the tactics the Signals Defense Computer Network Defense Team and Red Teams use to protect our clients' systems.

Rick has extensive experience in computer network operations, including developing proof-of-concept attacks and performing demonstrations for many federal and corporate clients. The teams that Mr. Mellendick leads regularly perform Red Team analysis specializing in wireless and RF attack and defense as well as technical surveillance counter-measures (TSCM) sweeps. He is a subject matter expert in computer network operations, wireless offensive tactics, and designing information systems to comply with federal and local regulations. Mr. Mellendick has personally completed over 200 wireless and wired penetration tests.

Rick was the chief security architect for a congressionally recognized center of excellence, a multi-billion-dollar hosted-service data center built using non-traditional defense-in-depth strategies. His teams use offensive network techniques to better defend networks and critical infrastructures. Mr. Mellendick specializes in designing and testing wireless networks with non-traditional strategies using offensive techniques. He is a builder and breaker of RF signals, inventor of the Wireless Capture the Flag (http://wctf.us), and breaking and entering through RF is his specialty.

His certifications include CISSP, ISSEP, OPSA, CEH, IEM, IAM, MCP, Certified DoD System Administrator, and Linux Security certifications.

About Us

Signals Defense, LLC, headquartered in Owings Mills, Maryland, specializes in providing Full Spectrum Security Solutions for Commercial and Governmental organizations. Signals Defense's approach includes the belief that full spectrum security is derived from addressing all three disciplines of security: IT/Cyber, Technical/EMSEC, and Physical/OPSEC. Our organization has significant experience in providing products and services across all three disciplines and can develop custom security mitigation solutions based on our unique SDTVA™ (Signals Defense Threat and Vulnerability Assessment). SD Technology is deployed in over 1000 locations including Government Intelligence agencies, DoD and Fortune 100 companies. Our technology has become the de facto standard for the US Government and anyone desiring to properly secure locations handling sensitive and/or classified information.