
Scenario Summary - Cyber Simulation Exercise (Word document "Scenario Summary - Cyber Simulation Exercise formatted.docx", created 2015-08-05)

RSA PERSPECTIVE

SCENARIO SUMMARY - CYBER SIMULATION EXERCISE

"It must be expected that something unexpected will happen." (Aristotle, 384-322 BC)

Scenario Summary

• An advanced, coordinated cyber attack against the organization Glenshiel International Corporation (GIC) results in a massive corporate data breach.

• The skills of the SOC staff, including the SOC manager, are put to the test in identifying anomalies so as to minimize the breach exposure time.

• Events commence with the company CERT/SOC, which has to triage the events, leading to the identification of a breach and a response involving specialist forensic resources.

• The media are alerted as confidential data of many customers is put on underground sites for possible sale.

• The CIO, who holds overall responsibility, leads the response by closely monitoring the events and trying to uncover the extent of the malware presence.

• News about the data breach hits the media and public scrutiny grows while the reputation of the company is debated.

• Public and internal pressure grows and the CEO is asked to brief Congress.

• The media scrutinize the company and allege negligence, and the exposure to lawsuits from impacted customers increases.


Cyber War Game Simulation Objectives

• Gain experience with real world situations

o Educate Executive, Line of Business, and IT participants on what is involved in the process

o Identify strengths and weaknesses in real-time

• Learn Incident Response best practices

o Gain guidance on workflow of activities involved in Incident Response

o Practices include identification, remediation and communication

• Gain a catalyst to improve Incident Preparedness

o Identify common response difficulties and assess readiness level

o Gain insight without the pain of (and before) an incident

o Experience provides a catalyst for participants to champion improvement

War Game Insight

How the incident unfolded

• A Sales Director, John Doe, has called the GIC Cybersecurity team to report that his machine is acting sluggishly and that this might be due to a malware infection. He has received an email regarding Nuclear Radiation and has tried unsuccessfully to open the Excel attachment.

• Triage is performed on John's computer, and suspicious files are observed in a TEMP folder along with suspicious running processes.

• The GIC SOC Forensics team is engaged to analyze the computer and concludes that it has been compromised. They examine the web access (proxy) logs for this computer.

• While the Forensics team is doing its analysis, the CERT Incident Coordinator examines the email logs.

• The Incident Coordinator identifies other users from the list as affected as well. The coordinator now engages the Forensics team to examine their computers.

• The forensic analysis of the other computers shows that they are infected by the same malware as was found on the first computer.

• The web access logs obtained earlier also seem to indicate that something may have been uploaded from a machine.

• One of the files recovered from a computer appears to contain customer login credentials, so the coordinator obtains logs from the system.

• These show many customer accounts logging in from Russia. The Incident Coordinator then escalates to the SOC manager as a critical incident.

• One of the company's security providers contacts the Cybersecurity team, reporting that data has been recovered from a Russian hacker web site.

• A customer who performed a Google search on his own name has found his personal details on a hacker forum.


• Customer support begins to reset accounts, and one of these customers is a journalist.

• A reporter has since approached several employees and, off the record, has been told that 'hundreds of thousands' of accounts have been compromised. The media have now approached GIC asking for comment. TV news reports about the breach have aired.
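The two log pivots the Incident Coordinator makes in the timeline above (searching the email logs for other recipients of the phishing message, and checking the customer login logs for accounts authenticating from Russia) as an added Python example; this is not part of the RSA document, and the log formats, addresses, account IDs, the home country "GB" and the escalation threshold are all constructed assumptions.

```python
# Added example, not from the RSA exercise document. Runs the two log pivots
# from the scenario over constructed sample logs.
from collections import defaultdict

# Constructed mail-gateway log lines: timestamp sender recipient "subject"
MAIL_LOG = """\
2015-08-03T08:02:11Z info@nuclear-news.example john.doe@gic.example "Nuclear Radiation"
2015-08-03T08:02:12Z info@nuclear-news.example jane.roe@gic.example "Nuclear Radiation"
2015-08-03T08:02:13Z info@nuclear-news.example sam.poe@gic.example "Nuclear Radiation"
2015-08-03T09:15:40Z hr@gic.example john.doe@gic.example "Q3 targets"
"""

# Constructed customer-portal login log lines: timestamp account result country
LOGIN_LOG = """\
2015-08-04T22:10:01Z cust-1001 success RU
2015-08-04T22:10:05Z cust-1002 success RU
2015-08-04T22:10:09Z cust-1003 success GB
2015-08-04T22:11:30Z cust-1001 success RU
2015-08-04T23:00:00Z cust-1004 failure RU
"""

def other_recipients(mail_log, subject, reporter):
    """Pivot 1: every recipient of `subject` other than the user who reported
    it; these are the other machines the Forensics team should examine."""
    hits = set()
    for line in mail_log.splitlines():
        _ts, _sender, rcpt, subj = line.split(" ", 3)
        if subj.strip('"') == subject and rcpt != reporter:
            hits.add(rcpt)
    return hits

def logins_by_country(login_log, home_country):
    """Pivot 2: map each country other than `home_country` (an assumption)
    to the set of accounts that logged in successfully from it."""
    suspicious = defaultdict(set)
    for line in login_log.splitlines():
        _ts, account, result, country = line.split()
        if result == "success" and country != home_country:
            suspicious[country].add(account)
    return dict(suspicious)

def should_escalate(suspicious, threshold=2):
    """Escalate to the SOC manager once one foreign country accounts for at
    least `threshold` distinct customer logins (threshold is an assumption)."""
    return any(len(accounts) >= threshold for accounts in suspicious.values())
```

Running `other_recipients(MAIL_LOG, "Nuclear Radiation", "john.doe@gic.example")` yields the two other recipients to triage, and `should_escalate(logins_by_country(LOGIN_LOG, "GB"))` is true because two distinct accounts authenticated from RU.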

Feedback after the role plays

• "Developing an organisational culture to simulate war games and response to crisis situation is essential"

• "This was an IT led incident – how do we get the business engaged in it"

• "I felt the stress of the situation."

• "This workshop reflected the reality of an incident"

• "Difficulty in imagining breach risk exposure"

www.RSA.com

EMC2, EMC, the EMC logo, RSA, the RSA logo, are registered trademarks or trademarks of EMC Corporation in the United States and other countries. © Copyright 2015 EMC Corporation. All rights reserved. Published in the USA. RSA believes the information in this document is accurate as of its publication date. The information is subject to change without notice.