Contingency Planning

The document outlines the importance of contingency planning (CP) for organizations to prepare for unexpected events, emphasizing the need for a structured response to minimize disruption and restore normal operations. It differentiates between contingency planning and risk management, detailing the components of CP such as Business Impact Analysis (BIA), incident response planning, disaster recovery, and business continuity planning. Additionally, it discusses the roles of various teams involved in CP, the process of incident detection and response, and the significance of post-incident reviews to improve future responses.

Uploaded by

mzeeshanif

Planning for Contingencies

Contingency Planning (CP): planning for unexpected events

A contingency plan is the way that your team should react if there is something that interrupts the normal course of business.

It is how organizational planners position their organizations to prepare for, detect, react to, & recover from events that threaten the security of info resources & assets.

Main goal: restoration to normal modes of operation with minimum cost & disruption to normal business activities after an unexpected event.

Contingency Planning vs. Risk Management
• Contingency planning and risk management are closely related but different processes.
• Contingency planning addresses the "what if" situations and develops a plan that will work around those situations. Risk management is a proactive approach that companies use to prevent loss or disasters.
• So rather than being reactive like a contingency plan, a risk management plan looks to stop adverse events from happening in the first place.
CP Components

 Business Impact Analysis (BIA): identifies the critical components
 Incident response planning (IRP): focuses on immediate response
 Disaster recovery planning (DRP): focuses on restoring operations at the primary site after disasters occur
 Business continuity planning (BCP): facilitates establishment of operations at an alternate site

To ensure continuity across all CP processes during the planning process, contingency planners should:
 Identify mission- or business-critical functions
 Identify resources supporting critical functions
 Anticipate potential contingencies or disasters
 Select contingency planning strategies
 Implement selected strategy
 Test & revise contingency plans

Four teams are involved in CP & contingency operations:
 CP team
 Incident recovery (IR) team
 Disaster recovery (DR) team
 Business continuity plan (BC) team


BIA
Business Impact Analysis
• Purpose: foundation for initial planning; investigates and assesses the impact of adverse events on the organization.
• Differentiation from risk management:
  • Focuses on the impact after controls have failed or been bypassed.
  • Assumes the worst has happened and evaluates the organization's response, damage minimization, recovery, and return to normal operations.
BIA – Three Steps
1. Determine and identify mission/business processes and recovery criticality
   • Impact of a system disruption on those critical systems
   • Determine outage impacts and estimated downtime
2. Identify resource requirements to resume critical processes quickly
3. Identify recovery priorities for system resources
   • Discover critical metrics to determine appropriate actions
   • System resources can be linked more clearly to critical mission/business processes and functions
   • Recovery in proper sequence is often needed

Recovery Measures:
• Recovery Time Objective (RTO): the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported business processes, and the maximum tolerable downtime.
• Recovery Point Objective (RPO): the point in time before a disruption or system outage to which business process data can be recovered after an outage, given the most recent backup copy of the data.
• Difference between RTO and RPO:
• Maximum Tolerable Downtime (MTD): the total amount of time the system owner or authorizing official is willing to accept for a business process outage or disruption. The MTD includes all impact considerations.
• Work Recovery Time (WRT): the amount of effort (expressed as elapsed time) needed to make business functions work again after the technology element is recovered. This recovery time is identified by the RTO.

[Figure: illustration clarifying the distinction between recovery time and recovery point objectives]
[Figure: Determining MTD and RTO]
[Figure: Determining RPO]
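The four measures above are related: the MTD is the budget for the whole outage, the RTO is the part spent getting the technology back, and what remains is the WRT (MTD = RTO + WRT), while the RPO is measured against the last backup taken before the disruption. The script below, an added example that is not part of the slides, checks an outage timeline against these objectives; the process name, objective values and backup times are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed objectives for one business process (assumed values, not taken from the slides).
OBJECTIVES = {
    "payroll": {
        "mtd": timedelta(hours=24),  # Maximum Tolerable Downtime for the business process
        "rto": timedelta(hours=16),  # Recovery Time Objective: technology back in service
        "rpo": timedelta(hours=4),   # Recovery Point Objective: tolerable data loss
    },
}


def hours(td):
    return td.total_seconds() / 3600


def work_recovery_time(mtd, rto):
    """WRT is what remains after the technology is restored for the business
    function to be working again, i.e. MTD = RTO + WRT (the NIST SP 800-34 relation)."""
    if rto > mtd:
        raise ValueError("RTO cannot exceed MTD")
    return mtd - rto


def data_loss_window(backup_times, outage_start):
    """Actual data loss is the gap from the last backup taken before the outage
    to the outage itself; a backup taken after the outage started cannot be used."""
    usable = [b for b in backup_times if b <= outage_start]
    return outage_start - max(usable) if usable else None


def assess_outage(process, outage_start, system_restored, business_resumed, backup_times):
    """Compare what actually happened against the objectives; returns one finding
    per missed objective (an empty list means every objective held)."""
    obj = OBJECTIVES[process]
    wrt = work_recovery_time(obj["mtd"], obj["rto"])
    actual_rto = system_restored - outage_start
    actual_wrt = business_resumed - system_restored
    actual_mtd = business_resumed - outage_start
    findings = []
    if actual_rto > obj["rto"]:
        findings.append(f"RTO missed: technology down {hours(actual_rto):.0f}h, objective {hours(obj['rto']):.0f}h")
    if actual_wrt > wrt:
        findings.append(f"WRT missed: business work took {hours(actual_wrt):.0f}h, budget {hours(wrt):.0f}h")
    if actual_mtd > obj["mtd"]:
        findings.append(f"MTD exceeded: process out {hours(actual_mtd):.0f}h, tolerable {hours(obj['mtd']):.0f}h")
    loss = data_loss_window(backup_times, outage_start)
    if loss is None:
        findings.append("RPO missed: no backup predates the outage")
    elif loss > obj["rpo"]:
        findings.append(f"RPO missed: {hours(loss):.0f}h of data lost, objective {hours(obj['rpo']):.0f}h")
    return findings


def demo_findings():
    """Constructed timeline: nightly 00:00 backups, outage at 02:00 on 1 March,
    technology restored 12h later, business working again 26h after the outage."""
    backups = [datetime(2024, 3, 1, 0, 0), datetime(2024, 3, 2, 0, 0)]
    return assess_outage("payroll",
                         datetime(2024, 3, 1, 2, 0),
                         datetime(2024, 3, 1, 14, 0),
                         datetime(2024, 3, 2, 4, 0),
                         backups)


if __name__ == "__main__":
    for line in demo_findings():
        print(line)
```

In the constructed timeline the RTO and RPO are met, yet the MTD is still exceeded because the work recovery time after the technology came back used up more than the 8 hours left in the budget.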
• Person A is a compliance officer. He is planning to develop backup policies and procedures for electronic data and hard copy. What is the most critical factor he needs to comply with?
a) RPO established by the organization
b) MTD established by the organization
c) RTO established by the organization
d) WRT established by the organization
Incident Response Plan (IRP)

What is an INCIDENT?

Term: Event
Definition: Any observable occurrence in a system or network that may or may not have security implications. Not all events are harmful.
Impact: Low or none; may be routine or benign.
Examples: a user login; a firewall log entry; a scheduled file backup

Term: Incident
Definition: An event or series of events that actually or potentially jeopardize the confidentiality, integrity, or availability (CIA) of information.
Impact: Medium to High; requires investigation and possibly mitigation.
Examples: malware infection; unauthorized access; phishing attack; data center fire

Term: Disaster
Definition: A severe incident causing major disruption to business operations, IT infrastructure, or data, typically requiring disaster recovery plans and invoking business continuity procedures.
Impact: Very High; can halt operations and cause long-term damage.
Examples: ransomware attack encrypting all systems; natural disasters affecting IT
Incident Response Plan (IRP):
Detailed set of processes & procedures that anticipate, detect, & mitigate the impact of an unexpected event that might compromise information resources & assets

Before the incident ...
 Planners develop & document the procedures that must be performed during the incident
 These procedures are grouped & assigned to various roles
 Planning committee drafts a set of function-specific procedures

Before the incident ...
Planners draft a set of procedures, those tasks that must be performed in advance of the incident, including:
 Details of data backup schedules
 Disaster recovery preparation
 Training schedules
 Testing plans
 Copies of service agreements
 Business continuity plans
How do you detect an incident?

Is an event routine system use or an actual incident?

Incident classification: process of examining a possible incident & determining whether or not it constitutes an actual incident

Initial reports from ...
 end users,
 intrusion detection systems (IDS),
 host- & network-based anti-virus software, and sysadmins
(Example: RSA Data Loss Prevention)
... are all ways to track & detect incident candidates

Careful training allows everyone to relay vital information to the IR team

Possible indicators of a security incident
 Unfamiliar files
 Unknown programs or processes
 Unusual consumption of computing resources
 Unusual system crashes
 Activities at weird times
 Presence of new accounts
 Reported attacks
 Notification from IDS

Definite indicators of a security incident
 Use of dormant accounts
 Changes to logs
 Presence of hacker tools
 Notifications by partner or peer
 Notification by hacker

Occurrences of actual incidents:
 Loss of availability
 Loss of integrity
 Loss of confidentiality
 Violation of policy
 Violation of law
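Three of the indicators above (use of dormant accounts, activity at unusual times, presence of new accounts) can be checked mechanically against authentication logs, which is how an IR team turns "is this an event or an incident?" into a repeatable triage step. The script below is an added example, not material from the slides: the account inventory, the dormancy threshold, the business-hours window, the declaration threshold and the key=value log lines are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed account inventory: last login seen for each account before this
# log window (assumed values; a real deployment would read this from the directory).
INVENTORY = {
    "alice": datetime(2024, 3, 1, 17, 0),
    "bob": datetime(2024, 2, 28, 9, 0),
    "svc_legacy": datetime(2023, 9, 10, 8, 0),  # unused for months: a dormant account
}
DORMANT_DAYS = 90                 # assumed threshold for "dormant"
BUSINESS_HOURS = range(7, 19)     # 07:00-18:59, Monday to Friday (assumed)

# Constructed sample events in a simple key=value format (not a real product's log).
# 2024-03-03 is a Sunday, 2024-03-04 a Monday.
SAMPLE_LOG = """\
2024-03-04T09:15:02 action=login user=alice src=10.0.1.20 result=success
2024-03-04T03:12:44 action=login user=svc_legacy src=10.0.1.99 result=success
2024-03-04T12:30:00 action=login user=bob src=10.0.1.21 result=failure
2024-03-03T22:05:10 action=login user=bob src=10.0.1.21 result=success
2024-03-04T10:00:00 action=account_created user=tmp_admin by=svc_legacy
"""


def parse(line):
    """Split '<iso timestamp> k=v k=v ...' into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(tok.split("=", 1) for tok in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def classify(ev):
    """Map one event to (category, indicator) using the slide's indicator classes,
    or return None when the event is routine (an event, not an incident candidate)."""
    ts, user = ev["ts"], ev.get("user")
    if ev.get("action") == "login" and ev.get("result") == "success":
        last_seen = INVENTORY.get(user)
        if last_seen is not None and ts - last_seen > timedelta(days=DORMANT_DAYS):
            return ("definite", f"use of dormant account {user}")
        if ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS:
            return ("possible", f"login by {user} at an unusual time ({ts:%a %H:%M})")
    if ev.get("action") == "account_created" and user not in INVENTORY:
        return ("possible", f"new account {user} created by {ev.get('by')}")
    return None


def triage(log_text):
    """Return every (category, indicator) pair found in the log text."""
    hits = (classify(parse(l)) for l in log_text.splitlines() if l.strip())
    return [h for h in hits if h is not None]


def should_declare(hits):
    """Incident classification: one definite indicator, or an accumulation of
    possible ones (threshold assumed here), turns candidates into a declared incident."""
    definite = sum(1 for cat, _ in hits if cat == "definite")
    return definite > 0 or (len(hits) - definite) >= 3


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for cat, why in hits:
        print(f"[{cat}] {why}")
    print("declare incident:", should_declare(hits))
```

Alice's weekday-morning login and Bob's failed attempt stay classified as routine events, while the dormant service account logging in at 03:12 is a definite indicator on its own.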
As soon as an incident is declared, the right people must be immediately notified in the right order
 Alert roster: document containing contact information of individuals to be notified in the event of an actual incident, either sequentially or hierarchically
 Alert message: scripted description of the incident
 Other key personnel must also be notified, but only after the incident has been confirmed and before media or other sources find out
Facts gathered from initial triage:
• The emails utilized language that made the email appear to be urgent
• After speaking with Bob, he stated that he had received a similar email and he did enter credentials, but the URL did not work
As a result of the initial triage, it is determined that this is an incident which requires the incident response team to be mobilized
As a result of an investigation the key facts are:
Origin:
• The initial email was sent to Bob 2 months ago
• The email was sent from a Gmail account
• It also contained a URL, the same as the one sent to HR
URL:
• Fake link that led to a counterfeit Microsoft 365 login page
• No payload was downloaded when the link was clicked
Other:
• All of HR received the email from Bob
• Half of HR entered their login details
• Isolated to the HR department
Incident Containment

Essential task of IR is to stop the incident or contain its impact

Incident containment strategies focus on two tasks:
 Stopping the incident
 Recovering control of the systems

IR team can stop the incident & attempt to recover control by means of several strategies:
 Disconnect affected communication circuits
 Dynamically apply filtering rules to limit certain types of network access
 Disable compromised user accounts
 Reconfigure firewalls to block problem traffic
 Temporarily disable compromised process or service
 Take down conduit application or server
 Stop all computers & network devices

Containment and eradication actions taken by IT:
• All HR user passwords are reset
• Proxy changed and firewall rules updated
• Email filters applied to proactively block similar phishing attempts
• Access restricted from unknown malicious IP addresses
• Communication was sent to all staff members to raise awareness
Incident Escalation

An incident may increase in scope or severity to the point that the IRP cannot adequately contain the incident

Each organization will have to determine, during the business impact analysis, the point at which the incident becomes a disaster

The organization must also document when to involve outside response

Incident Recovery

Once the incident has been contained, & system control regained, incident recovery can begin
Damage Assessment
• Immediate determination of the scope of the breach of confidentiality, integrity, & availability of information & information assets is called incident damage assessment

Recovery Process
• Identify & resolve vulnerabilities that allowed the incident to occur & spread
• Address, install, & replace/upgrade safeguards that failed to stop or limit the incident, or were missing from the system in the first place
• Evaluate monitoring capabilities (if present) to improve detection & reporting methods, or install new monitoring capabilities
• Restore data from backups as needed
• Restore services & processes in use where compromised (& interrupted) services & processes must be examined, cleaned, & then restored
• Continuously monitor system
• Restore the confidence of the members of the organization's communities of interest
Before returning to routine duties, the IR team must conduct an after-action review (AAR)

AAR: detailed examination of events that occurred

All team members:
 Review their actions during the incident
 Identify areas where the IR plan worked, didn't work, or should improve
Mistakes
• Failure to appoint a clear chain of command with a specified individual in charge
• Failure to establish a central operations center
• Failure to know their enemy
• Failure to develop a comprehensive IR plan with containment strategies
• Failure to record IR activities at all phases, especially help desk tickets used to detect incidents
• Failure to document the events as they occur in a timeline
• Failure to secure and monitor networks and devices
• Failure to manage logs
Recommendations
• Acquire tools and resources that may be of value during incident handling
• Profile networks and systems
• Create a log retention policy
• Perform event correlation
• Record each and every step with a time stamp
• Prioritize handling of the incidents based on the relevant factors
• Obtain volatile data from the systems as evidence
• Obtain system snapshots through full forensic disk images, not file system backups
• Hold lessons learned meetings after major incidents
Ransomware
Scenario 2

• A member of the HR team has recently contacted the IT Service desk, reporting an issue with their files. Several key files used by staff within the HR dept have been discovered with a mysterious '.BZEAKDE' file extension. This unauthorized modification has rendered these files inaccessible to the team. It's worth noting that these files are currently stored on-premises since the company has not yet transitioned the HR system into the Azure cloud environment.
Question 1
• Based on the information provided in the scenario up to this point, how would you classify the severity of this incident?
• High
• Low
• Medium
• Need more information
Detection and Analysis
• The suspected incident is swiftly escalated to a member of the first response team, who isolates the HR server and performs an initial triage using the information that is available. It is discovered that:
• The threat actors have left a ransom note, asserting that they had exfiltrated sensitive data and encrypted vital files. The note indicated that the organization had fallen victim to the BlackCat ransomware group
• The file extension .BZEAKDE is associated with the BlackCat group
• The group is demanding a ransom of $50,000 to be paid in Bitcoin in the next 72 hours, or the data will be posted online
• The encrypted and exfiltrated files consist of personal documents, including staff contracts, medical information, payroll information and records of internal grievances
Question 2
• Who should be part of the incident response team during a ransomware incident?
• The IT dept only
• A cross-functional team including legal, IT, HR and senior management. This may also include any relevant or appropriate external parties
• External cybersecurity consultants exclusively
• Only individuals from the affected dept, i.e. HR
Detection and analysis
• It has been decided that the organization will not pay the ransom
• A virtual war room is established to allow the CIRT to discuss and share information. The war room is restricted to members of the CIRT only. All actions are documented.
• An initial assessment is conducted to identify any possible risks or issues that might arise during the organization's response
• The incident is classified as High
• A report is made to the National Cyber Security Centre to inform them
• A forensically sound image of the server is required and sent to a trusted 3rd party to conduct a digital forensic assessment to determine how the threat actors managed to gain access to the HR server. The objectives are identified and agreed by the CIRT
Detection and analysis
• The digital forensics assessment confirms that:
• On the HR server the threat actors managed to exploit a known vulnerability, escalate their privileges, and then take a copy of the usernames and passwords stored on the server
• The threat actors also managed to create their own accounts on the server to maintain persistence until their objective was complete
• The data was exfiltrated to a known cloud storage platform prior to deploying the ransomware
• The threat actors had managed to move laterally from a device used by a member of the HR department, using RDP. This device was subsequently isolated, and an image was taken to be analysed
• The threat actors had managed to social engineer a staff member using a phishing email. As a result, the staff member provided the threat actors with their domain credentials
• IoCs confirm that only two devices have been compromised
Containment
• All confirmed or suspected compromised credentials are changed
• Remote access/connections from any external sources are reviewed and blocked if non-essential
• Segment critical systems from the compromised environment
• A request is made to the cloud provider to delete any of the organization's data
• The integrity of the recent backups is reviewed to ensure that they haven't been compromised
• A communication strategy is identified and agreed by the CIRT
If your organization were to face a similar incident, at what step would/should your organization communicate with its staff?
• Detection and analysis
• Containment
• Eradication
• Recovery
• Post Incident
Eradication and Recovery
• CIRT decide that the HR server will be rebuilt (rather than replaced) by IT using known good media/images
• HR is provided with a known clean device
Post Incident Review
• Having a well-rehearsed cyber incident response plan is crucial. This should be a living document that is updated regularly.
• A post-incident review is key following any real incident or tabletop exercise. It is recommended this activity is held no later than 1-2 weeks after an incident, as details will soon be forgotten
• The post-incident review should answer the following questions at a minimum:
• What happened and when?
• What went well during the response effort?
• What didn't go well during the response effort?
• What does the organization need to do differently to limit the risk of this happening again?
• What security measures could the organization put into place to minimize the risk?
• The output of the post-incident review should be fed back into the organization's approach to cyber security and incident response
Exercises
1.
• Alice is an information security manager. She has requested documentation of detailed information about when an incident occurred, how bad it was, and how it was fixed, as well as the effectiveness of the incident response and any gaps that needed to be fixed. Which document is being referred to?
• A) Chain of evidence
• B) Chain of custody report
• C) Firewall analysis report
• D) Lessons learned report
2.
• Alice noticed a strange pattern of traffic while looking at the proxy logs. Several hosts on the inside were constantly talking to an external IP address over port 443. An incident was reported and a probe was started. After talking to the affected clients, the analyst found that the activity began right after a new patch installation. Based on this information, which of the following would be the next step in the investigation?
• A) Do a network scan to find any nefarious devices that might be causing the traffic, and take those devices off the network
• B) Find out what the destination IP is and who owns it, and look at the processes running on the affected hosts to see if the activity is malicious
• C) Install antivirus and validate the control's effectiveness
• D) Ask the desktop support staff to take a bit-by-bit image of all of the affected computers and reinstall the patch design soft
3.
• Alice's team received an incident ticket from the Operations Team regarding one system infected with a major virus. What will be the first step of the team to handle this situation?
• A) Finding the root cause of the incident
• B) Report to senior management
• C) Confirm and validate all details associated with the ticket
• D) Disconnect the impacted system from production
4.
• An organization has reacted to a security incident. The breach has been mitigated, and all systems have been recovered according to SLA and contract. What is the best action plan we can take to make sure a similar incident does not happen in our organization?
• A) Conduct a root cause analysis of the incident
• B) Inform the management of the business case
• C) Document the entire incident and share it with the other departments
• D) Validate the results and reduce the impact
5.
• In which stage of the IRP will the team immediately isolate and contain an incident, or otherwise disable complex systems or components like user accounts, servers, or workstations?
• A) Mitigation
• B) Reporting
• C) Remediation
• D) Lessons learned
6.
• ABC Limited operates a major consulting service in Europe. They need to comply with GDPR requirements. One day, the company was hit with a significant data breach and an incident response team, according to the incident report, was working on the situation. An organization must promptly report the breach details to customers and regulatory authorities within 72 hours. In which stage of the incident response process must the reporting be done?
• A) After confirming the incident and reducing the temporary impact, report the breach
• B) After the successful restoration of the system, report the breach
• C) After the post-incident report, documenting the breach
• D) After the user reports an incident to the help desk, then notifying the customer
7.
• At which stage of the incident response process does the team confirm the incident and identify the criticality and categorization of the incident?
• Response
• Detect
• Recovery
• Reporting
• Incident management team
• Problem management team
