
Deep Impact: Explore the Wide-Reaching Impact of a Cyberattack

Daniel Soo, Principal, Deloitte & Touche LLP. Mary Galligan, Managing Director, Deloitte & Touche LLP. LAB4-R04.


Presentation Transcript


  1. Deep Impact: Explore the Wide-Reaching Impact of a Cyberattack. LAB4-R04. Daniel Soo, Principal, Deloitte & Touche LLP; Mary Galligan, Managing Director, Deloitte & Touche LLP

  2. Cyber security needs are evolving
     • RESILIENT: Establish the ability to handle critical incidents, quickly return to normal operations, and repair damage to the business
     • VIGILANT: Establish situational risk and threat awareness across the environment to detect violations and anomalies
     • SECURE: Establish risk-prioritized controls to protect against known and emerging threats, and comply with standards and regulations
     Organizations need to transform legacy IT security programs into cyber risk programs.
     Business leaders are responsible for guiding response and recovery from a risk perspective.
     Rehearsing builds threat awareness and creates “muscle memory” for adaptive response.

  3. Introduction to cyber wargaming: Cyber wargaming is an interactive technique that immerses potential cyber-incident responders in a simulated cyber scenario to help organizations evaluate their cyber incident response preparedness

  4. Cyber resilience. Cyber wargames drive improvements in cyber resilience, including:
     • Stronger response capabilities aligned towards mitigating the highest impact risks of a cyber incident
     • Broader consensus on the appropriate strategies and activities to execute cyber incident response
     • Improved understanding of the people, processes, data, and tools needed to respond to a cyber incident
     • Better identification of gaps in cyber incident response people, processes, and tools
     • Enhanced awareness of the downstream impacts of cyber incident response decisions and actions
     • Tighter integration between parties likely to be collectively involved in the response to a cyber incident
     • Improved clarity regarding ownership of authority related to certain key cyber incident response decisions
     • Reduced time-to-response through the development of cyber incident response “muscle memory”

  5. Session logistics. Today’s session will consist of three parts…
     • Pre-Brief: 10 minutes
     • Simulation: 90 minutes
     • Debrief: 20 minutes

  6. Company profile: YouKnight Bank (YKB). The 6th largest diversified financial services company in the United States, primarily operating in four core segments – retail banking, corporate and institutional banking, asset management, and residential mortgage banking.
     • Locations: 2,704
     • Employees: 50,492
     • Headquarters: New York City, NY
     • Founded: April 2, 1923

  7. Company profile (cont’d). Technology environment:
     • Employees perform daily computing with traditional desktops and laptops
     • Cloud computing has not been widely deployed – plans for the capability have been proposed
     • Marketing and supply chain systems are managed by third parties
     • Transaction monitoring and the IT customer service help desk have been outsourced to India

  8. Participant roles. Players will assume the following roles within YouKnight Bank:
     • Chief Executive Officer
     • Chief Financial Officer
     • Chief Operating Officer
     • Chief Information Officer
     • General Counsel
     • Head of Communications & Public Relations
     • Chief Risk Officer
     • Chief Security Officer
     • Chief Customer Experience Officer

  9. Objectives
     • Identify the types of information, tools, and capabilities needed to effectively support cyber incident response
     • Explore the interaction model for third parties (e.g., law enforcement, regulators)
     • Understand the role of executive leadership in cyber incident response

  10. How to play
     Make decisions.
     • Describe your thought process, including your assumptions, out loud
     • Articulate how the decision will be executed
     Consult others.
     • Engage directly with other players
     • Inform the facilitator if you want to speak to a non-player
     Review injects.
     • Review inject content in its entirety
     • Determine actions you will take and / or decisions you will make

  11. Leading practices
     • Prioritize decision-making based on impact
     • Focus on the emerging crisis over the symptoms of the incident
     • Act decisively – have a clear, ongoing decision-making process

  12. We are about to begin…

  13. [ YKB Commercial ]

  14. It is now 9:15 AM on April 19th

  15. [ Incoming Ransom Video ]

  16. [ Hackme Video ]

  17. 10 hours until 8:00 PM deadline

  18. 2 hours until 8:00 PM deadline

  19. It is now 8:00 PM on April 19th

  20. Moving forward to the next morning… It is now 9:00 AM on April 20th

  21. [ Boardroom Video ]

  22. [ Email message: COO, youknightbank.com. This message was sent with High importance. ]
     • Heads up – XChange has now been offline for 2 hours. Until it comes back up, interbank transaction clearing and settlement will not be functional across the bank.
     • We have all hands on deck investigating the cause, but haven’t found anything yet. Per our continuity plan, the incident response team has been invoked; but it’s really not clear what we should be doing. Like many of our other systems, XChange appears to be operating within parameters – except that it’s not working…
     • As you know, XChange is a Tier-1 application and we need it to complete our end-of-day transactions. But, given how everything looks, I am looking for your input on how to proceed. Should we:
        • Continue our investigations and hope that we find the cause of the outage and a solution; or
        • Initiate disaster recovery right away. If we go down this path, we should be back online in 36 hours, but most critical systems would be offline until then (we have to fail over everything at the same time, we can’t do it in pieces).
     • Also, as you know, we haven’t been able to renew our incident response retainer due to the vendor’s push for indemnification. Still, we need more skilled resources to perform detailed technical investigation... Can we push through ASAP?
     • Tyler

  23. Moving forward 1 hour… It is now 10:00 AM on April 20th

  24. [ Web page: YouKnight.com/ YouKnightBank ]
     Page navigation: Open an Account, Español, Retail / Personal, Corporate, Asset Management, Mortgage. Secure Sign-in: Online ID, Passcode, Save Online ID, Sign In, Forgot ID, Forgot Passcode, Enroll, Security & Help.
     Messages shown on the page:
     • We gave you a chance, you didn’t take it. Now you’ve been served. Repent or more will come.
     • Lose more than just your interest payments when you accept a loan from YouKnight…
     • Get a loan, lose a house!
     • #Hackme MORAL FAILURE: YouKnight Bank bet on your American Dream and won. They profited billions on the subprime mortgages they sold to their NINJA customers, and what did you get? You got EVICTED.

  25. Moving forward 2 hours… It is now 12:00 PM on April 20th

  26. [ News Video ]

  27. [ Revolving Logo ]

  28. Moving forward 6 hours… It is now 6:00 PM on April 20th

  29. [ Email message: All Personnel, youknightbank.com. This message was sent with High importance. ]
     Valued employee,
     At approximately 5:00 p.m. today, there was a water main break near your location. Because the water main break is so close to power gridlines, access to your location will be prohibited until further notice. We will provide further instructions when access to the building is reinstated. Thank you for your patience and cooperation.
     - Physical Security

  30. Moving forward to the next day… It is now 11:00 AM on April 21st

  31. [ Social media page ] ouKnight Bank Connectin YouKnight YouKnight. Home, Sign Up, Shop Now, Vote, Message, Subscribe, Company, Watch video, Search for posts on this Page, Invite friends to subscribe.
     • YouKnight (20 hrs, Edited): What are you saving up for? A new car? A summer vacation? Stop by today to learn how you could be earning more on your savings! #moneyinthebank #savingisgaining
     • +357,937 votes; 57,821 people commented; 351,102 people subscribed to this; 79,526 Reshares
     • Roberta Landry: How can you provide tips when your employees don’t even bother to show up and you can’t open your stores? #YouNotThere
     • 450,916 people have been here; +21 votes; Comments 19,203; 1 hrs
     • Dave Hestle: I’m saving for a new house since they took mine! You’re better off not being able to get in… #YouKnightYouNever

  32. chatNholler #YouNotYouKnighted Marco 1642 new hollers New to chatNholler? Sign up now to get your own personalized timeline! Sign up

  33. Moving forward 2 hours… It is now 1:00 PM on April 21st

  34. [ Voicemail: CM&H LTE, 1:00 PM, 0:03 / -0:20 ] “This is Special Agent Doug Dominose with the FBI. I’m headed to YouKnight headquarters now - should arrive within the hour. Can you see to it that someone is available to meet with me?”

  35. Moving forward 3 hours… It is now 4:00 PM on April 21st

  36. [ Email message: CFO, youknightbank.com. This message was sent with High importance. ]
     As you are likely aware, the media is reporting that YouKnight Bank has experienced a widespread technology outage rendering it unable to accurately and securely perform transactional duties within the interbank network. Due to the far reaching implications of the outage on members of the financial community, we will be monitoring the situation and conducting an investigation to determine if certain penalties may apply. Please provide any input you feel will be valuable to our discovery efforts. I’ll be available at +1 (212) 555-3464 if you would like to speak by phone.
     Thanks, Kevin Sumner, Senior Bank Examiner - Federal Reserve Bank

  37. The wargame has ended.

  38. [ Debrief Video ]

  39. Cyber wargaming lessons learned
     1. Cyber events have an accelerated rate of escalation and unfold more ambiguously than traditional crises
     2. The scope of incident responders expands well beyond technology during cyber incident response
     3. Impacts resulting from actions and decisions during cyber incident response, even at a low level, are greater and broader than those of a traditional incident

  40. Cyber Incident Response Success
     • Executive Management: Educate executives on crisis communication plans and their associated responsibilities. Setting tone at the top of organizational hierarchies has cascading impacts.
     • Legal, Risk, & Compliance: Determining legal, regulatory, and compliance issues in the midst of a crisis is a bad place to be. Prepare ahead and incorporate these considerations into the CIR plan.
     • The Plan: Simple, flexible and distributed plans provide guidance to responsible parties throughout the organization. Understand where external help is needed and have contracts and capabilities in place beforehand.
     • Cyber Response Team: Carefully select CIR team members and confirm they have the requisite skills and experience to perform responsibilities outlined in the plan.
     • Cyber Education: Prevent your plans from becoming “shelf ware” by training your CIR team periodically.
     • Supported by Technology: Organizations should embrace technologies that enable operational resiliency and proactive detection and response capabilities.
     • Operations: Involve business operations in cyber Incident Response planning so that mission critical processes and systems are available when crises occur.
     • Simulate the Event: Simulate realistic incidents regularly. By exercising the plan, organizations can build “muscle memory” and respond more effectively and consistently.

  41. Designing an effective cyber wargame
     • Relevance to the Business: Effective cyber wargame exercises are built from the ground up to reflect an organization’s specific business context, organizational structure, operating procedures, systems, data, etc. Exercises should be designed so that outcomes will impact how the business will make decisions moving forward.
     • Realism for the Players: Effective cyber wargame exercises leverage a carefully selected combination of high-fidelity injects designed to mimic the real world. Injects are revealed based upon player actions and decisions, typically via: briefed actors, pre-recorded audio, live phone calls, pre-recorded video, paper content. Players will respond more realistically to realistic injects – leading to improved identification of strengths and weaknesses.
     • Readiness to Embrace Challenges: Effective cyber wargame exercises involve participants that are excited to embrace cyber challenges and ready to remediate identified weaknesses. Common outcomes include the need to improve capabilities related to: cyber incident response, threat intelligence, IS risk assessment, cyberforensics, core security services, user ID management.
     Other diagram labels: The Facilitator, Report, Debrief, Technical resilience, Business engagement, Delivery, Scenario, Audience, Objectives, Business context
