
Cyber Incident Response Plan and Tabletop Exercise

Elaine Johns
EnerVision, Inc.
September 21, 2017
1
Your Facilitators Today

Elaine Johns, President/CEO, EnerVision
Jacek Szamrej, VP, Cybersecurity, SEDC
2
Objectives

- What is an Incident Response Plan?
- Tabletop Exercise
3
Incident Response Planning

What?
An incident response plan (IRP) is a set of written instructions for detecting, responding to and limiting the effects of an information security event.

Why?
- Ensures proper detection of an attack
- Ensures proper protocol is followed to contain a violation of confidentiality, integrity or availability of information
- Is a PCI DSS requirement
- Is the same reason why you have an ERP
4
Incident Response Phases

1. Preparation
2. Detection and Analysis
3. Containment, Eradication, and Recovery
4. Post-Incident Activities
5
Incident Response Phases

Source: NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
6
From SEDC's ISPL

Information Security Incident Policy
- Incident Response Plan
- Incident Response Form
- Incident Response Contact List
7
IRP Implementation Steps

1. Adopt Incident Management Policy
2. Adopt Incident Response Plan
   A. Establish Response Team and define roles
   B. Define communication guidelines
   C. Define detection capabilities (in-house or contractor)
   D. Define analysis capabilities (in-house or contractor)
   E. Define tools inventory (disk images, etc.)
3. Conduct tabletop exercise
8
Source: SEDC ISPL
9
TABLETOP EXERCISE
10
Tabletop Exercise (TTX)

Goals:
- Prepare you to conduct a TTX at your home utilities
- Simulate steps for each incident response phase
- Identify takeaways and next steps
11
TTX Ground Rules

- Everyone speaks
- Respect the speaker
- No idea is dumb
- Avoid bar discussions
- Stay on schedule
12
TTX Structure

Injects and Responses
- One Scribe and one Speaker selected (volunteered) per table
- 2 injects (describing incident events), introduced one at a time
- Table discussions on what actions should be taken
- Short description of responses written on a flipchart and posted on the wall
- After each inject, 2 different tables present their responses

Hot Wash
- After the exercise, group debrief using the Hotwash format
13
Bison Valley Electric Cooperative

- Distribution electric utility with 55,000 members
- Has an AMI system
14
TTX: Inject 1

Jan. 5: MDM showing energy usage anomalies with 3 residential accounts
Jan. 6: Number of anomalies grows by 8 accounts
Jan. 7: More anomalies; BVEC receives a ransomware email (4 BTC ransom)
15
TTX: Inject 2

Jan. 8: BVEC activates Incident Response team; BVEC does not pay ransom; AMI is restored from backup
Jan. 9: BVEC received another request for 40 BTC ransom; hackers said that they will publish 20% of PII data of BVEC members
16
HOTWASH

- Feedback
- Top 3 Takeaways
- Top 3 Next Steps
17
For your free copy of SEDC's Information Security Program Library (ISPL):

https://www.sedata.com/cyber/

18