Daniel Soo Deep Impact: Explore the Wide-Reaching Impact of a Cyberattack

Uploaded On 2019-11-21



Presentation Transcript

Deep Impact: Explore the Wide-Reaching Impact of a Cyberattack
LAB4-R04
Daniel Soo, Principal, Deloitte & Touche LLP
Mary Galligan, Managing Director, Deloitte & Touche LLP

Cyber security needs are evolving

- Business leaders are responsible for guiding response and recovery from a risk perspective
- Rehearsing builds threat awareness and creates “muscle memory” for adaptive response

- SECURE: Establish risk-prioritized controls to protect against known and emerging threats, and comply with standards and regulations
- VIGILANT: Establish situational risk and threat awareness across the environment to detect violations and anomalies
- RESILIENT: Establish the ability to handle critical incidents, quickly return to normal operations, and repair damage to the business

Organizations need to transform legacy IT security programs into cyber risk programs

Introduction to cyber wargaming

Cyber wargaming is an interactive technique that immerses potential cyber-incident responders in a simulated cyber scenario to help organizations evaluate their cyber incident response preparedness

Cyber resilience

Cyber wargames drive improvements in cyber resilience, including:

- Better identification of gaps in cyber incident response people, processes, and tools
- Broader consensus on the appropriate strategies and activities to execute cyber incident response
- Stronger response capabilities aligned towards mitigating the highest impact risks of a cyber incident
- Improved understanding of the people, processes, data, and tools needed to respond to a cyber incident
- Tighter integration between parties likely to be collectively involved in the response to a cyber incident
- Enhanced awareness of the downstream impacts of cyber incident response decisions and actions
- Reduced time-to-response through the development of cyber incident response “muscle memory”
- Improved clarity regarding ownership of authority related to certain key cyber incident response decisions

Session logistics

Today’s session will consist of three parts…

- Pre-Brief: 10 minutes
- Simulation: 90 minutes
- Debrief: 20 minutes

Company profile

YouKnight Bank (YKB)

The 6th largest diversified financial services company in the United States, primarily operating in four core segments – retail banking, corporate and institutional banking, asset management, and residential mortgage banking.

- Locations: 2,704
- Employees: 50,492
- Headquarters: New York City, NY
- Founded: April 2, 1923

Company profile (cont’d)

Technology environment

- Employees perform daily computing with traditional desktops and laptops
- Cloud computing has not been widely deployed – plans for the capability have been proposed
- Marketing and supply chain systems are managed by third parties
- Transaction monitoring and the IT customer service help desk have been outsourced to India

Participant roles

Players will assume the following roles within YouKnight Bank:

- Chief Executive Officer
- Chief Financial Officer
- Chief Operating Officer
- Chief Information Officer
- General Counsel
- Head of Communications & Public Relations
- Chief Risk Officer
- Chief Security Officer
- Chief Customer Experience Officer

Objectives

- Understand the role of executive leadership in cyber incident response
- Identify the types of information, tools, and capabilities needed to effectively support cyber incident response
- Explore the interaction model for third parties (e.g., law enforcement, regulators)

How to play

Review injects.
- Review inject content in its entirety
- Determine actions you will take and / or decisions you will make

Make decisions.
- Describe your thought process, including your assumptions, out loud
- Articulate how the decision will be executed

Consult others.
- Engage directly with other players
- Inform the facilitator if you want to speak to a non-player

Leading practices

1. Act decisively – have a clear, ongoing decision-making process
2. Focus on the emerging crisis over the symptoms of the incident
3. Prioritize decision-making based on impact

We are about to begin…

[ YKB Commercial ]

It is now 9:15 AM on April 19th

[ Incoming Ransom Video ]

[ Hackme Video ]

10 hours until 8:00 PM deadline

2 hours until 8:00 PM deadline

It is now 8:00 PM on April 19th

It is now 9:00 AM on April 20th. Moving forward to the next morning…

[ Boardroom Video ]

From: Rice, Tyler (Director, Enterprise Applications)
To: Chief Operations Officer
Subject: URGENT: XChange offline
This message was sent with High importance.

Heads up – XChange has now been offline for 2 hours. Until it comes back up, interbank transaction clearing and settlement will not be functional across the bank. We have all hands on deck investigating the cause, but haven’t found anything yet.

Per our continuity plan, the incident response team has been invoked; but it’s really not clear what we should be doing. Like many of our other systems, XChange appears to be operating within parameters – except that it’s not working…

As you know, XChange is a Tier-1 application and we need it to complete our end-of-day transactions. But, given how everything looks, I am looking for your input on how to proceed. Should we:

- Continue our investigations and hope that we find the cause of the outage and a solution; or
- Initiate disaster recovery right away. If we go down this path, we should be back online in 36 hours, but most critical systems would be offline until then (we have to fail over everything at the same time, we can’t do it in pieces).

Also, as you know, we haven’t been able to renew our incident response retainer due to the vendor’s push for indemnification. Still, we need more skilled resources to perform detailed technical investigation... Can we push through ASAP?

Tyler

It is now 10:00 AM on April 20th. Moving forward 1 hour…

[ YouKnight.com web page ]

Lose more than just your interest payments when you accept a loan from YouKnight…

YouKnight Bank bet on your American Dream and won. They profited billions on the subprime mortgages they sold to their NINJA customers, and what did you get? You got EVICTED.

We gave you a chance, you didn’t take it. Now you’ve been served. Repent or more will come.

YouKnight Bank #Hackme

Get a loan, lose a house!

MORAL FAILURE

It is now 12:00 PM on April 20th. Moving forward 2 hours…

[ News Video ]

[ Revolving Logo ]

It is now 6:00 PM on April 20th. Moving forward 6 hours…

From: Physical Security
To: All Personnel
Subject: URGENT: Location closed due to water main breakage
Date: Thurs 04/20/2017 5:30PM
This message was sent with High importance.

Valued employee,

At approximately 5:00 p.m. today, there was a water main break near your location. Because the water main break is so close to power gridlines, access to your location will be prohibited until further notice. We will provide further instructions when access to the building is reinstated.

Thank you for your patience and cooperation.

- Physical Security

It is now 11:00 AM on April 21st. Moving forward to the next day…

[ YouKnight Bank social media page ]

450,916 people have been here. 351,102 people subscribed to this. 57,821 people commented.

YouKnight Bank (20 hrs, Edited): What are you saving up for? A new car? A summer vacation? Stop by today to learn how you could be earning more on your savings! #moneyinthebank #savingisgaining
+357,937 votes, 79,526 Reshares, Comments 19,203

Roberta Landry: How can you provide tips when your employees don’t even bother to show up and you can’t open your stores? #YouNotThere
+21 votes

Dave Hestle (1 hrs): I’m saving for a new house since they took mine! You’re better off not being able to get in… #YouKnightYouNeverYouKnight

[ chatNholler timeline: #YouNotYouKnighted ]

1642 new hollers

Katie Lane @musicmantra_KL89 • 8m
Glad you decided to give yourself a “holiday,” but I can’t afford a vacation cuz you still haven’t processed the check I deposited DAYS ago! @YouKnight, get back to work! #YouNotYouKnighted #YouClosed

James Arden @Arden_James • 29m
Hey, @YouKnight whether you cash my paychecks or not, I still have to pay rent. Waive the fee for overdrawing on my account or I’m taking my money elsewhere! #YouPay #YouNotYouKnighted

Ben Lee @bikerben003 • 42m
OMG some guy is going irate at YouKnight Bank right now – only one lady working the front desk and a line almost out the door. Guy’s at the back obvi. #YouLast #YouWait #YouMad #YouNotYouKnighted

Jeremy Jones MD @DrJeremyJones • 55m
Technology outage, crashing applications, website defacement… You about to go knight knight forever if you don’t get your ducks in a row. #YouFailing #YouNotYouKnighted #ClosingTime

Whitney Swift @Witty_Whitney82 • 1h
If you can’t keep your site safe, why should I believe you can keep my money safe!? These days, if the hackers aren’t stealing from you, the banks are. #KnightInTinfoil #YouNoHero #YouNotYouKnighted

Jacob Andrews @J_Andrew92 • 2h
@YouKnight - I understand that you may be experiencing “technical difficulties” but there is no excuse for treating your customers poorly #YouRude #YouNotYouKnighted #PoorCustomerService

It is now 1:00 PM on April 21st. Moving forward 2 hours…

Voicemail from Doug Dominose, New York City, New York, April 21, 2017 at 1:00 PM:

“This is Special Agent Doug Dominose with the FBI. I’m headed to YouKnight headquarters now - should arrive within the hour. Can you see to it that someone is available to meet with me?”

It is now 4:00 PM on April 21st. Moving forward 3 hours…

From: Sumner, Kevin (Federal Reserve Bank)
To: Chief Financial Officer
Subject: URGENT: Outage & Interbank Impact
Date: Fri 04/21/2017 4:00PM
This message was sent with High importance.

As you are likely aware, the media is reporting that YouKnight Bank has experienced a widespread technology outage rendering it unable to accurately and securely perform transactional duties within the interbank network.

Due to the far reaching implications of the outage on members of the financial community, we will be monitoring the situation and conducting an investigation to determine if certain penalties may apply. Please provide any input you feel will be valuable to our discovery efforts.

I’ll be available at +1 (212) 555-3464 if you would like to speak by phone.

Thanks,
Kevin Sumner
Senior Bank Examiner - Federal Reserve Bank

The wargame has ended.

[ Debrief Video ]

Cyber wargaming lessons learned

1. Cyber events have an accelerated rate of escalation and unfold more ambiguously than traditional crises
2. Impacts resulting from actions and decisions during cyber incident response, even at a low level, are greater and broader than those of a traditional incident
3. The scope of incident responders expands well beyond technology during cyber incident response

Cyber Incident Response Success

- Simulate realistic incidents regularly. By exercising the plan, organizations can build “muscle memory” and respond more effectively and consistently.
- Organizations should embrace technologies that enable operational resiliency and proactive detection and response capabilities.
- Simple, flexible and distributed plans provide guidance to responsible parties throughout the organization.
- Understand where external help is needed and have contracts and capabilities in place beforehand.
- Determining legal, regulatory, and compliance issues in the midst of a crisis is a bad place to be. Prepare ahead and incorporate these considerations into the CIR plan.
- Educate executives on crisis communication plans and their associated responsibilities. Setting tone at the top of organizational hierarchies has cascading impacts.
- Prevent your plans from becoming “shelf ware” by training your CIR team periodically.
- Carefully select CIR team members and confirm they have the requisite skills and experience to perform responsibilities outlined in the plan.
- Involve business operations in cyber Incident Response planning so that mission critical processes and systems are available when crises occur.

[ Diagram: Cyber Incident Response, surrounded by Legal, Risk, & Compliance; The Plan; Supported by Technology; Simulate the Event; Operations; Cyber Education; Cyber Response Team; Executive Management ]

Designing an effective cyber wargame

Realism for the Players

Effective cyber wargame exercises leverage a carefully selected combination of high-fidelity injects designed to mimic the real world. Injects are revealed based upon player actions and decisions, typically via:

- Paper content
- Live phone calls
- Pre-recorded video
- Briefed actors
- Pre-recorded audio

Players will respond more realistically to realistic injects – leading to improved identification of strengths and weaknesses.

Relevance to the Business

Effective cyber wargame exercises are built from the ground up to reflect an organization’s specific business context, organizational structure, operating procedures, systems, data, etc. Exercises should be designed so that outcomes will impact how the business will make decisions moving forward.

[ Diagram: The Facilitator, Delivery, Scenario, Audience, Objectives, Debrief, Business context, Report ]

Readiness to Embrace Challenges

Effective cyber wargame exercises involve participants that are excited to embrace cyber challenges and ready to remediate identified weaknesses. Common outcomes include the need to improve capabilities related to:

- IS risk assessment
- Cyber incident response
- Core security services
- Threat Intelligence
- Technical resilience
- Cyber forensics
- User ID management
- Business engagement