Deep breaths and lean the f**k in. A user's guide to Incident Response.

Presented at Kawaiicon 2 (2022) Rescheduled, July 1, 2022, 2:15 p.m. (30 minutes)

2020 was a whole vibe on its own, but 2021 has really bought its game in being a constant run of major cyber security events that have changed the global landscape around how we prevent and respond to these issues. From superpowers embedding themselves in ubiquitous software, relentlessly owning each other, to ransomware-as-a-service gangs fetching $5 and $11USD million a pop. Of course, in the meantime, scammers are scamming, phishing emails are relentless, and no one is actually selling new Adidas shoes for $30 from a real estate website.

The context in New Zealand over the past 12 months has reflected this. In high profile, high coverage incidents we've seen a DHB's and a hospital's online operations get crippled for months, our Reserve Bank threatened, countless data breaches and that's just the tip of the iceberg. So, what do you do when it happens to you? When you log in to your machine, and you see that angry little READ ME.txt file on your desktop? When you find your customer's creds show up in the latest breach? When you find some uninvited little webshells and another nation's flag as a banner on your site? When you've paid a $400,000 invoice to a recently changed bank account number - and now have a sick feeling in your stomach about whether that should have happened. There's really only one thing for it - take some deep breaths and lean the f**k in.

I've been working in the incident response field since Heartbleed, and I've seen a whole range of incidents, and the different ways that they're responded to. Excitingly for me, the last two or three years have seen a significant shift in the maturity of organisations' responses, particularly in both internal and public comms, and it's had a significant impact on the way that incidents are played out and recovered from.

Through this talk, I would like to cover off what we recognise as good incident response, key processes to have in place, the absolute importance of working with communications experts, and sometimes admitting to the public or your customers that you've made a boo boo, this is how bad it is, this is how we're fixing it, and this is how we're going to make sure it doesn't happen again.

Presenters:

• Nadia Yousef
  I'm Nadia Yousef, Country Manager for CISO Lens New Zealand - and the former Manager of Threat and Incident Response at CERT NZ. I've been working in cyber security incident response for enough years now that I've learned to accept that my nights and weekends are not my own. I lead New Zealand government and industry's response to several major incidents; and over the past few years have picked up insight into what IR done well looks like, and some traps that people fall into when things go sideways. I'd love to share some of those lessons with the Kawaiicon crew!

Links:

• https://kawaiicon.org/talks/IR/

Similar Presentations:

• DEF CON 30 (2022) / Hundreds of incidents, what can we share?
• 31C3 (2014) / The Invisible Committee Returns with "Fuck Off Google": Cybernetics, Anti-Terrorism, and the ongoing case against the Tarnac 10
• Wild West Hackin' Fest 2019 / Campfire Stories - 15 minutes each