ENISA - EU strategies for cyber incident response

Posted on 14-Apr-2017


Transcript of ENISA - EU strategies for cyber incident response


unclassified

Dr Paulo Empadinhas, Head of Administration & Stakeholders Relations, European Union Agency for Network & Information Security

4th November 2016

www.CyberRescue.co.uk

ENISA – lessons for CEOs on how to respond to attack

European Union Agency for Network and Information Security

ENISA - Lessons for CEOs on how to respond to a cyber attack
Dr Paulo Empadinhas | Head of Administration & Stakeholders Relations

CEOs & Cyber Recovery | Athens | 04 November 2016


Background information

• "Strategies for Incident Response and Cyber Crisis Cooperation"
  - Link to the document: https://www.enisa.europa.eu/publications/strategies-for-incident-response-and-cyber-crisis-cooperation
• Prepared by ENISA as input for discussion for the Network and Information Security (NIS) Platform
  - Link to the platform: https://resilience.enisa.europa.eu/nis-platform
• Core material developed based on previous ENISA work in the field of
  - CSIRTs
  - Critical Information Infrastructure Protection (CIIP)
• Version 1.1 of August 2016 contains some updates in the light of the NIS Directive


Main topics

• Basic definitions and overview of incident response capabilities
• Incident response mechanisms
• Challenges in incident response
• Ways of enhancing incident handling cooperation
• Incident response in cyber security strategies


Definitions and incident response capabilities

• Basic definitions, such as:
  - Cyber/information security incident
  - Computer Security Incident Response Team (CSIRT), including CSIRT communities (e.g. TF-CSIRT, TI (Trusted Introducer), FIRST, the CSIRT network)
  - Constituency
• Overview of incident response capabilities
  - Formal capability (mandate)
  - Operational-technical capability
    • external services
    • internal services
  - Operational-organisational capability (e.g. human and technical resources, infrastructure)
  - Co-operational capability (e.g. cooperation with other stakeholders, also at international level)


Challenges in incident response

• Human resources at CSIRTs
  - Skilled IT security personnel are hard to find
• Processes and procedures
  - Need for a clear, concise, well-documented incident response plan
• Political and legal framework
  - Importance of an adequate political and legal framework that helps to define roles and responsibilities and enhance overall cooperation
• Technology: tools and data
  - Important decision between self-developed tools or services procured from vendors


Incident response mechanisms

Figure: Typical incident response process, retrieved from Good Practice Guide for Incident Management, ENISA, 2010, p. 37 - https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management


Incident response in cyber security strategies

• National cyber security strategy: high-level strategic framework for a nation's approach to cyber security
  - Key objectives of cyber security strategies (e.g. of the Cybersecurity Strategy of the European Union)
    • to develop cyber defence policies and capabilities
    • to achieve cyber resilience
    • to reduce cyber-crime
    • to support industry on cyber security
    • to secure critical information infrastructures
  - Key components
    • setting the vision, scope, objectives and priorities
    • identifying and engaging stakeholders
    • establishing trusted information-sharing mechanisms
    • developing national cyber contingency plans
    • organising cyber security exercises
    • establishing baseline security requirements
    • establishing incident reporting mechanisms
    • engaging in international cooperation
  - Important role of the national cyber security agency/centre, but also of the national and governmental CSIRTs


Ways of enhancing incident handling cooperation

• Cyber crisis cooperation and management
  - 3 levels of cyber crisis management
    • Strategic
    • Operational
    • Technical
• Mutual aid to boost preparedness
  - Both the public and private sectors to be involved in the mutual aid agreements
• Exercises to enhance incident handling cooperation
• CSIRT training to enhance capabilities, such as:
  - TRANSITS training
  - ENISA training material for the CSIRT community
• Link to ENISA's cyber security training material: https://www.enisa.europa.eu/topics/trainings-for-cybersecurity-specialists

Cyber Europe 2016: Cyber Exercises

Support

• Cyber exercise planning training courses
• Support in exercise planning (European Commission, EEAS, Eurocontrol, EU Agencies, ...)
• Cyber Exercise Platform, available for the organisation of exercises by EU Institutions (incl. Agencies) and Member States
• Technical Playground

Cyber Europe 2016: Overview and status update


What is the Cyber Europe series of exercises?

• Simulation of large-scale cybersecurity incidents and EU-wide cyber crises
• Business continuity and crisis management situations
• Advanced technical cybersecurity incidents
• Exciting scenarios, inspired by real-life events
• National and international cooperation
• Flexible learning experience


Goals

CE2016 high-level goals:
1. Test EU-level cooperation processes
2. Provide opportunities to test local-level cooperation processes
3. Train EU- and national-level capabilities


Setup

• Phase 1: Apr-Oct 2016: focus on technical knowledge enhancement
  - Technical 'challenge of the month' released on a regular basis
  - Build up the crisis, keep participants interested, train participants
• Phase 2: Oct 2016: two-day focus on cooperation and operations


Preliminary findings

• In the exercise scenario, a united EU cooperated, with the assistance of ENISA, to mitigate the largest and most sophisticated attack against Europe
• Companies from the ICT industry, financial institutions, hospitals and even the energy sector were under threat
• Companies dealt with ransomware, cloud service attacks, DDoS and war-dialling, as well as reputation attacks
• Response to new attack vectors such as drones, IoT infections and even attacks on core signalling systems such as the telecom signalling system SS7
• The cyber security community in the EU managed to solve difficult puzzles, and proved that cyber crisis preparedness has increased in the EU


Why should I participate in the next exercise?

• It is a great opportunity to test internal business continuity and IT security policies
• IT security teams get hands-on incident handling opportunities
• You can develop working relationships with competent national authorities and private stakeholders
• Find out who the actors at national and European level are when it comes to cyber crises
• Be part of the growing EU community of IT security specialists
• Have fun!


For other presentations: www.slideshare.net/kevduffey/presentations

Follow us - www.linkedin.com/company/cyber-rescue-alliance

• Practice your response in executive simulations
• Bespoke commercial response plan
• Commercial coach for cyber attack response