Wed, May 01 | Virtual Event
Under Fire - Lessons Learned in OT Incident Response
DETAILS
May 01, 2024, 1:00 PM – 2:30 PM EDT
Virtual Event
ABOUT
Operational technology (OT) systems face a rising number of cyber security incidents. Some well-known OT incidents were targeted attacks; more commonly, IT-specific incidents indirectly impact OT. Whether it is an OT-targeted attack, an IT ransomware attack that indirectly shuts down operations, or old Windows malware carried in on an infected USB drive, they all cause headaches for the unprepared.
This session discusses practical OT incident response approaches that leverage existing people, processes, tools, and relationships, for example:
• Theory of 99: almost all threat activity happens in Windows & Linux systems.
  o There is large overlap across bad actors' TTPs targeting IT & OT networks. While involving OT experts is key, most IR collection & analysis in OT environments is like IR in IT environments.
  o Most organizations have existing DR & business continuity plans for OT; the win is in injecting cybersecurity into them.
• OT playbooks are key in IR preparation.
  o Mandiant's DFIR for OT framework guides preparation for incidents involving embedded systems. Fewer tools for OT device forensics are available than for Windows & Linux, so we use the available PLC & RTU logs and what the vendor software collects & analyzes. We have released 2 embedded DFIR tools, but OT vendors must often help with forensic analysis of proprietary PLCs.
  o Often OT field SMEs already perform most preparation & collection steps routinely for maintenance. Writing their steps, tools, & processes into a playbook will make IR more effective.
  o Playbooks covering these use cases are crucial:
    - Commodity malware in OT
    - Ransomware / wiper malware in OT
    - OT credential compromise
    - OT protocol attack
• Incident response training & tabletop exercises are key.
  o Assess OT IR capabilities across IT, OT, & with OT vendors. Do you have an IR retainer with an outside provider?
I will discuss lessons learned from several recent real-world OT incidents. No identifying information will be shared, only technical details of the OT IR process.
Speaker
Chris Sistrunk
Technical Leader at Mandiant
(CS)²AI Founding Fellow
Register Here: https://attendee.gotowebinar.com/register/113978013006272341?source=05012024Orgsite