17 tweets, 9 min read
@willoram @smoothimpact 1) Make sure the company has good grasp of the actual risk the intrusion (or breach) posed, and what could have happened had the attacker had more time or succeeded with stuff they initially failed at.
@willoram @smoothimpact 2) Agree with the company on what is and isn’t acceptable risk with regard to this particular attacker, and under any circumstance, should your attacker profiling be wrong.
@willoram @smoothimpact 3) Make sure everyone agrees that resources are made available and that the task force given the responsibility to strengthen defenses, prevent reentry and mitigate risk has the necessary mandate. Keeping the crisis mgmt organisation active during this might be necessary.
@willoram @smoothimpact 4) Make sure you really understand the offensive techniques used, the vulnerabilities exploited (in a liberal interpretation of the phrase) and the assets and identities targeted, and prioritize these for awareness, prevention, detection and response.
@willoram @smoothimpact 5) Make sure this results in a concrete plan, but make room for it being changed whenever you find something new that should be part of the plan, because that will happen.
@willoram @smoothimpact 6) Have multiple workstreams. Don’t just focus on hardening and prevention, but work on awareness, detection and response capabilities too.
@willoram @smoothimpact 7) Test everything, including using a good red team. I grew up with QA for hardware and software, and this is a rule to live by:

If it isn’t tested it doesn’t work.
@willoram @smoothimpact 8) Prioritize anything that has to do with remote access and domain administration (in a liberal meaning of the phrase).
@willoram @smoothimpact 9) Segment and 2FA as much as possible, especially for admins.
@willoram @smoothimpact 10) If they didn’t already do centralized logging and end-point agents, get it done.
@willoram @smoothimpact 11) Make sure their SOC’s OODA loop is spinning fast enough. There is little in terms of tools that will get you all the way, so some integration, development and competency build-out will be necessary.
@willoram @smoothimpact 12) Make everyone realize APTs come back. Not always, but often. And that if you are in the crosshairs of one APT, you’re more likely to be in the crosshairs of more.
@willoram @smoothimpact 13) Keep a high readiness level while all this is going on. The crisis wasn’t over when you kicked them out. The crisis is over when you think you can keep them out.

mnemonic.no/globalassets/n…
@willoram @smoothimpact 14) Make sure that for everything happening, a manager somewhere is accountable. These 60 days can’t be “best effort”, they need to be your actual best effort, or the APT will get back in there.
@willoram @smoothimpact 15) Restructure the SOC and CSIRT. Unless this is a very special organization, they were not set up to fight APTs effectively. Almost no one is.

But these guys probably need to be.
@willoram @smoothimpact 16) Establish good partnerships, but do not go for full outsourcing, because APTs can’t be fought effectively from the outside. You need the full weight of the management structure to succeed.

</thread>
@willoram @smoothimpact P.S. 17) Actually, you need to assume that you didn’t succeed in kicking the attacker out. Assume you’re still breached.

Maintain STRICT communication OPSEC.