Incident Response Day

Thursday 19 January 2017

9.30am - 5.00pm

Anglia Ruskin University, Cambridge Campus, East Road, Cambridge, CB1 1PT
The meeting will be held in the Lord Ashcroft Building, Room LAB026 (Breakout Room LAB006 for networking & refreshments).
Please enter through the Helmore Building and ask at reception.

This event is free

Hosted by the Department of Computing & Technology, Anglia Ruskin University, British Computer Society (BCS) Cybercrime Forensics Specialist Group and OWASP (Open Web Application Security Project) Cambridge Chapter.

Provisional Agenda

  • 09:30 - 10:00 Registration & Refreshments (LAB026)
  • 10:00 - 10:15 Welcome from the OWASP Cambridge Chapter Leader, Adrian Winckles, Course Leader in Information Security & Forensic Computing, Anglia Ruskin University
  • 10:45 - 11:30 “National Cyber Security Centre’s Incident Response Strategy” - Peter Yapp - Deputy Director - Incident Management - National Cyber Security Centre (NCSC)
  • 11:30 - 12:15 “Malware Red Alert: the first 24 hours” - Steve Shepherd MBE, 7Safe/PA Consulting
  • 12:15 - 13:00 “Cyber resilience and Incident Response” Tony Drewitt, Head of Consultancy, IT Governance
  • 13:00 - 13:45 Lunch & Networking (LAB006)
  • 13:45 - 14:30 Chris Dye, Glasswall TBD
  • 14:30 - 15:15 Dr Jules Disso - Nettitude TBD
  • 15:15 - 15:45 Refreshments (LAB006)
  • 15:45 - 16:15 Benn Morris - 3B Data Security LLP TBD
  • 16:15 - 16:45 Canterbury Christchurch University Speaker TBD
  • 16:45 - 17: 00 Session Wrap Up & Close

It looks increasingly likely that 2016 is going to be “Year of the Data Breach” with more and more organisation’s than ever before becoming part of the self-fulfilling prophecy, “there are two types of organization, those who know they’ve been breached and those who don’t”. So what happens if despite your best efforts your defenses are ineffective and you suffer a data breach. Your organization needs to know how to handle the breach either internally and externally, who to inform and who to call. What is needed is “incident response”, an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident). The goal is to handle the situation in a way that limits damage and reduces recovery time and costs.

Guest speakers/Biography:

Peter Yapp - Deputy Director Incident Management for the National Cyber Security Centre (NCSC)

Before joining the NCSC, Peter was Deputy Director Operations for CERT-UK. Prior to CERTUK, Peter was the Information Security Advisor for Brecon Group and before that the Managing Director for Accenture’s global Computer Incident Response Team (CIRT) running a team of 50 based at five locations around the world. While there, he set up a cyber threat intelligence team and inputted into technical, policy and training initiatives. He also contributed to the maintenance of the largest ISO27001 certification in the world.

Prior to Accenture, Peter was head of Forensics and information security consulting at Control Risks in London. Peter devised and delivered information security awareness training courses for Oil and Gas clients around the world, specialised briefings on the threat of state sponsored espionage and a computer forensics training course for CISSPs. Peter reviewed and revised information security policy documents. He carried out IS Security (and ISO27001) reviews and gap analyses (and risk assessments) for the finance and manufacturing sectors. Peter carried out numerous computer investigations into fraud, abuse and misuse.

Before joining Control Risks in 1998, Peter was a Senior Investigation officer in the National Investigation Service of H.M. Customs & Excise. During this time he represented H.M. Customs & Excise at national and international conferences and seminars, speaking at Interpol on computer crime. He was a member of the British Home Office delegation to the G8 sub group on High Tech crime. Peter trained overseas agencies around the world.

Steve Shepperd MBE - Senior Forensic Consultant - 7Safe/PA Consulting

Steve leads the 7Safe Cyber Security Incident Response offering. Steve has extensive experience in conducting and directing forensic and hi-tech investigations having been involved in the discipline since the late the 1990’s. Steve has worked within the Civil Service, law enforcement and private industry, latterly employed as a cyber security specialist for a government intelligence agency prior to joining PA Consulting. Steve has been involved as a team member and team leader in myriad digital investigations ranging from civil to criminal and national security level incidents. Steve is also the lead developer and course manager for the Certified Malware Investigator course, the Certified Data Acquisition Technician course and is the author of our new Cyber Network Investigations course.

Tony Drewitt, Head of Consultancy - IT Governance

Tony leads IT Governance’s consultancy team. He works with clients to help them implement and comply with international standards such as ISO 27001 and ISO 22301 as well as other compliance frameworks such as the NHS Information Governance Toolkit and the UK Gambling Commission’s technical security standard. He has helped one of the first companies in the UK to achieve full certification under BS25999-2 (now ISO22301) and is currently delivering a number of ISO27001 ISMS projects for companies in the UK and overseas. He is also a leading business continuity author of ITGP titles A Manager’s Guide to ISO22301; ISO 22301: A Pocket Guide, and Everything You want to Know about Business Continuity. Tony is a full member of BCI and is a certified Lead Implementer and Lead Auditor for ISO 27001 and ISO 22301. He also holds CRISC, CISMP and ITIL Foundation certificates.

Presentation Abstracts

“Malware Red Alert: the first 24 hours” - Steve Shepherd MBE, 7Safe/PA Consulting

It’s Friday at 19:30. You are the acting manager of your organisation’s Security Operations Centre. You are working the graveyard shift with a colleague when...

Your SIEM alerts you to what may be the presence of a Trojan in your system. But before you have a chance to respond, you receive an email from a hacker making demands. The threat is that highly-confidential information has been stolen from your financial database. If the hacker does not receive £2 million by midnight on Sunday, they will put this data on the web just before your firm’s annual financial report, due for release on Monday, is published. Their motive: to cause panic among investors by undermining the credibility of your growth and profit forecasts with data that the hacker claims they have found in emails and report documents.

What do you do next to thwart the attack, contain the incident and prevent, or at least minimise, damage to your brand name and reputation in the markets?

Security incidents, both potential and actual, occur on a frequent basis. It is therefore important to accurately categorize incidents and prioritise the most severe. Evaluation is based on the impact that the data breach may have on business operations, the potential reputational risk and the time and cost of resources engaged in recovery.

Of critical importance is the effective gathering of key information about the attack in real time. Focusing on quick fixes should be avoided. It is important to clearly document all information collected/actions performed for subsequent analysis in a post incident review/lessons learned session. A clear plan must be established, including timeframes and ownership, to implement any required changes that will mitigate future risk.

Steve Shepherd MBE describes for the business audience a series of real life scenarios that will serve as a warning to Board members and SOC managers alike, as he shares his thoughts on how to apply the CREST Three-Phase CSIR model and invites the audience to role play with him in responding to this incident.

If you think that you understand incident response procedures from a ‘people, process and technology’ standpoint, be prepared to challenge what you deem to be fact during Steve’s practical talk and demonstration. The emphasis will be on knowledge transfer - and why software tools are never the whole answer.

“Cyber resilience and Incident Response” Tony Drewitt, Head of Consultancy, IT Governance

Tony will introduce today’s cyber threat environment and what it means in terms of security incidents. Cyber assurance techniques will be examined from 4 different perspectives, the conventional theme’s:-

  • People,
  • Processes and
  • Technology

but also examining Digital versus Physical security dimensions.

The talk will conclude with a discussion on cyber resilience versus incident response and if incident response is a necessity, what structure should it take.


OWASP (Open Web Application Security Project is a 501(c)(3) not-for-profit worldwide charitable organization focused on improving the security of application software. Their mission is to make application security visible, so that people and organizations can make informed decisions about true application security risks. The British Computer Society (BCS) Cybercrime Forensics Special Interest Group (SIG) promotes Cybercrime Forensics and the use of Cybercrime Forensics; of relevance to computing professionals, lawyers, law enforcement officers, academics and those interested in the use of Cybercrime Forensics and the need to address cybercrime for the benefit of those groups and of the wider public.

The Department of Computing & Technology at Anglia Ruskin University is enhancing its curricula and capabilities in information security following its successful BSc(Hons) Information Security and Forensic Computing pathway. Establishing a joint professional networking group with OWASP concentrating on aspects of computing and application security is a key part of this enhancement.