A Basic Guide to Advanced Incident Response

My talk from Tech Talk Live on building an intelligence-driven threat intelligence capability.


Scott J. Roberts

May 05, 2014


  1. A Basic Guide to Advanced Incident Response

  2. Hi, I’m Scott

  3. SOC Analyst & Global Threat Analyst @ Symantec

  4. Security Consultant @ Mandiant (acquired by FireEye)

  5. SOC Technical Lead & Focused Ops Team Deputy @ ManTech

  6. Senior Intelligence Specialist @ Vigilant (acquired by Deloitte)

  7. Bad Guy Catcher @ GitHub

  9. What I do all Day - Identify and respond to security incidents - Collaborate with 3rd parties to respond to their incidents - Build tools to assist with the above
  10. Questions? I’m not done, just feel free to ask anything any time
  11. I should warn you: I always wanted to be a Spy. I blame watching too much James Bond as a kid…
  12. Intelligence Driven Incident Response

  13. Intelligence Cycle

  14. Intelligence Cycle

  15. Incident Response Process: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned

  16. Intelligence Cycle: Requirements, Collection, Processing, Analysis, Dissemination, Utilization & Feedback

  17. F3EAD: Find, Fix, Finish, Exploit, Analyze, Disseminate. While…

  18. OODA Loop: Observe, Orient, Decide, Act

  19. Intel To Collect

  20. Indicators - IP addresses - URLs & Domains - Malware - Hashes (Absolute & Fuzzy) - Capabilities (what it does, how it talks) - Certificates, Email addresses, User Agent Strings, etc.
  21. Events

  22. Incidents Groups of malicious events become…

  23. Campaigns Groups of incidents become…

  24. Wikis for Great Justice - Wikis are great for dynamically structured data - Makes collaboration easy - I’ve shared threat intel and incident templates (linked at the end) - The price is right…
  25. Developing Intelligence

  26. Online Services - Malicious IP Lists - IPVoid, URLVoid, & MyWOT - URLQuery & Wepawet - VirusTotal & Malwr - Shodan - CentralOps, Robtex, & IP2Location
  27. Vendor Info - Vendor blogs, reports & podcasts often have piles of data and indicators - Verizon’s Data Breach Investigations Report is a yearly favorite - Look for resources from companies like Mandiant/FireEye, Dell SecureWorks, AlienVault, and CrowdStrike. Just watch out… they’re trying to sell you something…
  28. Make Friends

  29. Work Chat...

  30. Personal Chat...

  31. Developing Your Own Intel - Think about what is important to determine who might attack, and then decide how it could happen - Go “hunting” - Listen to your users - Review & iterate on your own incidents
  32. Building Intelligence Driven Incident Response

  33. Get Management Buy In

  34. Network Forensics Full packet capture, flow monitoring, & intrusion detection

  35. System Forensics: OR Alive Disk forensics & memory forensics…

  36. If it isn’t measurable it didn’t happen

  37. If you didn’t write it down it didn’t happen

  38. Trust your Gut

  39. Collaboration is key Internally & Externally Tactically & Strategically

  40. Every Incident Response starts a Vulnerability Assessment. Every Vulnerability Assessment starts an Incident Response. For one iteration… most of the time…
  41. Every Incident Response starts a Vulnerability Assessment. Every Vulnerability Assessment starts an Incident Response. For one iteration… most of the time…
  42. Moscow Rules #8 - Once: Accident - Twice: Coincidence - Three times: Enemy Action

  43. Slow is smooth, smooth is fast. Fast is lethal.

  44. The IR Tools You Need At A Price You’ll ❤️

  45. GRR

  46. Moloch

  47. Suricata

  48. MIG & MIDAS - MIG is OpSec's platform for investigative surgery of remote endpoints - Platform agnostic - By Mozilla (the Firefox people) - MIDAS is a framework for developing a Mac Intrusion Detection Analysis System - By Etsy (yes, that Etsy) & Facebook (yes, also that Facebook) - Word to the Wise: these are platforms, not products…
  49. Yara

  50. Volatility: The Volatility Framework is a completely open collection of tools, implemented in Python […], for the extraction of digital artifacts from volatile memory (RAM) samples.
  51. Cuckoo Sandbox

  52. LogStash

  53. OSSIM

  54. + New Player: MozDef

  56. $0 alternatives to commercial tools: GRR (vs. Mandiant MIR), Cuckoo Sandbox (vs. ThreatGrid), LogStash (vs. Splunk), MozDef/OSSIM (vs. ArcSight), MIDAS/MIG (vs. Carbon Black)
  57. sed/grep/jq etc. - Free, scalable, automatable, & chainable - The command line is your friend
  58. cat *.json | jq '.[] | if .action == "user.login" then "\(.actor_ip), \(.actor)" else "" end' | sort | uniq | sed -e 's/"//g' > userlogin-ip-to-user.csv
  59. python, ruby, etc. - Log parsing and manipulation - Automating tasks - Modifying and extending tools - Building tools that simply don’t exist
  60. Conclusion… - Intelligence Driven Incident Response is the new normal - Open Source is making $$$ less important than Intel - Collaboration is key - When it’s time to perform, the time to prepare is past
  61. Thanks

  62. Resources - Links: http://git.io/v8hDCw - Blog: sroberts.github.io - GitHub for Ed: education.github.com - Projects: github.com/sroberts - Email: sroberts@github.com - Twitter: @sroberts
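As an added example, not code from the talk, here is the slide 58 jq pipeline redone in Python (the scripting route slide 59 recommends), with the slide 42 rule of thumb applied to its output. The field names action/actor/actor_ip come from the jq filter on the slide; the audit-log records are constructed sample data.

```python
"""Slide 58 pipeline in Python plus the slide 42 "once/twice/three times"
rule. Added example; the events below are constructed, not real logs."""
import json
from collections import defaultdict

# Constructed sample audit log with the fields the slide 58 jq filter reads.
SAMPLE_LOG = json.dumps([
    {"action": "user.login", "actor": "alice", "actor_ip": "203.0.113.10"},
    {"action": "repo.create", "actor": "alice", "actor_ip": "203.0.113.10"},
    {"action": "user.login", "actor": "bob", "actor_ip": "203.0.113.10"},
    {"action": "user.login", "actor": "carol", "actor_ip": "203.0.113.10"},
    {"action": "user.login", "actor": "alice", "actor_ip": "203.0.113.10"},
    {"action": "user.login", "actor": "dave", "actor_ip": "198.51.100.7"},
])


def login_ip_to_user(raw_json):
    """Equivalent of `jq ... | sort | uniq`: keep only user.login events and
    return the unique (actor_ip, actor) pairs, sorted."""
    events = json.loads(raw_json)
    pairs = {(e["actor_ip"], e["actor"]) for e in events
             if e.get("action") == "user.login"}
    return sorted(pairs)


def moscow_rule(pairs):
    """Slide 42 heuristic per source IP: one distinct account is an accident,
    two a coincidence, three or more 'enemy action' (i.e. worth a look)."""
    actors = defaultdict(set)
    for ip, actor in pairs:
        actors[ip].add(actor)
    labels = {1: "accident", 2: "coincidence"}
    return {ip: labels.get(len(a), "enemy action") for ip, a in actors.items()}


def write_csv(pairs, path):
    """Same output format as the slide: 'ip, user' per line, no quotes."""
    with open(path, "w") as fh:
        for ip, actor in pairs:
            fh.write(f"{ip}, {actor}\n")


if __name__ == "__main__":
    rows = login_ip_to_user(SAMPLE_LOG)
    write_csv(rows, "userlogin-ip-to-user.csv")
    for ip, verdict in moscow_rule(rows).items():
        print(ip, verdict)
```

Shared office egress or VPN addresses will trip the rule, so treat "enemy action" as a lead to investigate, not a verdict.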