
A Basic Guide to Advanced Incident Response


My talk from Tech Talk Live on building an intelligence driven threat intelligence capability.

Scott J. Roberts

May 05, 2014



  1. A Basic Guide to Advanced Incident Response

  2. Hi, I’m Scott

  3. SOC Analyst & Global Threat Analyst @ Symantec

  4. Security Consultant @ Mandiant* (* Acquired by FireEye)

  5. SOC Technical Lead & Focused Ops Team Deputy @ ManTech

  6. Senior Intelligence Specialist @ Vigilant* (* Acquired by Deloitte)

  7. Bad Guy Catcher @ GitHub

  8. None
  9. What I do all Day - Identify and respond to Security Incidents - Collaborate with 3rd parties to respond to their incidents - Build tools to assist those above

  10. Questions? I’m not done, just feel free to ask anything any time

  11. I should warn you: I always wanted to be a Spy. I blame watching too much James Bond as a kid…
  12. Intelligence Driven Incident Response

  13. Intelligence Cycle

  14. Intelligence Cycle

  15. Incident Response Process: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned

  16. Intelligence Cycle: Requirements, Collection, Processing, Analysis, Dissemination, Utilization & Feedback

  17. F3EAD: Find, Fix, Finish, Exploit, Analyze, Disseminate. While…

  18. OODA Loop: Observe, Orient, Decide, Act

  19. Intel To Collect

  20. Indicators - IP addresses - URLs & Domains - Malware - Hashes (Absolute & Fuzzy) - Capabilities (What it does, how it talks) - Certificates, Email addresses, User Agent Strings, etc
  21. Events

  22. Incidents: Groups of malicious events become…

  23. Campaigns: Groups of incidents become…

  24. Wikis for Great Justice - Wikis are great for dynamically structured data - Makes collaboration Easy - I’ve shared threat intel and incident templates (Linked at the End) - The Price is right…
  25. Developing Intelligence

  26. Online Services - Malicious IP Lists - IPVoid, URLVoid, & MyWOT - URLQuery & Wepawet - VirusTotal & Malwr - Shodan - CentralOps, Robtex, & IP2Location

  27. Vendor Info - Vendor Blogs, Reports & podcasts often have piles of data and indicators - Verizon’s Data Breach Investigations Report is a yearly favorite - Look for resources from companies like Mandiant/FireEye, Dell SecureWorks, AlienVault, and CrowdStrike. Just watch out… they’re trying to sell you something…
  28. Make Friends

  29. Work Chat...

  30. Personal Chat...

  31. Developing Your Own Intel - Think about what is important to determine who might attack and then decide how it could happen - Go “hunting” - Listen to your Users - Review & Iterate on your Own Incidents
  32. Building Intelligence Driven Incident Response

  33. Get Management Buy In

  34. Network Forensics Full packet capture, flow monitoring, & intrusion detection

  35. System Forensics: OR Alive Disk forensics & memory forensics…

  36. If it isn’t measurable it didn’t happen

  37. If you didn’t write it down it didn’t happen

  38. Trust your Gut

  39. Collaboration is key Internally & Externally Tactically & Strategically

  40. Every Incident Response Starts a Vulnerability Assessment. Every Vulnerability Assessment Starts An Incident Response. For one iteration… most of the time…
  42. Moscow Rules #8: Once is Accident, Twice is Coincidence, Three times is Enemy Action

  43. Slow is smooth, smooth is fast. Fast is Lethal
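Slides 21 to 23 describe the roll-up of events into incidents and incidents into campaigns, and slide 42 gives the rule for when repetition stops being noise. The following is an added example, not code from the talk, showing one way to wire both together: events are linked into an incident when they share an indicator of the kinds slide 20 lists, incidents are linked into a campaign when they share a capability (how the malware talks), and each incident is scored with Moscow Rule #8 by counting its events. The sample events, hosts, indicators and the `capability` field are constructed for the example.

```python
"""Events -> incidents -> campaigns, scored with Moscow Rule #8.
Added example; not code from the talk or its author."""
from collections import defaultdict
from typing import Callable, Dict, Iterable, List

# Constructed sample events. Each carries indicators of the kinds slide 20
# lists (IPs, domains, hashes, user agents, e-mail addresses) plus a
# "capability" note: what the malware does / how it talks. All values are
# made up for the example.
SAMPLE_EVENTS = [
    {"id": "e1", "host": "ws-01", "capability": "https-beacon",
     "indicators": {"ip:203.0.113.10", "sha256:1111"}},
    {"id": "e2", "host": "ws-07", "capability": "https-beacon",
     "indicators": {"ip:203.0.113.10", "domain:update.example.test"}},
    {"id": "e3", "host": "ws-02", "capability": "https-beacon",
     "indicators": {"sha256:2222"}},
    {"id": "e4", "host": "ws-09", "capability": "https-beacon",
     "indicators": {"domain:update.example.test", "ua:Mozilla/4.0 (compatible; bot)"}},
    {"id": "e5", "host": "mail-01", "capability": "phish-lure",
     "indicators": {"email:hr@example.test"}},
    {"id": "e6", "host": "ws-11", "capability": "https-beacon",
     "indicators": {"sha256:2222"}},
]


def cluster(items: List[dict], keys: Callable[[dict], Iterable[str]]) -> List[List[dict]]:
    """Union-find: items that share at least one key land in the same group.
    Groups come back ordered by their earliest member."""
    parent = list(range(len(items)))

    def find(i: int) -> int:
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path compression
            i = parent[i]
        return i

    first_seen: Dict[str, int] = {}  # key -> index of first item carrying it
    for idx, item in enumerate(items):
        for k in keys(item):
            if k in first_seen:
                parent[find(idx)] = find(first_seen[k])
            else:
                first_seen[k] = idx
    groups: Dict[int, List[int]] = defaultdict(list)
    for idx in range(len(items)):
        groups[find(idx)].append(idx)
    return [[items[i] for i in g] for g in sorted(groups.values(), key=lambda g: g[0])]


def moscow_rule_8(occurrences: int) -> str:
    """Slide 42: once is accident, twice coincidence, three times enemy action."""
    if occurrences <= 1:
        return "accident"
    if occurrences == 2:
        return "coincidence"
    return "enemy action"


def build_incidents(events: List[dict]) -> List[dict]:
    """Slide 22: events linked by a shared indicator become one incident."""
    incidents = []
    for n, grp in enumerate(cluster(events, lambda e: e["indicators"]), start=1):
        incidents.append({
            "id": f"INC-{n}",
            "events": [e["id"] for e in grp],
            "hosts": sorted({e["host"] for e in grp}),
            "indicators": set().union(*(e["indicators"] for e in grp)),
            "capabilities": {e["capability"] for e in grp},
            "assessment": moscow_rule_8(len(grp)),
        })
    return incidents


def build_campaigns(incidents: List[dict]) -> List[dict]:
    """Slide 23: incidents that share a capability are linked into a campaign."""
    campaigns = []
    for n, grp in enumerate(cluster(incidents, lambda i: i["capabilities"]), start=1):
        campaigns.append({
            "id": f"CMP-{n}",
            "incidents": [i["id"] for i in grp],
            "hosts": sorted(h for i in grp for h in i["hosts"]),
        })
    return campaigns


if __name__ == "__main__":
    incs = build_incidents(SAMPLE_EVENTS)
    for inc in incs:
        print(inc["id"], inc["events"], inc["assessment"])
    for cmp in build_campaigns(incs):
        print(cmp["id"], cmp["incidents"], cmp["hosts"])
```

With the constructed input, e1/e2/e4 chain together through the shared IP and domain (three events, so "enemy action"), e3/e6 share a hash ("coincidence"), and e5 stands alone ("accident"); the first two incidents share the `https-beacon` capability and roll up into one campaign. The capability link is the weakest part of the chain and is where an analyst, not the code, should make the call.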

  44. The IR Tools You Need At A Price You’ll ❤️

  45. GRR

  46. Moloch

  47. Suricata

  48. MIG & MIDAS - MIG is OpSec's platform for investigative surgery of remote endpoints - Platform Agnostic - By Mozilla (The Firefox people) - MIDAS is a framework for developing a Mac Intrusion Detection Analysis System - By Etsy (yes, that Etsy) & Facebook (Yes, also that Facebook) - Word to the Wise: These are platforms, not products…

  49. Yara

  50. Volatility - The Volatility Framework is a completely open collection of tools, implemented in Python […], for the extraction of digital artifacts from volatile memory (RAM) samples.
  51. Cuckoo Sandbox

  52. LogStash

  53. OSSIM

  54. + New Player: MozDef

  55. None
  56. $0 vs. $$$: GRR vs. Mandiant MIR; Cuckoo Sandbox vs. ThreatGrid; LogStash vs. Splunk; MozDef/OSSIM vs. ArcSight; MIDAS/MIG vs. Carbon Black

  57. sed/grep/jq etc. - Free, Scalable, Automatable, & Chainable - Command Line is your Friend

  58. cat *.json | jq '.[] | if .action == "user.login" then "\(.actor_ip), \(.actor)" else "" end' | sort | uniq | sed -e 's/"//g' > userlogin-ip-to-user.csv

  59. python, ruby, etc - Log Parsing and Manipulation - Automating tasks - Modifying and Extending tools - Building tools that simply don’t exist
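Slide 58 shows the jq one-liner that pulls login events out of JSON audit logs, and slide 59 names Python as the next step up for log parsing. The following is an added example, not the talk's code, that does the same job in Python and adds the pivot an analyst usually wants next: which users logged in from more than one address. It assumes the field layout the slide's jq expression uses (`action`, `actor_ip`, `actor`) and an array of records per file; the two sample files are constructed for the example.

```python
"""Python version of the slide's jq pipeline (added example, not the
talk's code): select user.login events from JSON audit logs and emit a
unique actor_ip -> actor CSV. Assumes the field names the slide's jq
expression uses: action, actor_ip, actor."""
import csv
import glob
import json
import sys
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample audit records, split across two "files" to mirror
# `cat *.json`. IPs are documentation ranges; users are made up.
SAMPLE_FILES = {
    "audit-1.json": json.dumps([
        {"action": "user.login", "actor": "alice", "actor_ip": "198.51.100.4"},
        {"action": "repo.create", "actor": "alice", "actor_ip": "198.51.100.4"},
        {"action": "user.login", "actor": "bob", "actor_ip": "203.0.113.9"},
    ]),
    "audit-2.json": json.dumps([
        {"action": "user.login", "actor": "alice", "actor_ip": "198.51.100.4"},  # repeat
        {"action": "user.login", "actor": "alice", "actor_ip": "192.0.2.77"},    # new IP
        {"action": "user.failed_login", "actor": "bob", "actor_ip": "203.0.113.9"},
    ]),
}


def login_pairs(json_docs: Iterable[str]) -> List[Tuple[str, str]]:
    """Equivalent of the jq filter plus `sort | uniq`: unique (actor_ip,
    actor) pairs for user.login events, sorted. Missing fields become ""
    rather than the literal "null" jq would print."""
    pairs = set()
    for doc in json_docs:
        for event in json.loads(doc):
            if event.get("action") == "user.login":
                pairs.add((str(event.get("actor_ip") or ""),
                           str(event.get("actor") or "")))
    return sorted(pairs)


def ips_per_user(pairs: Iterable[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Pivot to user -> sorted list of source IPs; a user seen from several
    addresses is the row worth a second look."""
    seen = defaultdict(set)
    for ip, actor in pairs:
        seen[actor].add(ip)
    return {user: sorted(ips) for user, ips in sorted(seen.items())}


def write_csv(pairs: Iterable[Tuple[str, str]], fileobj) -> None:
    """Write the pairs as real CSV (the csv module handles quoting, so the
    `sed -e 's/"//g'` step of the pipeline is not needed)."""
    writer = csv.writer(fileobj)
    writer.writerow(["actor_ip", "actor"])
    writer.writerows(pairs)


if __name__ == "__main__":
    paths = sys.argv[1:] or glob.glob("*.json")
    if paths:
        docs = [open(p, encoding="utf-8").read() for p in paths]
    else:
        docs = list(SAMPLE_FILES.values())  # fall back to the constructed sample
    pairs = login_pairs(docs)
    write_csv(pairs, sys.stdout)
    for user, ips in ips_per_user(pairs).items():
        if len(ips) > 1:
            print(f"# {user} logged in from {len(ips)} addresses: {', '.join(ips)}",
                  file=sys.stderr)
```

Run with no arguments to see the constructed sample, or pass the JSON files as arguments to replace the `cat *.json` step. The repeat login for alice collapses to one row, exactly as `sort | uniq` would do it, and the per-user pivot flags her second address on stderr so it does not pollute the CSV.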
  60. Conclusion… - Intelligence Driven Incident Response is the new Normal - Open Source is making $$$ less important than Intel - Collaboration is Key - When it's time to perform, the time to prepare is past

  61. Thanks

  62. Resources - Links: http://git.io/v8hDCw - Blog: sroberts.github.io - GitHub for Ed: education.github.com - Projects: github.com/sroberts - Email: sroberts@github.com - Twitter: @sroberts