A Basic Guide to Advanced Incident Response

Transcript

1. A Basic Guide to Advanced Incident Response

2. Hi, I’m Scott

3. SOC Analyst & Global Threat Analyst @ Symantec

4. Security Consultant @ Mandiant* * Acquired by FireEye

5. SOC Technical Lead & Focused Ops Team Deputy @ ManTech

   International

6. Senior Intelligence Specialist @ Vigilant* * Acquired by Deloitte

7. Bad Guy Catcher @ GitHub

8. None

9. What I do all Day - Identify and respond to

   Security Incidents - Collaborate with 3rd parties to respond to their incidents - Build tools to assist those above

10. Questions? I’m not done, just feel free to ask anything

    any time

11. I should warn you: ! I always wanted to be

    a Spy I blame watching too much James Bond as a kid…

12. Intelligence Driven Incident Response

13. Intelligence Cycle

14. Intelligence Cycle

15. Incident response Process Preparation Recovery Lessons Learned Eradication Containment Identification

    Then…

16. Utilization & Feedback Analysis Processing Dissemination Collection Requirements Intelligence Cycle

17. F3EAD Find Analyze Disseminate Exploit Finish Fix While…

18. Observe Act Orient Decide OODA Loop

19. Intel To Collect

20. Indicators - IP addresses - URLs & Domains - Malware

    - Hashes (Absolute & Fuzzy) - Capabilities (What it does, how it talks) - Certificates, Email addresses, User Agent Strings, etc

21. Events

22. Incidents Groups of malicious events become…

23. Campaigns Groups of incidents become…

24. Wikis for Great Justice - Wikis are great for dynamically

    structured data - Makes collaboration Easy - I’ve shared threat intel and incident templates (Linked at the End) - The Price is right…

25. Developing Intelligence

26. Online Services Malicious IP Lists IPVoid, URLVoid, & MyWOT URLQuery

    & Wepawet Virus Total & Malwr Shodan CentralOps, Robtext, & Ip2location

27. Vendor Info - Vendor Blogs, Reports & podcasts Often have

    piles of data and indicators - Verizon’s Data Breach Investigations report is a yearly favorite - Look for resources from companies like Mandiant/FiReEye, Dell SecureWorks, AlienVault, and Crowdstrike Just watch out… they’re trying to sell you something…

28. Make Friends

29. Work Chat...

30. Personal Chat...

31. Developing Your Own Intel - Think about What is important

    to determine who might attack and then decide how it could happen - Go “hunting” - Listen to your Users - Review & Iterate on your Own Incidents

32. Building Intelligence Driven Incident Response

33. Get Management Buy In

34. Network Forensics Full packet capture, flow monitoring, & intrusion detection

    systems…

35. System Forensics: OR Alive Disk forensics & memory forensics…

36. If it isn’t measurable it didn’t happen

37. If you didn’t write it down it didn’t happen

38. Trust your Gut

39. Collaboration is key Internally & Externally Tactically & Strategically

40. Every Incident Response Starts a Vulnerability Assessment Every Vulnerability Assessment

    Starts An Incident Response For one iteration… most of the time…

41. Every Incident Response Starts a Vulnerability Assessment Every Vulnerability Assessment

    Starts An Incident Response For one iteration… most of the time…

42. Moscow Rules #8 Once: Accident Twice: Coincidence Three: Enemy Action

43. Slow is smooth smooth is fast Fast is Lethal

44. The IR Tools You Need At A Price You’ll ❤️

45. GRR

46. Moloch Moloch

47. Suricata

48. - MIG is OpSec's platform for investigative surgery of remote

    endpoints. - Platform Agnostic - By Mozilla (The Firefox people) - MIDAS is a framework for developing a Mac Intrusion Detection Analysis System - By Etsy (yes, that Etsy) & Facebook (Yes, also that Facebook) Mig Word to the Wise: These are platforms, not products… MIDAS

49. Yara

50. Volitility The Volatility Framework is a completely open collection of

    tools, implemented in Python […], for the extraction of digital artifacts from volatile memory (RAM) samples.

51. Cuckoo Sandbox

52. LogStash

53. OSSIM

54. + New Player: MozDef

55. None

56. $0 GRR Mandiant MIR Cuckoo Sandbox ThreatGrid LogStash Splunk MozDef/OSSIM

    ArcSight MIDAS/MiG Carbon Black

57. sed/grep/jq etc. Free, Scalable, Automatable, & Chainable Command Line is

    your Friend

58. cat *.json | jq '.[] | if .action == "user.login"

    then "\(.actor_ip), \ (.actor)" else "" end' | sort | uniq | sed -e 's/"//g' > userlogin-ip-to-user.csv

59. python, ruby, etc - Log Parsing and Manipulation - Automating

    tasks - Modifying and Extending tools - Building tools that simply don’t exist

60. Conclusion… -Intelligence Driven Incident Response is the new Normal -Open

    Source is making $$$ less important than Intel -Collaboration is Key -When its time to perform the time to prepare is past

61. Thanks

62. Resources - Links: http://git.io/v8hDCw - Blog: sroberts.github.io - GitHub for

    Ed: education.github.com - Projects: github.com/sroberts - Email: [email protected] - Twitter: @sroberts