A Basic Guide to Advanced Incident Response

My talk from Tech Talk Live on building an intelligence driven threat intelligence capability.

Scott J. Roberts

May 05, 2014

Transcript

  1. A
    Basic Guide
    to
    Advanced Incident
    Response

  2. Hi, I’m Scott

  3. SOC Analyst
    &
    Global Threat Analyst
    @
    Symantec

  4. Security Consultant
    @
    Mandiant*
    * Acquired by FireEye

  5. SOC Technical Lead
    &
    Focused Ops Team Deputy
    @
    ManTech International

  6. Senior Intelligence
    Specialist
    @
    Vigilant*
    * Acquired by Deloitte

  7. Bad Guy Catcher
    @
    GitHub

  8. [image-only slide, no text]

  9. What I do all Day
    - Identify and respond to Security
    Incidents
    - Collaborate with 3rd parties to
    respond to their incidents
    - Build tools to assist those above

  10. Questions?
    I’m not done, just feel free
    to ask anything any time

  11. I should warn you:
    !
    I always wanted
    to be a Spy
    I blame watching too much James Bond as a kid…

  12. Intelligence Driven
    Incident Response

  13. Intelligence Cycle

  14. Intelligence Cycle

  15. Incident Response Process
    Preparation -> Identification -> Containment -> Eradication -> Recovery -> Lessons Learned
    Then…

  16. Intelligence Cycle
    Requirements -> Collection -> Processing -> Analysis -> Dissemination -> Utilization & Feedback

  17. F3EAD
    Find -> Fix -> Finish -> Exploit -> Analyze -> Disseminate
    While…

  18. OODA Loop
    Observe -> Orient -> Decide -> Act

  19. Intel To Collect

  20. Indicators
    - IP addresses
    - URLs & Domains
    - Malware
    - Hashes (Absolute & Fuzzy)
    - Capabilities (What it does, how it talks)
    - Certificates, Email addresses, User Agent
    Strings, etc

  21. Events

  22. Incidents
    Groups of malicious events become…

  23. Campaigns
    Groups of incidents become…

  24. Wikis for Great Justice
    - Wikis are great for dynamically
    structured data
    - Makes collaboration Easy
    - I’ve shared threat intel and incident
    templates (Linked at the End)
    - The Price is right…

  25. Developing
    Intelligence

  26. Online Services
    Malicious IP Lists
    IPVoid, URLVoid, & MyWOT
    URLQuery & Wepawet
    VirusTotal & Malwr
    Shodan
    CentralOps, Robtex, & IP2Location

  27. Vendor Info
    - Vendor blogs, reports & podcasts often have piles of data and indicators
    - Verizon’s Data Breach Investigations Report is a yearly favorite
    - Look for resources from companies like Mandiant/FireEye, Dell SecureWorks, AlienVault, and CrowdStrike
    Just watch out… they’re trying to sell you something…

  28. Make Friends

  29. Work Chat...

  30. Personal Chat...

  31. Developing Your Own Intel
    - Think about What is
    important to determine
    who might attack and then
    decide how it could happen
    - Go “hunting”
    - Listen to your Users
    - Review & Iterate on your
    Own Incidents

  32. Building
    Intelligence
    Driven Incident
    Response

  33. Get Management Buy In

  34. Network Forensics
    Full packet capture, flow monitoring,
    & intrusion detection systems…

  35. System Forensics:
    OR Alive
    Disk forensics & memory forensics…

  36. If it isn’t measurable
    it didn’t happen

  37. If you didn’t write it
    down it didn’t happen

  38. Trust your Gut

  39. Collaboration is key
    Internally & Externally
    Tactically & Strategically

  40. Every Incident Response
    Starts a
    Vulnerability Assessment
    Every Vulnerability Assessment
    Starts An
    Incident Response
    For one iteration… most of the time…

  42. Moscow Rules #8
    Once: Accident
    Twice: Coincidence
    Three: Enemy Action

  43. Slow is smooth
    smooth is fast
    Fast is Lethal

  44. The IR Tools
    You Need
    At A Price
    You’ll ❤️

  45. GRR

  46. Moloch

  47. Suricata

  48. Mig
    - MIG is OpSec's platform for investigative surgery of remote endpoints.
    - Platform Agnostic
    - By Mozilla (The Firefox people)
    MIDAS
    - MIDAS is a framework for developing a Mac Intrusion Detection Analysis System
    - By Etsy (yes, that Etsy) & Facebook (Yes, also that Facebook)
    Word to the Wise: These are platforms, not products…

  49. Yara

  50. Volatility
    The Volatility Framework is a completely open collection of tools,
    implemented in Python […], for the extraction of digital artifacts
    from volatile memory (RAM) samples.

  51. Cuckoo Sandbox

  52. LogStash

  53. OSSIM

  54. New Player: MozDef

  55. [image-only slide, no text]

  56. $0 vs. $$$
    GRR            | Mandiant MIR
    Cuckoo Sandbox | ThreatGrid
    LogStash       | Splunk
    MozDef/OSSIM   | ArcSight
    MIDAS/MiG      | Carbon Black

  57. sed/grep/jq etc.
    Free, Scalable, Automatable, & Chainable
    Command Line is your Friend

  58. Pull the unique (IP, user) pairs for user.login events out of JSON audit logs into a CSV:
    cat *.json | jq '.[] | if .action == "user.login" then "\(.actor_ip), \(.actor)" else "" end' \
      | sort | uniq | sed -e 's/"//g' > userlogin-ip-to-user.csv

  59. python, ruby, etc
    - Log Parsing and
    Manipulation
    - Automating tasks
    - Modifying and Extending
    tools
    - Building tools that simply
    don’t exist
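
    Added example (mine, not from the deck): the jq pipeline from slide 58 and the Moscow Rule #8 heuristic from slide 42 done in Python, run over constructed sample audit events that reuse the deck's field names (action, actor, actor_ip). The glob pattern and the "distinct accounts per source IP" counting are my assumptions about how one would apply the rule.

```python
import glob
import json
from collections import defaultdict

# Constructed sample audit-log events (not from the deck), using the same
# field names the deck's jq one-liner reads: action, actor, actor_ip.
SAMPLE_EVENTS = [
    {"action": "user.login", "actor": "alice", "actor_ip": "203.0.113.7"},
    {"action": "repo.create", "actor": "alice", "actor_ip": "203.0.113.7"},
    {"action": "user.login", "actor": "bob", "actor_ip": "203.0.113.7"},
    {"action": "user.login", "actor": "carol", "actor_ip": "203.0.113.7"},
    {"action": "user.login", "actor": "dave", "actor_ip": "198.51.100.2"},
    {"action": "user.login", "actor": "alice", "actor_ip": "203.0.113.7"},
]


def load_events(pattern="*.json"):
    """Equivalent of `cat *.json`: each file holds a JSON array of events."""
    events = []
    for path in glob.glob(pattern):
        with open(path) as fh:
            events.extend(json.load(fh))
    return events


def login_ip_to_user(events):
    """Same result as the deck's jq | sort | uniq pipeline: the unique
    (actor_ip, actor) pairs for user.login events, minus the blank line
    the jq `else ""` branch leaves behind."""
    pairs = {(e["actor_ip"], e["actor"]) for e in events
             if e.get("action") == "user.login"}
    return sorted(pairs)


def triage_ips(events):
    """Moscow Rule #8 applied to login sources: count the distinct accounts
    that logged in from each IP. Once: accident, twice: coincidence,
    three or more: enemy action (a lead to investigate, not a verdict)."""
    actors = defaultdict(set)
    for ip, actor in login_ip_to_user(events):
        actors[ip].add(actor)
    labels = {1: "accident", 2: "coincidence"}
    return {ip: (len(a), labels.get(len(a), "enemy action"))
            for ip, a in actors.items()}


if __name__ == "__main__":
    events = load_events() or SAMPLE_EVENTS  # sample data when no *.json is present
    for ip, (n, verdict) in sorted(triage_ips(events).items()):
        print(f"{ip}: {n} account(s) -> {verdict}")
```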

  60. Conclusion…
    - Intelligence Driven Incident Response is the new normal
    - Open Source is making $$$ less important than intel
    - Collaboration is key
    - When it’s time to perform, the time to prepare is past

  61. Thanks

  62. Resources
    - Links: http://git.io/v8hDCw
    - Blog: sroberts.github.io
    - GitHub for Ed: education.github.com
    - Projects: github.com/sroberts
    - Email: [email protected]
    - Twitter: @sroberts
