A Basic Guide to Advanced Incident Response

My talk from Tech Talk Live on building an intelligence-driven threat intelligence capability.

Scott J. Roberts

May 05, 2014
Transcript

  1. What I do all Day
     - Identify and respond to security incidents
     - Collaborate with 3rd parties to respond to their incidents
     - Build tools to assist those above
  2. I should warn you: I always wanted to be a spy. I blame watching too much James Bond as a kid…
  3. Indicators
     - IP addresses
     - URLs & domains
     - Malware
     - Hashes (absolute & fuzzy)
     - Capabilities (what it does, how it talks)
     - Certificates, email addresses, user agent strings, etc.
  4. Wikis for Great Justice
     - Wikis are great for dynamically structured data
     - Makes collaboration easy
     - I've shared threat intel and incident templates (linked at the end)
     - The price is right…
  5. Online Services
     - Malicious IP lists
     - IPVoid, URLVoid & MyWOT
     - URLQuery & Wepawet
     - VirusTotal & Malwr
     - Shodan
     - CentralOps, Robtex & IP2Location
  6. Vendor Info
     - Vendor blogs, reports & podcasts often have piles of data and indicators
     - Verizon's Data Breach Investigations Report is a yearly favorite
     - Look for resources from companies like Mandiant/FireEye, Dell SecureWorks, AlienVault and CrowdStrike
     Just watch out… they're trying to sell you something…
  7. Developing Your Own Intel
     - Think about what is important to determine who might attack, and then decide how it could happen
     - Go "hunting"
     - Listen to your users
     - Review & iterate on your own incidents
  8. Every Incident Response starts a Vulnerability Assessment. Every Vulnerability Assessment starts an Incident Response. For one iteration… most of the time…
  10. GRR

  11. MIG & MIDAS
     - MIG is OpSec's platform for investigative surgery of remote endpoints.
     - Platform agnostic
     - By Mozilla (the Firefox people)
     - MIDAS is a framework for developing a Mac Intrusion Detection Analysis System
     - By Etsy (yes, that Etsy) & Facebook (yes, also that Facebook)
     Word to the wise: these are platforms, not products…
  12. Volatility
     "The Volatility Framework is a completely open collection of tools, implemented in Python […], for the extraction of digital artifacts from volatile memory (RAM) samples."
  13.  # one "actor_ip,actor" line per unique pair, taken from every user.login event in a directory of JSON audit logs
       cat *.json | jq -r '.[] | select(.action == "user.login") | "\(.actor_ip),\(.actor)"' | sort -u > userlogin-ip-to-user.csv
  14. python, ruby, etc.
     - Log parsing and manipulation
     - Automating tasks
     - Modifying and extending tools
     - Building tools that simply don't exist
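     The jq one-liner on slide 13, redone in Python as an added example of the "log parsing" point on slide 14. This is not code from the deck: it assumes, as the jq filter implies, that each input file is a JSON array of event objects carrying "action", "actor" and "actor_ip" fields. The sample events and the indicator networks are constructed for the example, and the indicator matching (slide 3: IP addresses as indicators) and the multiple-IP check are extensions the deck does not show.

```python
"""Added example, not from the deck: extract user.login IP-to-user pairs from
JSON audit events and check them against an indicator list.

Assumptions (not stated on the slides): events are a JSON array of objects with
"action", "actor" and "actor_ip" fields. SAMPLE_EVENTS and BAD_NETWORKS are
constructed for this example.
"""
import json
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample input: one JSON array, as the jq filter on slide 13 expects.
SAMPLE_EVENTS = json.dumps([
    {"action": "user.login", "actor": "alice", "actor_ip": "10.0.0.5"},
    {"action": "repo.create", "actor": "alice", "actor_ip": "10.0.0.5"},
    {"action": "user.login", "actor": "bob", "actor_ip": "203.0.113.7"},
    {"action": "user.login", "actor": "alice", "actor_ip": "10.0.0.5"},
    {"action": "user.login", "actor": "carol", "actor_ip": "198.51.100.23"},
    {"action": "user.login", "actor": "bob", "actor_ip": "10.0.0.9"},
])

# Constructed indicator list (hypothetical; in practice this would come from a
# wiki or a vendor feed, per slides 4 to 6). Documentation ranges only.
BAD_NETWORKS = [ip_network("203.0.113.0/24"), ip_network("198.51.100.23/32")]


def login_ip_to_user(raw_json):
    """Same result as the jq pipeline: sorted, unique (actor_ip, actor) pairs
    for events whose action is user.login."""
    events = json.loads(raw_json)
    pairs = {
        (e["actor_ip"], e["actor"])
        for e in events
        if e.get("action") == "user.login"
    }
    return sorted(pairs)


def match_indicators(pairs, networks):
    """Map user -> [ip, ...] for logins whose source address falls inside any
    indicator network. Prefix matching lets one list entry cover a whole range."""
    hits = defaultdict(list)
    for ip, user in pairs:
        addr = ip_address(ip)
        if any(addr in net for net in networks):
            hits[user].append(ip)
    return dict(hits)


def users_with_multiple_ips(pairs):
    """Users seen logging in from more than one address. A lead for a human to
    review, not an alert by itself (VPNs and travel produce the same pattern)."""
    seen = defaultdict(set)
    for ip, user in pairs:
        seen[user].add(ip)
    return {user: sorted(ips) for user, ips in seen.items() if len(ips) > 1}


if __name__ == "__main__":
    pairs = login_ip_to_user(SAMPLE_EVENTS)
    for ip, user in pairs:          # same CSV shape the jq version writes
        print(f"{ip},{user}")
    print("indicator hits:", match_indicators(pairs, BAD_NETWORKS))
    print("multi-ip users:", users_with_multiple_ips(pairs))
```

     To run it over real files, replace SAMPLE_EVENTS with the contents of each *.json file and concatenate the resulting pair lists before matching; the functions themselves do not care where the array came from.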
  15. Conclusion…
     - Intelligence-driven incident response is the new normal
     - Open source is making $$$ less important than intel
     - Collaboration is key
     - When it's time to perform, the time to prepare is past
  16. Resources
     - Links: http://git.io/v8hDCw
     - Blog: sroberts.github.io
     - GitHub for Ed: education.github.com
     - Projects: github.com/sroberts
     - Email: [email protected]
     - Twitter: @sroberts