Upgrade to Pro — share decks privately, control downloads, hide ads and more …

A Basic Guide to Advanced Incident Response: Ar...

Scott J. Roberts
September 06, 2014
Technology
6
1.3k

A Basic Guide to Advanced Incident Response: ArchCon Edition

Presented at the first (and insanely awesome) ArchCon 2014 in St Louis Mo.

Scott J. Roberts

September 06, 2014
Tweet

More Decks by Scott J. Roberts

See All by Scott J. Roberts
Tortured Responders Dept - Scott & Rebekah's Edition
sroberts
0
94
Skynet the CTI Intern: Building Effective Machine Augmented Intelligence
sroberts
0
67
DRIVING INTELLIGENCE WITH MITRE ATT&CK: LEVERAGING LIMITED RESOURCES TO BUILD AN EVOLVING THREAT REPOSITORY
sroberts
0
31
Exploring Threat Intelligence: Insights and Tools from Vertex Synapse
sroberts
0
23
Homemade Ramen & Threat Intelligence
sroberts
2
490
Introduction to Open Source Security Tools
sroberts
3
4.8k
Building Effective Threat Intelligence Sharing
sroberts
1
110
Japanese Manufacturing, Killer Robots, & Effective Incident Handling
sroberts
0
110
Crisis Communication for Incident Response
sroberts
1
320

Other Decks in Technology

See All in Technology
マルチモーダル / AI Agent / LLMOps 3つの技術トレンドで理解するLLMの今後の展望
hirosatogamo
37
12k
Introduction to Works of ML Engineer in LY Corporation
lycorp_recruit_jp
0
110
Evangelismo técnico: ¿qué, cómo y por qué?
trishagee
0
360
Amazon CloudWatch Network Monitor のススメ
yuki_ink
1
200
VideoMamba: State Space Model for Efficient Video Understanding
chou500
0
190
AIチャットボット開発への生成AI活用
ryomrt
0
170
iOSチームとAndroidチームでブランチ運用が違ったので整理してます
sansantech
PRO
0
130
【Startup CTO of the Year 2024 / Audience Award】アセンド取締役CTO 丹羽健
niwatakeru
0
990
ノーコードデータ分析ツールで体験する時系列データ分析超入門
negi111111
0
410
ドメインの本質を掴む / Get the essence of the domain
sinsoku
2
150
[CV勉強会@関東 ECCV2024 読み会] オンラインマッピング x トラッキング MapTracker: Tracking with Strided Memory Fusion for Consistent Vector HD Mapping (Chen+, ECCV24)
abemii
0
220
SREが投資するAIOps ~ペアーズにおけるLLM for Developerへの取り組み~
takumiogawa
1
190

Featured

See All Featured
BBQ
matthewcrist
85
9.3k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k
Done Done
chrislema
181
16k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
169
50k
Fireside Chat
paigeccino
34
3k
StorybookのUI Testing Handbookを読んだ
zakiyama
27
5.3k
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Become a Pro
speakerdeck
PRO
25
5k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k
Art, The Web, and Tiny UX
lynnandtonic
297
20k
Music & Morning Musume
bryan
46
6.2k
Producing Creativity
orderedlist
PRO
341
39k

Transcript

  1. A Basic Guide to Advanced Incident Response

  2. Hi, I’m Scott

  3. SOC Analyst & Global Threat Analyst @ Symantec

  4. Security Consultant @ Mandiant* * Acquired by FireEye

  5. SOC Technical Lead & Focused Ops Team Deputy @ ManTech

    International

  6. Senior Intelligence Specialist @ Vigilant* * Acquired by Deloitte

  7. Bad Guy Catcher @ GitHub

  8. None

  9. What I do all Day - Identify and respond to

    Security Incidents - Collaborate with 3rd parties to respond to their incidents - Build tools to assist those above

  10. Questions? I’m not done, just feel free to ask anything

    any time

  11. I should warn you: ! I always wanted to be

    a Spy I blame watching too much James Bond as a kid…

  12. Intelligence Driven Incident Response

  13. Intelligence Cycle

  14. Intelligence Cycle

  15. Intelligence Cycle

  16. Incident response Process Preparation Recovery Lessons Learned Eradication Containment Identification

    Then…

  17. Utilization & Feedback Analysis Processing Dissemination Collection Requirements Intelligence Cycle

  18. F3EAD Find Analyze Disseminate Exploit Finish Fix While…

  19. Observe Act Orient Decide OODA Loop

  20. Intel To Collect

  21. Indicators - IP addresses - URLs & Domains - Malware

    - Hashes (Absolute & Fuzzy) - Capabilities (What it does, how it talks) - Certificates, Email addresses, User Agent Strings, etc

  22. Events

  23. Incidents Groups of malicious events become…

  24. Campaigns Groups of incidents become…

  25. Wikis for Great Justice - Wikis are great for dynamically

    structured data - Makes collaboration Easy - I’ve shared threat intel and incident templates (Linked at the End) - The Price is right…

  26. Developing Intelligence

  27. Online Services Malicious IP Lists IPVoid, URLVoid, & MyWOT URLQuery

    & Wepawet Virus Total & Malwr Shodan CentralOps, Robtext, & Ip2location

  28. Vendor Info - Vendor Blogs, Reports & podcasts Often have

    piles of data and indicators - Verizon’s Data Breach Investigations report is a yearly favorite - Look for resources from companies like Mandiant/FiReEye, Dell SecureWorks, AlienVault, and Crowdstrike Just watch out… they’re trying to sell you something…

  29. Make Friends

  30. Work Chat...

  31. Personal Chat...

  32. Trust Groups...

  33. “Gathering Intel from others gives you a view of their

    world. Gather your own raw data and generate Intel to view and learn about yours.” - @mJxG

  34. Developing Your Own Intel - Think about What is important

    to determine who might attack and then decide how it could happen - Go “hunting” - Listen to your Users - Review & Iterate on your Own Incidents

  35. “What's everyone's fascination with actionable intelligence? Your C-suite wants colorful

    charts and projects with cool acronyms.” - @infosecjerk

  36. Attribution Matters… To A Certain Extent

  37. None
  38. None
  39. None

  40. Common Tactics, Techniques, & Procedures Technical Sophistication tactical & Strategic

    Goals Related Actors & Groups Useful To Drive Response

  41. geographic Location Parent Organization including unit names Individual Actor names,

    ranks, pictures, & Physical addresses Interesting Only Academically

  42. Building Intelligence Driven Incident Response

  43. To Start: Acknowledge This is Hard

  44. Get Management Buy In

  45. Network Forensics Full packet capture, flow monitoring, & intrusion detection

    systems…

  46. System Forensics: OR Alive Disk forensics & memory forensics…

  47. OutSide Your () Walls Total Information Awareness (Home Edition!)

  48. Have A Plan

  49. Test Your Plan

  50. “When It’s time to Perform the time to prepare has

    passed.” - Steven Roberts

  51. Know When TO Ignore Your Plan

  52. “If your incident response methodology doesn't let you deviate from

    the methodology, you're doing it wrong. Agility is key.” - @smoothimpact

  53. If it isn’t measurable it didn’t happen

  54. If you didn’t write it down it didn’t happen

  55. Trust your Gut

  56. Don’t Over Think Everything

  57. Collaboration is key Internally & Externally Tactically & Strategically

  58. Every Incident Response Starts a Vulnerability Assessment Every Vulnerability Assessment

    Starts An Incident Response For one iteration… most of the time…

  59. Every Incident Response Starts a Vulnerability Assessment Every Vulnerability Assessment

    Starts An Incident Response For one iteration… most of the time…

  60. Keep Calm And ❤️
 Legal, Public Relations, & Human Relations

  61. Don’t Fud Yourself Or Your Leadership…

  62. Find YouR Organizations Battle Rhythm

  63. Moscow Rules #8 Once: Accident Twice: Coincidence Three: Enemy Action

  64. Slow is smooth smooth is fast Fast is Lethal

  65. Openness & Crisis Communications Controlling Your Message

  66. IR Tools At A Price You’ll ❤️

  67. Google Rapid Response

  68. Moloch AOL Moloch

  69. Suricata

  70. - MIG is OpSec's platform for investigative surgery of remote

    endpoints. - Platform Agnostic - By Mozilla (The Firefox people) - MIDAS is a framework for developing a Mac Intrusion Detection Analysis System - By Etsy (yes, that Etsy) & Facebook (Yes, also that Facebook) Mig Word to the Wise: These are platforms, not products… MIDAS

  71. Yelps OSXCollector And the original: OSXAuditor

  72. Yara

  73. - Combine gathers OSINT Threat Intelligence Feeds - Built with

    Alex Pinto of the MLSec Project - A tool to retrieve malware directly from the source for security researchers. The @kylemaxwell Slide… Maltrieve Combine

  74. Volatility Rekall

  75. Netflix Scumblr

  76. Virtualbox & Vagrant

  77. Cuckoo Sandbox

  78. Elastic Search LogStash & Kibana

  79. OSSIM

  80. + New Player: MozDef

  81. None

  82. $0 GRR Mandiant MIR Cuckoo Sandbox ThreatGrid LogStash Splunk MozDef/OSSIM

    ArcSight MIDAS/MiG Carbon Black Scumblr Recorded Futures

  83. sed/grep/jq etc. Free, Scalable, Automatable, & Chainable Command Line is

    your Friend

  84. cat *.json | jq '.[] | if .action == "user.login"

    then "\(.actor_ip), \ (.actor)" else "" end' | sort | uniq | sed -e 's/"//g' > userlogin-ip-to-user.csv

  85. python, ruby, etc - Log Parsing and Manipulation - Automating

    tasks - Modifying and Extending tools - Building tools that simply don’t exist

  86. […] God forbid DFIRs learned a programming language, they might

    start writing automated tools. - @postmodern_mod3

  87. Learn you a DevOps For Great Justice

  88. Conclusion… -Intelligence Driven Incident Response is the new Normal -Open

    Source is making $$$ less important than Intel -Collaboration is Key

  89. Thanks

  90. Resources Links: http://git.io/v8hDCw Projects: github.com/sroberts Email: [email protected] Twitter: @sroberts