A Basic Guide to Advanced Incident Response: ArchCon Edition

Transcript

1. A Basic Guide to Advanced Incident Response

2. Hi, I’m Scott

3. SOC Analyst & Global Threat Analyst @ Symantec

4. Security Consultant @ Mandiant* * Acquired by FireEye

5. SOC Technical Lead & Focused Ops Team Deputy @ ManTech

   International

6. Senior Intelligence Specialist @ Vigilant* * Acquired by Deloitte

7. Bad Guy Catcher @ GitHub

8. None

9. What I do all Day - Identify and respond to

   Security Incidents - Collaborate with 3rd parties to respond to their incidents - Build tools to assist those above

10. Questions? I’m not done, just feel free to ask anything

    any time

11. I should warn you: ! I always wanted to be

    a Spy I blame watching too much James Bond as a kid…

12. Intelligence Driven Incident Response

13. Intelligence Cycle

14. Intelligence Cycle

15. Intelligence Cycle

16. Incident response Process Preparation Recovery Lessons Learned Eradication Containment Identification

    Then…

17. Utilization & Feedback Analysis Processing Dissemination Collection Requirements Intelligence Cycle

18. F3EAD Find Analyze Disseminate Exploit Finish Fix While…

19. Observe Act Orient Decide OODA Loop

20. Intel To Collect

21. Indicators - IP addresses - URLs & Domains - Malware

    - Hashes (Absolute & Fuzzy) - Capabilities (What it does, how it talks) - Certificates, Email addresses, User Agent Strings, etc

22. Events

23. Incidents Groups of malicious events become…

24. Campaigns Groups of incidents become…

25. Wikis for Great Justice - Wikis are great for dynamically

    structured data - Makes collaboration Easy - I’ve shared threat intel and incident templates (Linked at the End) - The Price is right…

26. Developing Intelligence

27. Online Services Malicious IP Lists IPVoid, URLVoid, & MyWOT URLQuery

    & Wepawet Virus Total & Malwr Shodan CentralOps, Robtext, & Ip2location

28. Vendor Info - Vendor Blogs, Reports & podcasts Often have

    piles of data and indicators - Verizon’s Data Breach Investigations report is a yearly favorite - Look for resources from companies like Mandiant/FiReEye, Dell SecureWorks, AlienVault, and Crowdstrike Just watch out… they’re trying to sell you something…

29. Make Friends

30. Work Chat...

31. Personal Chat...

32. Trust Groups...

33. “Gathering Intel from others gives you a view of their

    world. Gather your own raw data and generate Intel to view and learn about yours.” - @mJxG

34. Developing Your Own Intel - Think about What is important

    to determine who might attack and then decide how it could happen - Go “hunting” - Listen to your Users - Review & Iterate on your Own Incidents

35. “What's everyone's fascination with actionable intelligence? Your C-suite wants colorful

    charts and projects with cool acronyms.” - @infosecjerk

36. Attribution Matters… To A Certain Extent

37. None
38. None
39. None

40. Common Tactics, Techniques, & Procedures Technical Sophistication tactical & Strategic

    Goals Related Actors & Groups Useful To Drive Response

41. geographic Location Parent Organization including unit names Individual Actor names,

    ranks, pictures, & Physical addresses Interesting Only Academically

42. Building Intelligence Driven Incident Response

43. To Start: Acknowledge This is Hard

44. Get Management Buy In

45. Network Forensics Full packet capture, flow monitoring, & intrusion detection

    systems…

46. System Forensics: OR Alive Disk forensics & memory forensics…

47. OutSide Your () Walls Total Information Awareness (Home Edition!)

48. Have A Plan

49. Test Your Plan

50. “When It’s time to Perform the time to prepare has

    passed.” - Steven Roberts

51. Know When TO Ignore Your Plan

52. “If your incident response methodology doesn't let you deviate from

    the methodology, you're doing it wrong. Agility is key.” - @smoothimpact

53. If it isn’t measurable it didn’t happen

54. If you didn’t write it down it didn’t happen

55. Trust your Gut

56. Don’t Over Think Everything

57. Collaboration is key Internally & Externally Tactically & Strategically

58. Every Incident Response Starts a Vulnerability Assessment Every Vulnerability Assessment

    Starts An Incident Response For one iteration… most of the time…

59. Every Incident Response Starts a Vulnerability Assessment Every Vulnerability Assessment

    Starts An Incident Response For one iteration… most of the time…

60. Keep Calm And ❤️
 Legal, Public Relations, & Human Relations

61. Don’t Fud Yourself Or Your Leadership…

62. Find YouR Organizations Battle Rhythm

63. Moscow Rules #8 Once: Accident Twice: Coincidence Three: Enemy Action

64. Slow is smooth smooth is fast Fast is Lethal

65. Openness & Crisis Communications Controlling Your Message

66. IR Tools At A Price You’ll ❤️

67. Google Rapid Response

68. Moloch AOL Moloch

69. Suricata

70. - MIG is OpSec's platform for investigative surgery of remote

    endpoints. - Platform Agnostic - By Mozilla (The Firefox people) - MIDAS is a framework for developing a Mac Intrusion Detection Analysis System - By Etsy (yes, that Etsy) & Facebook (Yes, also that Facebook) Mig Word to the Wise: These are platforms, not products… MIDAS

71. Yelps OSXCollector And the original: OSXAuditor

72. Yara

73. - Combine gathers OSINT Threat Intelligence Feeds - Built with

    Alex Pinto of the MLSec Project - A tool to retrieve malware directly from the source for security researchers. The @kylemaxwell Slide… Maltrieve Combine

74. Volatility Rekall

75. Netflix Scumblr

76. Virtualbox & Vagrant

77. Cuckoo Sandbox

78. Elastic Search LogStash & Kibana

79. OSSIM

80. + New Player: MozDef

81. None

82. $0 GRR Mandiant MIR Cuckoo Sandbox ThreatGrid LogStash Splunk MozDef/OSSIM

    ArcSight MIDAS/MiG Carbon Black Scumblr Recorded Futures

83. sed/grep/jq etc. Free, Scalable, Automatable, & Chainable Command Line is

    your Friend

84. cat *.json | jq '.[] | if .action == "user.login"

    then "\(.actor_ip), \ (.actor)" else "" end' | sort | uniq | sed -e 's/"//g' > userlogin-ip-to-user.csv

85. python, ruby, etc - Log Parsing and Manipulation - Automating

    tasks - Modifying and Extending tools - Building tools that simply don’t exist

86. […] God forbid DFIRs learned a programming language, they might

    start writing automated tools. - @postmodern_mod3

87. Learn you a DevOps For Great Justice

88. Conclusion… -Intelligence Driven Incident Response is the new Normal -Open

    Source is making $$$ less important than Intel -Collaboration is Key

89. Thanks

90. Resources Links: http://git.io/v8hDCw Projects: github.com/sroberts Email: [email protected] Twitter: @sroberts