Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up for free
Japanese Manufacturing, Killer Robots, & Effective Incident Handling
Scott J. Roberts
June 23, 2017
Technology
0
68
Japanese Manufacturing, Killer Robots, & Effective Incident Handling
The talk I did with @bfist at the SANS DFIR Summit 2017.
Scott J. Roberts
June 23, 2017
Tweet
Share
More Decks by Scott J. Roberts
See All by Scott J. Roberts
Homemade Ramen & Threat Intelligence
sroberts
2
330
Introduction to Open Source Security Tools
sroberts
3
4.4k
Building Effective Threat Intelligence Sharing
sroberts
1
80
Crisis Communication for Incident Response
sroberts
1
230
Hipster DFIR on OSX - BSidesCincy
sroberts
3
2.9k
Community Intelligence & Open Source Tools
sroberts
5
970
Responding @ Scale: osquery for Mass Incident Response and Detection
sroberts
1
11k
Hipster DFIR on OSX
sroberts
2
850
Crisis Communication for Incident Response
sroberts
2
7.4k
Other Decks in Technology
See All in Technology
金融領域のマルチプロダクトを効率よく開発・運用するためのシステム基盤と組織設計について / 2022-07-28-multi-product-platform
stajima
0
140
ログラスを支える技術的投資の仕組み / loglass-technical-investment
urmot
9
1.9k
VS Code Meetup #21 - もう一度知りたい基礎編 - ファイル操作、コーディングの基本編
74th
0
180
MySQL v5.7 勉強会/study-mysql-ver-5-7
andpad
0
2k
20220731 如何跟隨開源技術保持你的職涯發展
pichuang
0
120
ふりかえりの技術 / retrospectives
soudai
3
150
GCCP Creator @ COSCUP 2022
line_developers_tw
PRO
0
1.4k
Amplifyで Webアプリケーションの 堅固な土台をサクッと構築する方法
kawasakiteruo
0
210
サイバー攻撃を想定したクラウドネイティブセキュリティガイドラインとCNAPP及びSecurity Observabilityの未来
sakon310
4
450
DevelopersIO 2022 俺のTerraform Pipeline
takakuni
0
430
ECS on EC2 で Auto Scaling やってみる!
sayjoy
1
120
塩漬けにしているMySQL 8.0.xxをバージョンアップしたくなる、ここ数年でのMySQL 8.0の改善点 / MySQL Update 202208
yoshiakiyamasaki
1
590
Featured
See All Featured
How to train your dragon (web standard)
notwaldorf
60
3.9k
Three Pipe Problems
jasonvnalue
89
8.7k
Code Review Best Practice
trishagee
44
9.7k
The Illustrated Children's Guide to Kubernetes
chrisshort
18
40k
Designing for Performance
lara
597
63k
Clear Off the Table
cherdarchuk
79
290k
What the flash - Photography Introduction
edds
62
10k
Designing Experiences People Love
moore
130
22k
The World Runs on Bad Software
bkeepers
PRO
57
5.4k
StorybookのUI Testing Handbookを読んだ
zakiyama
6
2.5k
Fontdeck: Realign not Redesign
paulrobertlloyd
73
4.1k
Why Our Code Smells
bkeepers
PRO
324
55k
Transcript
Japanese Manufacturing, Killer Robots, & Effective Incident Handling With Scott
& Kevin
Introduction - Who We Are - What We’re About -
What We’re Gonna Share
Who We Are? Kevin aka @bfist Response Lead @ Heroku
Scott aka @sroberts SIRT Lead @ GitHub FOR578 Instructor
WHAT WE’RE ABOUT? MAKING INCIDENT RESPONSE MORE EFFICIENT WITH SCIENCE
ENGINEERING
WHAT WE’RE GONNA SHARE? A LOW COST, COLLABORATIVE METHOD FOR
MANAGING COMMON INCIDENT RESPONSE WORKFLOWS
You’ve Got 99 Problems - Moving up the Maturity Model
- Enable multiple responders - Provide easy to comms to stakeholders - Incidents come in waves - You’re poor and have no $$$
Project Management <REQUIRED MODEL SLIDE>
JIT (Just In Time) - Management Theory from Toyota -
Create as Needed/Not as Planned - Limits Inventory - Lots of IR Parallels
Introduction to Kanban - A factory floor level production management
tool - Spatial representation of tasks through a series of phases - Adapted to multiple non- manufacturing industries
Introduction to Kanban
None
None
Useful For.. - Short Term (JIT) Tasks Around Incidents -
Long Term Management Task for Projects & Continuous Output
Warning We use the same tool (Kanban) BUT… We use
kanban very differently (And that’s cool!!!)
Example
Platforms: GitHub Projects - Notes, artifacts, and boards in one
place - Assign cards to people - Easy API - No Built In Templating
GitHub Projects
Platforms: Trello - Kanban is their main product - Full
featured GUI - Card based discussions - Attachable Files - Many Integrations - Mature API
Trello
Incident Stages - Preparation. } Built Here - Identification -
Containment - Eradication - Recovery - Lessons Learned } Helps Here
Preparation - Build template Kanban boards for common incidents -
Start with a column for basic information sharing - Do you have things that need to be done in every incident?
Other Stages - Create a column for containment, eradication, and
recovery tasks. - Do you need to roll creds for this incident? - Do you need to revoke hardware tokens?
Example: Malware Incident
Lessons Learned - Create a column for lessons learned -
Dumping ground for the retro
Meat & Potatoes (And Simplicity) - 3 Columns - In
Progress - Done - Canceled - Assign People to Tasks - Canceled cards should have an explanation
Example
Example: Lost/Stolen Laptop
Workflows: System Triage - New - Live Response Requested -
Live Response Received - Analyzed - Remediated - Returned
Workflows: Compromised Resources - Malicious Activity Identified - Password Reset
- 2FA Verified - User Interviewed - Remediated
Workflows: Indicator Development - Backlog - Enriched - COA: Discovery
- Detection Created - COA: Detection Deployed - Detection Deprecated
Workflows: Intelligence Product Development - Planned - Analyzed - Drafted
- Edited - Released - Feedback Collected
Automation - Templates move you from managed to defined -
Repeatable & Consistent - Demonstrate Process - Reduce Admin Overhead
Wanna Try It? github.com/sroberts/incident-template
Bonus Content: The Five Whys - More Toyota Stuff -
Root Cause Analysis Methodology - Useful Retrospective Technique
Conclusion - Kanban helps make repeatable yet flexible processes -
Makes communications consistent - Powerful with a little automation
Thanks Made with <3 By Scott (@sroberts) & Kevin (@bfist)