Japanese Manufacturing, Killer Robots, & Effective Incident Handling

The talk I did with @bfist at the SANS DFIR Summit 2017.

Scott J. Roberts

June 23, 2017

Transcript

  1. Japanese Manufacturing, Killer Robots, & Effective Incident Handling With Scott & Kevin
  2. Introduction - Who We Are - What We’re About - What We’re Gonna Share
  3. Who We Are? Kevin aka @bfist, Response Lead @ Heroku; Scott aka @sroberts, SIRT Lead @ GitHub, FOR578 Instructor
  4. WHAT WE’RE ABOUT? MAKING INCIDENT RESPONSE MORE EFFICIENT WITH SCIENCE ENGINEERING
  5. WHAT WE’RE GONNA SHARE? A LOW COST, COLLABORATIVE METHOD FOR MANAGING COMMON INCIDENT RESPONSE WORKFLOWS
  6. You’ve Got 99 Problems - Moving up the Maturity Model - Enable multiple responders - Provide easy comms to stakeholders - Incidents come in waves - You’re poor and have no $$$
  7. Project Management <REQUIRED MODEL SLIDE>
  8. JIT (Just In Time) - Management Theory from Toyota - Create as Needed/Not as Planned - Limits Inventory - Lots of IR Parallels
  9. Introduction to Kanban - A factory floor level production management tool - Spatial representation of tasks through a series of phases - Adapted to multiple non-manufacturing industries
  10. Introduction to Kanban
  11. (no text)
  12. (no text)
  13. Useful For… - Short Term (JIT) Tasks Around Incidents - Long Term Management Tasks for Projects & Continuous Output
  14. Warning: We use the same tool (Kanban) BUT… we use kanban very differently (And that’s cool!!!)
  15. Example
  16. Platforms: GitHub Projects - Notes, artifacts, and boards in one place - Assign cards to people - Easy API - No Built In Templating
  17. GitHub Projects
  18. Platforms: Trello - Kanban is their main product - Full featured GUI - Card based discussions - Attachable Files - Many Integrations - Mature API
  19. Trello
  20. Incident Stages - Preparation (built here) - Identification - Containment - Eradication - Recovery - Lessons Learned (helps here)
  21. Preparation - Build template Kanban boards for common incidents - Start with a column for basic information sharing - Do you have things that need to be done in every incident?
  22. Other Stages - Create a column for containment, eradication, and recovery tasks - Do you need to roll creds for this incident? - Do you need to revoke hardware tokens?
  23. Example: Malware Incident
  24. Lessons Learned - Create a column for lessons learned - Dumping ground for the retro
  25. Meat & Potatoes (And Simplicity) - 3 Columns: In Progress - Done - Canceled - Assign People to Tasks - Canceled cards should have an explanation
  26. Example
  27. Example: Lost/Stolen Laptop
  28. Workflows: System Triage - New - Live Response Requested - Live Response Received - Analyzed - Remediated - Returned
  29. Workflows: Compromised Resources - Malicious Activity Identified - Password Reset - 2FA Verified - User Interviewed - Remediated
  30. Workflows: Indicator Development - Backlog - Enriched - COA: Discovery - Detection Created - COA: Detection Deployed - Detection Deprecated
  31. Workflows: Intelligence Product Development - Planned - Analyzed - Drafted - Edited - Released - Feedback Collected
  32. Automation - Templates move you from managed to defined - Repeatable & Consistent - Demonstrate Process - Reduce Admin Overhead
  33. Wanna Try It? github.com/sroberts/incident-template
  34. Bonus Content: The Five Whys - More Toyota Stuff - Root Cause Analysis Methodology - Useful Retrospective Technique
  35. Conclusion - Kanban helps make repeatable yet flexible processes - Makes communications consistent - Powerful with a little automation
  36. Thanks Made with <3 By Scott (@sroberts) & Kevin (@bfist)
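As an added example (not code from the talk or from the incident-template repo), the Python below models two of the workflow slides as Kanban board templates and enforces two rules the deck states: cards advance through the stages in order, and a canceled card must carry an explanation. The workflow and stage names are the slides' own; the class and method names are assumptions.

```python
# Added example, not code from the talk or from sroberts/incident-template: a small Kanban-style
# model of two workflows, with stage names as on the slides. Class and method names are illustrative.
from dataclasses import dataclass, field
from typing import Dict, List

WORKFLOWS: Dict[str, List[str]] = {
    "System Triage": ["New", "Live Response Requested", "Live Response Received",
                      "Analyzed", "Remediated", "Returned"],
    "Compromised Resources": ["Malicious Activity Identified", "Password Reset",
                              "2FA Verified", "User Interviewed", "Remediated"],
}
CANCELED = "Canceled"  # one of the three "simplicity" columns (slide 25)

@dataclass
class Card:
    title: str
    assignee: str   # slide 25: assign people to tasks
    stage: str
    note: str = ""  # the explanation a canceled card must carry

@dataclass
class Board:
    workflow: str
    cards: List[Card] = field(default_factory=list)

    def add(self, title: str, assignee: str) -> Card:
        card = Card(title, assignee, WORKFLOWS[self.workflow][0])  # first stage
        self.cards.append(card)
        return card

    def advance(self, card: Card) -> str:
        # Move one stage forward; never skip a stage or revive a canceled card.
        stages = WORKFLOWS[self.workflow]
        if card.stage == CANCELED:
            raise ValueError(f"{card.title!r} is canceled: {card.note}")
        idx = stages.index(card.stage)
        if idx + 1 == len(stages):
            raise ValueError(f"{card.title!r} is already in the final stage")
        card.stage = stages[idx + 1]
        return card.stage

    def cancel(self, card: Card, reason: str) -> None:
        if not reason.strip():  # canceled cards should have an explanation (slide 25)
            raise ValueError("a canceled card needs an explanation")
        card.stage, card.note = CANCELED, reason

    def summary(self) -> Dict[str, int]:
        # Per-stage card counts: the quick status stakeholders ask for.
        counts = {s: 0 for s in WORKFLOWS[self.workflow] + [CANCELED]}
        for c in self.cards:
            counts[c.stage] += 1
        return counts
```

A board per incident built from these templates is the "managed to defined" step of slide 32: the stage list is fixed up front, and the code refuses moves the process does not allow.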