Build Your Own Incident Response
Presentation used at the (ISC)2 SecureMunich and SecureDusseldorf meetings.
  1. BYO-IR: Build your own 'incident response'. Wim Remes - (ISC)2 - IOActive
  2. --------RISK---------COMPANY
  3. IF vs. WHEN
  4. THE IR TIMELINE (reality). Timeline A B C D E F G: attack occurred; compromise detected; window of compromise. PANIC!!!
     (Slide footer, repeated on the following slides: Wim Remes - wim.remes@ioactive.co.uk)
  5. THE IR TIMELINE (for the pathological optimist). Timeline A B C D E F G: attack occurred; compromise detected; window of compromise; response.
  6. THE IR TIMELINE (how it should be). Timeline A B C D E F G: attack occurred; compromise detected; window of compromise; response.
  7. THE IR TIMELINE (for the pathological liar). Timeline A B C D E F G: attack occurred; compromise detected; window of compromise; response.
  8. WHO'S WHO? Executive Management; IT Management; IT Personnel.
  9. WHO'S WHO? Customers/Clients; Law Enforcement; Press/Media; "The Angry Mob" (Y U USE MD5?).
  10. WHO'S WHO? IT Personnel; Customers/Clients.
  11. (no text on this slide)
  12. IR SHOPPING LIST
      a. Awesome people!
      b. Management support (no kidding)
      c. IR process + RACI
      d. Supporting technology
      e. Training & test drives
  13. AWESOME PEOPLE (Without me, you are just aweso)
  14. AWESOME PEOPLE (you already have them)
  15. MANAGEMENT SUPPORT
  16. IR PROCESS: PREPARE, DETECT, ANALYZE, CONTAIN, RECOVER, POST MORTEM
  17. IR RACI. Rows: External Communications; Initiate IR Process; Collect Evidence. The column headers (roles) did not survive extraction; the cell values, three per row in the order extracted, are:
      C,I | A   | R
      C,I | R,A | C,I
      R   | C,I | A
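The RACI slide is only useful if the matrix is well formed: every task needs exactly one Accountable party and at least one Responsible one, or the "who calls law enforcement" question gets answered by nobody at 3 a.m. The following is an added example, not code from the deck or from the author: it encodes the cell values extracted from the IR RACI slide and runs those checks over them. The role names used as column headers (taken from the "WHO'S WHO?" slide) and the row-to-cell mapping are assumptions, since the slide image did not survive extraction; the second, broken matrix is constructed to show what a failing check looks like.

```python
"""RACI sanity checks for an incident-response responsibility matrix.

Added example, not from the original deck. Cell values are the ones extracted
from the IR RACI slide; the column headers and the row-to-cell mapping are
assumptions (the slide image was not recovered).
"""
from typing import Dict, List, Tuple

# Assumed column headers: the internal roles from the "WHO'S WHO?" slide.
ROLES: Tuple[str, ...] = ("Executive Management", "IT Management", "IT Personnel")

# Cell values as extracted from the slide; which row is which task is assumed.
IR_RACI: Dict[str, Tuple[str, ...]] = {
    "External Communications": ("C,I", "A", "R"),
    "Initiate IR Process": ("C,I", "R,A", "C,I"),
    "Collect Evidence": ("R", "C,I", "A"),
}

# Constructed counter-example: two Accountable parties and nobody Responsible
# for the first task, and a missing column on the second.
BROKEN_RACI: Dict[str, Tuple[str, ...]] = {
    "External Communications": ("A", "A", "C"),
    "Collect Evidence": ("R", "I"),
}

VALID_CODES = {"R", "A", "C", "I"}


def parse_cell(cell: str) -> set:
    """Turn a cell such as 'R,A' into {'R', 'A'}; an empty cell means no involvement."""
    codes = {c.strip().upper() for c in cell.split(",") if c.strip()}
    unknown = codes - VALID_CODES
    if unknown:
        raise ValueError(f"unknown RACI code(s) {sorted(unknown)} in cell {cell!r}")
    return codes


def check_raci(matrix: Dict[str, Tuple[str, ...]], roles: Tuple[str, ...]) -> List[str]:
    """Return a list of findings; an empty list means the matrix is well formed.

    Rules: each row has one cell per role, each task has exactly one
    Accountable (A) role, and each task has at least one Responsible (R) role.
    A role may be both R and A for the same task (the slide itself has 'R,A').
    """
    findings: List[str] = []
    for task, cells in matrix.items():
        if len(cells) != len(roles):
            findings.append(f"{task}: expected {len(roles)} cells, got {len(cells)}")
            continue
        assignments = {role: parse_cell(cell) for role, cell in zip(roles, cells)}
        accountable = [r for r, codes in assignments.items() if "A" in codes]
        responsible = [r for r, codes in assignments.items() if "R" in codes]
        if len(accountable) != 1:
            who = ", ".join(accountable) or "none"
            findings.append(f"{task}: exactly one Accountable expected, found {len(accountable)} ({who})")
        if not responsible:
            findings.append(f"{task}: nobody is Responsible")
    return findings


def tasks_for(matrix: Dict[str, Tuple[str, ...]], roles: Tuple[str, ...],
              role: str, code: str = "R") -> List[str]:
    """List the tasks on which `role` carries `code` (default: Responsible).

    Rows with the wrong number of cells are skipped; check_raci() reports them.
    """
    idx = roles.index(role)
    return [task for task, cells in matrix.items()
            if len(cells) == len(roles) and code in parse_cell(cells[idx])]


if __name__ == "__main__":
    for name, matrix in (("slide matrix", IR_RACI), ("broken matrix", BROKEN_RACI)):
        problems = check_raci(matrix, ROLES)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
    for role in ROLES:
        print(f"{role} is Responsible for: {tasks_for(IR_RACI, ROLES, role)}")
```

Run the check every time the matrix changes, not once when the process document is signed off; the usual drift is a second "A" appearing on a task after a reorganisation, which is exactly what the constructed broken matrix triggers.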
  18. TECHNOLOGY (because you don't go to war in a speedo ...)
  19. TECHNOLOGY (it's pretty basic really ...)
      a. Segment your network!!
      b. Use PGP (and train your people to use it)
      c. Log everything you could possibly need
      d. Full network captures are helpful!
      e. How far can you take FOSS?
      f. Complement with commercial products.
      g. Train, train, train, train, train, train, ...
      (some demos)
  20. TRAINING & TEST
  21. "In a real war you don't fight soldiers with cleaning ladies, you fight with soldiers. In a cyberwar, you fight hackers with hackers." Thank you. Wim Remes - wim.remes@ioactive.co.uk