Building an Incident Response Team



Presented by: Slade Griffin, Contextual Security Solutions

Abstract: This session will present Mr. Griffin’s observations made while working directly with utilities as they developed and built incident response processes and the teams to support them. Topics covered will include the architectural development of visibility into different types of networks using different technologies. Having the technology to gain visibility into your networks is less than half the battle; the next step is to properly tune down the “noise” so you can determine whether an incident is actually happening.

Published in: Technology, Business

Building an Incident Response Team

  1. Who should be on your IR team
  2. About me
  3. Agenda
       • What’s the Incident Response Process (or Cycle)
       • Why have processes or procedures?
       • Document walk through
  4. Incident Response Process (SANS)
       • Preparation
       • Identification
       • Containment
       • Eradication
       • Recovery
       • Lessons Learned
  5. Incident Response Process (NIST 800-61)
       • Preparation
       • Detection and Analysis
       • Containment, Eradication, and Recovery
       • Post-incident Activity
       • Incident handling checklist
       • Recommendations
  6. Incident Response (NRECA)
       • Create Policy and Plan
       • Develop Procedures
       • Set External Communication Guidelines
       • Select Team Structure
       • Establish Internal and External Relationships
       • Determine Services
       • Training the team
  7. Log example
       Dec 22 12:28:08 sshd[10926]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ds178-
       Dec 22 12:29:20 sshd[10926]: Accepted password for <$user>from port 49154 ssh2
       Dec 22 12:29:38 sshd[10926]: pam_unix(sshd:session): session opened for user <$user>by (uid=0)
  8. Requirements and Real Life
       I need a volunteer who doesn’t have an IR plan. (I know you’re in here somewhere)
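The log example on slide 7 shows the pattern an analyst wants surfaced out of the noise: authentication failures on one sshd child process followed by an accepted password on that same process. The detector below is an added example, not part of the deck; the log lines it runs over are constructed to match the slide's format, and the threshold and time window are assumed tuning knobs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the slide's format (not the deck's own data).
SAMPLE_LOG = """\
Dec 22 12:28:08 sshd[10926]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Dec 22 12:28:31 sshd[10926]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7
Dec 22 12:29:20 sshd[10926]: Accepted password for alice from 198.51.100.7 port 49154 ssh2
Dec 22 12:29:38 sshd[10926]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Dec 22 13:02:11 sshd[11004]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9
Dec 22 13:40:02 sshd[11210]: Accepted password for bob from 192.0.2.5 port 50112 ssh2
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
FAIL_RE = re.compile(TS + r" sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:auth\): authentication failure;.*rhost=(?P<rhost>\S*)")
OK_RE = re.compile(TS + r" sshd\[(?P<pid>\d+)\]: Accepted password for (?P<user>\S+) from (?P<src>\S+) port \d+")

def _ts(s):
    # syslog timestamps carry no year; only differences between them are used
    return datetime.strptime(s, "%b %d %H:%M:%S")

def find_failures_then_success(lines, min_failures=2, window_s=600):
    """Return one alert per sshd child (pid) whose connection logged at least
    `min_failures` auth failures in the `window_s` seconds before an accepted
    password. Lone failures and clean logins are treated as noise."""
    failures = defaultdict(list)   # pid -> timestamps of auth failures
    alerts = []
    for line in lines:
        m = FAIL_RE.match(line)
        if m:
            failures[m["pid"]].append(_ts(m["ts"]))
            continue
        m = OK_RE.match(line)
        if not m:
            continue                  # session-open lines etc. are not scored
        ok_t = _ts(m["ts"])
        recent = [t for t in failures.get(m["pid"], [])
                  if 0 <= (ok_t - t).total_seconds() <= window_s]
        if len(recent) >= min_failures:
            alerts.append({"pid": m["pid"], "user": m["user"], "src": m["src"],
                           "failures": len(recent), "at": m["ts"]})
    return alerts

if __name__ == "__main__":
    for a in find_failures_then_success(SAMPLE_LOG.splitlines()):
        print(f"ALERT pid={a['pid']} user={a['user']} src={a['src']} "
              f"failures_before_success={a['failures']} at={a['at']}")
```

Raising `min_failures` or shrinking `window_s` is the "tuning down the noise" step the abstract describes; on the sample above, a threshold of 3 yields no alert at all.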