In this brief presentation, Chris Gerritz (co-founder and CPO of Infocyte) shares insights on finding and responding to hidden attackers within your network.
Learn about cybersecurity incident response, forensic triage, and the differences between telemetry and protection.
This presentation originally took place at Check Point Software's 2019 CPX 360 conference in Las Vegas.
2019 – Incident Response Readiness

Incident Response Steps

Detection: How it starts. You detect malicious activity via real-time monitoring, proactive hunting, assessments, or external reporting.
1. Triage – Determine scope of breach, gather information for quick decision making
2. Containment – Active enumeration and mapping of network
3. Investigation – Analyze evidence and determine root cause
4. Certification – Triage network again to verify clean state
5. Learning – Implement controls based on lessons learned
(Slide callout: “Not addressed in today’s standards”)
Triage

Goal: Properly scope and understand the security incident to enable initial decision making and containment actions.
Speed is of utmost importance.
• Gather data (logs, forensic data, memory, etc.)
• Inspect ALL systems (where else is the infection?)
Decision Time: Wipe and reload? Call in the investigators?
Telemetry vs Protection

Prevention and real-time detection solutions (AV/IDS) categorize and alert on categorized events, discarding the rest. Response requires much more data to determine the state and activity of systems. A hunt/IR solution triages the gap for leads and conclusions.
[Diagram with “Detection”, “Good” and “Bad” labels. Original Diagram Source: Crowdstrike’s Blog on Machine Learning]
Triage Technique: Forensic State Analysis

Threat hunting technique that applies phased analysis to collected forensic data to reduce the data set to a manageable level:
1. Enrichment – Reputation & threat intel lookups
2. Triage – Algorithms & methods to categorize interesting things
   a. Data stacking
   b. Anomaly/outlier identification
3. Advanced Analysis
   a. Static/dynamic analysis of interesting samples
   b. TTP pattern matching (dig into logs)
Analysis: Forensic State Analysis (Forensic Triage)

Utilizing data stacking and hunt analysis methods:
1. Review all running processes and loaded modules (current look)
2. Review all autorun entries and locations (future look)
3. Review all execution & forensic artifacts (historical look)
4. Identify any evidence of host manipulation or indications of generic compromise
5. Review recent privileged account usage
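The enrichment and triage phases of Forensic State Analysis, applied to the "current look" (running processes) across a small fleet, as an added example that is not code from the presentation or from Infocyte's product. The process inventory, the placeholder hashes, the known-good hash set (standing in for a reputation/threat-intel feed) and the expected-path baseline are all constructed for the example. Data stacking groups identical (name, path, hash) tuples and records prevalence across hosts; items that are rare, unknown to the feed, or a system binary running from the wrong place become leads. The same pass is what the Certification step re-runs to confirm a clean state.

```python
"""Forensic State Analysis-style triage over a constructed process inventory.

Added example, not Infocyte's code. Inventory, hashes, the known-good set and
the expected-path table are constructed stand-ins for collected forensic data,
a reputation feed and a baseline.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Process:
    host: str
    name: str
    path: str
    sha256: str


def _fleet(hosts, name, path, sha256):
    """Same binary observed on every host in the list (constructed)."""
    return [Process(h, name, path, sha256) for h in hosts]


HOSTS = ["ws-01", "ws-02", "ws-03", "ws-04", "ws-05", "ws-06"]

# Constructed inventory; the hash values are placeholders, not real file hashes.
INVENTORY = (
    _fleet(HOSTS, "svchost.exe", r"C:\Windows\System32\svchost.exe", "a1" * 32)
    + _fleet(HOSTS, "lsass.exe", r"C:\Windows\System32\lsass.exe", "b2" * 32)
    + _fleet(HOSTS, "explorer.exe", r"C:\Windows\explorer.exe", "c3" * 32)
    # one host runs a masquerading 'svchost.exe' from a user-writable path
    + [Process("ws-04", "svchost.exe", r"C:\Users\Public\svchost.exe", "f6" * 32)]
    # one host runs a binary that no other host has
    + [Process("ws-02", "updater.exe", r"C:\ProgramData\Upd\updater.exe", "e5" * 32)]
)

# Enrichment stand-in: hashes a reputation / threat-intel feed would call known good.
KNOWN_GOOD_HASHES = {"a1" * 32, "b2" * 32, "c3" * 32}

# Baseline stand-in: where well-known Windows binaries are expected to live.
EXPECTED_PATH = {
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "lsass.exe": r"c:\windows\system32\lsass.exe",
    "explorer.exe": r"c:\windows\explorer.exe",
}


def stack(inventory):
    """Data stacking: group identical (name, path, hash) and record which hosts have it."""
    groups = defaultdict(set)
    for p in inventory:
        groups[(p.name.lower(), p.path.lower(), p.sha256)].add(p.host)
    return groups


def triage(inventory, known_good, expected_path, rare_fraction=0.2):
    """Reduce the inventory to leads: items that are rare, unknown, or out of place."""
    hosts_total = len({p.host for p in inventory})
    leads = []
    for (name, path, sha256), hosts in stack(inventory).items():
        reasons = []
        if len(hosts) / hosts_total <= rare_fraction:
            reasons.append(f"rare: seen on {len(hosts)}/{hosts_total} hosts")
        if sha256 not in known_good:
            reasons.append("hash not in reputation feed")
        if name in expected_path and path != expected_path[name]:
            reasons.append(f"system binary outside expected path {expected_path[name]}")
        if reasons:
            leads.append({"name": name, "path": path, "sha256": sha256,
                          "hosts": sorted(hosts), "reasons": reasons})
    # most suspicious first: more reasons, then fewer hosts
    leads.sort(key=lambda lead: (-len(lead["reasons"]), len(lead["hosts"])))
    return leads


if __name__ == "__main__":
    for lead in triage(INVENTORY, KNOWN_GOOD_HASHES, EXPECTED_PATH):
        print(f"{lead['name']} {lead['path']} on {lead['hosts']}: "
              + "; ".join(lead["reasons"]))
```

The fleet-wide svchost.exe, lsass.exe and explorer.exe entries are discarded because they are prevalent, known good and in their expected paths; the two leads that survive are the masquerading svchost.exe on ws-04 (three reasons) and the unknown updater.exe on ws-02 (two reasons). The rare-prevalence threshold is deliberately a parameter: on a small or heterogeneous fleet it needs raising, and on a large homogeneous one a single-host hit is already a strong lead.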
Certification

Goal: Ensure containment and mitigations worked and no infection or backdoors remain.
Utilize the same techniques as the triage step.
• Don’t just rely on alerting/behavior tools -- the adversary might be holding out on a dormant/inactive system
• Once the investigator has secured evidence, you can be more thorough and invasive in your hunt
Infocyte HUNT™
Cloud-Delivered Threat Hunting & Incident Response

Waiting for an alert to tell you about a problem? Discover, hunt, and respond across cloud and traditionally networked endpoints and servers. Agentless or agent-based.
The premier hunt platform for:
Threat Hunting – Be proactive with turn-key forensics-based threat discovery
Incident Response – Automates forensic triage and artifact analysis w/ timelining (“Activity Trace”)
Compromise Assessments – The most effective and comprehensive threat assessment platform available
Platform components (from slide diagram): Command™ Analysis Support, Activity Trace™, Incyte™ Threat Intel & ML, Forensic State Analysis (FSA); agentless or agent-based deployment.