IR Readiness: How to Find and Respond to Attackers in your Network
Chris Gerritz
Incident Response Process & Procedures
2019 – Incident Response Readiness
Incident Response Steps
Detection: How it starts. You detect malicious activity via real-time monitoring, proactive hunting, external reports, etc.
1. Triage – Determine scope of breach, gather information for quick decision making
2. Containment – Active enumeration and mapping of network
3. Investigation – Analyze evidence and determine root cause
4. Certification – Triage network again to determine clean state
5. Learning – Implement controls based on lessons learned
(Callout on slide: not addressed in today’s standards)
Triage
Triage
Goal: Properly scope and understand the security incident to enable initial decision making and containment actions.
Speed is of utmost importance.
• Gather data (logs, forensic data, memory, etc.)
• Inspect ALL systems with forensic triage tools (where else is the infection?)
Decision Time: Wipe and reload? Call in the experts?
MITRE’s ATT&CK Model Applies to IR Triage
Used to characterize and describe post-compromise adversary behavior. It details the post-compromise tactics, techniques, and procedures (TTPs) that persistent threats use to execute their objectives while operating inside a network.
Triage: Data Collection Methods
• Centralized Logging
  – Syslog/Beats (servers), EDR/Sysmon (endpoints) → Splunk/ELK
• Query – Ask specific questions or look for a specific IOC
  – Active: Reach down to the endpoint directly (e.g. osquery)
  – Historical: Search pre-collected logs or data
• Forensic Collection & Inspection
  – Collect artifacts and information related to system state (forensic triage)
  – e.g. process lists, autoruns, shimcache entries, other forensic artifacts, etc.
Triage: Logs are not sufficient for triage
• Challenges of log analysis techniques for rapid response:
  – Logs often don’t go back far enough or have limited coverage
  – Search queries can be expensive, which forces searches that are overly specific
  – Requires very experienced security personnel versed in both the TTPs of attackers and the network’s unique logging capabilities to do accurate behavior matching
    • X type of attack produces Y behavior, which will be expressed in these logs as Z
• Deploying new monitoring tools has limited effect
  – Looks forward at new activity, not backwards
Containment and Investigation
Containment
Goal: Stem the bleeding and restore operations. The follow-on investigation can be initiated in parallel with getting back to business.
• Neutralizing the threat’s access via:
  – IP blocks
  – Locking or resetting stolen accounts
  – Removing infected systems from the network
  – Updating antivirus / prevention signatures
Investigation
Goal: Determine root cause and potentially who was responsible for the incident/attack.
In-depth forensics knowledge required!
• Many states, like Texas, require state certifications to act as an investigator of computer crimes and attacks
• Internal resources with sufficient skill or time are generally not available (Expensive!)
Certification
Goal: Ensure containment and mitigations worked and no infection or backdoors remain.
Utilize the same techniques as the triage step.
• Don’t just rely on alerting/behavior tools; the adversary might be holding out on a dormant/inactive system.
Learning
Goal: Prevent a similar attack from succeeding in the future or help bring the perpetrator to justice.
Utilize lessons learned from the investigation to implement new controls:
• Review logging and other telemetry collection
• Review security policies such as privileged user management
• Review security tooling
IR Triage: Threat Hunting w/ Forensic State Analysis
Analysis Technique: Forensic State Analysis
Threat hunting technique that applies phased levels of analysis to collected data to reduce the data set to a manageable level:
1. Enrichment – Reputation & threat intel lookups
2. Triage – Algorithms & methods to categorize interesting things
   a. Data Stacking
   b. Anomaly/Outlier Identification
3. Advanced Analysis
   a. Static/Dynamic Analysis of Interesting Samples
   b. TTP Pattern Matching (dig into logs)
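As an added example (not code from the slides or from Infocyte HUNT), the enrichment and triage phases above run over a constructed set of per-host process/autorun snapshots, and the surviving artifacts are what would be handed to advanced analysis; the hostnames, paths, hash placeholders and reputation sets are all assumptions.

```python
"""Forensic State Analysis over collected triage snapshots (added example).

Phase 1 enriches every artifact with a reputation verdict, phase 2 stacks
identical artifacts across hosts and flags the rare ones, and triage()
returns the reduced set that would go on to advanced analysis.
"""
from collections import defaultdict

# Constructed sample of what a forensic triage collector might return.
# Each record: (hostname, artifact type, image path, hash id).
# The hash ids are placeholders, not real file hashes.
SNAPSHOTS = [
    ("ws01", "process", r"C:\Windows\System32\svchost.exe", "h_svchost"),
    ("ws01", "process", r"C:\Windows\explorer.exe", "h_explorer"),
    ("ws01", "autorun", r"C:\Program Files\Vendor\agent.exe", "h_agent"),
    ("ws02", "process", r"C:\Windows\System32\svchost.exe", "h_svchost"),
    ("ws02", "process", r"C:\Windows\explorer.exe", "h_explorer"),
    ("ws02", "autorun", r"C:\Program Files\Vendor\agent.exe", "h_agent"),
    ("ws03", "process", r"C:\Windows\System32\svchost.exe", "h_svchost"),
    ("ws03", "process", r"C:\Windows\explorer.exe", "h_explorer"),
    ("ws03", "autorun", r"C:\Program Files\Vendor\agent.exe", "h_agent"),
    ("ws03", "autorun", r"C:\Users\Public\update.exe", "h_update"),  # seen on one host
    ("ws04", "process", r"C:\Windows\System32\svchost.exe", "h_svchost"),
    ("ws04", "process", r"C:\Users\bob\AppData\Roaming\svchost.exe", "h_fake"),  # one host
    ("ws04", "autorun", r"C:\Program Files\Vendor\agent.exe", "h_agent"),
]

# Constructed reputation sets standing in for the threat-intel lookups.
KNOWN_BAD = {"h_fake"}
KNOWN_GOOD = {"h_svchost", "h_explorer", "h_agent"}


def enrich(records, known_bad, known_good):
    """Phase 1: tag each artifact with a reputation verdict."""
    out = []
    for host, kind, path, digest in records:
        if digest in known_bad:
            verdict = "bad"
        elif digest in known_good:
            verdict = "good"
        else:
            verdict = "unknown"
        out.append({"host": host, "kind": kind, "path": path,
                    "hash": digest, "rep": verdict})
    return out


def stack(records):
    """Phase 2a: data stacking; group identical artifacts and collect hosts."""
    hosts_by_hash = defaultdict(set)
    paths_by_hash = defaultdict(set)
    for r in records:
        hosts_by_hash[r["hash"]].add(r["host"])
        paths_by_hash[r["hash"]].add(r["path"])
    return {h: {"hosts": sorted(hs), "paths": sorted(paths_by_hash[h])}
            for h, hs in hosts_by_hash.items()}


def outliers(stacked, total_hosts, max_prevalence=0.25):
    """Phase 2b: artifacts present on at most max_prevalence of the fleet."""
    if total_hosts == 0:
        return []
    return sorted(h for h, s in stacked.items()
                  if len(s["hosts"]) / total_hosts <= max_prevalence)


def name_collisions(records):
    """Extra outlier heuristic: one file name observed under several directories."""
    dirs_by_name = defaultdict(set)
    for r in records:
        directory, _, name = r["path"].rpartition("\\")
        dirs_by_name[name.lower()].add(directory)
    return {n: sorted(ds) for n, ds in dirs_by_name.items() if len(ds) > 1}


def triage(records, known_bad, known_good):
    """Run enrichment and triage; return the reduced set for advanced analysis."""
    enriched = enrich(records, known_bad, known_good)
    total_hosts = len({r["host"] for r in enriched})
    stacked = stack(enriched)
    rare = set(outliers(stacked, total_hosts))
    rep = {r["hash"]: r["rep"] for r in enriched}
    interesting = []
    for h, s in stacked.items():
        if rep[h] == "good":          # known-good artifacts drop out
            continue
        if rep[h] == "bad" or h in rare:
            interesting.append({"hash": h, "rep": rep[h],
                                "hosts": s["hosts"], "paths": s["paths"]})
    # Known-bad first, then the rarest unknowns.
    interesting.sort(key=lambda x: (x["rep"] != "bad", len(x["hosts"]), x["hash"]))
    return interesting


if __name__ == "__main__":
    for item in triage(SNAPSHOTS, KNOWN_BAD, KNOWN_GOOD):
        print(item["rep"], item["hash"], item["hosts"], item["paths"])
    print("name collisions:", name_collisions(enrich(SNAPSHOTS, KNOWN_BAD, KNOWN_GOOD)))
```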
Infocyte HUNT™
The Leading Cloud-based Threat Hunting & Incident Response Solution
Waiting for an alert to tell you about a problem?
• Discover, Hunt, and Respond across networked endpoints and servers.
• Agentless or Agent-based Deployment Models
The premier hunt platform for:
• Threat Hunting – Turn-key forensics-based threat hunting and incident response
• Incident Response – Automates forensic triage and artifact analysis
• Assessments – The most effective and comprehensive threat assessment platform available
QUESTIONS
Chris Gerritz
Co-Founder, Infocyte
cgerritz@Infocyte.com
Twitter: @gerritzc
@InfocyteInc
Visit our Booth!
www.infocyte.com

UiPath Test Automation using UiPath Test Suite series, part 6
 
A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...A tale of scale & speed: How the US Navy is enabling software delivery from l...
A tale of scale & speed: How the US Navy is enabling software delivery from l...
 

Cybersecurity Incident Response Readiness: How to Find and Respond to Attackers in your Network

  • 8. Triage: Logs are not sufficient for triage
    Challenges of log analysis techniques for rapid response:
    – Logs often don’t go back far enough or have limited coverage
    – Search queries can be expensive, which pushes analysts toward overly specific searches
    – Accurate behavior matching requires very experienced security personnel versed in both the TTPs of attackers and the network’s unique logging capabilities
      • X type of attack produces Y behavior, which will be expressed in these logs as Z
    – Deploying new monitoring tools has limited effect: they look forward at new activity, not backwards
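The X → Y → Z chain on this slide is easiest to see in code. The block below is an added example, not part of the original deck: it encodes three ATT&CK techniques as rules over constructed Sysmon-style records (Event ID 1 process creation, Event ID 10 process access) of the kind an EDR/Sysmon pipeline would forward to a SIEM, and it also measures the blind window that retention leaves in front of any historical search. The hostnames, users, paths, timestamps, the `LSASS_READERS_ALLOWED` allow-list and the field names are all assumptions for the example; the technique IDs are ATT&CK’s.

```python
"""TTP-to-telemetry matching over forwarded Sysmon-style records (added example)."""
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style records as an EDR/Sysmon -> SIEM pipeline would forward
# them (event_id 1 = process create, event_id 10 = process access). Hosts, users,
# paths and timestamps are made up for this example.
LOGS = [
    {"ts": "2019-03-04T09:12:01", "host": "ws02", "event_id": 1, "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\schtasks.exe",
     "cmdline": "schtasks /create /tn Updater /sc onlogon "
                "/tr C:\\Users\\jdoe\\AppData\\Roaming\\svchost.exe"},
    {"ts": "2019-03-04T09:12:40", "host": "ws02", "event_id": 1, "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     # QQBCAEMA is 'ABC' in UTF-16LE base64; it stands in for a real payload
     "cmdline": "powershell -nop -w hidden -enc QQBCAEMA"},
    {"ts": "2019-03-04T09:30:15", "host": "ws04", "event_id": 10,
     "source": "C:\\Windows\\Temp\\update.exe",
     "target": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1010"},
    {"ts": "2019-03-04T10:00:00", "host": "ws01", "event_id": 1,
     "user": "NT AUTHORITY\\SYSTEM",
     "image": "C:\\Program Files\\Vendor\\agent.exe", "cmdline": "agent.exe --checkin"},
    {"ts": "2019-03-04T10:05:00", "host": "ws01", "event_id": 10,
     "source": "C:\\Program Files\\Windows Defender\\MsMpEng.exe",
     "target": "C:\\Windows\\System32\\lsass.exe", "granted_access": "0x1fffff"},
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
ENCODED_FLAG = re.compile(r"(?:^|\s)-e(?:c|nc[a-z]*)?(?:\s|$)", re.IGNORECASE)

# Constructed allow-list of processes expected to open lsass; tune per environment.
LSASS_READERS_ALLOWED = {"msmpeng.exe"}


def sched_task_create(r):
    """ATT&CK T1053.005 (Scheduled Task): schtasks.exe /create in a process-create event."""
    return (r["event_id"] == 1 and _basename(r["image"]) == "schtasks.exe"
            and "/create" in r["cmdline"].lower())


def encoded_powershell(r):
    """ATT&CK T1059.001 (PowerShell): powershell.exe launched with an encoded command."""
    return (r["event_id"] == 1 and _basename(r["image"]) == "powershell.exe"
            and ENCODED_FLAG.search(r["cmdline"]) is not None)


def lsass_access(r):
    """ATT&CK T1003.001 (LSASS Memory): a non-allow-listed process opening lsass.exe."""
    return (r["event_id"] == 10 and _basename(r["target"]) == "lsass.exe"
            and _basename(r["source"]) not in LSASS_READERS_ALLOWED)


# Each rule is one X -> Y -> Z chain: technique (X) -> behavior (Y) -> how that
# behavior appears in this telemetry (Z). Z is entirely local knowledge: field
# names, paths and allow-lists differ from one network's logging to the next.
RULES = [
    ("T1053.005", "Scheduled task creation", sched_task_create),
    ("T1059.001", "Encoded PowerShell command", encoded_powershell),
    ("T1003.001", "Non-allow-listed LSASS access", lsass_access),
]


def match_ttps(records, rules=RULES):
    """Return (technique_id, host, ts) for every record that matches a rule."""
    hits = []
    for r in records:
        for tid, _name, pred in rules:
            if pred(r):
                hits.append((tid, r["host"], r["ts"]))
    return hits


def coverage_gap(records, lookback_start):
    """How much of the wanted lookback the retained logs do not cover at all.
    A historical search can only reach back to the oldest retained record; the
    window before that is invisible, which is the slide's first point."""
    oldest = min(datetime.fromisoformat(r["ts"]) for r in records)
    gap = oldest - datetime.fromisoformat(lookback_start)
    return max(gap, timedelta(0))


if __name__ == "__main__":
    for hit in match_ttps(LOGS):
        print("%s on %s at %s" % hit)
    print("blind window before log start:", coverage_gap(LOGS, "2019-02-01T00:00:00"))
```

The benign `agent.exe` and the Defender read of lsass fall through every rule, while the three attacker records each hit exactly one; the cost the slide warns about is in maintaining that Z layer and in running such searches over an entire retention window, and `coverage_gap` shows the part of the timeline no search can reach.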
  • 10. Containment
    Goal: Stem the bleeding and restore operations. The follow-on investigation can be initiated in parallel with getting back to business.
    • Neutralize the threat’s access via:
      – IP blocks
      – Locking or resetting stolen accounts
      – Removing infected systems from the network
      – Updating antivirus / prevention signatures
  • 11. Investigation
    Goal: Determine root cause and, potentially, who was responsible for the incident/attack
    In-depth forensics knowledge required!
    • Many states, like Texas, require state certifications to act as an investigator of computer crimes and attacks
    • Internal resources with sufficient skill or time are generally not available (expensive!)
  • 12. Certification
    Goal: Ensure containment and mitigations worked and that no infection or backdoors remain
    Utilize the same techniques as the triage step
    • Don’t rely only on alerting/behavior tools: the adversary might be holding out on a dormant/inactive system that generates no activity to alert on
  • 13. Learning
    Goal: Prevent a similar attack from succeeding in the future, or help bring the perpetrator to justice
    Utilize lessons learned from the investigation to implement new controls
    • Review logging and other telemetry collection
    • Review security policies such as privileged user management
    • Review security tooling
  • 14. Incident Response Steps (recap)
    Detection → 1. Triage → 2. Containment → 3. Investigation → 4. Certification → 5. Learning
  • 15. IR Triage: Threat Hunting with Forensic State Analysis
  • 16. Analysis Technique: Forensic State Analysis
    Threat hunting technique that applies phased levels of analysis to collected data to reduce the data set to a manageable level:
    1. Enrichment: reputation and threat-intel lookups
    2. Triage: algorithms and methods to categorize interesting things
       a. Data stacking
       b. Anomaly/outlier identification
    3. Advanced analysis
       a. Static/dynamic analysis of interesting samples
       b. TTP pattern matching (dig into logs)
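Phases 1 and 2 of this slide, and the certification re-triage on slide 12 that uses the same techniques, come down to a few operations over collected state. The block below is an added example and is not Infocyte’s code or the deck’s: it takes a constructed autorun collection from five hosts, enriches each hash against constructed known-good and known-bad sets (stand-ins for a reputation service and a threat-intel feed), stacks identical items across hosts, flags rare items and image paths backed by more than one binary, and returns the reduced list that would go to phase 3. Hostnames, paths, the placeholder hashes and the `rare_fraction` cutoff are all assumptions.

```python
"""Forensic State Analysis over collected autorun state (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Autorun:
    host: str
    location: str   # registry key, task store or folder the entry lives in
    image: str      # file the entry points at
    sha256: str     # hash of that file (shortened placeholders in the sample)


RUN_HKLM = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKCU = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
HOSTS = ["ws01", "ws02", "ws03", "ws04", "ws05"]

# Constructed collection from five hosts. Hashes are placeholders, not real files.
SAMPLE = []
for _h in HOSTS:
    SAMPLE.append(Autorun(_h, RUN_HKLM, r"C:\Windows\System32\SecurityHealthSystray.exe", "e5e5"))
    # ws05 runs a different binary at the vendor agent's path than the other four hosts
    SAMPLE.append(Autorun(_h, RUN_HKLM, r"C:\Program Files\Vendor\agent.exe",
                          "b2b2" if _h == "ws05" else "a1a1"))
SAMPLE += [
    Autorun("ws02", RUN_HKCU, r"C:\Users\jdoe\AppData\Roaming\svchost.exe", "c3c3"),
    Autorun("ws04", "Scheduled Task: Updater", r"C:\Windows\Temp\update.exe", "d4d4"),
]

# Constructed stand-ins for a reputation service and a threat-intel feed.
KNOWN_GOOD = {"a1a1", "e5e5"}
KNOWN_BAD = {"d4d4"}


def enrich(entries, known_good=KNOWN_GOOD, known_bad=KNOWN_BAD):
    """Phase 1, enrichment: one verdict per hash, 'bad' winning over 'good'."""
    return {e.sha256: ("bad" if e.sha256 in known_bad
                       else "good" if e.sha256 in known_good else "unknown")
            for e in entries}


def stack(entries):
    """Phase 2a, data stacking: how many distinct hosts carry each exact item."""
    hosts = defaultdict(set)
    for e in entries:
        hosts[(e.location, e.image, e.sha256)].add(e.host)
    return {item: len(h) for item, h in hosts.items()}


def path_hash_variants(entries):
    """Phase 2b, outliers: one image path backed by more than one binary fleet-wide."""
    hashes = defaultdict(set)
    for e in entries:
        hashes[e.image.lower()].add(e.sha256)
    return {img for img, h in hashes.items() if len(h) > 1}


def triage(entries, total_hosts, rare_fraction=0.2):
    """Reduce collected state to the items worth phase 3 (advanced analysis).
    Returns [(entry, [reasons])], known-bad first, then rarest first."""
    verdict = enrich(entries)
    prevalence = stack(entries)
    variants = path_hash_variants(entries)
    rare_cutoff = max(1, int(total_hosts * rare_fraction))
    findings = []
    for e in entries:
        key = (e.location, e.image, e.sha256)
        reasons = []
        if verdict[e.sha256] == "bad":
            reasons.append("known-bad hash")
        elif verdict[e.sha256] == "unknown":
            if prevalence[key] <= rare_cutoff:
                reasons.append("rare: on %d/%d hosts" % (prevalence[key], total_hosts))
            if e.image.lower() in variants:
                reasons.append("same path, different hash elsewhere")
        if reasons:
            findings.append((e, reasons))
    findings.sort(key=lambda f: (f[1][0] != "known-bad hash",
                                 prevalence[(f[0].location, f[0].image, f[0].sha256)]))
    return findings


if __name__ == "__main__":
    print("%d collected items" % len(SAMPLE))
    for entry, reasons in triage(SAMPLE, total_hosts=len(HOSTS)):
        print(entry.host, entry.image, "|", "; ".join(reasons))
```

Twelve collected items reduce to three: the known-bad task on ws04, the odd-one-out `agent.exe` on ws05 (rare and a path/hash variant) and the user-profile `svchost.exe` on ws02. Because this works on persisted state rather than on activity, a dormant implant still shows up, which is why the certification step reuses it. The known gap is the opposite case: an unknown binary present on every host stacks as normal, so fleet-wide compromise has to be caught by enrichment or by phase 3 TTP matching, not by prevalence alone.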
  • 17. Infocyte HUNT™: The Leading Cloud-based Threat Hunting & Incident Response Solution
    Waiting for an alert to tell you about a problem?
    • Discover, hunt, and respond across networked endpoints and servers.
    • Agentless or agent-based deployment models
    The premier hunt platform for:
    • Threat Hunting: turn-key forensics-based threat hunting and incident response
    • Incident Response: automates forensic triage and artifact analysis
    • Assessments: the most effective and comprehensive threat assessment platform available
  • 18. Questions
    Chris Gerritz, Co-Founder, Infocyte
    cgerritz@Infocyte.com
    Twitter: @gerritzc, @InfocyteInc
    Visit our booth! www.infocyte.com