Incident Response
Operation
Before/After Hacked
Sumedt Jitpukdebodin
Senior Security Researcher @ I-SECURE Co. Ltd.
LPIC-1, NCLA, C|EHv6, eCPPT, eWPT, CompTIA Security+, IWSS, CPTE
# whoami
• Name: Sumedt Jitpukdebodin
• Job: Security Consultant, Senior Security Researcher @ I-SECURE
• Website: www.r00tsec.com, www.techsuii.com
• Admin: @2600thailand, @OWASPThailand
• Book: Network Security Book
• Hobby: Writing, Hacking, Researching, Gaming, etc.
• My articles: search Google for my name.
Hacker
SOC(Security Operation Center)
Attacker And Defender
Catch me if you can
# id
• Hacking is easy, defending is so f*cking hard.
• Attack surfaces
• 0day
• Social engineering
• Etc.
Incident Response
# man ir
Definition
• Event - any observable activity that we monitor (typically through logs)
• Incident - an event, or a set of events, that causes damage or violates security policy
• Incident Response (IR) - the actions taken after an incident to understand
what happened and take remedial action
Top priorities for IR.
• Identify the problem
• Fix the problem
• Recover the system to normal operation
Steps of IR.
Source:: http://www.emrisk.com/sites/default/files/images/newsletters/Incident%20Response%20Cycle.png
Steps of IR.
• Preparation
• Skills, procedures, logs, tools, forms, policies, checklists, etc.
• Detection (Identification) & Analysis
• Based on best practice, research and lessons learned
• Containment
• Eradication
• Remediation
• Post-Incident Activities (Lessons Learned)
• What were they doing?
• Where did they go?
• What backdoors have they left?
• Develop attack signatures.
What to look for
• Look for abnormalities
• Performance issues, off-peak activity
• Clients being redirected elsewhere.
• Example indicators
• New accounts, new directories, new files in the web root, file system changes, crashes, unusual
system usage patterns
• Example sources
• Access log, IDS, IPS, firewall, system log, suspicious traffic
• Potential issues (obstacles when collecting evidence)
• File/folder encryption
• BIOS password protection
• Whole-disk encryption / risk
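"New files in the web root" and "file system changes" only become a concrete indicator if a known-good snapshot exists to compare against. The script below is an added example for this page (not the author's tooling): it fingerprints every file under a web root with SHA-256, takes a second snapshot later, and lists what was added, modified or deleted. The web root, its files and the simulated post-breach changes in demo() are constructed for the demonstration.

```python
"""File-system baseline for a web root: snapshot every file's SHA-256
before an incident, snapshot again afterwards, and report what was added,
modified or deleted.

Added example for this page; not the author's tooling. The web root, its
files and the simulated attacker changes in demo() are constructed.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def build_baseline(root: str) -> dict:
    """Map each path under root (relative, POSIX form) to a fingerprint.

    Regular files get their SHA-256. Symlinks get their target string rather
    than the target's content, so a swapped link shows up as a modification
    and a link pointing outside the web root is never silently hashed.
    """
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):   # os.walk does not follow dir symlinks
        for name in files:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            if full.is_symlink():
                baseline[rel] = "symlink:" + os.readlink(full)
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            baseline[rel] = h.hexdigest()
    return baseline


def diff_baseline(before: dict, after: dict) -> dict:
    """Classify every path as added, modified or deleted between two snapshots."""
    old, new = set(before), set(after)
    return {
        "added": sorted(new - old),
        "modified": sorted(p for p in old & new if before[p] != after[p]),
        "deleted": sorted(old - new),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small web root, then change it the way a
    web compromise typically does (dropped script, edited index, removed file)."""
    with tempfile.TemporaryDirectory() as root:
        site = Path(root)
        (site / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (site / "uploads").mkdir()
        (site / "uploads" / "avatar.png").write_bytes(b"\x89PNG\r\n\x1a\n")
        before = build_baseline(root)

        # Simulated post-breach state (constructed placeholders, no real payload)
        (site / "uploads" / "cache.php").write_text("<?php /* attacker-dropped file */ ?>\n")
        (site / "index.php").write_text("<?php /* redirect injected here */ ?>\n")
        (site / "uploads" / "avatar.png").unlink()
        after = build_baseline(root)
        return diff_baseline(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two practical caveats: keep the baseline off the host (or at least signed), because an attacker who can write to the web root can also rewrite a baseline stored beside it; and compare content hashes rather than mtimes, since a timestamp is trivially reset with `touch`. Run it from a scheduled job and ship the diff to the log server so the change shows up before someone notices the redirect.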
Before Breach
Source:: http://jokideo.com/wp-content/uploads/2013/03/Funny-cat-Come-on-birdy.jpg
Centralized Log Diagram
Source:: http://www.sysadmin.in.th/course/LogFiles/Centralized_Logs_Server_by_SysAdmin.jpg
# whereis logs
• Device Log
• Server Log
• Application Log
# ls /var/log/
• web_server/{access.log,error.log}
• audit/audit.log
• syslog
• openvpn.log
# cat /var/log/apache2/access.log
# cat /var/log/syslog
Devices
• Firewall
• IDS/IPS
• Next Generation Firewall
• Mail Gateway
• Etc.
Centralized Log
• syslog-ng / rsyslog
• Splunk
• Graylog2
• Logstash
• Scribe
Example of Splunk
SIEM (Security Information and Event Management)
• Arcsight
• Log Correlation Engine By Tenable
• Splunk
• OSSIM **
• Alienvault **
• LOGalyze **
• Etc.
Log Correlation Engine By Tenable
Source:: http://www.tenable.com/blog/log-correlation-engine-36-now-with-its-own-gui
Arcsight
Source:: http://blog.rootshell.be/2013/06/26/out-of-the-box-siem-never/
Arcsight Dashboard
Source:: http://www.observeit.com/images/content/features_siem14.jpg
False Positive
SQL Injection Case
• Alert: SQL Injection
• Attacker: source IP in China
• Log source: Web Application Firewall
SQL Injection Case
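The slides above point at access.log and syslog as the first places to look, and then show a WAF "SQL Injection" alert that turned out to be a false positive. The script below is an added example for this page (not the author's SOC tooling) that does both jobs over constructed log lines: it pulls out the indicators listed earlier (new accounts, off-peak activity, a script answering under an upload directory, injection probes that were not blocked) and then correlates a WAF alert with the web server's own access log to decide whether the request was blocked, reached the application, or merely tripped a keyword on benign text. All IPs, host names, log lines and alerts are constructed; BUSINESS_HOURS, UPLOAD_DIR and the SQLI_RE signature are assumptions to tune per environment.

```python
"""Triage of constructed web-server and syslog lines for the indicators the
slides list, plus correlation of a WAF alert against the access log.

Added example for this page, not the author's SOC tooling. Every log line,
IP address, host name and alert is constructed; BUSINESS_HOURS, UPLOAD_DIR
and SQLI_RE are assumptions to tune per environment.
"""
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx "combined" format: ip ident user [ts] "req" status size "ref" "ua"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?:\d+|-)(?: "[^"]*" "(?P<ua>[^"]*)")?'
)
# Traditional syslog line: "Mar 12 03:10:01 host prog[pid]: message"
SYSLOG_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$'
)
# Quote followed by OR/AND, UNION SELECT, or a trailing SQL comment (assumed signature)
SQLI_RE = re.compile(
    r"(['\"]\s*(or|and)\s+['\"\d])|(\bunion\b\s+(all\s+)?\bselect\b)|(--\s*$|#\s*$)", re.I
)
BUSINESS_HOURS = range(8, 20)   # assumption: 08:00-19:59 local time is normal activity
UPLOAD_DIR = "/uploads/"        # assumption: users may write here, scripts must not run here

ACCESS_LOG = [  # constructed lines
    '203.0.113.7 - - [12/Mar/2014:03:14:22 +0700] "POST /uploads/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [12/Mar/2014:10:02:10 +0700] "GET /products.php?id=1%27+OR+1%3D1-- HTTP/1.1" 403 211 "-" "sqlmap/1.0"',
    '198.51.100.4 - - [12/Mar/2014:10:02:11 +0700] "GET /news.php?id=1+UNION+SELECT+1,2,3 HTTP/1.1" 200 4100 "-" "sqlmap/1.0"',
    '192.0.2.9 - - [12/Mar/2014:11:15:00 +0700] "GET /search.php?q=select+your+plan HTTP/1.1" 200 3021 "-" "Mozilla/5.0"',
]
SYSLOG = [  # constructed lines
    "Mar 12 03:10:01 web01 useradd[2231]: new user: name=support, UID=1003, GID=1003, home=/home/support, shell=/bin/bash",
    "Mar 12 03:11:45 web01 sshd[2240]: Accepted password for support from 203.0.113.7 port 51122 ssh2",
    "Mar 12 09:00:01 web01 CRON[2300]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse_access(line):
    m = ACCESS_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    url = urlsplit(e.pop("target"))
    e["path"], e["query"] = url.path, unquote_plus(url.query)   # decode %27, '+' etc.
    return e


def parse_syslog(line):
    m = SYSLOG_RE.match(line)
    return m.groupdict() if m else None


def find_indicators(access_lines, syslog_lines):
    """Return (kind, detail) pairs for the abnormalities the slides call out."""
    hits = []
    for e in filter(None, map(parse_syslog, syslog_lines)):
        if e["prog"] == "useradd" and e["msg"].startswith("new user:"):
            hits.append(("new_account", e["msg"]))
    for e in filter(None, map(parse_access, access_lines)):
        if e["ts"].hour not in BUSINESS_HOURS:
            hits.append(("off_peak", f'{e["ip"]} {e["method"]} {e["path"]} at {e["ts"]:%H:%M}'))
        if e["path"].startswith(UPLOAD_DIR) and e["path"].endswith(".php") and e["status"] == 200:
            hits.append(("script_in_upload_dir", e["path"]))
        if SQLI_RE.search(e["query"]) and e["status"] < 400:
            hits.append(("sqli_not_blocked", f'{e["ip"]} {e["path"]}?{e["query"]}'))
    return hits


def triage_waf_alert(alert, access_lines, window_s=60):
    """Match a WAF alert (src_ip, path, ts) to the server's own access log entry."""
    for e in filter(None, map(parse_access, access_lines)):
        if e["ip"] != alert["src_ip"] or e["path"] != alert["path"]:
            continue
        if abs((e["ts"] - alert["ts"]).total_seconds()) > window_s:
            continue
        if e["status"] in (403, 406):
            return "blocked"                 # WAF stopped it: record it, no incident
        if SQLI_RE.search(e["query"]):
            return "investigate"             # real payload reached the application
        return "likely_false_positive"       # signature fired on benign text
    return "no_access_log_match"             # check log coverage and clock sync first


def demo():
    """Four constructed WAF alerts run against the constructed access log."""
    tz = timezone(timedelta(hours=7))

    def at(h, m, s):
        return datetime(2014, 3, 12, h, m, s, tzinfo=tz)

    alerts = {
        "blocked_probe": {"src_ip": "198.51.100.4", "path": "/products.php", "ts": at(10, 2, 10)},
        "union_that_got_through": {"src_ip": "198.51.100.4", "path": "/news.php", "ts": at(10, 2, 11)},
        "benign_keyword": {"src_ip": "192.0.2.9", "path": "/search.php", "ts": at(11, 15, 3)},
        "stale_alert": {"src_ip": "192.0.2.9", "path": "/search.php", "ts": at(13, 0, 0)},
    }
    return {name: triage_waf_alert(a, ACCESS_LOG) for name, a in alerts.items()}


if __name__ == "__main__":
    for hit in find_indicators(ACCESS_LOG, SYSLOG):
        print(hit)
    print(demo())
```

The correlation step is what turns "Alert: SQL Injection, Attacker: China" into a decision: a 403 in the server log means the WAF did its job and the event is closed with a note, a benign query string that merely contains the word "select" is a signature tuning task, and a UNION payload answered with 200 is the one that goes to a handler. A "no_access_log_match" result is itself a finding, usually a clock skew or a missing log source, and should be fixed before the alert is closed.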
After Breach
Source:: http://www.dumpaday.com/wp-content/uploads/2013/01/funny-cat-bath.jpg
Forensic
Forensic
• Containment
• Ensure that the system(s) and network are protected from further risk.
• Isolate the compromised system(s).
• Eradication
• How did they get in?
• Where did they go?
• What did they do?
• Remove the malware.
• Identify the vulnerability.
• Patch the vulnerability.
• Improve network and system countermeasures.
Recovery(Restore/Rebuild)
• Restore the service to its normal status
• System owners decide, based on advice from the
incident handling team - a business decision.
• Monitor the service after recovery
• Performance
• Anomalies
Lesson Learned
• Detailed incident report
• Communicate to others on the team
• Apply fixes in the environment
• Conduct a performance analysis of the overall incident and improve operations
• Do "not!!!!" blame people
• Review/rewrite policy
• Determine the cost of the incident
• Apply lessons learned to the entire organization
• Budget for, install, and maintain protection software
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Ramesh Iyer
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
James Anderson
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
Frank van Harmelen
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
Product School
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
Prayukth K V
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
g2nightmarescribd
 

Recently uploaded (20)

From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........Bits & Pixels using AI for Good.........
Bits & Pixels using AI for Good.........
 
Elevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object CalisthenicsElevating Tactical DDD Patterns Through Object Calisthenics
Elevating Tactical DDD Patterns Through Object Calisthenics
 
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdfFIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
FIDO Alliance Osaka Seminar: FIDO Security Aspects.pdf
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
Builder.ai Founder Sachin Dev Duggal's Strategic Approach to Create an Innova...
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*Neuro-symbolic is not enough, we need neuro-*semantic*
Neuro-symbolic is not enough, we need neuro-*semantic*
 
FIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdfFIDO Alliance Osaka Seminar: Overview.pdf
FIDO Alliance Osaka Seminar: Overview.pdf
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
Generating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using SmithyGenerating a custom Ruby SDK for your web service or Rails API using Smithy
Generating a custom Ruby SDK for your web service or Rails API using Smithy
 

Incident response before:after breach

  • 1. Incident Response Operation Before/After Hacked
    Sumedt Jitpukdebodin, Senior Security Researcher @ I-SECURE Co. Ltd.
    LPIC-1, NCLA, C|EHv6, eCPPT, eWPT, CompTIA Security+, IWSS, CPTE
  • 2. # whoami
    • Name: Sumedt Jitpukdebodin
    • Jobs: Security Consultant, Senior Security Researcher @ I-SECURE
    • Website: www.r00tsec.com, www.techsuii.com
    • Admin: @2600thailand, @OWASPThailand
    • Book: Network Security Book
    • Hobby: Writing, Hacking, Researching, Gaming, etc.
    • My articles: please search Google for my name.
  • 6. # id
    • Hacking is easy, defending is so f*cking hard.
    • Surfaces
      • 0day
      • Social Engineering
      • Etc.
  • 9. Definition
    • Event - activity that we monitor (log)
    • Incident - an event that causes damage
    • Incident Response (IR) - actions taken after an incident to understand it and take remedial action
  • 10. Top Priority for IR
    • Identify the problems
    • Fix the problems
    • Recover the system back to normal
  • 11. Step of IR
    Source: http://www.emrisk.com/sites/default/files/images/newsletters/Incident%20Response%20Cycle.png
  • 12. Step of IR (repeated on slides 13-17 as animation builds)
    • Preparation
      • Skills, procedures, logs, tools, forms, policies, checklists, etc.
    • Detection (Identification) & Analysis
      • From best practice, research and lessons learned
    • Containment
    • Eradication
    • Remediation
    • Post-Incident Activities (Lessons Learned)
      • What are they doing?
      • Where are they doing it?
      • What backdoors have they left?
      • Develop attack signatures
  • 18. What to look for (repeated on slides 19-21 as animation builds)
    • Look for abnormalities
      • Performance issues, off-peak activity
      • Some clients being redirected
    • Example indicators
      • New accounts, new directories, new files in the website, file system changes, crashes, unusual system usage patterns
    • Example sources
      • Access log, IDS, IPS, firewall, system log, suspicious traffic
    • Potential issues
      • File/folder encryption
      • BIOS password protection
      • Whole disk encryption / risk
  • 23. Centralized Log Diagram
    Source: http://www.sysadmin.in.th/course/LogFiles/Centralized_Logs_Server_by_SysAdmin.jpg
  • 24. # whereis logs
    • Device log
    • Server log
    • Application log
  • 25. # ls /var/log/
    • web_server/{access.log,error.log}
    • audit/audit.log
    • syslog
    • openvpn.log
  • 28. Devices
    • Firewall
    • IDS/IPS
    • Next Generation Firewall
    • Mail Gateway
    • Etc.
  • 29. Centralized Log
    • Syslog-ng (rsyslog)
    • Splunk
    • Graylog2
    • logstash
    • Scribe
  • 31. SIEM ("Security Information and Event Management")
    • Arcsight
    • Log Correlation Engine by Tenable
    • Splunk
    • OSSIM **
    • Alienvault **
    • LOGalyze **
    • Etc.
  • 32. Log Correlation Engine by Tenable
    Source: http://www.tenable.com/blog/log-correlation-engine-36-now-with-its-own-gui
  • 36. SQL Injection Case
    • Alert: SQL Injection
    • Attacker: China
    • Log from: Web Application Firewall
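As an added example (not from the talk), the kind of first-pass triage a responder can run over the web access log, one of the "Example sources" on the "What to look for" slide, looking for three of the listed indicators: SQL injection patterns like the WAF alert in this case, off-peak activity, and requests for files that are not part of the known site. The log lines, the baseline of known paths and the business-hours window are constructed assumptions.

```python
import re
from datetime import datetime
from urllib.parse import unquote

# Combined-log-format line: client IP, identd, user, timestamp, request, status, bytes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>.*?) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)$')

# Crude SQL injection signatures: a real WAF rule set is far richer, this shows the idea.
SQLI_RE = re.compile(r"union\s+select|'\s*or\s*'|\bsleep\s*\(|--\s*$|;\s*drop\b", re.I)
BUSINESS_HOURS = range(8, 18)   # assumption: 08:00-17:59 is normal activity for this site

def parse_line(line):
    """Return the interesting fields of one log line, or None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Decode percent-encoding first so an encoded payload still hits the signatures.
    rec["path"], _, rec["query"] = unquote(rec["target"]).partition("?")
    return rec

def indicators(rec, known_paths):
    """Name each 'What to look for' indicator that this record trips."""
    found = []
    if SQLI_RE.search(rec["path"]) or SQLI_RE.search(rec["query"]):
        found.append("sqli-pattern")        # maps to the WAF "SQL Injection" alert
    if rec["time"].hour not in BUSINESS_HOURS:
        found.append("off-peak")            # off-peak activity
    if rec["path"] not in known_paths:
        found.append("unknown-file")        # new file in the website / file system change
    return found

def triage(log_text, known_paths):
    """Return (ip, path, indicators) for every line that trips at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            ind = indicators(rec, known_paths)
            if ind:
                hits.append((rec["ip"], rec["path"], ind))
    return hits

# Constructed sample: RFC 5737 documentation addresses, not a real log or a real site.
KNOWN_PATHS = {"/index.php", "/about.html", "/css/site.css"}
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2015:09:14:02 +0700] "GET /index.php?id=5 HTTP/1.1" 200 5120
203.0.113.7 - - [12/Mar/2015:09:14:09 +0700] "GET /index.php?id=5'%20OR%20'1'='1 HTTP/1.1" 200 9130
198.51.100.23 - - [12/Mar/2015:03:22:41 +0700] "GET /index.php?id=1%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 500 311
198.51.100.23 - - [12/Mar/2015:03:23:05 +0700] "POST /images/upload.php HTTP/1.1" 200 48
192.0.2.10 - - [12/Mar/2015:14:02:13 +0700] "GET /about.html HTTP/1.1" 200 2210
"""

if __name__ == "__main__":
    for ip, path, ind in triage(SAMPLE_LOG, KNOWN_PATHS):
        print(f"{ip:15} {path:20} {', '.join(ind)}")
```

A hit on "unknown-file" is only as good as the baseline, so refresh the known-path set from the deployed site tree rather than from the log itself.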
  • 40. Forensic (repeated on slide 41 as an animation build)
    • Containment
      • Ensure that the system(s) and network are protected from further risk
      • Isolate the compromised system(s)
    • Eradication
      • How they got in
      • Where they went
      • What they did
      • Removal of malware
      • Patching the vulnerability
      • Identifying the vulnerability
      • Improving network and system countermeasures
  • 42. Recovery (Restore/Rebuild)
    • Restore the service to its normal status
    • System owners decide based on advice from the incident handling team - a business decision
    • Monitor the service after recovery
      • Performance
      • Anomalies
  • 43. Lessons Learned
    • Detailed incident report
    • Communicate to others on the team
    • Apply fixes in the environment
    • Conduct a performance analysis of the overall incident and improve operations
    • "Not!!!!" blaming people
    • Review/rewrite policy
    • Determine the cost of the incident
    • Apply lessons learned to the entire entity
    • Budget for, install, and maintain protection software