Uploaded bywremes
2,452 views

Build Your Own Incident Response

The document discusses building an incident response program and timeline. It recommends having the right people, management support, a documented incident response process, supporting technology like logging and network segmentation, and ongoing training and testing. It also identifies different roles involved in incident response, such as IT personnel, management, law enforcement and press. The overall message is that organizations need to prepare and plan their incident response capabilities in advance through people, processes, technology and training in order to effectively respond when an incident occurs.

Embed presentation

Downloaded 13 times
BYO-IR Build your own ‘incident response’ Wim Remes - (ISC)2 - IOActive
--------RISK--------- COMPANY
IF VS. WHEN
Wim Remes - wim.remes@ioactive.co.uk A B C D E F G compromise detected attack occured window of compromise THE IR TIMELINE(reality) PANIC!!!
Wim Remes - wim.remes@ioactive.co.uk A B C D E F G compromise detected attack occured window of compromise response THE IR TIMELINE(for the pathological optimist)
Wim Remes - wim.remes@ioactive.co.uk A B C D E F G compromise detected attack occured window of compromise response THE IR TIMELINE(how it should be)
Wim Remes - wim.remes@ioactive.co.uk A B C D E F G compromise detected attack occured window of compromise response THE IR TIMELINE(for the pathological liar)
WHO’S WHO? Executive Management IT Management IT Personnel Wim Remes - wim.remes@ioactive.co.uk
WHO’S WHO? Customers/Clients Law Enforcement Press/Media “The Angry Mob” (Y U USE MD5?) Wim Remes - wim.remes@ioactive.co.uk
IT Personnel Customers/Clients WHO’S WHO? Wim Remes - wim.remes@ioactive.co.uk
Wim Remes - wim.remes@ioactive.co.uk
IR SHOPPING LIST a. Awesome people! b. Management Support (no kidding) c. IR Process + RACI d. Supporting Technology e. Training & Test Drives Wim Remes - wim.remes@ioactive.co.uk
AWESOME PEOPLE (Without me, you are just aweso) Wim Remes - wim.remes@ioactive.co.uk
AWESOME PEOPLE (you already have them) Wim Remes - wim.remes@ioactive.co.uk
MANAGEMENT SUPPORT Wim Remes - wim.remes@ioactive.co.uk
IR PROCESS PREPARE DETECT ANALYZE CONTAIN RECOVER POST MORTEM
Wim Remes - wim.remes@ioactive.co.uk C,I A R C,I R,A C,I R C,I A External Communications Initiate IR Process Collect Evidence IR RACI
TECHNOLOGY because you don’t go to war in a speedo ...
TECHNOLOGY (it’s pretty basic really ...) a. Segment your network !! b. Use PGP (and train your people to use it) c. Log everything you could possibly need d. Full network captures are helpful! e. How far can you take FOSS? f. Complement with commercial products. g. Train, train, train, train, train, train,... (some demos) Wim Remes - wim.remes@ioactive.co.uk
TRAINING & TEST Wim Remes - wim.remes@ioactive.co.uk
In a real war you don’t fight soldiers with cleaning ladies, you fight with soldiers. In a cyberwar, you fight hackers with hackers.“ ”Thank you Wim Remes - wim.remes@ioactive.co.uk

More Related Content

KEY
Morph V3.1
byg2ixOne
 
PPTX
Intro to Malware Analysis
bywremes
 
ODP
Open Source Security
bywremes
 
PDF
Distributed Denial Of Service Introduction
bywremes
 
PDF
SIEM brown-bag presentation
bywremes
 
PDF
Crème Brulée :-)
bywremes
 
PPSX
Ahmed Anver Manatunga
byAhmed Anver Manatunga
 
PDF
Vinnes jayson koken
bywremes
 
Morph V3.1
byg2ixOne
 
Intro to Malware Analysis
bywremes
 
Open Source Security
bywremes
 
Distributed Denial Of Service Introduction
bywremes
 
SIEM brown-bag presentation
bywremes
 
Crème Brulée :-)
bywremes
 
Ahmed Anver Manatunga
byAhmed Anver Manatunga
 
Vinnes jayson koken
bywremes
 

Similar to Build Your Own Incident Response

PDF
Luncheon 2016-07-16 - Topic 1 - Incident Response Things I wish I Had Known ...
byNorth Texas Chapter of the ISSA
 
PPTX
Cybersecurity Crisis Management Introduction
byNaor Penso
 
PDF
AusCERT 2023 - Non-linear, decentralised and multi-stakeholder incident respo...
byPukhraj Singh
 
PPTX
chapter on Incident Response Management.
bySuhail Qadir Mir
 
PPTX
Ch2-Incident Response Process.pptxIncident Response Process
bySuhail Qadir Mir
 
PDF
Ch5-Incident Response Management.pdfncident Response Management.
bySuhail Qadir Mir
 
PPTX
"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin
byAnton Chuvakin
 
PDF
Sans survey - maturing - specializing-incident-response-capabilities-needed-p...
byCMR WORLD TECH
 
PPTX
How to Build a Successful Incident Response Program
byResilient Systems
 
PDF
Incident response before:after breach
bySumedt Jitpukdebodin
 
PDF
Incident Response: Don't Mess It Up, Here's How To Get It Right
byResilient Systems
 
PPTX
Incident_Response_for_Management_Presentation.pptx
byssuser2a8bb7
 
PPTX
Building & Updating an Incident Response Plan - Jason Smith Session - 2018 Ch...
byInternetwork Engineering (IE)
 
PPTX
By Popular Demand: Co3's Latest and Greatest Features
byResilient Systems
 
PPTX
Tying cyber attacks to business processes, for faster mitigation
byMaytal Levi
 
PPTX
Zero Day Response: Strategies for the Security Innovation in Corporate Defens...
byAnton Chuvakin
 
PDF
Incident Response: How To Prepare
byResilient Systems
 
PDF
Cisco Connect Vancouver 2017 - Embedding IR into the DNA of the business
byCisco Canada
 
PDF
Spo2 w23 a
bySelectedPresentations
 
PDF
CNIT 121: 2 IR Management Handbook
bySam Bowne
 
Luncheon 2016-07-16 - Topic 1 - Incident Response Things I wish I Had Known ...
byNorth Texas Chapter of the ISSA
 
Cybersecurity Crisis Management Introduction
byNaor Penso
 
AusCERT 2023 - Non-linear, decentralised and multi-stakeholder incident respo...
byPukhraj Singh
 
chapter on Incident Response Management.
bySuhail Qadir Mir
 
Ch2-Incident Response Process.pptxIncident Response Process
bySuhail Qadir Mir
 
Ch5-Incident Response Management.pdfncident Response Management.
bySuhail Qadir Mir
 
"You Got That SIEM. Now What Do You Do?"  by Dr. Anton Chuvakin
byAnton Chuvakin
 
Sans survey - maturing - specializing-incident-response-capabilities-needed-p...
byCMR WORLD TECH
 
How to Build a Successful Incident Response Program
byResilient Systems
 
Incident response before:after breach
bySumedt Jitpukdebodin
 
Incident Response: Don't Mess It Up, Here's How To Get It Right
byResilient Systems
 
Incident_Response_for_Management_Presentation.pptx
byssuser2a8bb7
 
Building & Updating an Incident Response Plan - Jason Smith Session - 2018 Ch...
byInternetwork Engineering (IE)
 
By Popular Demand: Co3's Latest and Greatest Features
byResilient Systems
 
Tying cyber attacks to business processes, for faster mitigation
byMaytal Levi
 
Zero Day Response: Strategies for the Security Innovation in Corporate Defens...
byAnton Chuvakin
 
Incident Response: How To Prepare
byResilient Systems
 
Cisco Connect Vancouver 2017 - Embedding IR into the DNA of the business
byCisco Canada
 
Spo2 w23 a
bySelectedPresentations
 
CNIT 121: 2 IR Management Handbook
bySam Bowne
 

More from wremes

PPT
Brucon presentation
bywremes
 
ODP
Pareto chart using Openoffice.org
bywremes
 
DOCX
Secure Abu Dhabi talk
bywremes
 
PDF
SOPA 4 dummies
bywremes
 
PDF
Fosdem10
bywremes
 
PDF
Collaborate, Innovate, Secure
bywremes
 
PDF
OSSEC @ ISSA Jan 21st 2010
bywremes
 
PDF
Ossec Lightning
bywremes
 
PDF
10 things we're doing wrong with SIEM
bywremes
 
PDF
Data Driven Infosec Services
bywremes
 
PDF
And suddenly I see ... IDC IT Security Brussels 2011
bywremes
 
PDF
In the land of the blind the squinter rules
bywremes
 
PDF
Blackhat Workshop
bywremes
 
PDF
Teaser
bywremes
 
Brucon presentation
bywremes
 
Pareto chart using Openoffice.org
bywremes
 
Secure Abu Dhabi talk
bywremes
 
SOPA 4 dummies
bywremes
 
Fosdem10
bywremes
 
Collaborate, Innovate, Secure
bywremes
 
OSSEC @ ISSA Jan 21st 2010
bywremes
 
Ossec Lightning
bywremes
 
10 things we're doing wrong with SIEM
bywremes
 
Data Driven Infosec Services
bywremes
 
And suddenly I see ... IDC IT Security Brussels 2011
bywremes
 
In the land of the blind the squinter rules
bywremes
 
Blackhat Workshop
bywremes
 
Teaser
bywremes
 

Recently uploaded

PDF
How to Evaluate a High Performance Database
byScyllaDB
 
PDF
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
PDF
CompTIA Cybersecurity Analyst (CySA+) CS0-003: Unit 5
byVICTOR MAESTRE RAMIREZ
 
PPTX
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
PDF
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
API-First Architecture in Financial Systems
bycyy111112
 
PPTX
MGw_MRS Benfits seu beficios de redes 4g
byJoaquimBarros18
 
PDF
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
PPTX
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
PPTX
How to make Ai agents using Google Gemini AI.pptx
bypkluffy111
 
PDF
WHITE PAPER_ Ransomware Payment Policy and Resilience Strategy_ A Framework f...
byssuser0d171c
 
PDF
HCSP-Presales-Campus Network Planning and Design V2.0
byVeronica916344
 
PDF
Exam Prep Plan Overview: Amazon Web Services (AWS) Certified
byVICTOR MAESTRE RAMIREZ
 
PPTX
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
PDF
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
PPTX
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
PDF
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PDF
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
PPTX
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
DOCX
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 
How to Evaluate a High Performance Database
byScyllaDB
 
10 Things AI-First Apps Do Differently by iProgrammer Solutions
byiProgrammer Solutions Private Limited
 
CompTIA Cybersecurity Analyst (CySA+) CS0-003: Unit 5
byVICTOR MAESTRE RAMIREZ
 
Building Cyber Resilience for 2026: Best Practices for a Secure, AI-Driven Bu...
byYasir Naveed Riaz
 
Day 5 - Red Team + Blue Team in the Cloud - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
API-First Architecture in Financial Systems
bycyy111112
 
MGw_MRS Benfits seu beficios de redes 4g
byJoaquimBarros18
 
DevFest El Jadida 2025 - Product Thinking
byElmehdi AMLOU
 
Gemini vs ChatGPT : Comparing Top AI Models
byDigicarrom
 
How to make Ai agents using Google Gemini AI.pptx
bypkluffy111
 
WHITE PAPER_ Ransomware Payment Policy and Resilience Strategy_ A Framework f...
byssuser0d171c
 
HCSP-Presales-Campus Network Planning and Design V2.0
byVeronica916344
 
Exam Prep Plan Overview: Amazon Web Services (AWS) Certified
byVICTOR MAESTRE RAMIREZ
 
From Backup to Resilience: How MSPs Are Preparing for 2026
byMSP360
 
Internet_of_Things_IoT_for_Next_Generation_Smart_Systems_Utilizing.pdf
byRoshanSyed12
 
Software Analysis &Design ethiopia chap-2.pptx
byAbbas484771
 
Day 4 - Access, Deployments, and Monitoring - 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
Lab 1.5 - Sharing Secrets with GPG ~ 2nd Sight Lab Cloud Security Class
by2nd Sight Lab
 
wob-report.pptxwob-report.pptxwob-report.pptx
byssuser0d171c
 
iRobot Post‑Mortem and Alternative Paths - Discussion Document for Boards and...
byDave Litwiller
 

Build Your Own Incident Response

  • 1.
    BYO-IR Build your own‘incident response’ Wim Remes - (ISC)2 - IOActive
  • 2.
  • 3.
  • 4.
    Wim Remes -wim.remes@ioactive.co.uk A B C D E F G compromise detected attack occured window of compromise THE IR TIMELINE(reality) PANIC!!!
  • 5.
    Wim Remes -wim.remes@ioactive.co.uk A B C D E F G compromise detected attack occured window of compromise response THE IR TIMELINE(for the pathological optimist)
  • 6.
    Wim Remes -wim.remes@ioactive.co.uk A B C D E F G compromise detected attack occured window of compromise response THE IR TIMELINE(how it should be)
  • 7.
    Wim Remes -wim.remes@ioactive.co.uk A B C D E F G compromise detected attack occured window of compromise response THE IR TIMELINE(for the pathological liar)
  • 8.
    WHO’S WHO? Executive Management ITManagement IT Personnel Wim Remes - wim.remes@ioactive.co.uk
  • 9.
    WHO’S WHO? Customers/Clients Law EnforcementPress/Media “The Angry Mob” (Y U USE MD5?) Wim Remes - wim.remes@ioactive.co.uk
  • 10.
    IT Personnel Customers/Clients WHO’S WHO? WimRemes - wim.remes@ioactive.co.uk
  • 11.
    Wim Remes -wim.remes@ioactive.co.uk
  • 12.
    IR SHOPPING LIST a.Awesome people! b. Management Support (no kidding) c. IR Process + RACI d. Supporting Technology e. Training & Test Drives Wim Remes - wim.remes@ioactive.co.uk
  • 13.
    AWESOME PEOPLE (Without me,you are just aweso) Wim Remes - wim.remes@ioactive.co.uk
  • 14.
    AWESOME PEOPLE (you alreadyhave them) Wim Remes - wim.remes@ioactive.co.uk
  • 15.
    MANAGEMENT SUPPORT Wim Remes -wim.remes@ioactive.co.uk
  • 16.
    IR PROCESS PREPARE DETECTANALYZE CONTAIN RECOVER POST MORTEM
  • 17.
    Wim Remes -wim.remes@ioactive.co.uk C,I A R C,I R,A C,I R C,I A External Communications Initiate IR Process Collect Evidence IR RACI
  • 18.
    TECHNOLOGY because you don’tgo to war in a speedo ...
  • 19.
    TECHNOLOGY (it’s pretty basicreally ...) a. Segment your network !! b. Use PGP (and train your people to use it) c. Log everything you could possibly need d. Full network captures are helpful! e. How far can you take FOSS? f. Complement with commercial products. g. Train, train, train, train, train, train,... (some demos) Wim Remes - wim.remes@ioactive.co.uk
  • 20.
    TRAINING & TEST WimRemes - wim.remes@ioactive.co.uk
  • 21.
    In a realwar you don’t fight soldiers with cleaning ladies, you fight with soldiers. In a cyberwar, you fight hackers with hackers.“ ”Thank you Wim Remes - wim.remes@ioactive.co.uk