build your own incident response
Post on 26-May-2015
BYO-IR
Build your own ‘incident response’ - Wim Remes - (ISC)2 - IOActive
[Chart slide; recoverable labels: RISK, COMPANY, WHEN]
Wim Remes - wim.remes@ioactive.co.uk
THE IR TIMELINE (reality)
[Timeline A-G: attack occurred, window of compromise, compromise detected, PANIC!!!]

THE IR TIMELINE (for the pathological optimist)
[Timeline A-G: attack occurred, window of compromise, compromise detected, response]

THE IR TIMELINE (how it should be)
[Timeline A-G: attack occurred, window of compromise, compromise detected, response]

THE IR TIMELINE (for the pathological liar)
[Timeline A-G: attack occurred, window of compromise, compromise detected, response]
WHO’S WHO?
Executive Management
IT Management
IT Personnel

WHO’S WHO?
Customers/Clients
Law Enforcement
Press/Media
“The Angry Mob” (Y U USE MD5?)

WHO’S WHO?
IT Personnel
Customers/Clients
IR SHOPPING LIST
a. Awesome people!
b. Management Support (no kidding)
c. IR Process + RACI
d. Supporting Technology
e. Training & Test Drives
AWESOME PEOPLE (Without me, you are just aweso)
AWESOME PEOPLE (you already have them)
MANAGEMENT SUPPORT
IR PROCESS
PREPARE DETECT ANALYZE CONTAIN RECOVER POST MORTEM

IR RACI
(R = Responsible, A = Accountable, C = Consulted, I = Informed; the three role column headings did not survive extraction, and rows are paired with their labels in transcript order)
External Communications: C,I | A | R
Initiate IR Process: C,I | R,A | C,I
Collect Evidence: R | C,I | A
TECHNOLOGY
because you don’t go to war in a speedo ...

TECHNOLOGY (it’s pretty basic really ...)
a. Segment your network!!
b. Use PGP (and train your people to use it)
c. Log everything you could possibly need
d. Full network captures are helpful!
e. How far can you take FOSS?
f. Complement with commercial products.
g. Train, train, train, train, train, train, ...
(some demos)
TRAINING & TEST

“In a real war you don’t fight soldiers with cleaning ladies, you fight with soldiers. In a cyberwar, you fight hackers with hackers.”

Thank you