build your own incident response

Posted on 26-May-2015


DESCRIPTION

Presentation used at the (ISC)2 SecureMunich and SecureDusseldorf meetings.

TRANSCRIPT

BYO-IR

Build your own ‘incident response’

Wim Remes - (ISC)2 - IOActive

[Slide graphic: risk chart for the company; IF vs. WHEN]

Wim Remes - wim.remes@ioactive.co.uk

THE IR TIMELINE (reality)

[Timeline graphic, points A to G: attack occurred; window of compromise; compromise detected; PANIC!!!]


THE IR TIMELINE (for the pathological optimist)

[Timeline graphic, points A to G: attack occurred; window of compromise; compromise detected; response]


THE IR TIMELINE (how it should be)

[Timeline graphic, points A to G: attack occurred; window of compromise; compromise detected; response]


THE IR TIMELINE (for the pathological liar)

[Timeline graphic, points A to G: attack occurred; window of compromise; compromise detected; response]

WHO’S WHO?

Executive Management

IT Management

IT Personnel


WHO’S WHO?

Customers/Clients

Law Enforcement

Press/Media

“The Angry Mob” (Y U USE MD5?)


IR SHOPPING LIST

a. Awesome people!
b. Management Support (no kidding)
c. IR Process + RACI
d. Supporting Technology
e. Training & Test Drives


AWESOME PEOPLE (Without me, you are just aweso)


AWESOME PEOPLE (you already have them)


MANAGEMENT SUPPORT


IR PROCESS

PREPARE → DETECT → ANALYZE → CONTAIN → RECOVER → POST MORTEM


IR RACI

External Communications: C,I | A | R
Initiate IR Process: C,I | R,A | C,I
Collect Evidence: R | C,I | A

TECHNOLOGY

because you don’t go to war in a speedo ...

TECHNOLOGY (it’s pretty basic really ...)

a. Segment your network!!
b. Use PGP (and train your people to use it)
c. Log everything you could possibly need
d. Full network captures are helpful!
e. How far can you take FOSS?
f. Complement with commercial products.
g. Train, train, train, train, train, train, ...

(some demos)


TRAINING & TEST


“In a real war you don’t fight soldiers with cleaning ladies, you fight with soldiers. In a cyberwar, you fight hackers with hackers.”

Thank you
