CISO Conversant Group… · Look at event logs eventvwr Examine network configuration arp...


Post on 30-Apr-2020


TRANSCRIPT

Page 1: CISO Conversant Group… · Look at event logs eventvwr Examine network configuration arp -a, netstat -nr List network connections and related details netstat -nao, netstat -vb, net

Page 2:

Page 3:

CISO

Conversant Group

Page 4: SETTING EXPECTATIONS

• The OODA Loop
• The Incident Response Process
• Sources & Resources
• Key Takeaways

• Deck Provided
• Some Slides are Lists
• != Every Tool Available

Page 5:

Page 6:

Source: https://en.wikipedia.org/wiki/John_Boyd_(military_strategist)

[Diagram: OODA loop (Observe, Orient, Decide, Act)]

• USAF Fighter Pilot in Korean War
• Processing and Reacting to an Adversary
• Feed-Forward Loop
• Iterative

Page 7:

Source: https://en.wikipedia.org/wiki/John_Boyd_(military_strategist)

Page 8: OBSERVE

Source: https://en.wikipedia.org/wiki/OODA_loop

• External Information
• Changing Circumstances
• Your Process
• The Enemy’s Reaction

OUTCOME: What Is Our SITUATION?

Page 9: ORIENT

Source: https://en.wikipedia.org/wiki/OODA_loop

• New Information
• Culture
• Experience
• Lessons Learned
• Your Own Predilections
• Analyze & Synthesize

OUTCOME: What Are Our OPTIONS?

Page 10: DECIDE

Source: https://en.wikipedia.org/wiki/OODA_loop

• Build a Hypothesis
• Work Your Script (‘Guidance & Control’)
  – Policies / Procedures
  – BIA/RA/ERP/BCP/DRP
  – IR Plan
• Make a Decision

OUTCOME: What Is Our Best ACTION Now?

Page 11: ACT

Source: https://en.wikipedia.org/wiki/OODA_loop

• Carry Out Your Hypothesis
• Work Within Your ‘Guidance’
• “Some action NOW is usually better than the perfect action later”
• Like Agile development

OUTCOME: Execute Our RESPONSE

Page 12:

[Diagram: OODA loop (Observe, Orient, Decide, Act)]

John Boyd: “Get inside your adversaries' OODA loop to disorient them.”

Page 13:

• Situational Awareness: Observe, Orient, Decide, then ACT
• Accounts for our experience, predispositions, and what the bad guys are doing
• Feed-Forward Loop: Iterative & “agile” – short ‘sprints’
• Works within your guidance (e.g., IR Plan)
• Disrupt the Enemy’s OODA Loop

Page 14:

Page 15:

[Diagram: IR process phases: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned]

Page 16:

[Diagram: IR process phases: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned]

Page 17:

[Diagram: IR process phases: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned]

Page 18: Preparation

[Diagram: IR phase strip with Preparation highlighted; OODA quadrants OBSERVE / ORIENT / DECIDE / ACT around the phase]

• IR Plan
• Checklists
• Jump Bag

• Asset Inventory (Open-AudIT)
• Business Impact Analysis
• Risk Assessment
• Identify IRT Members

• Policies
• OOB Communications (ProtonMail, Zoom, WhatsApp)
• Use Cases

• Documentation
• Processes
• Tools & Equipment
• IRT Members
• Training
• Risk Appetite

• Processes
• Training & Tabletops
• Ticketing System (The Hive Project)
• Call Trees

“The thing (check)lists solve for - the beast they tame - is complexity.” – Adam Savage

Page 19:

By Atul Gawande

Page 20: Identification

[Diagram: IR phase strip with Identification highlighted; OODA quadrants OBSERVE / ORIENT / DECIDE / ACT around the phase; SECURITY EVENT vs. SECURITY INCIDENT; inputs: BIA, RA, RISK APPETITE]

• Monitor
• Detect
• Triage
• Classify
• IRT Activation Criterion

• Incident Response Plan
• Notes (Hard & Soft)
• Hot Washes

• SIEM (Security Onion)
• AV (ClamAV, Barkly)
• Logging (Kiwi)
• Honeypot (Honeyd)
• Ticketing (The Hive Project)
• IRT Communication (ProtonMail, WhatsApp, Zoom)

• Asset Inv (Open-AudIT)
• Vuln Scan (BURP, OpenVAS, Maltego)
• Packet Analysis (Wireshark)

“Prevention is great, but detection is a must.” – Dr Eric Cole

Page 21:

Microsoft Windows [Version 10.0.16299.1087]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\Users\youruid>

Page 22:

Look at event logs: eventvwr
Examine network configuration: arp -a, netstat -nr
List network connections and related details: netstat -nao, netstat -vb, net session, net use
List users and groups: lusrmgr, net users, net localgroup administrators, net group administrators
Look at scheduled jobs: schtasks
Look at auto-start programs: msconfig
List processes: taskmgr, wmic process list full
List services: net start, tasklist /svc
Check DNS settings and the hosts file: ipconfig /all, more %SystemRoot%\System32\Drivers\etc\hosts, ipconfig /displaydns
Verify integrity of OS files (affects lots of files!): sigverif
Research recently-modified files (affects lots of files!): dir /a/o-d/p %SystemRoot%\System32

Avoid using Windows Explorer, as it modifies useful file system details; use the command line.

Do not forget PowerShell!

Source: https://zeltser.com/security-incident-survey-cheat-sheet/

Page 23:

Look at event log files in directories (locations vary): /var/log/, /var/adm/, /var/spool/
List recent security events: wtmp, who, last, lastlog
Examine network configuration: arp -an, route print
List network connections and related details: netstat -nap (Linux), netstat -na (Solaris), lsof -i
List users: more /etc/passwd
Look at scheduled jobs: more /etc/crontab, ls /etc/cron.*, ls /var/at/jobs
Check DNS settings and the hosts file: more /etc/resolv.conf, more /etc/hosts
Verify integrity of installed packages (affects lots of files!): rpm -Va (Linux), pkgchk (Solaris)
Look at auto-start services: chkconfig --list (Linux), ls /etc/rc*.d (Solaris), smf (Solaris 10+)
List processes: ps aux (Linux, BSD), ps -ef (Solaris), lsof +L1
Find recently-modified files (affects lots of files!): ls -lat /, find / -mtime -2d -ls

Source: https://zeltser.com/security-incident-survey-cheat-sheet/
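A scripted form of the Linux survey above (the Windows table on the previous slide follows the same idea), added here as an example and not taken from the deck or from the Zeltser cheat sheet: every command's output goes to its own file in an evidence directory with a SHA-256 manifest, so the collection can be cited in chain-of-custody notes and checked later for tampering. It assumes a GNU/Linux userland; `cat` stands in for `more`, and `find -xdev -mtime -2` replaces the sheet's BSD-style `-mtime -2d`.

```sh
#!/bin/sh
# Added example: run the slide's Linux incident-survey commands and preserve
# their output with hashes. Read-only apart from the evidence directory.

# Hash one file with whatever SHA-256 tool is present (sha256sum, shasum, openssl).
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  else
    openssl dgst -sha256 "$1" | sed 's/^.*= //'
  fi
}

# run_survey_cmd DIR LABEL COMMAND [ARGS...]
# Records the command line, a UTC timestamp and the command's stdout+stderr in
# DIR/LABEL.txt, then appends the file's SHA-256 to DIR/MANIFEST.sha256.
# A missing tool or a non-zero exit is written into the file, not fatal, so one
# absent utility (rpm on a Debian host, say) does not abort the rest of the survey.
run_survey_cmd() {
  dir=$1; label=$2; shift 2
  out="$dir/$label.txt"
  {
    printf '# command: %s\n' "$*"
    printf '# collected: %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  } >"$out"
  if command -v "$1" >/dev/null 2>&1; then
    "$@" >>"$out" 2>&1 || printf '# exit status: %s\n' "$?" >>"$out"
  else
    printf '# %s: not available on this host\n' "$1" >>"$out"
  fi
  printf '%s  %s.txt\n' "$(hash_file "$out")" "$label" >>"$dir/MANIFEST.sha256"
}

# verify_manifest DIR: recompute every hash in the manifest; returns 1 if any
# evidence file no longer matches what was collected.
verify_manifest() {
  dir=$1; bad=0
  while read -r sum name; do
    [ "$(hash_file "$dir/$name")" = "$sum" ] || bad=1
  done <"$dir/MANIFEST.sha256"
  return "$bad"
}

# collect_linux_survey DIR: the slide's Linux checklist, in slide order.
collect_linux_survey() {
  dir=$1
  mkdir -p "$dir"
  run_survey_cmd "$dir" 01_last          last
  run_survey_cmd "$dir" 02_arp           arp -an
  run_survey_cmd "$dir" 03_netstat       netstat -nap
  run_survey_cmd "$dir" 04_lsof_network  lsof -i
  run_survey_cmd "$dir" 05_passwd        cat /etc/passwd
  run_survey_cmd "$dir" 06_crontab       cat /etc/crontab
  run_survey_cmd "$dir" 07_cron_dirs     ls -la /etc/cron.*
  run_survey_cmd "$dir" 08_resolv_conf   cat /etc/resolv.conf
  run_survey_cmd "$dir" 09_hosts         cat /etc/hosts
  run_survey_cmd "$dir" 10_rpm_verify    rpm -Va
  run_survey_cmd "$dir" 11_rc_dirs       ls -la /etc/rc*.d
  run_survey_cmd "$dir" 12_processes     ps aux
  run_survey_cmd "$dir" 13_lsof_deleted  lsof +L1
  run_survey_cmd "$dir" 14_recent_files  find / -xdev -mtime -2 -ls
  printf 'Survey written to %s (%s files, see MANIFEST.sha256)\n' \
    "$dir" "$(grep -c . "$dir/MANIFEST.sha256")"
}

# Usage:  sh survey.sh run /mnt/evidence/host01      (collect)
#         sh survey.sh verify /mnt/evidence/host01   (re-check hashes)
case "${1:-}" in
  run)    collect_linux_survey "${2:-./survey-$(date -u +%Y%m%dT%H%M%SZ)}" ;;
  verify) verify_manifest "$2" && echo "manifest OK" ;;
esac
```

Write the evidence directory to removable or network storage rather than the suspect disk, so the survey itself does not overwrite the recently-modified-file timeline it is collecting.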

Page 24:

Validate a person: "fred smith" "@company.com"; fred smith + email (or email address); fred smith + linkedin; fred smith site:linkedin.com
Restrict use to a specific file suffix: filetype: / ext:
Find metadata about a URL: info:URL
Find web pages with specific terms in the title: intitle:
Restrict results to a word in the URL: inurl:
Find pages that point to a specific URL: link:
Restrict results to that particular domain: site:

Source: Blue Team Handbook: Incident Response Edition

Page 25:

By Ben Clark

By Ben Clark & Alan J White

By Don Murdoch

Page 26: Containment

[Diagram: IR phase strip with Containment highlighted; OODA quadrants OBSERVE / ORIENT / DECIDE / ACT around the phase]

• Patch Management (PDQ Deploy)
• Communicate & Train
• Document
• Chain of Custody

• Threat Intelligence (Cisco Talos)
• IOCs
• Notes

• IRP
• Playbook(s)
• Policies
• Forensics

• Identify impacted system(s)
• Isolate
• Patch
• Communicate & Train
• Document

• Malware Analysis (REMnux)
• Forensics
  – SANS SIFT
  – Google GRR
  – VirusTotal, app.any.run

Page 27: Eradication

[Diagram: IR phase strip with Eradication highlighted; OODA quadrants OBSERVE / ORIENT / DECIDE / ACT around the phase]

• Forensics / Live Disk (Kali Live USB)
• AV (Clam AV / Barkly)

• Notes
• Asset Inventory (Open-AudIT)

• Notes
• IRP & Policies
• Playbook
• Email/Teleconference

• Eliminate the Root Cause
• Stabilize Environment for Recovery
• “Do No Harm”

• Logs (Kiwi)
• ‘Risk Register’

Page 28: Recovery

[Diagram: IR phase strip with Recovery highlighted; OODA quadrants OBSERVE / ORIENT / DECIDE / ACT around the phase]

• Data Recovery (Unitrends)
• Restore System(s)

• Checklists
• BIA
• BCP
• DRP

• Notes
• DRP
• BCP

• Restore Data
• Reestablish Systems
• Return to Normal Operations

• DRP
• BCP

Page 29: Lessons Learned

[Diagram: IR phase strip with Lessons Learned highlighted; OODA quadrants OBSERVE / ORIENT / DECIDE / ACT around the phase]

• Revise IR Plan
• Update IOCs
• New tools?
• Risk Assessment

• Notes
• Logs
• Meeting Minutes

• Consolidate Notes
• Identify Errors, Oversights, & Inefficiencies
• Improve the Process
• Reduce Risk

• Lessons Learned Meetings
• Software (CornerThought, LessonFlow)

Page 30:

• There is not always a clear line between an event & an incident
• Use Checklists!
• References Help
• CLI … not cyber sexy, but really effective

Page 31:

Page 32:

[Matrix: OODA stages (rows OBSERVE, ORIENT, DECIDE, ACT) by IR phases (columns Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned); each line below is one cell, in extraction order]

• Asset Inventory • BIA • Risk Assessment • Select IRT Team
• IPS, IDS, SIEM, UBA • Anti-Virus (+NGAV) • Log / Vuln Analysis • Honeypot
• IOCs • Threat Intelligence
• Notes • Asset Inventory
• Checklists • BIA • BCP • DRP
• Hard copy notes • Logs
• Training/Books • Tabletops • Checklists • Ticketing
• Asset Inventory • Threat Intelligence • IOCs / News • Chg/Cfg Mgmt
• Forensics • ID Devices
• IOCs • Logs • Risk Register
• DRP • BCP
• LL meetings
• Policies • Use Cases • Email accounts • Teleconference
• IRP / Playbook(s) • Policies
• BIA • DRP • Meeting Minutes
• IR Plan • Jump Bag
• IRP • Notes (hard & soft) • Hot Washes
• Patch Mgmt • Comm & Train • Block IP / Sinkhole • Chain of Custody
• Kali Live Disk • AV/NGAV
• Data Recovery • Restore System(s)
• Revise IR Plan • Update IOCs • New tools? • Risk Assessment
• Email / Teleconference
• Hard Copy Notes • IRP • Playbook
• Triage • Categorization • Create Ticket

Page 33:

[Matrix: OODA stages (rows OBSERVE, ORIENT, DECIDE, ACT) by IR phases (columns Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned), tools edition; each line below is one cell, in extraction order]

• IRP • Open-AudIT
• Security Onion • Nagios Core • Kiwi • Honeyd
• REMnux • SANS SIFT • VirusTotal • app.any.run
• Open-AudIT • Risk Register
• Checklists • BIA • BCP • DRP
• Hard copy notes • Logs
• The Hive Project • Cisco Talos • Maltego / Burp • Wireshark • MX Toolbox
• IOCs • Playbook
• IOCs • Logs
• DRP • BCP
• LL meetings
• ProtonMail • WhatsApp • Zoom
• IRP • Playbook
• BIA • DRP
• Meeting Minutes
• Jump Bag • Checklists
• IRP • Notes (hard & electronic)
• PDQ Deploy • Comm & Train • Cisco OpenDNS • Sinkhole
• Clam AV / Barkly • Kali Live Disk
• Unitrends • Acronis
• Revise IR Plan • Update IOCs • New tools?
• Notes • Logs
• The Hive Project • Gmail • Zoom

Page 34:

6 Phases In The Incident Response Plan, David Ellis. https://www.securitymetrics.com/blog/6-phases-incident-response-plan

Awesome Incident Response Tools, awesome-incident-response GitHub repository. https://github.com/meirwah/awesome-incident-response

Best Incident Response Software, https://www.g2.com/categories/incident-response

Critical Log Review Checklist for Security Incidents, L. Zeltser & Dr. A. Chuvakin. https://zeltser.com/security-incident-log-review-checklist/

Good Practice Guide for Incident Management, ENISA. https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management

Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, NIST 800-84. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf

John Boyd (Wikipedia). https://en.wikipedia.org/wiki/John_Boyd_(military_strategist)

Incident Handling Annual Testing and Training, Kurtis Holland (SANS). https://www.sans.org/reading-room/whitepapers/incident/incident-handling-annual-testing-training-34565

Insider’s Guide to Incident Response, AT&T / AlienVault. https://www.alienvault.com/resource-center/ebook/insider-guide-to-incident-response

Page 35:

Meet ‘Bro’: The Best Kept Secret in Network Security, Greg Bell, July 14, 2018. https://www.darkreading.com/operations/meet-bro-the-best-kept-secret-of-network-security/a/d-id/1332028

Popular Computer Forensics Top 21 Tools, Infosec Institute. https://resources.infosecinstitute.com/computer-forensics-tools

Power to the Edge, Alberts and Hayes, 2003. http://www.dodccrp.org/files/Alberts_Power.pdf

The Beginner’s Guide to Open Source Incident Response Tools and Resources, James Fritz, Feb 21, 2017. https://www.alienvault.com/blogs/security-essentials/beginners-guide-to-open-source-incident-response-tools-and-resources

The OODA Loop (Wikipedia). https://en.wikipedia.org/wiki/OODA_loop

The Incident Handler’s Handbook, Patrick Kral, 2012. https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

Tips for Starting an Incident Response Team, Lenny Zeltser. https://zeltser.com/security-incident-response-program-tips/

Top 20 Free Digital Forensic Investigation Tools for SysAdmins, Andrew Tabona, Jul 20, 2018. https://techtalk.gfi.com/top-20-free-digital-forensic-investigation-tools-for-sysadmins/

Page 36:

Conversant Group Incident Response

https://www.conversantgroup.com/security/IR/

Page 37:

PREPARATION

IR Plans

NIST Computer Security Incident Handling Guide, SP 800-61r2, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Computer Security Incident Handling Guide (NIST 800-61), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Good Practice Guide for Incident Management, https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management

Insider’s Guide to Incident Response, https://www.alienvault.com/resource-center/ebook/insider-guide-to-incident-response

The Incident Handler’s Handbook, https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

Tips for Starting an Incident Response Team, https://zeltser.com/security-incident-response-program-tips/

Asset Management

Creator, https://www.zoho.com/creator/apps/it-asset-tracker.html

Open-AudIT, https://www.open-audit.org/

PDQ Inventory, https://www.pdq.com

Spiceworks, https://www.spiceworks.com/free-asset-management-software/

SysAid, https://www.capterra.com/p/107225/SysAid/

Page 38:

PREPARATION

Out-of-Band Communications

Secure Email

CounterMail, https://countermail.com/

Hushmail, https://www.hushmail.com/

ProtonMail, https://protonmail.com/

Mailfence, https://mailfence.com/

Teleconferencing

Google Hangouts, https://hangouts.google.com/

Zoom, https://zoom.us

Uber Conference, https://www.uberconference.com/

Texting

WhatsApp

Line

Viber

Signal

Page 39:

PREPARATION

Ticketing

The Hive Project, https://thehive-project.org/

Snipe-IT, https://snipeitapp.com/

Spiceworks, https://www.spiceworks.com/free-asset-management-software/

Use Cases

2018 Popular SIEM Starter Use Cases, https://securityboulevard.com/2018/07/2018-popular-siem-starter-use-cases/

Targeted SOC Use Cases for Effective Incident Detection and Response, https://digital-forensics.sans.org/media/Targeted-SOC-Use-Cases-for-effective-Incident-Detection-and-Response-Angelo-Perniola-David-Gray.pdf

Top 10 SIEM Use Cases to Implement, https://www.logpoint.com/en/understand/top-10-use-cases-implement/

Top 6 SIEM Use Cases, https://resources.infosecinstitute.com/top-6-seim-use-cases/

Page 40:

PREPARATION

Testing

Incident Handling Annual Testing and Training, https://www.sans.org/reading-room/whitepapers/incident/incident-handling-annual-testing-training-34565

Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, NIST 800-84. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf

Training

National Cyber Security Awareness Month (NCSAM)

Stay Safe Online, https://staysafeonline.org/ncsam/

DHS, https://www.dhs.gov/publication/national-cyber-security-awareness-month-resources

Cybrary, https://www.cybrary.it/

ICS CERT Virtual Learning, https://ics-cert-training.inl.gov/learn

SANS Cyber Aces, https://www.cyberaces.org/

TED Talks, https://www.springboard.com/blog/12-must-watch-cybersecurity-ted-talks/

Open Security Training, http://opensecuritytraining.info/Training.html

Open Cyber Challenge Platform, https://opencyberchallenge.net/

Page 41:

PREPARATION

Checklists

Incident Response Jumpkit Checklist

Critical Log Review Checklist for Security Incidents

Cheat Sheets

DDOS incident cheat sheet

Security-incident-questionnaire-cheat-sheet

Security-incident-survey-cheat-sheet

Forms

Incident Response Reporting Form

IR Chain of Evidence

Page 42:

IDENTIFICATION

Threat Intelligence

Hslatman’s Github: A curated list of Awesome Threat Intelligence Resources, https://github.com/hslatman/awesome-threat-intelligence

Cisco Talos, https://www.talosintelligence.com/

HoneyDB, https://riskdiscovery.com/honeydb/

Malware Domains, http://www.malwaredomains.com/

Talos Aspis, https://www.talosintelligence.com/aspis/

Threatfeeds.io, https://threatfeeds.io

Honeypots

GitHub list of Honeypots, https://github.com/paralax/awesome-honeypots

Honeyd, http://www.honeyd.org/

Valhala, https://sourceforge.net/projects/valhalahoneypot/

HoneyTrap, https://github.com/honeytrap/honeytrap

Page 43:

IDENTIFICATION

SIEM

Google Chronicle, https://chronicle.security/

Open Source SIEM, https://www.alienvault.com/products/ossim

OSSEC, https://ossec.github.io/

Suricata, https://suricata-ids.org/

Security Onion, https://securityonion.net/

SNORT, https://www.snort.org/

Notebooks

Post-It Easel Pads, (~$30)

Rocketbook Everlast Reusable Smart Notebook, (~$30)

[Images: Rocketbook page before and after processing (actual raw and processed images)]

Page 44:

Network Monitoring

Cacti, https://www.cacti.net/index.php

Icinga 2, https://icinga.com/products/icinga-2/

Nagios Core, https://www.nagios.org/projects/nagios-core/

Prometheus, https://prometheus.io/

Logs

Critical Log Review Checklist for Security Incidents, https://zeltser.com/security-incident-log-review-checklist/

Fluentd, https://www.fluentd.org/

Graylog, https://github.com/Graylog2/graylog2-server

LOGalyze, http://www.logalyze.com/

Logstash, https://www.elastic.co/products/logstash

LogWatch, https://logpacker.com/

Kiwi Syslog ($), https://www.solarwinds.com/kiwi-syslog-server

Page 45:

NTP

Google Public NTP, https://developers.google.com/time/

NIST Internet Time Servers, https://tf.nist.gov/tf-cgi/servers.cgi

NTP Pool Project, https://www.pool.ntp.org/zone/us

Time Tools, https://timetoolsltd.com/information/public-ntp-server/

US Navy NTP Network Time Servers, https://tycho.usno.navy.mil/NTP/

Vulnerability Scanner

Burp Suite (Community Edition), https://portswigger.net/burp/communitydownload

Nessus (Community), http://repository.slacky.eu/slackware-12.1/network/nessus/2.2.11/

OpenVAS, www.openvas.org/ (+ Seccubus, https://www.seccubus.com/)

OWASP ZAP, https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Page 46:

Forensics

CentralOps, https://centralops.net/co/

Google, https://google.com

Google GRR, https://grr-doc.readthedocs.io/en/v3.3.0/index.html

HPING, www.hping.org/

Maltego Classic, https://www.paterva.com/web7/buy/maltego-clients/maltego.php

MxToolbox Network Tools, https://mxtoolbox.com/NetworkTools.aspx

Masscan, https://github.com/robertdavidgraham/masscan

Nmap, https://nmap.org/

Open Source Intelligence (OSINT) Framework, https://osintframework.com/

SHODAN, https://www.shodan.io/

VirusTotal, virustotal.com; How to Generate MD5Sum Hash and Submit to VirusTotal, https://youtu.be/yNjyQ00-EfQ

Wireshark, https://www.wireshark.org/

Page 47:

Playbooks

How to build an incident response playbook, S. Williams-Shaw, Swimlane. https://swimlane.com/blog/incident-response-playbook/

The Société Générale Incident Response Methodologies, https://github.com/certsocietegenerale/IRM/tree/master/EN

Incident Response Consortium, https://www.incidentresponse.com/playbooks/

MITRE Cyber Exercise Playbook, https://www.mitre.org/sites/default/files/publications/pr_14-3929-cyber-exercise-playbook.pdf

CLI

ENISA Good Practice Guide, https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management (p. 68)

Command Line for Windows Forensics, https://resources.infosecinstitute.com/commandline-malware-and-forensics/

VM

Virtual Box, https://www.virtualbox.org/

VMware Workstation Player, https://www.vmware.com/products/workstation-player.htm

Page 48:

Forensics

App.any.run, https://app.any.run/

CAINE, http://www.caine-live.net/

Cuckoo Sandbox, https://cuckoosandbox.org/

FireEye FLARE VM, https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html

FTK Disk Imager Lite, https://accessdata.com/product-download/ftk-imager-lite-version-3.1.1

Ghidra, https://www.nsa.gov/resources/everyone/ghidra/

Hybrid Analysis, https://www.hybrid-analysis.com/

Mandiant Redline, https://www.fireeye.com/services/freeware/redline.html

Open Computer Forensics Architecture, http://sourceforge.net/projects/ocfa/

REMnux, https://remnux.org/; How to Dynamically Analyze Files Using Munin, https://youtu.be/2WyPK0RXGHE

SANS SIFT, https://digital-forensics.sans.org/community/downloads/

The Sleuth Kit, http://www.sleuthkit.org/ (+ Autopsy GUI, https://www.sleuthkit.org/autopsy/)

Windows Forensic Toolchest ($), http://www.foolmoon.net/security/wft/

Working Group on Digital Evidence, https://swgde.org/

Page 49:

Patch Management

ConnectWise Automate (formerly LabTech [$$]), http://www.labtechsoftware.com/

PDQ Deploy ($), https://www.pdq.com

DNS Sinkholes

Brakmic Malware Sinkhole List in github; https://github.com/brakmic/Sinkholes

Page 50:

Bootable ISOs (USB or DVD)

Bitdefender, http://download.bitdefender.com/rescue_cd/latest/

GMER, http://www.gmer.net/

Kali Linux Live, https://docs.kali.org/downloading/kali-linux-live-usb-install

Trend Micro Rescue Disk, https://www.trendmicro.com/en_us/forHome/products/free-tools/rescue-disk.html

Page 51:

Anti-Virus

Armadito Antivirus, https://armadito.com/

Avast Free Antivirus, https://www.tomsguide.com/us/avast-free-antivirus,review-2208.html

Barkly (AlertLogic [$$]), https://www.alertlogic.com/

Bitdefender Antivirus Free Edition, https://www.tomsguide.com/us/bitdefender-antivirus-free,review-3523.html

ClamAV, http://www.clamwin.com/

ClamWin, http://www.clamwin.com/

Microsoft Windows Defender, https://support.microsoft.com/en-us/help/14210/security-essentials-download

Open Antivirus Project, http://www.openantivirus.org/index.php

Page 52:

Business Impact Analysis

https://www.ready.gov/business-impact-analysis

Disaster Recovery Plan

https://www.ready.gov/business/implementation/IT

https://blogs.technet.microsoft.com/mspfe/2012/03/08/a-microsoft-word-document-template-for-disaster-recovery-planning/

https://education.alberta.ca/media/3272748/3-it-disaster-recovery-workbook-and-template.docx

https://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-453495.pdf

Business Continuity Plan

https://www.ready.gov/business/implementation/continuity

https://mema.maryland.gov/Documents/FEMA Small Business Continuity Plan Template.docx

https://www.bdc.ca/en/articles-tools/entrepreneur-toolkit/templates-business-guides/pages/business-continuity-guide-templates-entrepreneurs.aspx

Page 53:

Data Backup & Recovery

Acronis (BMR ($$)), https://www.acronis.com

BorgBackup, https://www.borgbackup.org/

UrBackup, https://www.urbackup.org/

Unitrends ($$$), https://www.unitrends.com/

Veeam, https://www.veeam.com/

Page 54:

6 Phases In The Incident Response Plan, David Ellis.https://www.securitymetrics.com/blog/6-phases-incident-response-plan

CornerThought ($?), https://www.lessonslearnedsolutions.com/

LessonFlow ($?), https://www.lessonslearnedsolutions.com/

Page 55:

Blue Team Handbook: Incident Response Edition: A condensed field guide for the Cyber Security Incident Responder, Don Murdoch. ISBN: 978-1500734756

Blue Team Handbook: SOC, SIEM, and Threat Hunting (V1.02): A Condensed Guide for the Security Operations Team and Threat Hunter, Don Murdoch. ISBN: 978-1091493896

The Blue Team Field Manual, Ben Clark & Alan J White. ISBN: 978-1541016361

The Checklist Manifesto, Atul Gawande. ISBN: 978-0312430009

The Red Team Field Manual, Ben Clark. ISBN: 978-1494295509

Computer Incident Response and Forensics Team Management, Leighton Johnson. ISBN: 978-1597499965

Crafting the InfoSec Playbook, Brandon Enright, Jeff Bollinger, and Matthew Valites. ISBN: 978-1491949405

Cybersecurity Incident Response, Eric C. Thompson. ISBN: 978-1484238691

Intelligence-Driven Incident Response, Scott J. Roberts. ISBN: 978-1491934944

Security Operations Center - SIEM Use Cases and Cyber Threat Intelligence, Arun E. Thomas. ISBN: 978-1986862011

The Practice of Network Security Monitoring, Richard Bejtlich. ISBN: 978-1593275099

Cybersecurity Canon, https://cybercanon.paloaltonetworks.com/

Page 56:

Page 57:

❑ Create your own IR Plan (BIA?)

❑ Setup alternate emails

❑ Setup alternate teleconference line

❑ Identify Key Firm Stakeholders

❑ Start Developing Use Cases

❑ Start Building your Jumpkit

❑ Find a Partner & Augment your Team

Page 58:

• Scheduled CSIRT Training

• Specific IR skill training

• Learn the RIGHT Tools

•Get the Right People on the Bus

•Develop IR Policies

•Continue to Build Skills

•Continuous Improvement

Page 59:

Page 60:

• The OODA Loop (Processing Adversary & Situation)
• The IR Process (Processes & Tools)
• Sources & Resources (Where You Go)
• Key Takeaways (Things You Should Be Doing)

Page 61:

Page 62:

sceniccitysummit.com/feedback