Build Your Own Incident Response

BYO-IR

Build your own ‘incident response’Wim Remes - (ISC)2 - IOActive

--------RISK---------

COMPANY

IFVS.

WHEN

Wim Remes - [email protected]

A B C D E F G

compromise detected

attack occured

window of compromise

THE IR TIMELINE(reality)

PANIC!!!


A B C D E F G

compromise detected

attack occured

window of compromise response

THE IR TIMELINE(for the pathological optimist)


A B C D E F G

compromise detected

attack occuredwindow of compromise

response

THE IR TIMELINE(how it should be)


A B C D E F G

compromise detected

attack occured

window of compromise response

THE IR TIMELINE(for the pathological liar)

WHO’S WHO?

Executive Management

IT Management

IT Personnel


WHO’S WHO?

Customers/Clients

Law Enforcement Press/Media

“The Angry Mob”(Y U USE MD5?)


IT Personnel

Customers/Clients

WHO’S WHO?



IR SHOPPING LIST

a. Awesome people!b. Management Support (no kidding)c. IR Process + RACId. Supporting Technologye. Training & Test Drives


AWESOME PEOPLE(Without me, you are just aweso)


AWESOME PEOPLE(you already have them)


MANAGEMENT SUPPORT


IR PROCESS

PREPARE DETECT ANALYZE CONTAIN RECOVER

POST MORTEM


C,I A R

C,I R,A C,I

R C,I A

External Communications

Initiate IR Process

Collect Evidence

IR RACI

TECHNOLOGY

because you don’t go to war in a speedo ...

TECHNOLOGY(it’s pretty basic really ...)

a. Segment your network !! b. Use PGP (and train your people to use it)c. Log everything you could possibly needd. Full network captures are helpful!e. How far can you take FOSS?f. Complement with commercial products.g. Train, train, train, train, train, train,...

(some demos)


TRAINING & TEST


In a real war you don’t fight soldiers with cleaning ladies, you fight with soldiers. In acyberwar, you fight hackers with hackers.“

”Thank you
