TRANSCRIPT
#LegalSEC19
Incident Response With Modest Resources
How to Address an Event … without Creating One
SPEAKER
Shayne Champion
CISO, Conversant Group
Agenda
• The OODA Loop
• The Incident Response Process
• Key Takeaways
• Sources & Resources
SETTING EXPECTATIONS
• Deck Provided
• Some Slides are Lists
• != Every Tool Available
OODA LOOP
[Diagram: OBSERVE → ORIENT → DECIDE → ACT]
Source: https://en.wikipedia.org/wiki/John_Boyd_(military_strategist)
• USAF Fighter Pilot in Korean War
• Processing and Reacting to an Adversary
• Feed-Forward Loop
• Iterative
• “Get inside your adversaries' OODA loop to disorient them”
OODA LOOP
[Figure: Boyd's OODA loop diagram]
Source: https://en.wikipedia.org/wiki/John_Boyd_(military_strategist)#/media/File:OODA.Boyd.svg
OBSERVE
Source: https://en.wikipedia.org/wiki/OODA_loop
• External Information
• Changing Circumstances
• Your Process
• The Enemy’s Reaction
OUTCOME: What Is Happening Around Us?
ORIENT
Source: https://en.wikipedia.org/wiki/OODA_loop
• New Information
• Culture
• Experience
• Your Own Predilections
• Lessons Learned
• Analyze & Synthesize
OUTCOME: What Do We Need To Do NEXT?
DECIDE
Source: https://en.wikipedia.org/wiki/OODA_loop
• Build a Hypothesis
• Work Your Script (‘Guidance & Control’)
• Make a Decision
OUTCOME: How We Are Handling This
ACT
Source: https://en.wikipedia.org/wiki/OODA_loop
• Carry Out Your Hypothesis
• Work Within Your ‘Guidance’
• “Some action NOW is usually better than the perfect action later”
• Like Agile development
OUTCOME: Execute Our Plan
REVIEW: OODA LOOP
• Situational Awareness: Observe, Orient, Decide, then ACT
• Accounts for our experience, predispositions, and what the bad guys are doing
• Feed-Forward Loop: Iterative & “agile” – short ‘sprints’
• Works within the constraints of your guidance (e.g., IR Plan)
INCIDENT RESPONSE PROCESS
INCIDENT RESPONSE (IR) PROCESS
[Diagram, built up over several slides: Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned]
IR PROCESS: PREPARATION (OBSERVE / ORIENT / DECIDE / ACT)
• Asset Inventory (Open-AudIT)
• Identify IRT Members
• Policies
• OOB Communications (ProtonMail, Zoom, WhatsApp)
• Use Cases
• Processes & Training
• Ticketing System (The Hive Project)
• Call Trees
• IR Plan
• Checklists
• Jump Bag
• Documentation
• Processes
• Threshold
• IRT Members
• Training
• Tools & Equipment
PREPARATION: Great Reference
[Book cover] The Checklist Manifesto, by Atul Gawande
IR PROCESS: IDENTIFICATION (OBSERVE / ORIENT / DECIDE / ACT)
• SIEM (Security Onion)
• AV (ClamAV, Barkly)
• Logging (Kiwi)
• Honeypot (Honeyd)
• Ticketing (The Hive Project)
• IRT Communication (Gmail, Zoom)
• Asset Inv (Open-AudIT)
• Vuln Scan (BURP, OpenVAS, Maltego)
• Packet Analysis (Wireshark)
• Incident Response Plan
• Notes (Hard & Soft)
• Hot Washes
• Monitor
• Detect
• Triage
• Classify
• Activate IRT
“Prevention is great, but detection is a must.” – Dr Eric Cole
IDENTIFICATION: Secret (Cheap!) Weapon
[Screenshot of a Windows command prompt]
Microsoft Windows [Version 10.0.16299.1087]
(c) 2017 Microsoft Corporation. All rights reserved.
C:\Users\youruid>
IDENTIFICATION: Windows CLI
Look at event logs: eventvwr
Examine network configuration: arp -a, netstat -nr
List network connections and related details: netstat -nao, netstat -vb, net session, net use
List users and groups: lusrmgr, net users, net localgroup administrators, net group administrators
Look at scheduled jobs: schtasks
Look at auto-start programs: msconfig
List processes: taskmgr, wmic process list full
List services: net start, tasklist /svc
Check DNS settings and the hosts file: ipconfig /all, more %SystemRoot%\System32\Drivers\etc\hosts, ipconfig /displaydns
Verify integrity of OS files (affects lots of files!): sigverif
Research recently-modified files (affects lots of files!): dir /a/o-d/p %SystemRoot%\System32
Avoid using Windows Explorer, as it modifies useful file system details; use command-line.
Source: https://zeltser.com/security-incident-survey-cheat-sheet/
Do not forget PowerShell!
IDENTIFICATION: Linux CLI
Look at event log files in directories (locations vary): /var/log/, /var/adm/, /var/spool/
List recent security events: wtmp, who, last, lastlog
Examine network configuration: arp -an, route print
List network connections and related details: netstat -nap (Linux), netstat -na (Solaris), lsof -i
List users: more /etc/passwd
Look at scheduled jobs: more /etc/crontab, ls /etc/cron.*, ls /var/at/jobs
Check DNS settings and the hosts file: more /etc/resolv.conf, more /etc/hosts
Verify integrity of installed packages (affects lots of files!): rpm -Va (Linux), pkgchk (Solaris)
Look at auto-start services: chkconfig --list (Linux), ls /etc/rc*.d (Solaris), smf (Solaris 10+)
List processes: ps aux (Linux, BSD), ps -ef (Solaris), lsof +L1
Find recently-modified files (affects lots of files!): ls -lat /, find / -mtime -2d -ls
Source: https://zeltser.com/security-incident-survey-cheat-sheet/
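As an added example (not from the deck and not the cheat sheet author's code), a POSIX shell script that runs the Linux survey checklist above, saves each command's output to its own file in an evidence directory, and hashes every file into a SHA-256 manifest so the hard-copy notes and chain-of-custody form can point at fixed, verifiable output. The function names (run_check, survey, write_manifest, verify_manifest) are mine; interactive pagers ('more') are replaced with 'cat', and netstat/route/chkconfig are swapped for ss/ip/systemctl, with any command missing from the host logged as skipped rather than aborting the survey.

```shell
#!/bin/sh
# Constructed example: capture the Linux survey commands from the cheat sheet
# into one evidence directory (one file per check), then hash every file so
# the captured output can be referenced and verified later.

# run_check NAME CMD [ARGS...]: run one command, save stdout+stderr to $OUTDIR/NAME.txt
run_check() {
    name="$1"; shift
    if ! command -v "$1" >/dev/null 2>&1; then
        printf 'skipped %s (%s not installed)\n' "$name" "$1" >> "$OUTDIR/survey.log"
        return 0
    fi
    # Header records when and what was run, so each file is self-describing.
    printf '# %s\n# $ %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" > "$OUTDIR/$name.txt"
    "$@" >> "$OUTDIR/$name.txt" 2>&1 || printf '# exit status %s\n' "$?" >> "$OUTDIR/$name.txt"
    printf 'ok %s\n' "$name" >> "$OUTDIR/survey.log"
}

# survey OUTDIR [ROOT]: run the whole checklist; ROOT limits the recent-file search.
survey() {
    OUTDIR="${1:-survey-$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ)}"
    root="${2:-/}"
    mkdir -p "$OUTDIR" && : > "$OUTDIR/survey.log"
    # Users and recent logins
    run_check users        cat /etc/passwd
    run_check logins       last -n 50
    run_check logged_in    who
    # Network configuration, connections, DNS and hosts file
    run_check arp          arp -an
    run_check routes       ip route show
    run_check connections  ss -nap
    run_check net_files    lsof -i
    run_check resolv       cat /etc/resolv.conf
    run_check hosts        cat /etc/hosts
    # Scheduled jobs and auto-start services
    run_check crontab      cat /etc/crontab
    run_check cron_dirs    ls -la /etc/cron.*
    run_check at_jobs      ls -la /var/spool/cron /var/at/jobs
    run_check autostart    systemctl list-unit-files --state=enabled --no-pager
    # Processes, including ones holding deleted files open
    run_check processes    ps aux
    run_check deleted_open lsof +L1
    # Package integrity and recently modified files (slow on large trees)
    run_check rpm_verify   rpm -Va
    run_check recent_files find "$root" -xdev -mtime -2 -type f -ls
    write_manifest "$OUTDIR"
}

# write_manifest DIR: hash every captured file into manifest.sha256
write_manifest() {
    ( cd "$1" && sha256sum ./*.txt > manifest.sha256 )
}

# verify_manifest DIR: return 0 only if no captured file changed since collection
verify_manifest() {
    ( cd "$1" && sha256sum -c manifest.sha256 >/dev/null 2>&1 )
}
```

Run it as root on the suspect host and copy the whole directory, manifest included, to the notes before any containment step touches the machine.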
IDENTIFICATION: Google foo
Validate a person: fred smith “@company.com”; fred smith + email (or) email address; fred smith + linkedin; fred smith site:linkedin.com
Restrict results to a specific file suffix: filetype:ext
Find metadata about a URL: info:URL
Find web pages with specific terms in the title: intitle:
Restrict results to a word in the URL: inurl:
Find pages that point to a specific URL: link:
Restrict results to that particular domain: site:
Source: Blue Team Handbook: Incident Response Edition
IDENTIFICATION: Great References
[Book covers]
The Red Team Field Manual, by Ben Clark
The Blue Team Field Manual, by Ben Clark & Alan J White
Blue Team Handbook: Incident Response Edition, by Don Murdoch
IR PROCESS: CONTAINMENT (OBSERVE / ORIENT / DECIDE / ACT)
• Threat Intelligence (Cisco Talos)
• IOCs
• Notes
• IRP
• Playbook(s)
• Policies
• Malware Analysis (REMnux)
• Forensics
– SANS SIFT
– VirusTotal, app.any.run
• Patch Management (PDQ Deploy)
• Communicate & Train
• Document
• Chain of Custody
• Forensics
• Identify impacted system(s)
• Isolate
• Patch
• Communicate & Train
• Document
IR PROCESS: ERADICATION (OBSERVE / ORIENT / DECIDE / ACT)
• Notes
• Asset Inventory
• Notes
• IRP & Policies
• Playbook
• Email/Teleconference
• Logs (Kiwi)
• ‘Risk Register’
• Forensics (Kali Live USB)
• AV (Clam AV / Barkly)
• Eliminate the Root Cause
• Stabilize Environment for Recovery
• “Do No Harm”
IR PROCESS: RECOVERY (OBSERVE / ORIENT / DECIDE / ACT)
• Checklists
• BIA
• BCP
• DRP
• Notes
• DRP
• BCP
• DRP
• BCP
• Data Recovery (Unitrends)
• Restore System(s)
• Restore Data
• Reestablish Systems
• Return to Normal Ops
IR PROCESS: LESSONS LEARNED (OBSERVE / ORIENT / DECIDE / ACT)
• Notes
• Logs
• Meeting Minutes
• Lessons Learned Meetings
• Software (CornerThought, LessonFlow)
• Revise IR Plan
• Update IOCs
• New tools?
• Risk Assessment
• Consolidate Notes
• Identify Errors, Oversights, & Inefficiencies
• Improve the Process
• Reduce Risk
REVIEW: INCIDENT RESPONSE PROCESS
• There is not always a clear line between an event & an incident
• Use Checklists
• References Help
• CLI … not cyber sexy, but really effective
KEY TAKEAWAYS
THINGS TO DO NEXT WEEK
• Create your own IR Plan (BIA?)
• Set up alternate emails
• Set up alternate teleconference line
• Identify Key Firm Stakeholders
• Start Developing Use Cases
• Start Building your Jumpkit
• Find a Partner & Augment your Team
STRATEGIC THINGS TO DO
• Scheduled CSIRT Training
• Learn the RIGHT Tools
• Get the Right People on the Bus
• Set up Alternate Teleconference Line
• Develop IR Policies
• Continue to Build Skills
• Continuous Improvement
REVIEW
WHAT WE COVERED TODAY
• The OODA Loop (Processing Adversary & Situation)
• The Incident Response Process (Processes & Tools)
• Key Takeaways (Things You Should Be Doing)
• Sources & Resources (Where You Go)
INCIDENT RESPONSE ACTIONS
[Summary grid: rows OBSERVE / ORIENT / DECIDE / ACT; columns Preparation / Identification / Containment / Eradication / Recovery / Lessons Learned. Cell contents as extracted, one cell per line:]
• Asset Inventory; Select IRT Team
• IPS, IDS, SIEM, UBA; Anti-Virus (+NGAV); Log / Vuln Analysis; Honeypot
• IOCs; Threat Intelligence
• Notes; Asset Inventory
• Checklists; BIA; BCP; DRP
• Hard copy notes; Logs
• Training/Books; Tabletops; Checklists; Ticketing
• Asset Inventory; Threat Intelligence; IOCs / News; Chg/Cfg Mgmt
• Forensics; ID Devices
• IOCs; Logs; Risk Register
• DRP; BCP
• LL meetings
• Policies; Use Cases; Email accounts; Teleconference
• IRP / Playbook(s); Policies
• BIA; DRP
• Meeting Minutes
• IR Plan; Jump Bag
• IRP; Notes (hard & soft); Hot Washes
• Patch Mgmt; Comm & Train; Block IP / Sinkhole; Chain of Custody
• Kali Live Disk; AV/NGAV
• Data Recovery; Restore System(s)
• Revise IR Plan; Update IOCs; New tools?; Risk Assessment
• Email / Teleconference
• Hard Copy Notes; IRP; Playbook
• Triage; Categorization; Create Ticket
INCIDENT RESPONSE TOOLS
[Summary grid: rows OBSERVE / ORIENT / DECIDE / ACT; columns Preparation / Identification / Containment / Eradication / Recovery / Lessons Learned. Cell contents as extracted, one cell per line:]
• IRP; Open-AudIT
• Security Onion; Nagios Core; Kiwi; Honeyd
• REMnux; SANS SIFT; VirusTotal; app.any.run
• Open-AudIT; Risk Register
• Checklists; BIA; BCP; DRP
• Hard copy notes; Logs
• The Hive Project; Cisco Talos; Maltego / Burp; Wireshark; MX Toolbox
• IOCs; Playbook
• IOCs; Logs
• DRP; BCP
• LL meetings
• ProtonMail; WhatsApp; Zoom
• IRP; Playbook
• BIA; DRP
• Meeting Minutes
• Jump Bag; Checklists
• IRP; Notes (hard & electronic)
• PDQ Deploy; Comm & Train; Cisco OpenDNS; Sinkhole
• Clam AV / Barkly; Kali Live Disk
• Unitrends; Acronis
• Revise IR Plan; Update IOCs; New tools?
• Notes; Logs
• The Hive Project; Gmail; Zoom
Sources
• 6 Phases In The Incident Response Plan, David Ellis. https://www.securitymetrics.com/blog/6-phases-incident-response-plan
• Awesome Incident Response Tools, awesome-incident-response GitHub repository. https://github.com/meirwah/awesome-incident-response
• Best Incident Response Software. https://www.g2.com/categories/incident-response
• Critical Log Review Checklist for Security Incidents, L. Zeltser & Dr. A. Chuvakin. https://zeltser.com/security-incident-log-review-checklist/
• Good Practice Guide for Incident Management, ENISA. https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management
• Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, NIST SP 800-84. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf
• John Boyd (Wikipedia). https://en.wikipedia.org/wiki/John_Boyd_(military_strategist)
• Incident Handling Annual Testing and Training, Kurtis Holland (SANS). https://www.sans.org/reading-room/whitepapers/incident/incident-handling-annual-testing-training-34565
• Insider’s Guide to Incident Response, AT&T / AlienVault. https://www.alienvault.com/resource-center/ebook/insider-guide-to-incident-response
• Meet ‘Bro’: The Best Kept Secret in Network Security, Greg Bell, July 14, 2018. https://www.darkreading.com/operations/meet-bro-the-best-kept-secret-of-network-security/a/d-id/1332028
• Popular Computer Forensics Top 21 Tools, Infosec Institute. https://resources.infosecinstitute.com/computer-forensics-tools
• Power to the Edge, Alberts and Hayes, 2003. http://www.dodccrp.org/files/Alberts_Power.pdf
• The Beginner’s Guide to Open Source Incident Response Tools and Resources, James Fritz, Feb 21, 2017. https://www.alienvault.com/blogs/security-essentials/beginners-guide-to-open-source-incident-response-tools-and-resources
• The OODA Loop (Wikipedia). https://en.wikipedia.org/wiki/OODA_loop
• The Incident Handler’s Handbook, Patrick Kral, 2012. https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
• Tips for Starting an Incident Response Team, Lenny Zeltser. https://zeltser.com/security-incident-response-program-tips/
• Top 20 Free Digital Forensic Investigation Tools for SysAdmins, Andrew Tabona, Jul 20, 2018. https://techtalk.gfi.com/top-20-free-digital-forensic-investigation-tools-for-sysadmins/
RESOURCES
Conversant Group Incident Response
https://www.conversantgroup.com/security/IR/
PREPARATION
• IR Plans
– NIST Computer Security Incident Handling Guide, SP 800-61r2, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
– Good Practice Guide for Incident Management, https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management
– Insider’s Guide to Incident Response, https://www.alienvault.com/resource-center/ebook/insider-guide-to-incident-response
– The Incident Handler’s Handbook, https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
– Tips for Starting an Incident Response Team, https://zeltser.com/security-incident-response-program-tips/
• Asset Management
– Creator, https://www.zoho.com/creator/apps/it-asset-tracker.html
– Open-AudIT, https://www.open-audit.org/
– PDQ Inventory, https://www.pdq.com
– Spiceworks, https://www.spiceworks.com/free-asset-management-software/
– SysAid, https://www.capterra.com/p/107225/SysAid/
• Out-of-Band (OOB) Communications
– Secure Email
•CounterMail, https://countermail.com/
•Hushmail, https://www.hushmail.com/
•ProtonMail, https://protonmail.com/
•Mailfence, https://mailfence.com/
– Teleconferencing
•Google Hangouts, https://hangouts.google.com/
•Zoom, https://zoom.us
•Uber Conference, https://www.uberconference.com/
– Texting
•WhatsApp
•Line
•Viber
•Signal
• Ticketing
– The Hive Project ,https://thehive-project.org/
– Snipe-IT, https://snipeitapp.com/
– Spiceworks, https://www.spiceworks.com/free-asset-management-software/
• Use Cases
– 2018 Popular SIEM Starter Use Cases, https://securityboulevard.com/2018/07/2018-popular-siem-starter-use-cases/
– Targeted SOC Use Cases for Effective Incident Detection and Response, https://digital-forensics.sans.org/media/Targeted-SOC-Use-Cases-for-effective-Incident-Detection-and-Response-Angelo-Perniola-David-Gray.pdf
– Top 10 SIEM Use Cases to Implement, https://www.logpoint.com/en/understand/top-10-use-cases-implement/
– Top 6 SIEM Use Cases, https://resources.infosecinstitute.com/top-6-seim-use-cases/
• Testing
– Incident Handling Annual Testing and Training, https://www.sans.org/reading-room/whitepapers/incident/incident-handling-annual-testing-training-34565
– Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, NIST 800-84. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf
• Training
– National Cyber Security Awareness Month (NCSAM)
•Stay Safe Online, https://staysafeonline.org/ncsam/
•DHS, https://www.dhs.gov/publication/national-cyber-security-awareness-month-resources
– Cybrary, https://www.cybrary.it/
– ICS CERT Virtual Learning, https://ics-cert-training.inl.gov/learn
– SANS Cyber Aces, https://www.cyberaces.org/
– TED Talks, https://www.springboard.com/blog/12-must-watch-cybersecurity-ted-talks/
– Open Security Training, http://opensecuritytraining.info/Training.html
– Open Cyber Challenge Platform, https://opencyberchallenge.net/
• Checklists
– Incident Response Jumpkit Checklist
– Critical Log Review Checklist for Security Incidents
• Cheat Sheets
– DDOS incident cheat sheet
– Security-incident-questionnaire-cheat-sheet
– Security-incident-survey-cheat-sheet
• Forms
– Incident Response Reporting Form
– IR Chain of Evidence
IDENTIFICATION
• Threat Intelligence
– Hslatman’s Github: A curated list of Awesome Threat Intelligence Resources, https://github.com/hslatman/awesome-threat-intelligence
– Cisco Talos, https://www.talosintelligence.com/
– HoneyDB, https://riskdiscovery.com/honeydb/
– Malware Domains, http://www.malwaredomains.com/
– Talos Aspis, https://www.talosintelligence.com/aspis/
– Threatfeeds.io, https://threatfeeds.io
• Honeypots
– GitHub list of Honeypots, https://github.com/paralax/awesome-honeypots
– Honeyd, http://www.honeyd.org/
– Valhala https://sourceforge.net/projects/valhalahoneypot/
– HoneyTrap https://github.com/honeytrap/honeytrap
• SIEM
– Open Source SIEM, https://www.alienvault.com/products/ossim
– OSSEC, https://ossec.github.io/
– Suricata, https://suricata-ids.org/
– Security Onion, https://securityonion.net/
– SNORT, https://www.snort.org/
• Notebooks
– Post-It Easel Pads, (~$30)
– Rocketbook Everlast Reusable Smart Notebook, (~$30)
[Images: before and after of a Rocketbook page, raw and processed]
• Network Monitoring
– Cacti, https://www.cacti.net/index.php
– Icinga 2, https://icinga.com/products/icinga-2/
– Nagios Core, https://www.nagios.org/projects/nagios-core/
– Prometheus, https://prometheus.io/
• Logs
– Critical Log Review Checklist for Security Incidents, https://zeltser.com/security-incident-log-review-checklist/
– Fluentd, https://www.fluentd.org/
– Graylog, https://github.com/Graylog2/graylog2-server
– LOGalyze, http://www.logalyze.com/
– Logstash, https://www.elastic.co/products/logstash
– LogWatch, https://logpacker.com/
– Kiwi Syslog ($), https://www.solarwinds.com/kiwi-syslog-server
• NTP
– Google Public NTP, https://developers.google.com/time/
– NIST Internet Time Servers, https://tf.nist.gov/tf-cgi/servers.cgi
– NTP Pool Project, https://www.pool.ntp.org/zone/us
– Time Tools, https://timetoolsltd.com/information/public-ntp-server/
– US Navy NTP Network Time Servers, https://tycho.usno.navy.mil/NTP/
• Vulnerability Scanner
– Burp Suite (Community Edition), https://portswigger.net/burp/communitydownload
– Nessus (Community), http://repository.slacky.eu/slackware-12.1/network/nessus/2.2.11/
– OpenVAS, www.openvas.org/ (+ Seccubus, https://www.seccubus.com/)
– OWASP ZAP, https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
• Forensics
– CentralOps, https://centralops.net/co/
– HPING, www.hping.org/
– Maltego Classic, https://www.paterva.com/web7/buy/maltego-clients/maltego.php
– MxToolbox, https://mxtoolbox.com/NetworkTools.aspx
– Masscan, https://github.com/robertdavidgraham/masscan
– Nmap, https://nmap.org/
– Open Source Intelligence (OSINT) Framework; https://osintframework.com/
– SHODAN, https://www.shodan.io/
– VirusTotal, virustotal.com; How to Generate MD5Sum Hash and Submit to VirusTotal, https://youtu.be/yNjyQ00-EfQ
– Wireshark, https://www.wireshark.org/
CONTAINMENT
• Playbooks
–How to build an incident response playbook, S. Williams-Shaw, Swimlane. https://swimlane.com/blog/incident-response-playbook/
– The Société Générale Incident Response Methodologies, https://github.com/certsocietegenerale/IRM/tree/master/EN
– Incident Response Consortium, https://www.incidentresponse.com/playbooks/
–MITRE Cyber Exercise Playbook, https://www.mitre.org/sites/default/files/publications/pr_14-3929-cyber-exercise-playbook.pdf
• CLI
– ENISA Good Practice Guide, https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management (p. 68)
– Command Line for Windows Forensics, https://resources.infosecinstitute.com/commandline-malware-and-forensics/
• VM
– Virtual Box, https://www.virtualbox.org/
– VMware Workstation Player, https://www.vmware.com/products/workstation-player.htm
• Forensics
– App.any.run, https://app.any.run/
– CAINE http://www.caine-live.net/
– Cuckoo Sandbox, https://cuckoosandbox.org/
– Fireeye Flare https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html
– FTK Disk Imager Lite, https://accessdata.com/product-download/ftk-imager-lite-version-3.1.1
– Ghidra, https://www.nsa.gov/resources/everyone/ghidra/
– Hybrid Analysis, https://www.hybrid-analysis.com/
– Mandiant Redline, https://www.fireeye.com/services/freeware/redline.html
– Open Computer Forensics Architecture http://sourceforge.net/projects/ocfa/
– REMnux, https://remnux.org/; How to Dynamically Analyze Files Using Munin, https://youtu.be/2WyPK0RXGHE
– SANS SIFT https://digital-forensics.sans.org/community/downloads/
– The Sleuth Kit http://www.sleuthkit.org/; (+ Autopsy GUI) https://www.sleuthkit.org/autopsy/
– Windows Forensic Toolchest ($), http://www.foolmoon.net/security/wft/
– Working Group on Digital Evidence, https://swgde.org/
• Patch Management
– ConnectWise Automate (Formerly LabTech [$$]), http://www.labtechsoftware.com/
– PDQ Deploy ($), https://www.pdq.com
• DNS Sinkholes
– Brakmic Malware Sinkhole List in github; https://github.com/brakmic/Sinkholes
ERADICATION
• Bootable ISOs (USB or DVD)
– BitDefender, http://download.bitdefender.com/rescue_cd/latest/
– GMER, http://www.gmer.net/
– Kali Linux Live, https://docs.kali.org/downloading/kali-linux-live-usb-install
– Trend Micro RescueDisk, https://www.trendmicro.com/en_us/forHome/products/free-tools/rescue-disk.html
• Anti-Virus
– Armadito Antivirus, https://armadito.com/
– Avast Free Antivirus, https://www.tomsguide.com/us/avast-free-antivirus,review-2208.html
– Barkly (AlertLogic [$$]), https://www.alertlogic.com/
– Bitdefender Antivirus Free Edition, https://www.tomsguide.com/us/bitdefender-antivirus-free,review-3523.html
– ClamAV, http://www.clamwin.com/
– ClamWin, http://www.clamwin.com/
– Microsoft Windows Defender, https://support.microsoft.com/en-us/help/14210/security-essentials-download
– Open Antivirus Project, http://www.openantivirus.org/index.php
RECOVERY
• Business Impact Analysis
– https://www.ready.gov/business-impact-analysis
• Disaster Recovery Plan
– https://www.ready.gov/business/implementation/IT
– https://blogs.technet.microsoft.com/mspfe/2012/03/08/a-microsoft-word-document-template-for-disaster-recovery-planning/
– https://education.alberta.ca/media/3272748/3-it-disaster-recovery-workbook-and-template.docx
– https://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-453495.pdf
• Business Continuity Plan
– https://www.ready.gov/business/implementation/continuity
– https://mema.maryland.gov/Documents/FEMA_Small_Business_Continuity_Plan_Template.docx
– https://www.bdc.ca/en/articles-tools/entrepreneur-toolkit/templates-business-guides/pages/business-continuity-guide-templates-entrepreneurs.aspx
• Data Backup & Recovery
– Acronis (BMR ($$)), https://www.acronis.com
– BorgBackup, https://www.borgbackup.org/
– UrBackup, https://www.urbackup.org/
– Unitrends ($$$), https://www.unitrends.com/
– Veeam, https://www.veeam.com/
LESSONS LEARNED
– 6 Phases In The Incident Response Plan, David Ellis.https://www.securitymetrics.com/blog/6-phases-incident-response-plan
– CornerThought ($?), https://www.lessonslearnedsolutions.com/
– LessonFlow ($?), https://www.lessonslearnedsolutions.com/
• BOOKS
– Blue Team Handbook: Incident Response Edition: A condensed field guide for the Cyber Security Incident Responder., Don Murdoch. ISBN: 978-1500734756
– Blue Team Handbook: SOC, SIEM, and Threat Hunting (V1.02): A Condensed Guide for the Security Operations Team and Threat Hunter, Don Murdoch. ISBN: 978-1091493896
– The Blue Team Field Manual, Ben Clark & Alan J White. ISBN: 978-1541016361
– The Checklist Manifesto, Atul Gawande. ISBN: 978-0312430009
– The Red Team Field Manual, Ben Clark. ISBN: 978-1494295509
– Computer Incident Response and Forensics Team Management, Leighton Johnson. ISBN: 978-1597499965
– Crafting the InfoSec Playbook, Brandon Enright, Jeff Bollinger, and Matthew Valites. ISBN: 978-1491949405
– Cybersecurity Incident Response, Eric C. Thompson. ISBN: 978-1484238691
– Intelligence-Driven Incident Response, Scott J. Roberts. ISBN: 978-1491934944
– Security Operations Center - SIEM Use Cases and Cyber Threat Intelligence, Arun E. Thomas. ISBN: 978-1986862011
– The Practice of Network Security Monitoring, Richard Bejtlich. ISBN: 978-1593275099
– Cybersecurity Canon, https://cybercanon.paloaltonetworks.com/
423.602.7789
@TNfoSec
https://www.linkedin.com/in/shaynechampion
Questions?