#LegalSEC19 Incident Response With Modest Resources How to Address an Event … without Creating One


Page 1: Incident Response With Modest Resources… · #LegalSEC19 IR Process: OBSERVE ORIENT DECIDE ACT •SEIM (Security Onion) •AV (ClamAV, Barkly) •Logging (Kiwi) •Honeypot (Honeyd)

#LegalSEC19

Incident Response With

Modest Resources

How to Address an Event … without Creating One

Page 2

SPEAKER

Shayne Champion

CISO, Conversant Group

Page 3

Agenda

• The OODA Loop

• The Incident Response Process

• Key Takeaways

• Sources & Resources

SETTING EXPECTATIONS

• Deck Provided

• Some Slides are Lists

• != Every Tool Available (the lists are a starting point, not a catalog of every tool out there)

Page 4

OODA LOOP

Page 5

OODA LOOP

OBSERVE → ORIENT → DECIDE → ACT (and back to OBSERVE)

Source: https://en.wikipedia.org/wiki/John_Boyd_(military_strategist)

• USAF Fighter Pilot in Korean War

• Processing and Reacting to an Adversary

• Feed-Forward Loop

• Iterative

• “Get inside your adversaries' OODA loop to disorient them”

Page 6

OODA LOOP

Source: https://en.wikipedia.org/wiki/John_Boyd_(military_strategist)#/media/File:OODA.Boyd.svg

Page 7

OBSERVE

Source: https://en.wikipedia.org/wiki/OODA_loop

• External Information

• Changing Circumstances

• Your Process

• The Enemy’s Reaction

OUTCOME: What Is Happening Around Us?


Page 8

ORIENT

Source: https://en.wikipedia.org/wiki/OODA_loop

• New Information

• Culture

• Experience

• Your Own Predilections

• Lessons Learned

• Analyze & Synthesize

OUTCOME: What Do We Need To Do NEXT?


Page 9

DECIDE

Source: https://en.wikipedia.org/wiki/OODA_loop

• Build a Hypothesis

• Work Your Script (‘Guidance & Control’)

• Make a Decision

OUTCOME: How We Are Handling This


Page 10

ACT


Source: https://en.wikipedia.org/wiki/OODA_loop

• Carry Out Your Hypothesis

• Work Within Your ‘Guidance’

• “Some action NOW is usually better than the perfect action later”

• Like Agile development

OUTCOME: Execute Our Plan

Page 11

REVIEW: OODA LOOP

• Situational Awareness: Observe, Orient, Decide, then ACT

• Accounts for our experience, predispositions, and what the bad guys are doing

• Feed-Forward Loop: Iterative & “agile” – short ‘sprints’

• Works within the constraints of your guidance (e.g., IR Plan)

Page 12

INCIDENT RESPONSE

PROCESS

Page 13

INCIDENT RESPONSE (IR) PROCESS

Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned


Page 17

IR Process: PREPARATION

OBSERVE → ORIENT → DECIDE → ACT

• Asset Inventory (Open-AudIT)

• Identify IRT Members

• Policies

• OOB (out-of-band) Communications (ProtonMail, Zoom, WhatsApp)

• Use Cases

• Processes & Training

• Ticketing System (The Hive Project)

• Call Trees

• IR Plan

• Checklists

• Jump Bag

• Documentation

• Processes

• Threshold

• IRT Members

• Training

• Tools & Equipment

Page 18

PREPARATION: Great Reference

By Atul Gawande

Page 19

IR Process: IDENTIFICATION

OBSERVE → ORIENT → DECIDE → ACT

• SIEM (Security Onion)

• AV (ClamAV, Barkly)

• Logging (Kiwi)

• Honeypot (Honeyd)

• Ticketing (The Hive Project)

• IRT Communication (Gmail, Zoom)

• Asset Inv (Open-AudIT)

• Vuln Scan (Burp, OpenVAS, Maltego)

• Packet Analysis (Wireshark)

• Incident Response Plan

• Notes (Hard & Soft)

• Hot Washes

• Monitor

• Detect

• Triage

• Classify

• Activate IRT

“Prevention is great, but detection is a must.” – Dr Eric Cole

Page 20

IDENTIFICATION: Secret (Cheap!) Weapon

Microsoft Windows [Version 10.0.16299.1087]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\Users\youruid>

Page 21

IDENTIFICATION: Windows CLI

Look at event logs: eventvwr

Examine network configuration: arp -a, netstat -nr

List network connections and related details: netstat -nao, netstat -vb, net session, net use

List users and groups: lusrmgr, net users, net localgroup administrators, net group administrators (on a domain-joined host, net group "Domain Admins" /domain)

Look at scheduled jobs: schtasks

Look at auto-start programs: msconfig

List processes: taskmgr, wmic process list full

List services: net start, tasklist /svc

Check DNS settings and the hosts file: ipconfig /all, more %SystemRoot%\System32\drivers\etc\hosts, ipconfig /displaydns

Verify integrity of OS files (affects lots of files!): sigverif

Research recently-modified files (affects lots of files!): dir /a /o-d /p %SystemRoot%\System32

Avoid using Windows Explorer, as it modifies useful file system details; use the command line.

Do not forget PowerShell!

Source: https://zeltser.com/security-incident-survey-cheat-sheet/

Page 22

IDENTIFICATION: Linux CLI

Look at event log files in directories (locations vary): /var/log/, /var/adm/, /var/spool/

List recent security events: who, last, lastlog (these read utmp, wtmp and lastlog)

Examine network configuration: arp -an, route -n (Linux), netstat -rn

List network connections and related details: netstat -nap (Linux), ss -tunap (Linux without net-tools), netstat -na (Solaris), lsof -i

List users: more /etc/passwd

Look at scheduled jobs: more /etc/crontab, ls /etc/cron.*, ls /var/at/jobs

Check DNS settings and the hosts file: more /etc/resolv.conf, more /etc/hosts

Verify integrity of installed packages (affects lots of files!): rpm -Va (RPM-based Linux), dpkg -V or debsums (Debian/Ubuntu), pkgchk (Solaris)

Look at auto-start services: chkconfig --list (Linux, SysV init), systemctl list-unit-files (Linux, systemd), ls /etc/rc*.d (Solaris), svcs (SMF, Solaris 10+)

List processes: ps aux (Linux, BSD), ps -ef (Solaris), lsof +L1 (open files that have been unlinked)

Find recently-modified files (affects lots of files!): ls -lat /, find / -mtime -2 -ls (GNU find; BSD find accepts -mtime -2d)

On a host you suspect is compromised, prefer known-good binaries (for example from a mounted jump-bag USB) over the system's own, and write down what you ran and when: the survey itself changes access times and shell history.

Source: https://zeltser.com/security-incident-survey-cheat-sheet/
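Running that checklist by hand under pressure is error-prone, so here is an added example (not from the deck or from Zeltser's cheat sheet) of a POSIX shell script that does the survey in one pass: it runs each checklist command that exists on the host, writes every output to its own file in an evidence directory, records which commands were unavailable, and hashes everything into a SHA-256 manifest so the collection can be verified later for chain of custody. The command list, the directory layout and the function names are this example's own choices, and ss and systemctl are included alongside the older netstat/chkconfig entries for hosts that no longer ship them.

```shell
#!/bin/sh
# Added example: one-pass Linux host survey for the Identification phase.
# Not from the LegalSEC19 deck; command list, file layout and names are this
# example's own. Run as root from a trusted shell, and write the evidence
# directory to removable media, not to the suspect disk.

# One entry per line: "<output name>|<command>". Missing commands are skipped.
TRIAGE_COMMANDS='
date|date -u
uname|uname -a
who|who
last|last -n 50
arp|arp -an
routes|netstat -rn
sockets_ss|ss -tunap
sockets_netstat|netstat -nap
lsof_net|lsof -i -n -P
passwd|cat /etc/passwd
crontab|cat /etc/crontab
cron_dirs|ls -la /etc/cron.*
resolv|cat /etc/resolv.conf
hosts|cat /etc/hosts
services|systemctl list-unit-files --type=service
processes|ps aux
deleted_open_files|lsof +L1
recent_files|find / -xdev -mtime -2 -type f -ls 2>/dev/null | head -n 2000
'

# collect_triage <evidence-dir>
# Runs every command above (one output file each), notes what was skipped,
# then writes MANIFEST.sha256 (one hash per file) plus a hash of the manifest.
# Prints the evidence directory path; fails only if it cannot be created.
collect_triage() {
    dir=$1
    mkdir -p "$dir" || return 1
    : > "$dir/skipped.txt"
    printf '%s\n' "$TRIAGE_COMMANDS" | while IFS='|' read -r name cmd; do
        [ -n "$name" ] || continue
        set -- $cmd                       # first word is the binary to look for
        if command -v "$1" >/dev/null 2>&1; then
            # Keep stderr with the output; one failing command must not abort the survey.
            sh -c "$cmd" > "$dir/$name.txt" 2>&1 || true
        else
            printf '%s: %s not found on this host\n' "$name" "$1" >> "$dir/skipped.txt"
        fi
    done
    # Hash every output file, then hash the manifest itself so tampering with
    # either is detectable later (copy this second hash into your notes).
    (cd "$dir" && sha256sum ./*.txt > MANIFEST.sha256)
    sha256sum "$dir/MANIFEST.sha256" | awk '{print $1}' > "$dir/MANIFEST.sha256.sha256"
    printf '%s\n' "$dir"
}

# verify_triage <evidence-dir>: succeeds only if every collected file still matches the manifest.
verify_triage() {
    (cd "$1" && sha256sum -c --quiet MANIFEST.sha256)
}
```

A typical run is `collect_triage /media/jumpbag/$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ)` followed by `verify_triage` on the same directory before it is handed to anyone else; the skipped.txt file tells you which checklist rows still need to be done by other means.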

Page 23

IDENTIFICATION: Google foo

Validate a person: fred smith “@company.com”; fred smith + email (or) email address; fred smith + linkedin; fred smith site:linkedin.com

Restrict results to a specific file suffix: filetype:ext

Find metadata about a URL: info:URL

Find web pages with specific terms in the title: intitle:

Restrict results to a word in the URL: inurl:

Find pages that point to a specific URL: link:

Restrict results to that particular domain: site:

Google has since retired the link: operator (and later info:), so treat those two rows as historical; the others still work.

Source: Blue Team Handbook: Incident Response Edition

Page 24

IDENTIFICATION: Great References

• Red Team Field Manual (RTFM), by Ben Clark

• Blue Team Field Manual (BTFM), by Alan J. White & Ben Clark

• Blue Team Handbook: Incident Response Edition, by Don Murdoch

Page 25

IR Process: CONTAINMENT

OBSERVE → ORIENT → DECIDE → ACT

• Threat Intelligence (Cisco Talos)

• IOCs

• Notes

• IRP

• Playbook(s)

• Policies

• Malware Analysis (REMnux)

• Forensics

–SANS SIFT

–VirusTotal, app.any.run

• Patch Management (PDQ Deploy)

• Communicate & Train

• Document

• Chain of Custody

• Forensics

• Identify impacted system(s)

• Isolate

• Patch

• Communicate & Train

• Document

Page 26

IR Process: ERADICATION

OBSERVE → ORIENT → DECIDE → ACT

• Notes

• Asset Inventory

• Notes

• IRP & Policies

• Playbook

• Email/Teleconference

• Logs (Kiwi)

• ‘Risk Register’

• Forensics (Kali Live USB)

• AV (Clam AV / Barkly)

• Eliminate the Root Cause

• Stabilize Environment for Recovery

• “Do No Harm”

Page 27

IR Process: RECOVERY

OBSERVE → ORIENT → DECIDE → ACT

• Checklists

• BIA

• BCP

• DRP

• Notes

• DRP

• BCP

• DRP

• BCP

• Data Recovery (Unitrends)

• Restore System(s)

• Restore Data

• Reestablish Systems

• Return to Normal Ops

Page 28

IR Process: LESSONS LEARNED

OBSERVE → ORIENT → DECIDE → ACT

• Notes

• Logs

• Meeting Minutes

• Lessons Learned Meetings

• Software (CornerThought, LessonFlow)

• Revise IR Plan

• Update IOCs

• New tools?

• Risk Assessment

• Consolidate Notes

• Identify Errors, Oversights, & Inefficiencies

• Improve the Process

• Reduce Risk

Page 29

REVIEW: INCIDENT RESPONSE PROCESS

• There is not always a clear line between an event & an incident

• Use Checklists

• References Help

• CLI … not cyber sexy, but really effective

Page 30

KEY TAKEAWAYS

Page 31

THINGS TO DO NEXT WEEK

• Create your own IR Plan (BIA?)

• Setup alternate emails

• Setup alternate teleconference line

• Identify Key Firm Stakeholders

• Start Developing Use Cases

• Start Building your Jumpkit

• Find a Partner & Augment your Team

Page 32

STRATEGIC THINGS TO DO

• Scheduled CSIRT Training

• Learn the RIGHT Tools

• Get the Right People on the Bus

• Setup Alternate Teleconference Line

• Develop IR Policies

• Continue to Build Skills

• Continuous Improvement

Page 33

REVIEW

Page 34

WHAT WE COVERED TODAY

• The OODA Loop

• The Incident Response Process

• Key Takeaways

• Sources & Resources

(Processing Adversary & Situation)

(Processes & Tools)

(Things You Should Be Doing)

(Where You Go)

Page 35

Incident Response Actions (by phase, with the OODA step each item supports)

PREPARATION

• Observe: Asset Inventory; Select IRT Team

• Orient: Training/Books; Tabletops; Checklists; Ticketing

• Decide: Policies; Use Cases; Email accounts; Teleconference

• Act: IR Plan; Jump Bag

IDENTIFICATION

• Observe: IPS, IDS, SIEM, UBA; Anti-Virus (+NGAV); Log / Vuln Analysis; Honeypot

• Orient: Asset Inventory; Threat Intelligence; IOCs / News; Chg/Cfg Mgmt

• Decide: IRP; Notes (hard & soft); Hot Washes

• Act: Triage; Categorization; Create Ticket

CONTAINMENT

• Observe: IOCs; Threat Intelligence

• Orient: Forensics; ID Devices

• Decide: IRP / Playbook(s); Policies

• Act: Patch Mgmt; Comm & Train; Block IP / Sinkhole; Chain of Custody

ERADICATION

• Observe: Notes; Asset Inventory

• Orient: IOCs; Logs; Risk Register

• Decide: Hard Copy Notes; IRP; Playbook; Email / Teleconference

• Act: Kali Live Disk; AV/NGAV

RECOVERY

• Observe: Checklists; BIA; BCP; DRP

• Orient: DRP; BCP

• Decide: BIA; DRP

• Act: Data Recovery; Restore System(s)

LESSONS LEARNED

• Observe: Hard copy notes; Logs

• Orient: LL meetings

• Decide: Meeting Minutes

• Act: Revise IR Plan; Update IOCs; New tools?; Risk Assessment

Page 36

Incident Response Tools (by phase, with the OODA step each tool supports)

PREPARATION

• Observe: IRP; Open-AudIT

• Decide: ProtonMail; WhatsApp; Zoom

• Act: Jump Bag; Checklists

IDENTIFICATION

• Observe: Security Onion; Nagios Core; Kiwi; Honeyd

• Orient: The Hive Project; Cisco Talos; Maltego / Burp; Wireshark; MX Toolbox

• Decide: IRP; Notes (hard & electronic)

• Act: The Hive Project; Gmail; Zoom

CONTAINMENT

• Observe: REMnux; SANS SIFT; VirusTotal; app.any.run

• Orient: IOCs; Playbook

• Decide: IRP; Playbook

• Act: PDQ Deploy; Comm & Train; Cisco OpenDNS; Sinkhole

ERADICATION

• Observe: Open-AudIT; Risk Register

• Orient: IOCs; Logs

• Decide: Notes; Logs

• Act: Clam AV / Barkly; Kali Live Disk

RECOVERY

• Observe: Checklists; BIA; BCP; DRP

• Orient: DRP; BCP

• Decide: BIA; DRP

• Act: Unitrends; Acronis

LESSONS LEARNED

• Observe: Hard copy notes; Logs

• Orient: LL meetings

• Decide: Meeting Minutes

• Act: Revise IR Plan; Update IOCs; New tools?

Page 37

Sources

• 6 Phases In The Incident Response Plan, David Ellis.https://www.securitymetrics.com/blog/6-phases-incident-response-plan

• Awesome Incident Response Tools, awesome-incident-response GitHub repository.https://github.com/meirwah/awesome-incident-response

• Best Incident Response Software, https://www.g2.com/categories/incident-response

• Critical Log Review Checklist for Security Incidents, L Zeltser & Dr. A. Chuvakin.https://zeltser.com/security-incident-log-review-checklist/

• Good Practice Guide for Incident Management, ENISA. https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management

• Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, NIST 800-84. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf

• John Boyd (Wikipedia). https://en.wikipedia.org/wiki/John_Boyd_(military_strategist)

• Incident Handling Annual Testing and Training, Kurtis Holland (SANS). https://www.sans.org/reading-room/whitepapers/incident/incident-handling-annual-testing-training-34565

• Insider’s Guide to Incident Response, AT&T / AlienVault. https://www.alienvault.com/resource-center/ebook/insider-guide-to-incident-response

Page 38

Sources

• Meet ‘Bro’: The Best Kept Secret of Network Security, Greg Bell, July 14, 2018. https://www.darkreading.com/operations/meet-bro-the-best-kept-secret-of-network-security/a/d-id/1332028

• Popular Computer Forensics Top 21 Tools, Infosec Institute. https://resources.infosecinstitute.com/computer-forensics-tools

• Power to the Edge, Alberts and Hayes, 2003. http://www.dodccrp.org/files/Alberts_Power.pdf

• The Beginner’s Guide to Open Source Incident Response Tools and Resources, James Fritz, Feb 21, 2017.https://www.alienvault.com/blogs/security-essentials/beginners-guide-to-open-source-incident-response-tools-and-resources

• The OODA Loop (Wikipedia).https://en.wikipedia.org/wiki/OODA_loop

• The Incident Handler’s Handbook, Patrick Kral. 2012. https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

• Tips for Starting an Incident Response Team, Lenny Zeltser. https://zeltser.com/security-incident-response-program-tips/

• Top 20 Free Digital Forensic Investigation Tools for SysAdmins, Andrew Tabona, Jul 20, 2018. https://techtalk.gfi.com/top-20-free-digital-forensic-investigation-tools-for-sysadmins/

Page 39

RESOURCES

Conversant Group Incident Response

https://www.conversantgroup.com/security/IR/

Page 40

RESOURCES

PREPARATION

• IR Plans

– NIST Computer Security Incident Handling Guide, SP 800-61r2, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

–Good Practice Guide for Incident Management, https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management

– Insider’s Guide to Incident Response, https://www.alienvault.com/resource-center/ebook/insider-guide-to-incident-response

– The Incident Handler’s Handbook, https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901

– Tips for Starting an Incident Response Team, https://zeltser.com/security-incident-response-program-tips/

• Asset Management

– Creator, https://www.zoho.com/creator/apps/it-asset-tracker.html

–Open-AudIT, https://www.open-audit.org/

– PDQ Inventory, https://www.pdq.com

– Spiceworks https://www.spiceworks.com/free-asset-management-software/

– SysAid, https://www.capterra.com/p/107225/SysAid/

Page 41

RESOURCES

PREPARATION

• Out-of-Band (OOB) Communications (channels that keep working when the firm's own email and phones may be compromised or down)

– Secure Email

•CounterMail, https://countermail.com/

•Hushmail, https://www.hushmail.com/

•ProtonMail, https://protonmail.com/

•Mailfence, https://mailfence.com/

– Teleconferencing

•Google Hangouts, https://hangouts.google.com/

•Zoom, https://zoom.us

•Uber Conference, https://www.uberconference.com/

– Texting

•WhatsApp

•Line

•Viber

•Signal

Page 42

RESOURCES

PREPARATION

• Ticketing

– The Hive Project, https://thehive-project.org/

– Snipe-IT, https://snipeitapp.com/

– Spiceworks, https://www.spiceworks.com/free-asset-management-software/

• Use Cases

– 2018 Popular SIEM Starter Use Cases, https://securityboulevard.com/2018/07/2018-popular-siem-starter-use-cases/

– Targeted SOC Use Cases for Effective Incident Detection and Response, https://digital-forensics.sans.org/media/Targeted-SOC-Use-Cases-for-effective-Incident-Detection-and-Response-Angelo-Perniola-David-Gray.pdf

– Top 10 SIEM Use Cases to Implement, https://www.logpoint.com/en/understand/top-10-use-cases-implement/

– Top 6 SIEM Use Cases, https://resources.infosecinstitute.com/top-6-seim-use-cases/
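As an added example (not from the deck or from any of the use-case guides linked above), here is the most common starter use case, repeated failed SSH logins followed by a success from the same source, implemented with awk over a handful of constructed auth.log lines. The log lines, the threshold and the function name are this example's own; the point is that the detection needs no SIEM licence, only the syslog you are already collecting with something like Kiwi.

```shell
#!/bin/sh
# Added example: SSH brute-force starter use case with awk, no SIEM required.
# Not from the LegalSEC19 deck. The log lines below are constructed for the
# example; the failure threshold (2nd argument) is the only tuning knob.

SAMPLE_AUTH_LOG='
May  3 01:12:01 fileserver sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 50111 ssh2
May  3 01:12:03 fileserver sshd[2201]: Failed password for invalid user admin from 198.51.100.7 port 50112 ssh2
May  3 01:12:05 fileserver sshd[2203]: Failed password for root from 198.51.100.7 port 50113 ssh2
May  3 01:12:07 fileserver sshd[2204]: Failed password for root from 198.51.100.7 port 50114 ssh2
May  3 01:12:09 fileserver sshd[2205]: Failed password for root from 198.51.100.7 port 50115 ssh2
May  3 01:12:11 fileserver sshd[2206]: Accepted password for root from 198.51.100.7 port 50116 ssh2
May  3 01:15:40 fileserver sshd[2250]: Failed password for jsmith from 10.0.0.23 port 41122 ssh2
May  3 01:15:49 fileserver sshd[2251]: Accepted publickey for jsmith from 10.0.0.23 port 41123 ssh2
May  3 01:20:02 fileserver sshd[2260]: Failed password for invalid user oracle from 203.0.113.9 port 33001 ssh2
May  3 01:20:03 fileserver sshd[2260]: Failed password for invalid user oracle from 203.0.113.9 port 33002 ssh2
May  3 01:20:04 fileserver sshd[2260]: Failed password for invalid user oracle from 203.0.113.9 port 33003 ssh2
'

# ssh_bruteforce_report <auth.log> <threshold>
# Prints one line per source address with at least <threshold> failures:
#   <ip> failures=<n> accepted_after_failures=<yes|no>
# "yes" means the same source later logged in successfully. That is the line
# to escalate; sources that only ever failed are background noise.
ssh_bruteforce_report() {
    awk -v threshold="$2" '
        function source_ip(   i) {            # the address follows the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") return $(i + 1)
            return "unknown"
        }
        /sshd\[[0-9]+\]: Failed password/ { failed[source_ip()]++ }
        /sshd\[[0-9]+\]: Accepted /       {
            ip = source_ip()
            if ((ip in failed) && failed[ip] >= threshold) success_after[ip] = 1
        }
        END {
            for (ip in failed) {
                if (failed[ip] < threshold) continue
                flag = (ip in success_after) ? "yes" : "no"
                printf "%s failures=%d accepted_after_failures=%s\n", ip, failed[ip], flag
            }
        }' "$1" | sort
}

# Example run on the constructed log (writes it to a temp file first):
# f=$(mktemp); printf '%s\n' "$SAMPLE_AUTH_LOG" > "$f"; ssh_bruteforce_report "$f" 3
```

On the sample above with a threshold of 3 the report names 198.51.100.7 (five failures, then a success: escalate) and 203.0.113.9 (three failures, no success: block and move on), and says nothing about jsmith's single typo. Pointing the same function at the live file from cron is the cheapest "use case" a small shop can run.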

Page 43

RESOURCES

PREPARATION

• Testing

– Incident Handling Annual Testing and Training, https://www.sans.org/reading-room/whitepapers/incident/incident-handling-annual-testing-training-34565

– Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, NIST 800-84. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf

• Training

– National Cybersecurity Awareness Month (NCSAM)

• Stay Safe Online, https://staysafeonline.org/ncsam/

• DHS, https://www.dhs.gov/publication/national-cyber-security-awareness-month-resources

– Cybrary, https://www.cybrary.it/

– ICS CERT Virtual Learning, https://ics-cert-training.inl.gov/learn

– SANS Cyber Aces, https://www.cyberaces.org/

– TED Talks, https://www.springboard.com/blog/12-must-watch-cybersecurity-ted-talks/

– Open Security Training, http://opensecuritytraining.info/Training.html

– Open Cyber Challenge Platform, https://opencyberchallenge.net/

Page 44

RESOURCES

PREPARATION

• Checklists

– Incident Response Jumpkit Checklist

– Critical Log Review Checklist for Security Incidents

• Cheat Sheets

– DDOS incident cheat sheet

– Security-incident-questionnaire-cheat-sheet

– Security-incident-survey-cheat-sheet

• Forms

– Incident Response Reporting Form

– IR Chain of Evidence

Page 45

RESOURCES

IDENTIFICATION

• Threat Intelligence

– Hslatman’s Github: A curated list of Awesome Threat Intelligence Resources, https://github.com/hslatman/awesome-threat-intelligence

– Cisco Talos, https://www.talosintelligence.com/

– HoneyDB, https://riskdiscovery.com/honeydb/

– Malware Domains, http://www.malwaredomains.com/

– Talos Aspis, https://www.talosintelligence.com/aspis/

– Threatfeeds.io, https://threatfeeds.io

• Honeypots

– GitHub list of Honeypots, https://github.com/paralax/awesome-honeypots

– Honeyd, http://www.honeyd.org/

– Valhala https://sourceforge.net/projects/valhalahoneypot/

– HoneyTrap https://github.com/honeytrap/honeytrap

Page 46

RESOURCES

IDENTIFICATION

• SIEM

– OSSIM (AlienVault Open Source SIEM), https://www.alienvault.com/products/ossim

– OSSEC, https://ossec.github.io/

– Suricata, https://suricata-ids.org/

– Security Onion, https://securityonion.net/

– Snort, https://www.snort.org/

(OSSEC is a host-based IDS and Suricata and Snort are network IDS engines, not SIEMs on their own; Security Onion and OSSIM are the distributions that bundle them with log collection and a console.)

• Notebooks

– Post-It Easel Pads (~$30)

– Rocketbook Everlast Reusable Smart Notebook (~$30)

(Before / After: actual raw and processed images)

Page 47

RESOURCES

IDENTIFICATION

• Network Monitoring

– Cacti, https://www.cacti.net/index.php

– Icinga 2, https://icinga.com/products/icinga-2/

– Nagios Core, https://www.nagios.org/projects/nagios-core/

– Prometheus, https://prometheus.io/

• Logs

– Critical Log Review Checklist for Security Incidents, https://zeltser.com/security-incident-log-review-checklist/

– Fluentd, https://www.fluentd.org/

– Graylog, https://github.com/Graylog2/graylog2-server

– LOGalyze, http://www.logalyze.com/

– Logstash, https://www.elastic.co/products/logstash

– LogWatch, https://logpacker.com/

– Kiwi Syslog ($), https://www.solarwinds.com/kiwi-syslog-server

Page 48

RESOURCES

IDENTIFICATION

• NTP (synchronized clocks are what let you line up timestamps from different hosts' logs into one timeline)

– Google Public NTP, https://developers.google.com/time/

– NIST Internet Time Servers, https://tf.nist.gov/tf-cgi/servers.cgi

– NTP Pool Project, https://www.pool.ntp.org/zone/us

– Time Tools, https://timetoolsltd.com/information/public-ntp-server/

– US Navy NTP Network Time Servers, https://tycho.usno.navy.mil/NTP/

• Vulnerability Scanner

– Burp Suite (Community Edition), https://portswigger.net/burp/communitydownload

– Nessus (Community), http://repository.slacky.eu/slackware-12.1/network/nessus/2.2.11/

– OpenVAS, www.openvas.org/ (+ Seccubus, https://www.seccubus.com/)

– OWASP ZAP, https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Page 49

RESOURCES

IDENTIFICATION

• Forensics

– CentralOps, https://centralops.net/co/

– hping, www.hping.org/

– Maltego Classic, https://www.paterva.com/web7/buy/maltego-clients/maltego.php

– MxToolbox, https://mxtoolbox.com/NetworkTools.aspx

– Masscan, https://github.com/robertdavidgraham/masscan

– Nmap, https://nmap.org/

– Open Source Intelligence (OSINT) Framework, https://osintframework.com/

– SHODAN, https://www.shodan.io/

– VirusTotal, virustotal.com; How to Generate MD5Sum Hash and Submit to VirusTotal, https://youtu.be/yNjyQ00-EfQ (search by hash first, and prefer SHA-256 over MD5; uploading a file shares it with VirusTotal's other subscribers, which matters when the file is a client document)

– Wireshark, https://www.wireshark.org/

Page 50

RESOURCES

CONTAINMENT

• Playbooks

– How to build an incident response playbook, S. Williams-Shaw, Swimlane. https://swimlane.com/blog/incident-response-playbook/

– The Société Générale Incident Response Methodologies, https://github.com/certsocietegenerale/IRM/tree/master/EN

– Incident Response Consortium, https://www.incidentresponse.com/playbooks/

– MITRE Cyber Exercise Playbook, https://www.mitre.org/sites/default/files/publications/pr_14-3929-cyber-exercise-playbook.pdf

• CLI

– ENISA Good Practice Guide, https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management p68

– Command Line for Windows Forensics, https://resources.infosecinstitute.com/commandline-malware-and-forensics/

• VM

– VirtualBox, https://www.virtualbox.org/

– VMware Workstation Player, https://www.vmware.com/products/workstation-player.htm

Page 51

RESOURCES

CONTAINMENT

• Forensics

– app.any.run, https://app.any.run/ (on the free plan every submission is public; do not upload anything confidential)

– CAINE, http://www.caine-live.net/

– Cuckoo Sandbox, https://cuckoosandbox.org/

– FireEye FLARE VM, https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html

– FTK Imager Lite, https://accessdata.com/product-download/ftk-imager-lite-version-3.1.1

– Ghidra, https://www.nsa.gov/resources/everyone/ghidra/

– Hybrid Analysis, https://www.hybrid-analysis.com/

– Mandiant Redline, https://www.fireeye.com/services/freeware/redline.html

– Open Computer Forensics Architecture, http://sourceforge.net/projects/ocfa/

– REMnux, https://remnux.org/; How to Dynamically Analyze Files Using Munin, https://youtu.be/2WyPK0RXGHE

– SANS SIFT, https://digital-forensics.sans.org/community/downloads/

– The Sleuth Kit, http://www.sleuthkit.org/ (+ Autopsy GUI, https://www.sleuthkit.org/autopsy/)

– Windows Forensic Toolchest ($), http://www.foolmoon.net/security/wft/

– Scientific Working Group on Digital Evidence (SWGDE), https://swgde.org/

Page 52

RESOURCES

CONTAINMENT

• Patch Management

– ConnectWise Automate (formerly LabTech [$$]), http://www.labtechsoftware.com/

– PDQ Deploy ($), https://www.pdq.com

• DNS Sinkholes

– Brakmic Malware Sinkhole List on GitHub, https://github.com/brakmic/Sinkholes
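To make the "Block IP / Sinkhole" containment step concrete, here is an added example (not from the deck or from the sinkhole list above) of a POSIX shell script that turns an IOC list into two review-before-apply artifacts: dnsmasq address= lines that answer C2 hostnames with an internal sinkhole host, and an nftables set of C2 IPv4 addresses attached to an outbound drop rule. The sinkhole address, the table and set names, and the IOC file format (one indicator per line, URLs allowed, # comments) are this example's own assumptions; malformed indicators are rejected loudly rather than silently passed into the firewall.

```shell
#!/bin/sh
# Added example: IOC list -> dnsmasq sinkhole entries + nftables blocklist.
# Not from the LegalSEC19 deck. The sinkhole address, table/set names and the
# input format are assumptions for this example. Nothing here touches the live
# resolver or firewall: review the output, then install it through change control.

SINKHOLE_IP="10.10.10.10"   # assumed internal host that logs every connection it receives

# is_ipv4 <string>: succeeds for a dotted quad with every octet in 0-255
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# is_hostname <string>: succeeds for dotted labels of letters/digits/hyphens with an alphabetic TLD
is_hostname() {
    printf '%s\n' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'
}

# build_sinkhole_rules <ioc-file>
# Emits the dnsmasq lines, then an nftables table. Exit status 2 if any indicator was rejected.
build_sinkhole_rules() {
    rc=0
    ips=""
    printf '# dnsmasq: C2 hostnames answered with the sinkhole address (generated)\n'
    while read -r ioc _; do
        case "$ioc" in ''|'#'*) continue ;; esac              # blanks and comments
        # Normalise: lower-case, strip scheme and path so URL IOCs become hostnames
        ioc=$(printf '%s' "$ioc" | tr 'A-Z' 'a-z' | sed 's#^https\{0,1\}://##; s#/.*$##')
        if is_ipv4 "$ioc"; then
            ips="$ips${ips:+, }$ioc"
        elif is_hostname "$ioc"; then
            printf 'address=/%s/%s\n' "$ioc" "$SINKHOLE_IP"
        else
            printf '# REJECTED (not an IPv4 address or hostname): %s\n' "$ioc"
            rc=2
        fi
    done < "$1"
    printf '\n# nftables: drop and log outbound traffic to C2 addresses (generated)\n'
    printf 'table inet ir_containment {\n'
    if [ -n "$ips" ]; then
        printf '  set c2_ips { type ipv4_addr; elements = { %s } }\n' "$ips"
    else
        printf '  set c2_ips { type ipv4_addr; }\n'
    fi
    printf '  chain out { type filter hook output priority 0; policy accept; ip daddr @c2_ips log prefix "ir-c2 " drop; }\n'
    printf '}\n'
    return $rc
}
```

Typical use is `build_sinkhole_rules iocs.txt > containment.conf`, a look at any REJECTED lines, then splitting the two halves into /etc/dnsmasq.d/ and an `nft -f` file. Because the sinkhole host sees every client that tried to resolve a C2 name, its log doubles as the "identify impacted systems" list for the next OODA loop.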

Page 53

RESOURCES

ERADICATION

• Bootable ISOs (USB or DVD)

– Bitdefender, http://download.bitdefender.com/rescue_cd/latest/

– GMER, http://www.gmer.net/

– Kali Linux Live, https://docs.kali.org/downloading/kali-linux-live-usb-install

– Trend Micro RescueDisk, https://www.trendmicro.com/en_us/forHome/products/free-tools/rescue-disk.html

Page 54

ERADICATION

• Anti-Virus

– Armadito Antivirus, https://armadito.com/

– Avast Free Antivirus, https://www.tomsguide.com/us/avast-free-antivirus,review-2208.html

– Barkly (AlertLogic [$$]), https://www.alertlogic.com/

– Bitdefender Antivirus Free Edition, https://www.tomsguide.com/us/bitdefender-antivirus-free,review-3523.html

– ClamAV, http://www.clamwin.com/

– ClamWin, http://www.clamwin.com/

– Microsoft Windows Defender, https://support.microsoft.com/en-us/help/14210/security-essentials-download

– Open Antivirus Project, http://www.openantivirus.org/index.php

Page 55

RECOVERY

• Business Impact Analysis

– https://www.ready.gov/business-impact-analysis

• Disaster Recovery Plan

– https://www.ready.gov/business/implementation/IT

– https://blogs.technet.microsoft.com/mspfe/2012/03/08/a-microsoft-word-document-template-for-disaster-recovery-planning/

– https://education.alberta.ca/media/3272748/3-it-disaster-recovery-workbook-and-template.docx

– https://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white_paper_c11-453495.pdf

• Business Continuity Plan

– https://www.ready.gov/business/implementation/continuity

– https://mema.maryland.gov/Documents/FEMA_Small_Business_Continuity_Plan_Template.docx

– https://www.bdc.ca/en/articles-tools/entrepreneur-toolkit/templates-business-guides/pages/business-continuity-guide-templates-entrepreneurs.aspx

Page 56

RECOVERY

• Data Backup & Recovery

– Acronis (BMR ($$)), https://www.acronis.com

– BorgBackup, https://www.borgbackup.org/

– UrBackup, https://www.urbackup.org/

– Unitrends ($$$), https://www.unitrends.com/

– Veeam, https://www.veeam.com/

Page 57

LESSONS LEARNED

– 6 Phases In The Incident Response Plan, David Ellis, https://www.securitymetrics.com/blog/6-phases-incident-response-plan

– CornerThought ($?), https://www.lessonslearnedsolutions.com/

– LessonFlow ($?), https://www.lessonslearnedsolutions.com/

Page 58

• BOOKS

– Blue Team Handbook: Incident Response Edition: A condensed field guide for the Cyber Security Incident Responder., Don Murdoch. ISBN: 978-1500734756

– Blue Team Handbook: SOC, SIEM, and Threat Hunting (V1.02): A Condensed Guide for the Security Operations Team and Threat Hunter, Don Murdoch. ISBN: 978-1091493896

– The Blue Team Field Manual, Ben Clark & Alan J White. ISBN: 978-1541016361

– The Checklist Manifesto, Atul Gawande. ISBN: 978-0312430009

– The Red Team Field Manual, Ben Clark. ISBN: 978-1494295509

– Computer Incident Response and Forensics Team Management, Leighton Johnson. ISBN: 978-1597499965

– Crafting the InfoSec Playbook, Brandon Enright, Jeff Bollinger, and Matthew Valites. ISBN: 978-1491949405

– Cybersecurity Incident Response, Eric C. Thompson. ISBN: 978-1484238691

– Intelligence-Driven Incident Response, Scott J. Roberts. ISBN: 978-1491934944

– Security Operations Center - SIEM Use Cases and Cyber Threat Intelligence, Arun E. Thomas. ISBN: 978-1986862011

– The Practice of Network Security Monitoring, Richard Bejtlich. ISBN: 978-1593275099

– Cybersecurity Canon, https://cybercanon.paloaltonetworks.com/

Page 59

[email protected]

423.602.7789

@TNfoSec

https://www.linkedin.com/in/shaynechampion

Questions?