2020-041- Conor Sherman, IR stories, cost of not prepping for an incident
Play • 1 hr 18 min

“Between stimulus and response there is a space. In that space is our power to choose our response. In our response lies our growth and our freedom. --Victor Frankl

https://smile.amazon.com/Mans-Search-for-Meaning-audiobook/dp/B0006IU470

 

https://twitter.com/conordsherman

 

Conor Sherman - IR stories and more 

Security Strategy and Incident Response, eZCater

Confident Defense Podcast - https://www.confidentdefense.com/podcast

https://www.linkedin.com/in/conordsherman/

 

Agenda: 

Bio (How did I get here?)

 

Prior preparation and planning prevents poor performance - https://military.wikia.org/wiki/7_Ps_(military_adage) 

Discover Unique malware

FIN 6 - https://www.zdnet.com/article/cybercrime-group-fin6-evolves-from-pos-malware-to-ransomware/

FIN 7 - https://threatpost.com/fin7-retools/149117/ 

CCPA - https://oag.ca.gov/privacy/ccpa

CIS 20 is ‘reasonable security program’ per California AG - https://www.prnewswire.com/news-releases/california-attorney-general-concludes-that-failing-to-implement-the-center-for-internet-securitys-cis-critical-security-controls-constitutes-a-lack-of-reasonable-security-300223659.html 

IBM breach cost: “Cost Of  A data Breach” (Search This)

https://newsroom.ibm.com/2020-07-29-IBM-Report-Compromised-Employee-Accounts-Led-to-Most-Expensive-Data-Breaches-Over-Past-Year 

 

Cloud Infra Compliance- 

Governance as Code - https://www.cio.com/article/3277611/governance-as-code-keeping-pace-with-the-rate-of-change-in-the-cloud.html 

“In the future, governance as code will be the backbone driving our IT systems and services. It will enable us to deliver consistent, efficient and highly repeating business outcomes at the lowest possible cost, with the maximum availability and security, while also allowing our people to expand into new and higher value-add roles across business.”

 

Detection as Code 

“Freedom within Limits” - Security as Solutions Engineers

https://www.howwemontessori.com/how-we-montessori/2020/02/freedom-within-limits-what-it-looks-like-in-our-home-with-three-children.html 

 

Sigma: https://github.com/Neo23x0/sigma 

“Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write and applicable to any type of log file.”

 

Japan CIRT event ID whitepaper: https://www.jpcert.or.jp/english/pub/sr/DetectingLateralMovementThroughTrackingEventLogs_version2.pdf 

https://jpcertcc.github.io/ToolAnalysisResultSheet/

 

https://shield.mitre.org/ 

“Shield is an active defense knowledge base MITRE is developing to capture and organize what we are learning about active defense and adversary engagement. Derived from over 10 years of adversary engagement experience, it spans the range from high level, CISO ready considerations of opportunities and objectives, to practitioner friendly discussions of the TTPs available to defenders.”

IR Playbooks -  

process of creating them (probably the hardest)

Implementation

Tabletop exercise (length, stakeholders, crafting a scenario to compare against)

 

What if an org has nothing? “We just blow up the environment and start over."

 

RTO/RPO metrics: How long can you survive as a company with an outage? How long does it take to get back online and operational? What’s your appetite for the risk of that?

 

Lots of dependencies to creating 

 

https://swimlane.com/blog/incident-response-playbook

 

Tabletop discussion -

 

sponsors involved

Initiating condition

Threat modeling

Process steps

Best practices and local policies

End state - what is the goal? (eradicate infection, back to operating status)

Relation to governance/regulatory reqs. (do we have to report? What do we report? Fallout from incident, etc)

Lessons Learned

 

https://sbscyber.com/resources/7-steps-to-building-an-incident-response-playbook (seems like there are different methodologies)

 

Why are the things that will give organizations the biggest benefit over time the cause of the most consternation?

 

Check out our Store on Teepub! https://brakesec.com/store

Join us on our #Slack Channel! Send a request to @brakesec on Twitter or email bds.podcast@gmail.com

#AmazonMusic: https://brakesec.com/amazonmusic 

#Brakesec Store!: https://brakesec.com/teepub 

#Spotify: https://brakesec.com/spotifyBDS #Pandora: https://brakesec.com/pandora 

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel:  http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site:  https://brakesec.com/bdswebsite

#iHeartRadio App:  https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec

#cybersecurity #informationsecurity #leadership #podcasts #CPEs #CISSP

More episodes
Search
Clear search
Close search
Google apps
Main menu