Next-Gen DFIR: Mass Exploits & Supplier Compromise

Presented at Black Hat USA 2021, Aug. 4, 2021, 1:30 p.m. (40 minutes).

There’s been a spike in major incidents and widespread DFIR disasters involving both service providers (such as MSPs and cloud providers) as well as software providers (such as SolarWinds, Microsoft, and Accellion). Responders have little visibility and often find out about vulnerabilities, exploits, and backdoors far too late.

In this fast-paced talk, we'll dissect real “next-gen” DFIR cases and how to adapt your response processes to meet today’s global threats. This will include a walkthrough of a SolarWinds case, including threat intelligence and threat hunting, which were the keys to an effective response. We'll analyze a recent Exchange exploitation case where multiple cybercriminal gangs hacked into the server, both before and after the vulnerability was made public. We'll discuss the FBI's court-approved removal operation and the implications of pre-emptive access by law enforcement to private servers on a mass scale. Finally, we’ll analyze an MSP hacking case, where criminals leveraged the REvil ransomware to hold over 100 clinics hostage.

We are on the precipice of seeing major changes to standard response best practices. All of us need to expand DFIR processes to account for mass 0-day exploits and supplier compromises. This includes strategies for threat intelligence, methods for obtaining early information about a potential incident, obtaining and vetting IoCs, risk evaluation strategies, and more. We also need to integrate threat hunting into response operations and prepare for potential unexpected law enforcement access to systems. Join us and get practical strategies for adapting your DFIR response best practices to reflect today’s increasingly interconnected threat landscape.

Presenters:

  • Sherri Davidoff - CEO, LMG Security
    Sherri Davidoff (@SherriDavidoff and @LMGsecurity) is the CEO of LMG Security and the author of "Data Breaches." As a recognized expert in cybersecurity and data breach response, Sherri has been called a "security badass" by The New York Times. She has conducted cybersecurity training for many distinguished organizations, including the Department of Defense, the American Bar Association, FFIEC/FDIC, and many more. She is a faculty member at the Pacific Coast Banking School, and an instructor for Black Hat, where she teaches her "Data Breaches" course. She is also the co-author of Network Forensics: Tracking Hackers Through Cyberspace (Prentice Hall, 2012), and has been featured as the protagonist in the book Breaking and Entering: The Extraordinary Story of a Hacker Called "Alien". Sherri is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN) and holds her degree in Computer Science and Electrical Engineering from MIT. Her latest book, Ransomware Response, will be published early next year.
  • Matt Durrin - Incident Response Technical Lead, LMG Security
    Matt Durrin is the Incident Response team lead at LMG Security. He is an instructor at the international Black Hat USA conference, where he teaches “Data Breaches.” He regularly conducts cybersecurity webinars and seminars for hundreds of attendees in all sectors, including banking, retail, health care, government, and more. A seasoned forensics professional, Matt specializes in incident response, ransomware cases, cryptojacking, and banking trojans. Matt holds a Bachelor’s Degree in Computer Science from the University of Montana and previously worked as a “blue team” field technician/system administrator for over 10 years. His malware research was recently featured on NBC Nightly News.
