Incident Response Workshop

Presented at BruCON 0x08 (2016), Oct. 27, 2016, 1:30 p.m. (240 minutes)

This workshop confronts participants with a state-of-the-art security incident. Step by step, they learn how to deal with the situation while being challenged on their knowledge of various information security topics. The goal of the workshop is to give participants a structured approach to spotting malware and handling incidents caused by modern adversaries. Virtual machines are provided so that participants can practise at their own pace and continue at a later point in time. Two instructors assist the students towards a full mapping of the incident and walk through a typical solution at the end of the workshop.

The situation the students have to handle is as follows: “You are part of your company’s Incident Response team. On some idle Friday afternoon, your manager barges in. He has just been notified by the authorities that they have compromised a Command-and-Control server and that they have found systems communicating with that server originating from your company. The board of directors is breathing down his neck to find out what has happened and has asked him to contain this problem as soon as possible. How come we haven’t noticed this? What systems have been compromised? What data has been exfiltrated? Are there still active connections? You immediately coordinate with the authorities and receive an extract of the information they have pulled from the compromised server. And so your quest begins…”

The students work in teams of two and have four hours to find out what has happened and to verify whether there are still any active connections. During the workshop, the instructors switch between guiding the participants and challenging them by assuming various positions in the company.
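The first triage step in a scenario like this is to turn the authorities' extract into a list of internal hosts, the amount of data each one pushed to the server, and whether any of them has checked in recently. The following is an added example of that correlation, not material from the workshop or from NVISO: the C2 extract, the firewall log, the C2 address (198.51.100.7), the NAT address (203.0.113.10) and the log formats are all constructed for illustration, and the clock-skew tolerance and "still active" window are assumptions you would tune to your own environment.

```python
"""Correlate a seized-C2 log extract with internal egress logs (added example).

All sample data below is constructed for illustration; the formats do not
correspond to any real C2 panel or firewall product.
"""
from datetime import datetime, timedelta

# Constructed sample: extract handed over by the authorities from the seized C2 server.
# Fields: timestamp, public source IP as seen by the C2, bot id as the C2 logged it, bytes uploaded.
C2_EXTRACT = """\
2016-10-21T09:14:02Z 203.0.113.10 BOT-4f2a 1204
2016-10-21T09:19:05Z 203.0.113.10 BOT-4f2a 980
2016-10-24T16:02:44Z 203.0.113.10 BOT-9c11 51200
2016-10-27T13:05:10Z 203.0.113.10 BOT-4f2a 730
"""

# Constructed sample: the company's egress firewall log (internal host -> destination).
# 203.0.113.10 is the company's NAT address, so the C2 only ever saw one source IP;
# the firewall log is what maps each contact back to an internal host.
FIREWALL_LOG = """\
2016-10-21T09:14:01Z ALLOW 10.0.5.23:49812 -> 198.51.100.7:443
2016-10-21T09:19:04Z ALLOW 10.0.5.23:49901 -> 198.51.100.7:443
2016-10-21T10:00:00Z ALLOW 10.0.5.40:50011 -> 93.184.216.34:443
2016-10-24T16:02:43Z ALLOW 10.0.7.8:51230 -> 198.51.100.7:443
2016-10-27T13:05:09Z ALLOW 10.0.5.23:52210 -> 198.51.100.7:443
"""

C2_ADDRESS = "198.51.100.7"          # assumption: the address the authorities confirmed
CLOCK_SKEW = timedelta(seconds=5)    # assumption: tolerated drift between C2 and firewall clocks
ACTIVE_WINDOW = timedelta(hours=1)   # assumption: "still active" means contact within the last hour


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_c2_extract(text):
    """One dict per C2 contact: when, from which public IP, which bot, how many bytes."""
    rows = []
    for line in text.splitlines():
        ts, src, bot, nbytes = line.split()
        rows.append({"ts": parse_ts(ts), "src": src, "bot": bot, "bytes": int(nbytes)})
    return rows


def parse_firewall_log(text):
    """One dict per firewall entry: when, internal host, destination IP."""
    rows = []
    for line in text.splitlines():
        ts, action, src, _arrow, dst = line.split()
        host, _port = src.rsplit(":", 1)
        dst_ip, _port = dst.rsplit(":", 1)
        rows.append({"ts": parse_ts(ts), "action": action, "host": host, "dst": dst_ip})
    return rows


def correlate(c2_rows, fw_rows, c2_address=C2_ADDRESS, skew=CLOCK_SKEW):
    """Attribute each C2 contact to the internal host whose egress to the C2
    is closest in time, within the clock-skew tolerance.

    Returns {internal_host: {"bots": set, "bytes_out": int, "last_seen": datetime}}.
    """
    candidates = [r for r in fw_rows if r["dst"] == c2_address]
    hosts = {}
    for c in c2_rows:
        match = min(candidates, key=lambda r: abs(r["ts"] - c["ts"]), default=None)
        if match is None or abs(match["ts"] - c["ts"]) > skew:
            continue  # no egress entry close enough; worth a manual look, not an attribution
        entry = hosts.setdefault(match["host"], {"bots": set(), "bytes_out": 0, "last_seen": None})
        entry["bots"].add(c["bot"])
        entry["bytes_out"] += c["bytes"]
        if entry["last_seen"] is None or c["ts"] > entry["last_seen"]:
            entry["last_seen"] = c["ts"]
    return hosts


def still_active(hosts, now, window=ACTIVE_WINDOW):
    """Hosts whose most recent C2 contact falls inside the activity window."""
    return sorted(h for h, e in hosts.items() if now - e["last_seen"] <= window)


if __name__ == "__main__":
    hosts = correlate(parse_c2_extract(C2_EXTRACT), parse_firewall_log(FIREWALL_LOG))
    for host, e in sorted(hosts.items()):
        print(host, sorted(e["bots"]), e["bytes_out"], e["last_seen"].isoformat())
    print("still active:", still_active(hosts, parse_ts("2016-10-27T13:30:00Z")))
```

The byte counts answer the "what data is exfiltrated" question only in volume; which files left needs host forensics on the attributed machines. The timestamp-proximity join is deliberately strict about skew: with a busy NAT, two hosts can hit the same destination within a second of each other, so treat an attribution as a lead to confirm on the endpoint, not as proof.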

Presenters:

  • Maxim Deweerdt - NVISO
    Max is one of Erik’s minions who has to work day and night to ensure Erik can drink his Duvel in the sun without interruption. During these devilishly long workdays, he focuses on Incident Response and Forensics and occasionally rocks some penetration testing. Max has several SANS certifications and is currently pursuing a track to become a SANS mentor. Rumour has it that Max lost his hair due to his incredible brain size and that sleep needs him, not the other way around. He is actively looking forward to causing you a lot of stress while you are embedding yourself in the jolly world of incident response and digital forensics.
  • Erik Van Buggenhout
    Erik is a co-founder of the Belgian cyber security company NVISO, where he is responsible for the Cyber Resiliency service line. He coordinates the delivery (read: finds people to do work for him while he enjoys a Duvel in the sunshine) of highly technical services such as penetration testing, digital forensics, incident response and malware analysis. Next to his activities at NVISO, Erik is also an Instructor for the SANS Institute, where he teaches "SEC 560 - Network Penetration Testing and Ethical Hacking" and "SEC 542 - Web Application Penetration Testing". During these classes, Erik entertains students with his own success and failure stories, experienced by "one of his friends / colleagues".