Sniper Incident Response

Presented at CactusCon 11 (2023), Jan. 28, 2023, 10 p.m. (60 minutes).

Analyzing systems one at a time is a slow process. What do you do when you have to look at 300 hosts? Or 5,000? A new way of quickly looking at data needs to be found. That's where Sniper Incident Response comes in. Sniper Incident Response prioritizes the 4 Big Questions that every investigator needs to answer during an engagement: What did they take? Are they still here? Where did they go? How did they get in? Prioritizing these questions with a hunt plan will drive the investigation forward and help you become an infosec ninja. This talk will break down each question and show the audience key artifacts that can be quickly examined to answer the most critical questions in a fast and repeatable process. We will start by answering "What did they take?" This portion covers data exfiltration and the artifacts left behind by threat actors when they access, acquire, and exfiltrate data. Next is "Are they still here?" This portion is all about identifying persistence and the artifacts left behind. "Where did they go?" covers lateral movement, the artifacts, and the tools used by threat actors. Finally, "How did they get in?" walks through the process of identifying patient zero. I will wrap up the talk with a few real-world case studies where this methodology was applied and show how it was leveraged during an active incident response engagement.
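The scaling problem the abstract opens with (300 or 5,000 hosts, one checklist) is easiest to see as code. The script below is an added example, not material from the talk or from Unit 42: it runs a fixed hunt plan over artifact records from many hosts, buckets each finding under the question it helps answer, ranks hosts for analyst attention, and picks the earliest initial-access artifact as the patient-zero candidate. The artifact type names in `HUNT_PLAN`, the pipe-delimited record format, and the sample records are all constructed for this example and are assumptions, not a list taken from the presentation.

```python
"""Triage artifact records from many hosts against the four questions.

Added example. The artifact names, record format and sample records are
constructed for illustration and are not from the talk.
"""
from collections import defaultdict
from dataclasses import dataclass

# The four questions, in the priority order the talk gives them.
QUESTIONS = ("what_did_they_take", "are_they_still_here",
             "where_did_they_go", "how_did_they_get_in")

# Hunt plan: which artifact type helps answer which question.
# These artifact names are assumptions for the example.
HUNT_PLAN = {
    "archive_created": "what_did_they_take",
    "cloud_upload": "what_did_they_take",
    "run_key_added": "are_they_still_here",
    "scheduled_task_created": "are_they_still_here",
    "remote_logon": "where_did_they_go",
    "remote_service_install": "where_did_they_go",
    "phishing_attachment_opened": "how_did_they_get_in",
}


@dataclass(frozen=True)
class Finding:
    ts: str        # ISO 8601 UTC timestamp, sortable as a string
    host: str
    artifact: str  # key into HUNT_PLAN
    detail: str


def parse_record(line: str) -> Finding:
    """Parse one constructed record of the form ts|host|artifact|detail."""
    ts, host, artifact, detail = line.strip().split("|", 3)
    return Finding(ts, host, artifact, detail)


def triage(lines):
    """Bucket each host's findings under the question each one answers.

    Artifacts outside the hunt plan are skipped on purpose: every host gets
    the same short checklist instead of a full read.
    """
    per_host = defaultdict(lambda: {q: [] for q in QUESTIONS})
    for line in lines:
        if not line.strip():
            continue
        f = parse_record(line)
        question = HUNT_PLAN.get(f.artifact)
        if question is None:
            continue
        per_host[f.host][question].append(f)
    return dict(per_host)


def prioritize(per_host):
    """Hosts answering more questions first; ties go to the host with the
    most exfiltration evidence, since that is the first question asked."""
    def key(item):
        host, buckets = item
        answered = sum(1 for q in QUESTIONS if buckets[q])
        return (-answered, -len(buckets["what_did_they_take"]), host)
    return [host for host, _ in sorted(per_host.items(), key=key)]


def patient_zero(per_host):
    """Earliest initial-access artifact across all hosts, or None."""
    hits = [f for b in per_host.values() for f in b["how_did_they_get_in"]]
    if not hits:
        return None
    first = min(hits, key=lambda f: f.ts)
    return first.host, first.ts


# Constructed sample records, not real incident data.
SAMPLE_RECORDS = [
    "2023-01-10T08:12:03Z|WS-0417|phishing_attachment_opened|ISO attachment from external sender",
    "2023-01-10T09:40:11Z|WS-0417|scheduled_task_created|task runs a binary from the user profile",
    "2023-01-11T02:05:44Z|WS-0417|remote_logon|outbound RDP to SRV-FILE01",
    "2023-01-11T02:07:19Z|SRV-FILE01|remote_service_install|service created over admin share",
    "2023-01-11T03:30:00Z|SRV-FILE01|archive_created|finance share staged into an archive",
    "2023-01-11T03:55:21Z|SRV-FILE01|cloud_upload|archive sent to a file-sharing site",
    "2023-01-12T11:00:00Z|WS-0102|remote_logon|inbound RDP from WS-0417",
    "2023-01-12T11:01:00Z|WS-0102|run_key_added|HKCU Run value pointing at user profile",
    "2023-01-13T07:00:00Z|WS-0999|software_inventory|routine agent scan, not in the plan",
]

if __name__ == "__main__":
    buckets = triage(SAMPLE_RECORDS)
    for host in prioritize(buckets):
        print(host, {q: len(buckets[host][q]) for q in QUESTIONS})
    print("patient zero candidate:", patient_zero(buckets))
```

The ranking is deliberately simple: count how many of the four questions a host contributes evidence to, then break ties on exfiltration evidence. In practice the record source would be whatever collection tooling normalizes the artifacts into one format; the point is that the same plan is applied to every host so that hosts with nothing in the plan (WS-0999 above) drop out without any analyst time.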

Presenters:

  • Chris Brewer - Consulting Director at Unit 42
    Chris Brewer is an expert in digital forensics and incident response who has over two decades of experience as an IT professional, focusing on computer security, data centers, and servers. He is also an experienced IT security instructor who has taught at the National Computer Forensics Institute and has conducted training for various law enforcement and government agencies worldwide. Chris also has:
      • Directly led DFIR teams across the world on over 300 engagements
      • Led internal threat intelligence effort for investigations
      • Led client/counsel engagements
      • Led proactive advisement matters
      • Developed custom tabletop scenarios for clients
      • Negotiated ransom payments with groups such as Conti, Lockbit, and others
      • Led a variety of casework: ransomware, eCommerce, web compromise
      • Presented on panels and webinars for external and internal clients
    Prior to his security consulting career, Chris was a system administrator for over a decade at IBM and American Express. https://www.linkedin.com/in/cebrewer/
