Leveraging Endpoints to Boost Incident Response Capabilities

Presented at DeepSec 2018 „I like to mov &6974,%bx“.

In our day-to-day work we constantly see most organisations fail to respond properly to real incidents, and much of the time this is due to a lack of visibility on endpoints.

The aim of this talk is to help Blue teams understand what they can do to improve their detection mechanisms, and at the same time to show what matters when responding to a real incident.

We have built a lab with an Active Directory and other common crown jewels found in most organisations. From there we have chosen some of the attacks and techniques that we have faced during incident response cases, from financially motivated threat groups to APTs. Next, we have ingested the logs produced on the different endpoints and used different incident response techniques to find multiple IOCs that would detect the different attacks.


Presenters:

  • Francisco Galian - Nirvan and IBM X-Force IRIS, Telefonica UK (O2)
    Francisco Galian, SME on Incident Response & Digital Forensics. Leading the response during security incidents, compromised networks and data breaches. Helping customers in a proactive way by providing trainings, tabletop exercises and active threat assessments. Previous roles include assessing security on a Critical National Infrastructure, consultancy and being main developer of Threat Intel solutions like malware sandboxes.
  • Mauro Silva - Nirvan and IBM X-Force IRIS, Telefonica UK (O2)
    Mauro Silva's interests can be summarized by two words: challenges and scripting. He loves challenges, and scripts every repetitive task he can. In his current position he leads a team responsible for threat hunting within a telco environment. He has also developed a training program for it that includes simulation of incidents and puts the team into the several roles present in order to enable it to understand the nuances of an incident. That includes red teaming (aka pentesting). In his past positions he has focused mainly on Incident Response and Forensic Investigations. He was also involved in the development of a Threat Intel gathering tool called IntelMQ. Mauro always tries to streamline his team's work by automating everything that can be automated. He has also represented his previous employers at several conferences and led a nationwide cybersecurity exercise.
