IR-3017 The ABCs of Containment, Eradication, and Recovery

Presented at Texas Cyber Summit 2019, Oct. 12, 2019, 2 p.m. (60 minutes)

In the physical realm, a successful hunt ends with either a kill or a capture. While some might enjoy the thrill of the hunt, no one really wants to walk away empty-handed. Why do we treat hunting in the digital realm differently? The Containment, Eradication, and Recovery phase of the Incident Response Lifecycle is the digital equivalent of the kill or capture in the physical world. Proper execution of this phase is necessary for a successful hunt, and it's as easy as remembering your ABCs. You've stalked and located your prey and evil has been found; are you prepared to take it out?

Containment, Eradication, and Recovery is a key phase of the NIST Incident Response Lifecycle that often doesn't receive the attention it deserves. Focus is mainly placed on detection and analysis. After an incident, organizations are often left with a report detailing attacker activity with, at best, a few remediation suggestions, leaving them on their own to figure out what to do next. Any incident involving a determined human adversary (aka "advanced persistent threat") requires simultaneous disruption of three key areas known as "the ABCs": Accounts, Backdoors, and Command and Control. We'll cover a three-phased approach that addresses the ABCs and has proven successful across many of the most high-profile incidents of the last decade. We start with a high-level strategic overview of this methodology before getting into the technical details of how to address the ABCs during each phase of the approach using freely available tools.

Presenters:

  • Josh Bryant - Tanium
    Josh Bryant is currently a Director of Technical Account Management at Tanium, where he helps very large enterprise customers gain high-speed visibility and control over their endpoints. As one of the Subject Matter Experts on Tanium's Threat Response module, he helps customers quickly hunt for, detect, and respond to advanced threats. Prior to joining Tanium, he was a Cybersecurity Architect at Microsoft, where he focused on delivering cybersecurity services ranging from Tactical and Strategic Recovery to Advanced Threat Analytics implementations, risk assessments, and more, to customers in a variety of industries around the world. Josh is also a Master Sergeant in the Illinois Air National Guard, where he manages a team of Systems Administrators that maintain an Air Operations Center. He has over 20 years in IT specializing in cybersecurity and messaging, and spent some of his active-duty U.S. Air Force time as a Network Security Manager, performing vulnerability assessments and penetration testing.
