
I want to say thank you to BSides Vancouver for allowing me to speak again. I really appreciate it. I love talking about stuff like this, and this is something that I've been thinking about a lot. This talk is really important to me from the perspective of what I do as an incident responder, so I'm really excited to be presenting this for the first time at BSides Vancouver this year.

A little bit about me, for those of you who have not met me. My name is Shelly Giesbrecht. I am an incident responder at CrowdStrike; specifically, I am the practice lead for Canada, so I run the Canadian team as well as doing some of our other global projects. I've been doing this for a while. I started out doing help desk many, many years ago, learning how to support folks at that level. And I love Lego, and that's important because I think that, from the perspective of incident response, Lego shows us how to build things and put pretty things together with a manual. Incident response is like if somebody has taken all those pieces, broken them up, and says build it again but do it without the manual. So we help businesses put their Lego back together, if you will, and sometimes we have a couple of pieces left over. But I think that is my best job, and I love talking to clients. That's what I do, and that's one of the reasons that I work in incident response: because I like to be customer facing and help folks on their worst business days. As you can tell, I love a bow tie, and I'm a proud dog mama, which hopefully we'll bring in a little bit later.

Today is about talking about our worst nightmare in incident response, so for your organization, what your worst nightmare is. The reason this talk is really important to me is because I talk to a lot of clients every year. I talk to several hundred clients about the things that are going on in their environment, hopefully from a proactive side, but a lot of times it's after the incident: we go in and we help, we try to figure out what's gone on, in all sorts of industries, big and small companies. One of the most disappointing aspects of my work is not being able to meet customer objectives in their investigation, and that largely is in part due to missing evidence, things that they just don't have. There are a few different reasons for why that might happen. When we're dealing with ransomware, for instance, that can be because the stuff has been damaged, or perhaps it's been overwritten, or taken or deleted by the threat actor. All those things happen, absolutely. But really the biggest reason why we can't meet customer objectives, generally speaking, when we're talking about missing evidence, is because it doesn't exist. They don't have it. They don't collect it. And that can be a real problem when we're trying to meet those objectives.

So today we're going to talk about what's the worst nightmare, what does that look like, and then we're going to say "starting from the bottom." And that doesn't mean... I took it from the Drake song, so there we go. But what it really means is we might find ourselves in an incident, and what I'm suggesting is we start there and we move backwards and figure out what we needed, and that is really based on what sort of organization you are. So the thing you're going to hear a lot today is "it depends," because in incident response and digital forensics that's our general answer to most questions when we get asked: it depends. And last but not least, we're going to talk a little bit about finding your allies. Once you figure out what you need, how do you get those things, and where do you find those allies to help you do that? We'll talk about that briefly.

All right, how do we begin? Let's say it's Friday, might be four o'clock, DFIR Friday as we like to call it. You've been breached. You've had data stolen, perhaps, and you don't know what was taken. Maybe you've got a ransom note that said we're going to publish your data in three days if you don't pay us. Or you got a notification from a government agency, from a police or law enforcement organization: "Oh, by the way, I saw your data being advertised on such and such a dark web forum. You might want to do something about that." The other option is maybe you got ransomed. You're hard down, your systems are encrypted, and you don't know how to recover. So those are those worst nightmare scenarios. And by the way, the spider on the agenda slide, that's my worst nightmare, so I like to include those spiders. Absolutely my worst nightmare. But in these situations we get into as organizations, we need to understand what your worst nightmare is. So that's kind of what I want you to do as we're going along today: think about what, for your organization, would be the worst incident that could happen. There are a lot of incidents that could happen. We can't prepare entirely for every single one of them, but if we prepare for the worst case scenario, we may then be able to be much more effective in other scenarios as well.

Okay, so the first thing that I'm going to ask as an incident responder (well, there are a few other questions I'm going to ask, but one of the first things I'm going to ask as an incident responder when I come in) is: do you have any logs? Do you have anything that we can look at? Do you have pcap? Do you have NetFlow? Do you have EDR data? Do you have web logs? What do you have that'll help us out, to help you answer the questions that you need to answer?

And there are some other real questions, obviously, that we're going to ask. I love this comic: "I'm going to come ask a series of scary questions, and when I'm done, let's see if you can guess why I'm asking them." All right, one of those big questions is: what are your objectives? That's a really big one, and that's something that we help customers with on a daily basis. I say, "What I'm hearing is your objectives might be this," and I try to help shape those. But a lot of times those objectives tend to be things like: what was taken, how did they get in, are they still here? All of those things, right? That's a really important one. And then some of those additional questions that I'm going to ask are: in your organization, is there protected information? PHI, PCI, PFI, regular old PII? Is there something that we need to be concerned about that may have left your organization, that may need to be protected, that may need to have notifications made? Right, what notifications would need to happen based on the information that you have? Do you know that, as an organization? And what sort of obligations do you have, not only for those notifications, but what sort of contractual obligations do you have? For instance, if you're hard down and you have product to ship, do you know what those obligations are? And then, what are your most critical assets? If you're hard down, your most critical assets are probably the ones that need to come up first. Do you know what priority that is? Do you know where those sit? Do you know who the owners of those data are? All those things. And how long can you be down? Some organizations can be down for days at a time, because having internet access or having systems down maybe isn't the core of their business. For other businesses, if they're down for even hours, that can be millions of dollars lost. So it really depends, and it's something that your organization needs to know.

Again, it depends. So the answers really are varied and different. I love Office Space. It really depends on who you are, what industry, what your actual business is, what your business model is. Again, do you need the internet for work? Could you be down for days and it doesn't really matter to you? Do you need to be up right away? What are your local, provincial, federal laws that are applicable to your organization? What organizations do you have obligations to contractually, that sort of thing? Where else do you do business? So if you've lost some data and you do business in Europe as well, GDPR may be a thing for you. There might be some other things: the Singapore laws are very, very strict. If you're doing business over in Asia, that might be something you need to be aware of if data goes missing from there or if you're hard down in that environment. Business partners, contracts, your customers obviously: all of these things are things that we need to understand, right? Again, it depends. It really depends on your organization and many, many other things.

So this is how this typically goes. When we're planning for incident response, we go out and we read a lot of things, we ask some questions, we might even have some trusted advisors in and say, "What are the best practices for us to best understand how we might respond to an incident? What do we need?" And there are a lot of answers out there. You can go to NIST, and I'm going to call out a few other things in this presentation, but everybody gives good information. Everybody is out there giving the best information that they can, trying to help your organization be better at responding. What I'm saying is: still do all of that, look for all that information, but then as an organization look at it and figure out what makes the most sense for your organization. So go out there and check those best practices. But generally then what happens is they take those at face value and go, "Well, that's the best practice. They say we should go out, we should spend three million dollars on a SIEM, we should keep everything for a year, and we're going to keep all of the things. Or we're going to keep this thing because it says this thing is the most important," and maybe that's firewall logs, who knows. But we also need to check our budget. Maybe we can't afford a three million dollar SIEM. So, okay, maybe we only have this much money and we can only do this thing. Okay, well then from that we're going to go, "Well, here's the best practices, and we think those are okay, and we've got this much money, and so we're going to go and we're going to collect what is recommended and what we can afford." Right? So we're going to figure out how we're going to do that and collect that, and then we're going to keep it for, let's say this says we're going to keep it for a year, so we're going to keep it for a year because that makes sense.

There's another way that this is done, and this is something that I see really frequently: we have no idea what we will need if our worst nightmare comes true. We have no idea what we're going to need, so we've made no plan for that. And when I say, for instance, "Do your Active Directory logs get sent somewhere centrally?" No. "Do your firewall logs get sent somewhere centrally?" No, they're just on the local appliance. Okay, so that's the default settings. That's the default settings, which means you have no log retention, right? So they're not kept for any length of time; they've probably rolled over, because they are no longer available. And we're really working on thoughts and prayers at that point. We're hoping the worst doesn't happen, and when it does, we're working on those prayers to hope that we still have a job at the end of it. So I think when we think about this scenario, this is the worst case scenario of the worst case scenario, right? When we get into that worst case scenario, we're having all these people ask us questions about how we're going to respond, how we're going to recover, and we go, "Well, we're not really sure." And that's when those conversations come in around how are we going to actually be a business next week if we don't know the answer to these questions.

So this is what I'm suggesting now, and I will say that this presentation is not around recovery necessarily. I'm not going to answer all the questions. What I'm specifically talking about is what happens when the worst case scenario for your organization happens and you needed to do an investigation, or you needed to recover quickly. What are some of the questions that you would need to know right away? So what I'm suggesting is we go back to the bottom. We take that worst case scenario, we start there, we say, "Here, for our organization, is the worst case scenario that could happen." We figure out what that looks like for us. I'm going to go through a few different scenarios after this to hopefully flesh that out a little bit. But we understand what that worst case scenario might look like, and then we say: when that worst case scenario happens, our objectives in the investigation that follows, in the months, or hopefully days or weeks, that follow, our objectives for getting back to business would be this. Finesse those, and then figure out from those objectives what we would need to collect as a business, from an investigative perspective, from a recovery perspective, to understand how we might get to where we need to be to answer those objectives. And then, how are we going to get there? So the "how" piece is going to be a little bit around how do we do those things, how do we collect those things, where are we going to put them, all those sorts of things, but also a little bit around budget. I'm not really going to talk about budget today, but understand that that's a big component in this as well.

So again, what kind of organization are you? All of these questions are really going to depend on what organization you are. What are your objectives? What's your industry? What's your vertical? What's your risk profile? All of those things we have to be thinking about, and I'm not going to answer those questions today. I'm just going to hopefully poke you along your way to being able to think about those things with your team and understand maybe what those things are for you, so you can start planning for that. We go through hundreds of investigations a year, and every time that I have to say to a client, "I just can't answer this question for you because this thing didn't exist, and I wish that it did, but we can't go back and make it," it is very frustrating for us, it's very frustrating for them, and it's frustrating for any folks that they have to notify, for instance if they have data stolen. So we want to make sure that we're thinking about those things first and working backwards, starting from the bottom, if you will.

So I'm going to generalize a lot here and say that there are three types of organizations. There are probably many more than this, but I'm going to start with these three. Data rich: these are organizations where it doesn't really matter whether things go down as long as the data is safe, as long as the data didn't leave, as long as the data wasn't damaged. As long as that data is secure and safe, we don't have to worry that the internet is down, that we're down for days at a time maybe even, because that data is safe, we can continue going, and it's okay. Then there's the asset rich, and this is a little bit of a misnomer, but when I say asset rich, what I mean is that for these organizations, as long as their infrastructure is running, as long as everything's continuing to go, the data on it is maybe transient. It doesn't really matter what that data is, or whether that data is perhaps damaged. As long as the assets are up and running and things are still moving, money is still flowing, product is still shipping, that's the most important thing. But then we have the hybrid, which is: both of those things are important. We have to have the data. The data is very important, maybe it's some sort of protected information, but also having those assets up and running is critical to the organization. Obviously that is really a big generalization and there's a lot of gray area in there, but we're going to deal with those things today.

So let's start with a data rich organization, and I've chosen something really sort of out there. We've had a lot of supply chain attacks in the last year, a year and a half even, so I wanted to choose something that I think was a little germane to that. So, data rich organizations: let's talk about a software development company. You are a software development company, and your worst case scenario is that a threat actor has gotten in touch with you in some way and they have threatened the release of the entire source code of your super mega popular software, which you get millions and millions of dollars from in subscriptions and license sales every year, and if it goes out into public, I mean, your business is finished. Additionally, they've also stolen your customer data and they're threatening to release that as well. So not only do we have a threat to what is the core of your business, your source code, but also there's a lot of brand and reputation issue that's going to go on with regards to customer data possibly being leaked.

So I've listed some objectives that we might want to think about. This is our worst case scenario, so what would happen if that happened? What objectives would be the most important? When I think about customers that I speak to on a regular basis, the biggest question, and this is particularly for the lawyers, the biggest question is: what was taken, and how much was taken? A lot of times you get those conversations with, "Well, the threat actor says they have 1.2 terabytes, but we don't have that much data." Well, maybe you do, maybe you don't. It really depends on how aware that particular person that you're talking to is of what their estate really looks like. But also, we've known threat actors to be a little fast and loose with the truth as well, and they don't always tell you; with the proof of life, they may not always send you everything, proof of whatever they've taken. So it's difficult: what have they taken? And that's very, very important for notifications. How much and what was taken means who do we have to notify, how many people do we have to notify, if it's customer data for instance, are there any regulators that need to know? All of those things are very important with that question. So that's why that's bolded, because for a company that particularly has had data taken, anything with protected information that's associated with that, that question is number one, really. And then obviously we get the ones of how did it happen, are they still in our environment, and the who needs to know. I talked a little bit about that: regulators, notifications, customers. Who needs to know about how this happened?

So from there, if we understand what those objectives look like, we want to understand then what do we collect. Data exfiltration is one of the most difficult things to prove, and one of the reasons for that is because one of the best ways to prove data exfiltration happened is pcap: exactly what has flowed out, packet by packet, what has flowed out of the network. That is the best way for me as an incident responder to tell you what has left your network. And what I will tell you also, as an incident responder of many years, is that I have seen pcap... probably I can count on one hand companies that have had full pcap for any length of time. It's expensive, it's difficult to store all of those things, it takes up a lot of room, and so that's a difficult thing. But we can also talk about things like NetFlow, for instance, which is a lot easier, and I'm not going to debate the merits of one thing over another, but network data is the best way for me to tell you what has left your environment. We've also used great things like, for instance, what files and folders were touched, process execution. I worked with a company recently who was storing all process execution 4688 events in their Splunk, which was fantastic, because what we were able to do is actually go into their Splunk, look at process execution events for the threat actors using rclone. We were able to see the process execution string: so rclone was executed, we could see what folder they were attempting to copy out to, the file transfer site that they were using, and that was very, very helpful in being able to answer that question of what was taken. Not necessarily how much, but the what was taken was much easier to answer when that was in place. So that's something to think about: how would we get that information, what events, for instance, would help us do that, and how would we collect that? So again, more logs, also really important, but sort of in that priority we're going to start at the network data.

And last but not least is how. So how long do we have to have this data? If we collect the pcap data, how long should we keep that for? Again, difficult to store because it's huge. How long do we want to store that data for? Again, it depends on your industry. How long you need to keep things for, whether it's logs, whether it's pcap data, or whether it's whatever, is really going to depend on your risk, your vertical, your ability to store that from a budgetary and from a storage perspective. How will we collect it? That's another thing: if you're a very distributed organization, perhaps collecting that data is going to be a lot more difficult, so we have to understand how we're going to collect it. And then where are we going to store it? Are we going to store it in the cloud? Are we going to have a managed service provider help us with that? Those are always interesting questions, because, for instance, when we're working with managed service providers, the question is how do we get that data back if we want to use that for an investigation. That's something that I've run into a little bit that has been difficult with organizations using managed providers: that data may not be all that easy to look at and to get for an investigation if you need it. And also, how long do we keep it for? How long do we need it? Are there any regulatory requirements or laws that say we have to keep it for a certain amount of time? Is it that year that NIST tells us, or is it less for our organization? How far do we want to be able to look back? Again, it depends.

All right, how about organizations that are data rich? I chose a manufacturer for this, and by this I'm seeing a manufacturer that manufactures something for someone else. Let's say you go to a manufacturer and I say, "I have this, here are my designs, I am the owner of the intellectual property, and I'm just getting them to build that thing for me." So they're somebody that doesn't really care about the data. The data goes missing? Not their problem, not their data. All they're doing is building stuff. But if they can't build things, if they can't ship out product, then they're losing millions of dollars. So maybe a threat actor brings you hard down with some sort of ransomware, encrypting your systems, and you're no longer able to produce the things, ship product, and you're losing money every day. So your biggest objective isn't necessarily the what was taken, because you don't care about the data, it's not your data. You want to get back up and running. But you might also be interested in the other things, like how did it happen, did they move laterally, what did they do in our environment, because you want to make sure that it doesn't happen again, obviously. So there are all those objectives we still want to think about, but probably the primary one there is we need to get back up and running as quickly as possible.

So from that perspective, your "what" is probably going to be: what are our most critical assets, what needs to come back up and running, and how do we list that priority list? What's on our priority list? What needs to come up first? Critical assets might be critical because they need to come up first or because of the data they hold. In this case we're not going to talk about the data, but they want to make sure what's coming up first, and what that recovery list is like, what the dependencies are for that. So we need to know things like who owns that process, who owns that server, who owns that appliance, so we can make sure that things come up in the right way, that they're tested, all those things. We need to understand that "what." And again, all of the logs, right? If something was down, if we had a ransomware event, we definitely want, for instance, authentication logs: understanding what accounts they were using, how did they move laterally from system to system, was there anything used from a process execution perspective, like did they use PsExec to move from system to system to help deploy that ransomware, for instance. What other files and folders they touched might be important, might not be, who knows, in this case. But the big "how" on this list is probably the how long can we be down before our business is at a critical place that we can no longer recover from, and then again, with that recovery priority list, what should be recovering first, second, third, fourth. How do we get back to business really, really quickly? But we still want to answer those questions from an investigation perspective.

How do we understand what our critical assets are? How do we collect that information? For some organizations that is very difficult. How do we understand what those recovery priorities are? That, again, is conversations with stakeholders, business owners, server owners, etc., and so forth. For that data, where do we store it? Whether it's logs or whether it's a critical asset list, where are we going to store it where we can get to it when we need it? That's an interesting one from the perspective of being in an incident and you're hard down: if your list of what your critical assets are, as well as your recovery priority list, is on a system that was encrypted, you're out of luck. You've done all this work and now you can't even use it. And again, with logs and whatnot, how long do we keep it for, and what's important to our industry? Because there may be some things that are germane to a manufacturer vertical that may not be to a software development company.

So data rich organizations... sorry, this should be "data and asset rich organizations." I didn't catch that when I was building my slides. So, data and asset rich organizations: I've chosen a healthcare provider for this one. When we think about that, the data is important, right? Patient data, PHI, really important. That would be our number one thing, right? If data was lost, myself as a consumer of a healthcare provider, I want to make sure my data is safe. But what about if all their systems are hard down? Isn't that more important? If their systems are hard down, they're not able to service their customers, and that might be more critical, right? It might depend on the healthcare provider. So again, the question is... the answer really is: it depends. It depends, even within the healthcare vertical, whether data or assets might be more important, but I think they're likely to be, not necessarily equally important, but there's going to be some balance there. So the objectives are really going to follow back again to all the things we talked about previously, but those two big ones are going to be: if data was taken, what was taken and how much was taken, because that's critical for notifications, not just in Canada but also in the US and a number of places around the world. Healthcare information is very, very protected, and we want to make notifications if we need to, to the folks that need to be notified. So that's a huge piece. Those are also really protected by deadlines, right? So the lawyers are very interested in how much was taken, what was taken, because they need to be able to answer those questions within a specific period of time. But also we need to get back up and running. There is patient care to be done, and so without critical systems we aren't able to service those customers that are most in need. So we want to make sure that we understand what our critical assets are, how they get back up, and where do we go from here, right? So there's a balance there, and there may be two work streams in this particular vertical, this particular type of organization, that might need to be followed. So that's something to be thinking about when you're considering that worst case scenario: how do we balance that out, right? So those are the conversations we want to have beforehand, so we can understand what that priority list looks like. So, yes, probably losing all that data, if I was going to say a big hospital for instance, losing all that data is going to be really important. It's definitely going to be a work stream, but likely there are going to be people whose voices about patient care are going to be much louder in that conversation. Again, depending on the organization, but at a big hospital, patient care is probably going to be number one, so that's probably going to win out on that pendulum of what's the most important.

So again, I'm going to say this: the cardinal rule of all of this is it depends. Your organization, and applying sort of this look at what's your worst case scenario and what your objectives might be in that, is going to really depend on so many things that are really very focused on your organization. As an organization, at CrowdStrike, from a "what's our worst case scenario" perspective, we actually have a few, obviously, but we have a very large product environment with a lot of intellectual property, so that would be very, very important for us. But we also are an incident response firm that collects a lot of data from a lot of different companies, so from a data perspective that would be very difficult. We also have a managed service, so if our systems went down hard, we would not be able to help our customers. So we're kind of one of those mixed hybrid organizations, right? We have a few different things that we'd really be thinking about. And what I want you to be thinking about is your organization, and what that worst case scenario and what that objective looks like for you.

So we've thought about this. We've gone through, we've decided what our worst case scenario is, we understand what our objectives might be in that situation, we think we know what we're going to collect, how long we need to keep it, how we're going to collect it. And this is kind of where that whole budget conversation comes in, and I'm not going to belabor it, really. But the other piece is support. So when we think about "here are the things that we would need in a worst case scenario," you need to have allies to help you push that agenda. Depending on your organization, depending on your vertical, your size, all those things, your allies are going to be different. There are going to be a few similarities, but they are going to be different.

So, looking at that a little bit, we've got the data rich, for instance. When data goes missing, the first people that care, besides yourself as the security operations person, for instance, is the legal team, and usually the privacy officers, right? It sends them into quite a tizzy. And a lot of the times when we talk to security teams, to IT teams who call us for an incident response, one of our first questions is, "Have you spoken to your internal legal team, or have you engaged external counsel?" And when the answer is no, that's a little concerning for us, and the reason for that is because in this day and age, any data going missing is going to set off alarm bells for any person with a legal degree. So if you haven't engaged those folks in your organization, legal team, privacy officer (those might be the same people), I highly recommend you're doing that as soon as possible. In fact, in the planning process, include them in this planning process, because their worst case scenario might be different from yours, and they may have a good reason for that, and that might be your organization's worst case scenario that you really hadn't thought of. The other people that might be really interested, and this is not an all-encompassing list on any of these, are the data owners. For instance, if you have data going missing, those data owners, one, might be your best source of information about what that data was and where it was, but also they're the owners of that information and they're pretty protective of it. So if it goes missing, they're going to be really concerned, or if it's damaged or otherwise, they're going to be really concerned about that and want to be involved in any of that process. Which means that if you're looking for support on how to protect that, how to make sure that, if it goes out the door, you know what it was, how it was taken, etc., those three groups particularly are going to be hardcore on your side to help you get what you need: the what and the how, collect that data, store it, understand what you need, how long you need to keep it.

From an asset perspective, again, legal team: they're going to want to know for sure if you're hard down and you're losing money. The other people on that side are any of the finance folks. I should have included those, but any finance folks: if you're losing money, your CFO is going to be on your side for understanding how to best get you guys back up and running as quickly as possible. Asset owners are big for that as well. Anybody in the production or operations side is particularly going to be interested in making sure that we can ship product out. Those sales folks, they're going to be right in your back pocket helping you push this forward, right? They want to make sure that their customers get their orders, so if you're hard down and you can't ship product, those guys aren't getting their bonuses. So, you know, find your allies. If you need help to push your agenda forward, these are the folks you want to talk to. And again, with those asset and data rich organizations, all of the above. Particularly in my scenario with the healthcare provider, your legal and your privacy team are going to be your best allies in understanding how to get from D to A.
from worst case scenario back to the how, right?

Okay, I'm going to recap a little bit here. When we look at situations, a lot of times we look forward, we plan, and I think that's a big thing in incident response: we talk about how we look forward, what's our plan, and how do we understand, you know, if we had an incident we do this and then we do this and then we do this. And again, what I'm suggesting in this scenario is that we look at that worst case scenario first for your organization. Is it something that has to do with data? Is it something that has to do with being down? Is it something in between that? And if it is something in between, what are your priorities there? Understanding what that worst case scenario looks like for your organization, and then saying, okay, if we had that situation happen, what would be our organization's number one objective in getting to where we needed to be, and then what are the following priorities after that. And I think what's important about that is, from an incident response perspective, my priorities or my objectives generally tend to be investigative, so I'm gonna want to know the what, the why, the who, all the things. Not necessarily the why, but the what and the how and the who we really try to sew up. From your organization's perspective that might be important, but getting back up and running, for instance, might be more important. So my priorities might not be your priorities, and it's really important to understand, when I come in and I ask some questions, I don't want my priorities to take over what yours should be. I want you guys to have thought about that. If I say "hey, what's your objectives?" I want you to be able to just state those out for me, and make sure that they are reflective of your risk, your organization, your vertical, your obligations.

And then we want to make sure that you can meet those objectives. So how do you meet those objectives? From the priority list, we're going to try to meet this one first, obviously, and then go to the second one: understand what we need from an evidentiary perspective, what we need from a recovery perspective with those critical assets, that's their priority, etc. and so forth. And then how do we make that happen? So here's the thing we found out that we needed, but how do we make that happen? In smaller organizations that can be more difficult, obviously; we may need external help to help some of those things happen. There may not be budget for everything, which means we need to prioritize what the most important thing is, so we can help find a way to get to the best answer. For larger organizations that tends to be a little easier question, or a little easier answer; for smaller organizations, not so much. And then the last thing is, like I said, find your allies. Make sure that you understand who the people are, whether they're in your organization or not. Your best friend might be law enforcement, might be an external legal counsel, might be a trusted advisor that you bring in to help find these things and help push this agenda. As a consultant, I know, and I've heard time and time again, that my word saying the same thing as the IT guy that's been there for 15 years has been saying for the last 15 years, me saying it as an outside consultant somehow carries greater weight with the executive team. Frustrating, but usually true. So if you need that trusted advisor to come in and help you push that agenda, you know, find those allies: legal team, privacy team, make those folks part of your team. Communications folks, I didn't mention those, but those are fantastic as well, and help make that happen. If you do that, you will be able to weather that worst case scenario far better. You'll be able to understand what that worst case scenario looks like, how we're going to get to a place of recovery, how we're going to get to a place of resolution that much better, and hopefully then be able to handle the less-than-worst-case scenarios with that same plan headed forward.

All right, I want to say thank you to the BSides Vancouver folks for letting me speak today. I really appreciate it, and thank you to all the folks that showed up to listen. I forgot to put my contact information on my slide deck, I realized. You can reach me on Twitter at nerdiocity, or my LinkedIn is Shelly Giesbrecht on LinkedIn, so please feel free to reach out. This is the obligatory photo of my dogs, that's Ruby and that's Annie, and I thank you all for being here today. I appreciate the time, and I'm not sure if there's a way to answer questions, but if there is, I absolutely am willing to do so.
I'm looking through the questions and see what I can answer.

Okay, so there's a question that was: assuming we don't have any way for SSL intercept or decryption, is pcap still valuable to have if it's just source/destination information? I would say it depends, again. With the source/destination information you might be better with NetFlow: less volume, and still able to see. NetFlow I'm a big fan of, because you've got your source and destination information as well as your bytes sent/received, which is going to be pretty much as good as that encrypted pcap if you're not able to decrypt it, and at least gives you an idea of what the connections were and how much data has been sent. If that's what you're dealing with, I would kind of recommend NetFlow over pcap, but certainly there's always value in pcap, depending if you're able to have that decryption point.
And let's see: wondering how many new exploits were also generated from the 30 gigs of MS code, supposedly Lapsus$. I honestly have no idea. I think it's going to be interesting to see going forward as well how much we see, and unfortunately there always seems to be a new zero day coming out, whether it's Microsoft source code or otherwise, but you know, here's my "patch often, patch frequently, patch every day" recommendation.

Last one was: curious what would be a recommended free or affordable selection that allows for collection of NetFlow and pcap for a small business. Good question. There's a few. I would really start with... what am I trying to think of, off the top of my head... there is a Linux distribution that has a whole bunch of different things in it, and for whatever reason it's eluding me right now. There's a free version of... why am I losing my mind right now? I will post it on my blog, it's www.nerdycity.com, when my brain recovers, and for some reason I can't think of the name of it off the top of my head, but there's a great free distribution you can set up that will help collect NetFlow, and you can do some pcap data as well. And I'm thinking it's... yeah, no, it's gone from my head, I don't know why, but there are some options out there. There's probably a few out there that might be one of them, but yes, I don't know why my brain's not functioning today. Yeah, Security Onion, thank you Gabriel, Security Onion was what I was thinking about. So there's a few... Security Onion has a few tools kind of mixed into it that you're able to set up and do some capture, has a few other tools on there as well, and it is very, very helpful and free, and there's a lot of resources out there that you can use to sort of set that up, and you can put it in a VM and do some collection there. It's what I have used at my house for a number of years, until I started doing a little bit more, but...
Awesome. Any additional questions?

Then Tyler said Security Onion as well, Eric said Suricata. Yes, there's a few different... Security Onion has Suricata on it. So absolutely, those are great answers, thank you guys so much for that. I don't know why my brain wasn't working, but I appreciate everyone's time today. Thank you so much, have a great rest of the day, enjoy the rest of BSides, and again thank you to BSides for having me.