
I would say good morning, but of course I didn't get here in time. Good night, right? Okay. I'm Stephen Strong. It's lovely to be back in Belfast, having grown up and been in Lisbon in my young, formative years; it's nice to get back to the province. Also it's really handy talking in Belfast, because if I was talking in England I would have to talk slower, because English people are slightly slower, but back in Northern Ireland I can crack on at a good speed, because I've got 68 slides to crack through. Right, okay, what are we going to talk about? I'm going to talk about advanced incident response. I'm also going to walk around a lot, apologies.

I'm going to talk about advanced incident response. This is based upon my experience of doing IR in fairly large and small organizations, for people who are struggling to try and kick bad guys out of their environment. Why are they struggling? Because they're in this circle of despair. They're constantly looking at the fact that, oh look, something's got hacked; a quick bit of Googling doesn't really do much good; have a quick telephone call while you're updating your CV; check out Monster Jobs, see what's going on there; send lots of emails, lots of panic; and then somebody just goes, "ah, just [ __ ] this, we'll just wipe the system." It's gone, your problem's gone away, tell the execs it's all gone away, it's hunky-dory, everything else, and then you just pray it doesn't happen again. And then two weeks later exactly the same thing happens.

I've been into organizations doing this. There was one insurance organization that were rebuilding 50 machines a month in their circle of despair, and they were going, "it's okay, we can deal with it, it's 50 machines a month." That's, I'd say, two hours a machine; that's a hundred hours a month; that's two weeks of somebody's time spent just rebuilding machines. You've just lost a person's worth of effort. So I'd say that if you keep doing the same thing over and over again
you're going to get the same problems, and they don't change things. Now, if you look at incident response textbooks, incident response talks about the six stages of incident response from SANS and the NIST sort of four stages of incident response, and those are all great, but they're all books, and they're all things that don't really translate into real compromises, and some of them really struggle to scale to big compromises. Now people say, what's a big compromise? If you're a small business, five machines is a big compromise. If you're a medium, 500-people company, a large compromise is probably about maybe 40 or 50 machines. If you're an international corporation, I'm talking thousands of machines. So when you start looking at thousands of servers, trying to work out which one of the individual stages of incident response you're at just doesn't really scale.

So what you do need, when you're doing incident response, is to understand two things: one, what you're trying to do, and what the business is trying to do. That sounds really basic, but if you're not working in cahoots with the business to actually get the business operational, then you're going to struggle, because you're not talking the same language that the execs are talking. Okay, so when we talk about this, when I do incident response, I go into large organizations as a consultant,
and I'm usually going in to try and get them back from being really badly hosed. And I'm talking really, properly, as a consultant, when you mute the phone and you go, "cancel the next six months, we're in this for a while." When you look at organizations who turn round and say, "you know, Steve, we found Mimikatz running in our environment," you go, "well, Mimikatz is bad; having Mimikatz rolling around in your network, that's bad." Then you get, "Steve, we found Mimikatz on our server." "Ignore Mimikatz, let it go." "We found it running as a service on our server." Now, for those people who don't know, Mimikatz will allow you to pull passwords out of memory and steal hashes and basically walk around a network like you own it. So when you find it running as a service on a domain controller, it's kind of bad. And then you find some organizations; I went into one place that had it pretty much running on every domain controller in their organization. They were just so badly owned. And I said, really, what we need to do is we need to come up with a UFP. "Alright, UFP? Are you a Trekkie? Do you mean the United Federation of Planets?" "I don't know, you need an unfuck plan, because
basically your network is [ __ ]." And they're like, "oh, well, how do we do it?" And it's amazing: once you start talking to the execs about the UFP, they actually quite like it. And I'm quite bold and brash when I'm talking to execs about how we're going to fix things. When I talk about "we need to put together a UFP," they think, "alright, well, what's in it?" I said, to come up with the UFP you have to be realistic about your incident. This is not CSI. Be realistic about the incident. You need to understand what's happening, what the bad guys are doing, what the situation is in the environment, what the bad guys are actually trying to do, what they're trying to achieve in your environment, and therefore how that will impact the business. Because the business has got to survive. You might have the best incident response plan, but if you cannot sell your product, maintain your operational livelihood, you're going to go out of business. You have to understand what's achievable. Once you've got that, you've got to understand the limitations of the plan, and, dare I say it, the people.

I worked with one organization; they said, "we're going to fix this, we're going to come up with a 90-day plan to fix this network." It took them 42 days to write the 90-day plan, which didn't leave them much time left to actually implement it, and one of the items was "rebuild all the domain controllers." Rebuild them with what? With who? With the same admins who sort of helped generate this problem? So actually understanding what you're going to do, and getting somebody at executive level to champion what you're going to do, to actually push it at the right level, is key to this. Whilst a lot of it is technical, a lot of it is actually leveraging the board to do what you need them to do: to understand, to free up the cash, to create the people able to do what you want. Okay. And then also having a realistic time frame. I have sat down with companies and I've said to them, "you know how long you're going to be
compromised for?" And they're going, "well, well, we'll work at this." Then you start getting out Gantt charts, and you get project managers on board. Now people might go, "what, we're incident responders, why do we need project managers?" Because this is a big project. You're going to rebuild 300 servers and change forty thousand people's usernames and passwords, or whatever; that's a big change project. You need project managers, project plans, you need lots of Gantt charts, lots of flow diagrams and all the icons. You go, "that's not incident response." That's how you get things done in business anyway. So you come up with a big timeline, and you're looking at 18 months, and the boss goes, "seriously, you're
[ __ ] me, 18 months?" "Right, well, we can shorten this: people or money." "No." "Well, you can't do it." "Well, we have no money." "Well, you may have no people. 18 months." "Oh no, I can't." And the thing is, you start talking the right language to business, which is: here's the project, here's the risk of running for the next 18 months, you'll run compromised. "Well, we can't accept that." "Well then, throw money at it." And then you just say, there's your plan, I'll walk away.

Right, so when we talk about understanding the attacker: you won't understand everything about the attacker, but you should understand what he's
trying to get to, what he's trying to do, what he's trying to steal, the time frame he's working at, where he's possibly targeting. Is he going after intellectual property? Is he going after services? Is he going after your customers? What is he after? Because if you don't know what the bad guy's after, how do you know where to look for him? Because always assume that you don't find all the bad guy's stuff. Now ultimately the boss thinks that the bad guys look like this; he thinks we always look like this, which is maybe an overestimation of our capabilities, when in fact the bad guys are more like this, and we're usually more like this. And most incident
response teams you look at, the guys are going, "I just saw you, look at the forensics guy, how's it going?" He's just got a stack of hard drives. "What's that?" "Oh, that's from the last three cases that he's working on." "Okay, he's been asked to image another 40 machines." People are, quite literally, everything's on pause. So let's look at actually this list of the attacker, let's get some basics in order. Alright. Underestimating the attacker is one of the biggest things that we do. Okay, there's one thing that we should do: respect your attacker. Because if you underestimate them, then you're doing yourself a disservice, because you
think, well, any incident responder: do you get to spend 40 hours a week doing incident response? Does your forensics guy get to do 40 hours a week? No. He's got performance things, he's got staff meetings, he's got training, he's got one-to-one meetings with his boss, and he's got a doctor's appointment, and he's got to get his car fixed. If you actually worked out how much time he actually gets on the job, it's very small. So you assume that the attacker is better motivated than half of your team, that he's better skilled, has more time and more capacity. Also, I hate the word "script kiddies." Using the word "script kiddies" introduces something where you're saying,
"oh, this is just somebody who doesn't know what they're doing." Just remember, this person who doesn't know what they're doing beat your network, got past your defenses, everything that you've spent. You look at your whole IT team and the hired security: "we are some of the best people in the industry, and there's a script kiddie on our network." How did this script kiddie get in if you're the best people in the industry? It's kind of odd. So you almost undermine your own credibility with the board if you start talking about script kiddies. Also, I hate the fact that the press will bring out the script kiddie's age, you know, 20, 18, 17. One of
the recent ones, the TalkTalk attacker: there was a quote by Ian Levy of the NCSC saying that the attacker was using a tool that was older than he was. It's kind of embarrassing, isn't it? The attack and the tool were both older than the operator, and yet they still managed to get past you. So don't underestimate the attacker. Also think, when you're on the network, don't telegraph what you're doing, because oftentimes the attackers will watch the security people; they'll watch what they're doing; they will target the security people. Do you think attackers come after incident responders? Why wouldn't you? You have great access to the whole network, your systems
and admin-level accounts on the whole network. You've got all the evidence. So why wouldn't they come after you? And how do they find out who you are? Who's on LinkedIn? Okay, it's quite easy to find out. Then you just look up the usernames and you can identify the good guys. So when you think about it, if you're on the network, here's a really simple thing I call telegraphing your response. Here, these are sort of like day markers, okay, simple day markers. So I have a user working quite happily, and he clicks on a lot of phishing email, so he gets breached in the mid afternoon. He goes home; the attacker
comes in and uses the machine overnight. Okay, then after that the user comes back in, notices there's some weird stuff, raises the ticket with IT. The attacker comes in that night, carries on doing more hacky hacky hacky. The next day, however, the user comes in, the admin logs in. Okay, this is your detection time. If you consistently do that, with an attacker who's consistently trying to break into your environment, he knows he's got about two days on your machine before you detect him, before an admin comes in and goes, "this looks weird." Then the admin goes away, talks to his friends, does some more analysis. The attacker
comes in that night, sees the fact that the admin was logged in. The user comes back in, uses the machine normally. The attacker comes in the next day, and then the machine is taken offline. That is your response time. That's how long you spend. So the attacker knows that he's got three good days' work. He doesn't have to rush, does he? He's not thinking that at any point they're going to pull the plug. If you're consistently doing this, he knows he's got three days on your machine, and three days to play around; that's if you've detected him. Now, we have a long history, and if you read the M-Trends reports, it's a long and bad history. I would
encourage you to download the M-Trends reports from Mandiant, where they talk about the dwell time. The dwell time is the time between compromise and detection. Yeah, it's kind of hard, isn't it? I mean, it isn't as bad as it used to be. It used to be 416 days. That was a phenomenal amount. That meant the attacker was effectively a senior member of IT; he knew more about the network than most of your IT staff, because of the time he's got. And these days this is split out into the Americas and EMEA, where we're actually going up because we're finding more old stuff; it looks like that. So if you said to some sort of
sysadmin or developer, "hey, you've got five months' access on the network, what could you do?" You could practically build a whole other network on your network, and you know what, that's what some of them do: they build the whole infrastructure. So while I say this, it's because one of my big bugbears about incident response teams is the time it takes them to detect the attack, and the time it takes to report it to management, and the time for management to do something. And that's the problem. Anybody seen OODA before? Let's see. We talk about OODA loops, and I love OODA loops; they are so applicable in everyday life. Okay, Colonel John Boyd
originally came up with this, and it's the reason why the Americans actually moved on from the F-14 and brought in the F-15 and F-16, because they're smaller, faster, more agile. It's very much a military-type concept: in the battle space, if somebody can think and move faster than you, with a faster tempo, they will outmaneuver you. Okay. Let me break it down to the root of it: observe what's happening, orientate, decide and act. Really simple. In incident response terms: see something happening on your network and go, "mm-hmm, okay." The orientate, that is going, "that's an indication of somebody doing this attack." Deciding to do something is saying, "we
should remove this machine, we should block this IP address, we should analyze this malware." And then acting is actually doing it. So if you can see things faster, if you can respond faster, you have a better loop, and that means you can be better than other people. Alright, Chuck Norris, 78 years old: he could come into this room and just whip our ass, all of us at once, with one hand. Why can he do that? It's because he has an OODA loop that is so tight. Right, Chuck here, boom: you're going to swing a shot at Chuck; by the time you've started to move your shoulder, he knows exactly
where you're aiming for, he's moved, and he's already slapped you in the chops, which means he has now disrupted your whole thought process. Okay, I go back to the OODA loop, alright: if you're in the middle of it, you're in the middle of trying to do the act, and he gives you a slap in the chops, then you end up having to go right back to "oh, where is he? where am I? I've got to find Chuck," because I've just got to pick myself up off the floor and work out where Chuck is before he gets another blow raining down on me. So I have this problem, and that's exactly what the attackers do.
I've seen attackers do this. I've seen the attackers, in the middle of the incident, when you got really close to them, go and pop a load of, like, finance machines, just because the executives go "oh," and they get all panicky and it misdirects them. It's a classic maneuver. So that's good old Chuck. So this is my sort of incident: this is a classic timeline, a textbook sort of timeline, where you get your initial breach, you get various missed opportunities, and then somebody actually detects the bad guy. And what people forget is, they think, "oh, we found the bad guy." For some reason there's an assumption that people stop
hacking when they've been detected. And so they end up working out what's actually going on, they scope out the compromise: how bad is it? how many machines have been compromised? Work out what the impact is, because it's not just saying, "oh, this machine is compromised, that machine." What data have we lost? What reporting do we need to do? What do we need to do to plan to rebuild? All of that takes time. Then planning the remediation activity: if you're trying to rebuild 500 machines, that's a huge amount of planning activity. Where do you get the extra hardware? How do you deal with all this? And all that needs to be scoped out before you brief the staff,
before you finally execute the plan. Look what's happening all the same time: what's the bad guy doing? He's just growing his access. And people often forget about that. It's not just a case of, if we find the bad guy, we just start cleaning up; it's the fact that the bad guy will continue to maneuver, continue to maneuver. Then we change this around, sliding this: this is what's more realistic. What actually happens is you don't miss the opportunity to detect it once, you miss it several times. All these other things, this remediation stuff, actually doesn't happen, because what happens is the attacker comes in, and when you're scoping the compromise you find more stuff because you're applying
high-quality indicators of compromise. You find some malware, you look at the machines, you're like, "oh, we found another 50 machines," and one of those machines has three pieces of malware, so you analyze that malware and you go, "oh, we found another 40 machines," and you keep going and going and going through this, and you get execs who suddenly become stuck. Alright, then they debate stuff because you're in a constant scoping and defining loop. I call this, when I'm applying these new indicators of compromise, I call this the new intelligence procrastination loop, or nipple. Okay. And the thing is, executives can go around the nipple for, like, months, alright, because
they're almost, and this is back to the OODA loop, because they're constantly going, "ooh, that's bad, that's bad, that's bad." The attacker is upsetting them, stopping that decision-making process, and they say, "well, we'll just wait until we find out this, we'll just scope this out, we'll just..." So I watched one business do this for six months. I said, you've got to treat this like a cancer, because it's eating its way through your network. Every day you're losing 10 or 15 machines. At what point do you stop, or at what point do you go, "hang on, we only have four laptops that aren't infected"? You know, and that's where it's going to end up. Now we look at
response options. A lot of times people say, "well, we'll scope out the whole compromise and then we'll deal with the machines." That's awesome until you realize it is literally a third of your network, and you're going, "well, how are we going to do this? what's the plan?" There's a few different options, and I'll show you the ones that I've used. Some of them are more common than others. Whack-a-mole: oh, that classic one. Oh yeah, there we go,
literally the definition of whack-a-mole for incident response. Interestingly, I can only play that once; when I wrote the presentation, if you get a GIF to loop ten times, certainly that GIF looping ten times, PowerPoint crashes. I think there's something wrong in there. Anyway, so what you get is you are just constantly rebuilding these machines, and you and the business accept this: "oh, we'll rebuild those, rebuild those, and rebuild that, oh, it's just malware." Like, no, this is not it. Where is this malware coming from? Do some analysis. I say, don't let whack-a-mole become your business as usual, because it does; you're sort of resigning yourself to losing permanently, and that's a bad position to be in. Most of
the incident response companies will say, "let's do a mass simultaneous disconnect." Okay, this was a mass simultaneous system remediation; I come up with terms for these as best I can. Basically you identify everything: all the C2s, all the IP addresses, all the domains, all the malware, and then on a known day in the future you end up doing a massive block. Now that's okay, but that's a lot of work, alright, and a lot of work because it gets bigger and bigger and bigger the longer you go on. You're going around the nipple lots and lots and lots, which is great fun, but at some point you're going to have to
unplug all these things, you're going to have to pull these things, and if you miss a single machine the attacker comes back in, which is difficult. And also this can be six months or nine months away, because there's no point in remediating until you can actually fix the problem. Because if you've got a 2008 R2 RDS server on your network and you say, "we're going to replace it with a 2008 R2 server," like, why? Because you've taken one vulnerable machine and you're putting another one back in. So I have sat in organizations where we'd say, "let's do the remediation, let's also plan to get off the old 2003 boxes, let's
get a couple of 2012s in and put in two-factor authentication, and let's upgrade the SharePoint service and the email service and everything." Eighteen months. And they go, "oh." And all that takes time. You've got to build all that securely. And who's going to build it? The admins, most of which are probably popped. So you're getting popped admins building a new network, which is itself going to be hot. That's difficult, okay, really difficult. And also once the attacker learns of this, okay, and keeping it secret, this is really, really difficult, because if one single thing comes out, the attacker knows about it, you're screwed. I've seen this. I saw one
organization, massive, it was about four hundred machines, massive remediation, and the attacker was fully aware of when it was going to be. There's lots of people: "oh, we're not talking about it being remediation day, we're talking about R-day." You know, "it's the big day," and lots of emails and calendar bookings and everything else. Okay, so to the point where, when it came around, the attacker turned all of his domains that were going to be blocked onto 127.0.0.1. It's like, "I know what you're doing." Okay, so that's difficult, really difficult. The other problem with this is keeping the execs focused, because, you know, if it's going to be eighteen months for you to get
ready to do this, you're going to lose machines over the next eighteen months, which means getting them to just stay focused and stay strong in that is difficult, because they're like, "oh, we should fix this, and fix this, maybe we should do this," which means they get distracted. Okay. I've seen people doing this as well: rebuilding, rebuilding the network whilst... Have you ever tried to rebuild a network whilst you have a major APT in your environment? Your admins who built the original network were the ones who probably resulted in getting compromised: patching, password management, old machines, swapping configurations. That doesn't help. And if you're building a new network under pressure from the
execs, they're going to rush it, and on what infrastructure? The same switches, the same server hardware, the same desktops? Okay, it's really easy to cross-contaminate, so it's really, really difficult. And in the meantime what are you going to do? How long is it taking to rebuild the network? Two weeks? Five weeks? Six months? What's the attacker doing? Difficult. And a solution that works with, like, a sector-synchronized clean-up, where you end up with, like, finance or something gets popped, and the execs get all, "it's finance, it's PII, it's financial data, we need to do a declaration, we need to clean this up." Then I say, upgrade the whole section. Start sending out emails saying, "we're due for a hardware
refresh, and we've selected your department to get this." So if the attacker is monitoring what's going on, you have a reason to uplift them all at once, and that works quite well, especially if you're waiting six months, eight months to do the main remediation, because there are times when you have to. And then possibly my favorite one is HARM, because HARM was done when I was working with an organization, and they had, to use a couple of descriptive phrases, an OODA loop like a duck's arse; it was so tight they could detect an attacker in their environment within 30 minutes, and that was awesome. Now, they had literally, on the Thursday,
kicked out a Chinese APT, and then, after a big remediation of the Chinese APT, on the Friday a Russian one came in, so we were working the weekend. Okay, but we sort of said, look, we said to the execs, the attacker has a foothold; now what we can do is, we can plan: let's see where they are, let's start doing the indicators of compromise, let's do this the methodical way, let's plan for a mass remediation in six months' time. Or do you want to try something else? I was working with a guy who's based out of Austin. Okay, Austin people, they can get really easy to wind up, because they'd just spent the
previous several years being kicked around by attackers. I was like, you know, I said, there's another plan here. I said, do you want to [ __ ] with the attacker? [ __ ] yeah. What we're going to do, it sounds quite simple: what we're going to do is, every single time a machine gets popped, we're going to pull it, okay; we're going to then pull every machine that machine has talked to, and we're going to pull those, I said, and this is no ifs and buts; this needs top-level buy-in, to the point where you're walking up to people saying, "compliments of the CTO, my laptop." Another one, you know, quite literally walking up to people: "you see those two servers?" "Yes." "Pull them." No
discussion. Everything gets pulled. Your IT team will hate you to a certain degree; your incident response team will be less than enthused, to say the least. But it's possible. And what you do is, basically, the machine gets compromised, you pull it out, you analyze it, you block it immediately. That malware is off the machine as soon as you detect it. It's analyzed as soon as you can; literally the guys are constantly doing live analysis: "here's the C2, here's an IP, here's the domain," you block, block, block. All of the accounts on that laptop, all get blocked. You do some very quick analysis to work out where the attacker came from; if it's inside the
organization, that machine gets exactly the same: every account, any bit of malware, locked immediately. It's harsh, but it does actually work. Okay, and basically it comes down to you denying the bad guy: you're saying the fact that every time the bad guy uses an account, we're going to take it off him. He's used the sysadmin account to install the malware; we're going to reset that account. And as a result he is losing his infrastructure, he's losing the accounts. And it worked: after about two and a half weeks we started seeing phishing coming from the same attacker, right, like, you've kicked him out. Now we were lucky, because the attacker did a technique where he was popping a
box, you know, one in Austin, a couple in San Francisco, a couple in Canada, a couple in London, a couple in Paris, a couple in various parts of Europe, etc. He was only doing two or three boxes per site, so the IT team, although they were heavily loaded, it wasn't all one site at once. Had they had a whole site, we couldn't have coped. But because it was spread, basically three weeks of sustained effort, that worked. Okay, and it's a good thing, it's a good one to offer; they say, "look, we can detect them, we can do this, let's try it for a couple of weeks before we lose the network." It's
an option. So those are the options that I've used. HARM is definitely the most fun. I mean, if you like incident response, and I personally do like incidents; I like a good incident, and I do get kind of... I only sleep for about four hours a night normally, but when an incident is on it's like, "oh baby, get the Skittles, get that, get that red." I'm weird; three days without sleep, it's like, great. So HARM is good, sector-synchronized clean-up is good, mass remediation is always there, but never be doing whack-a-mole, please. Blend them together to come up with it, but always remember when
you're doing this, and when you are cleaning up, always share your intel. If you do the HARM one, you can share that intel faster. Do get that information out to help other people. The more you share, the better we are against the bad guys. Ultimately it comes down to briefing the execs, because the key bit to this, to getting them on board, is getting their trust. Okay, and I've been playing quite hardball with a lot of the executives I work with, because I've spent a lot of years working up that level of trust. So when I phone a lot of them to say, "you know, Joe,
um, yeah, we need to have a talk, I have a plan that you need to read," it's like, "oh, is it a bad plan?" "It's at least a double whiskey; sit down." And I've got that level of trust because I have briefed executives the same way consistently for many, many years. Okay. I do treat them like kids, okay, and anybody who's got... some of you may have kids, or it's only you and your brothers and sisters: you can't tell your little brother at seven o'clock, "you're going to bed." He ain't going to do that. You start telling him about five o'clock, you start warming him up about the fact that bedtime's coming soon.
Exactly the same: "we're seeing some unusual activity, just to give you a heads up, this looks a bit..." We start warming them up. You don't walk in and go, "yeah, all our secret databases, they're all owned." Same thing: you warm them up slowly. Okay, don't surprise them, because surprising executives, they get all flappy, and you don't want flappy. Okay, so treat them like kids. Give them something to focus on. Execs love making decisions; they think that's their job. "I'm a decision maker." If there's no decision for him to make, he will find one. I mean, I literally watched a briefing going on where they didn't give the executive anything to put any input
on, and they ended up talking about a machine that was compromised over in Singapore, and they talked about how are we going to get the image back, how are we doing this. The exec starts going off on which carrier we're using, whether we're using FedEx or DHL: "I quite often like FedEx, you know, maybe we should..." Like, seriously, the exec's deciding on how we're posting a hard drive. Alright, give him something to focus on, things that are meaningful, and he's going to get involved. Okay. And also this kind of rapport takes time to build, and some people can do it, some people can't. You may have some really great geeks who are
just not people people. Alright, don't put them in front of the exec, because that's not their strength. Here, right there, this was given to me by a C-level exec. He said, "here's how I like to be briefed." It's beautiful, it works so nicely. Alright, he says: tell me what happened. What's the bad guy done? Like, four bullet points. And I know those things off the back of my head when I'm going into the meeting, and I think of any questions that he could ask about those four bullet points, so I'm ready for anything. Then I tell him what we're doing about it. What's the plan? What are we currently doing? "We're looking at this, we're doing this, we're talking about
this, we're analyzing this." This is the stuff happening now. Then I tell him what's happening next, alright, so he knows, once you finish this, you can do this and this. That's cool, a nice, logical brief. So when he leaves, he knows that something bad happened, you're dealing with it now, and you've got other things you're going to do; you have more ideas; you're handling it. Right. And then in subsequent ones, we tell him what the attacker has done since. It's always important to update the boss as to what the attacker's done, because he's, you know, "we're just cleaning this up." No, no: "the attacker's done this and this and this, and here's what we're doing as a result,"
so you look as though you're dealing with it and you're handling it, and you tell them what you're doing after that. Now sometimes you may turn around and say, "you know, this is not working fast enough, we need to do incident response faster." Okay, and doing incident response faster: it's not an easy thing to do. You can't just magically enhance things. And that's one of the problems that execs sort of have: how do you break up incident response into stages that you can focus upon? Because you can't go to the boss and say, "I need two million to improve my incident
ponce program okay be like for what parties know improve morale so I need to identify tools I need to involve identify training technologies that we could use so what they do is work out what and how and how the organization will benefit because if you can't prove that you're never gonna get your business case and if you can say this incident took us six months what if we had the following we could've done listen to that shows a business benefit that's a risk reduction thing and that's what business understands without that they don't first of all as he always say you can't manage what you don't measure which means having a few metrics is a
horrible word I know but sort of do so what kind of metrics have we got there's a lots of time stamps a joint you if you want the slides afterward you can get one and give you the same yarn lots of time stamps some of them are useful some not I sort of think these ones are kind of cool knowing when you were hacked knowing when somebody stole notification when you got your logs when you finally cleaned it up when you detected the malware and when you started working your way around it so if I take my plan let me just go back to this whole big sort of overall timeline okay and I'm gonna change some headings
a little bit I'm gonna focus in on what the stages are because by breaking down into the response by looking at the weaknesses and how you can improve your business practices then you get better and it's a really sort of horrible procedural type thing oh my god it's techies but you can't get techy stuff without a business case and if you can show your bottlenecks then you can do things so the starter detection time malicious visibility if you have crappy visible if you have no logs you will see nothing if you've seen nothing there are no incidents you're awesome all right how many instance are we out none right we really weren't all right we have no
logs so we have no incidents okay directly proportional okay if you can actually if you if you have like as talking about with the entrance stuff if it's four hundred and sixteen days between you know are the attack of brick in your network and you're detecting him he has time to bill out an infrastructure he has time to harden himself and have multiple TC to not just the DNS see to in the web and the HTTP see multiple of those okay so try improve your malicious visibility oops try and improve your detection time hang on this one detection time because automation is where you need you can't I went I've been into organizations and say how do you detect bad guys oh
they're the sysadmin comes in and morning and reads the logs was he doing Monday then comes dinner each or three days worth of logs over the weekend and then I looked at their their their logging system and they were using a dot Cisco mars-like you do realize you only have seven days worth of like logs in there no like what you know the guy went on holiday for two weeks came back no laws that's like how are you detecting this so automation is cool and also you heard a night shift syndrome I mean if you're on if you're on it there's obviously your shift which is the best shift and then you have all those other shifts that are all sitting
there all crap aren't they you know you give things the night shift and nothing ever gets detected nothing ever gets done okay there you go what are that they sleep all night is that only it's a whole night shift is so night shift syndrome means you as a manager you end up looking at the team to say why are these guys find everything and these guys find nothing all right so automation getting your indicators are compromised your watch place all through to your detection tools so you're getting faster notification then when you sort of done that then you look at your investigation your impact scoping time your investigation says you should have the ability to pull a file
from a desktop I'm be able to stick it into your own internal cuckoo box or whatever fast don't be oh can you just unplug that laptop and post it to me and then in a week's time when it arrives I'll image the I limits the hard drive and then I'll start and do some end case stuff I've seen people doing that or say oh we really felt were much faster we now drive to get the laptop all right you know there's a network between you and them use the network so automate this okay getting better logs getting in faster working with the business units to understand your network this sounds really stupid but you're into responders
actually understand your network because you've done they helped me have a network diagram I'm being laughed at so then did you just give up have you put your own network diagram together I mean I've seen I've seen actually what at one point in an incident we started analyzing the attackers exported nmap scans because it was the best way of mapping out the network because it told us when he was in there and told us what he was looking for because there's all in the scans which you can see leaving so understanding exactly olds they're having enough staff to scope here at your brief scope your impact will help lots of really good fast sensor responders will help you on it working
out what's actually happened the business impact scoping time but that means you've got actually talked to the business horrible concept talking to people in the business game asking them how do you rebuild this machine your servers been popped how longs it take you to rebuild it one week five weeks six weeks I say Warner an organization they were like we can't rebuild that why not we haven't got the source code anymore whoops like what what should we do well we've seen it on BitTorrent all right what so we're all winners we're gonna download it and see but if we look for critic for it cracks and hacks and backdoors and if it looks okay we're
gonna use that that was their instrument sponsor anyway so talking to them making sure that they business units know how to rebuild the systems have rebuild plans etc it means they are bad faster at scoping the impact being able to work better with executives given the executives I'm building up a good relationship with them so they've got good trust so you can walk in and go bill here's the issue here's what you need to do trust me we need to rip these five machines out now those ones we can do next week having that okay having those clear briefings that you built up over a series of weeks and months okay working out how to do the remediation
which means you've got to have good business impact assessments a good IT department who are pro security actually having the right tools secure laptops because of all of your IT department are popped what are you building the new network on what are you building the new machines on you finally I saw one existed they were like we're building a Microsoft red forest right also what are you building on them what Joe here's building it but Joe's been popped for six weeks yeah yeah but he's building a new network from the popped machine all the new passwords the planning and the organization is all on that machine so make sure you have good relate liaison between the business units between the
IT and the insert respondent finally preparation preparation remediation time is is getting it they're having people that have capacity and having the ability to go and grab your land say right you're having planning exercises as to how you rebuild this is also read the remediation itself have lots of smaller incidents yet the security people are involved in little incidents to get them used to how you do this how you coordinate how you do live bridges and if you do that you end over this massive instant response timeline that you can actually breakdown it actually Maps quite well into the nest attack detection analysis and your containment eradication recovery and you can break it down to
looking into bottlenecks advanced incident response is actually using the same tools and the techniques it's using them better and half times it's not the tools sort of techniques it's the people it's the process and it's the communications start tracking what you've got look at your baseline look at the places that you're getting bottlenecks start equipment logs training put those to the executives and say here is your bottleneck here is the risk you're running give it to them in terms they understand then you get the tools then you have the capability then you can respond to incidents faster remember that the bad guys are constantly evolving be aware of you dilute okay get that as tight as
possible if you can detect a bad guy in half an hour on a desktop you have a noodle loop which means you can kick him out before he gets bedded in any questions hi I started a temp IQ wait a second yes that's most of them yeah okay so okay the free stuff very quickly point your administrator I love this people go how do I secure my windows and I tell open up Google okay and type in secure active directory all right the top hit from Microsoft is how you build a secure infrastructure then Google Microsoft red forest then Google Paul's privileged access workstation and lapse and if you start and plan on that and plan on are taking
about 12 to 18 months then you can build a secure infrastructure that will be resilient in eighteen months time and in the meantime continue fighting fires and that's about the only thing then you can do but build a property once yes does it new fresh harder for your DC's you trusted media downloaded from Microsoft or or whatever your whatever operates this music deployed that's properly securely two-factor authentication for everybody and separate lap to all that kind of job probably do it once and you should never have to do it again ping me a DM on Twitter something if you're on the slides for those people who go to selflessness okay thank you very much
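The timeline metrics the talk walks through (detection time, impact scoping time, remediation time, and the case where log retention is shorter than the attacker's dwell time), worked as an added example; this is not code from the talk or its slides, and the record layout, stage names and sample incidents are constructed for illustration:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional

# Stage boundaries from the talk's timeline: attacker gets in, we detect, we scope the
# impact with the business, we remediate. Record layout and names are this example's own.
STAGES = [("detection", "compromised", "detected"),
          ("scoping", "detected", "scoped"),
          ("remediation", "scoped", "remediated")]

@dataclass
class Incident:
    name: str
    compromised: datetime           # attacker's first foothold
    detected: Optional[datetime]    # None: never detected (no logs, "no incidents")
    scoped: Optional[datetime]      # business impact known, remediation plan agreed
    remediated: Optional[datetime]  # attacker kicked out, machines rebuilt

def stage_durations(inc: Incident) -> dict:
    """Hours spent in each stage; None where that stage never completed."""
    out = {}
    for stage, start, end in STAGES:
        a, b = getattr(inc, start), getattr(inc, end)
        out[stage] = None if a is None or b is None else (b - a).total_seconds() / 3600
    return out

def evidence_lost(inc: Incident, retention_days: float) -> bool:
    """True when dwell time exceeded log retention: the initial intrusion is no longer in the logs."""
    return inc.detected is not None and inc.detected - inc.compromised > timedelta(days=retention_days)

def bottleneck(incidents: list) -> tuple:
    """(slowest stage, median hours per stage); a stage no incident completed is None."""
    medians = {}
    for stage, _, _ in STAGES:
        vals = [d[stage] for d in map(stage_durations, incidents) if d[stage] is not None]
        medians[stage] = median(vals) if vals else None
    done = {k: v for k, v in medians.items() if v is not None}
    return (max(done, key=done.get) if done else None), medians

# Constructed sample records (not real incidents); server-b's 20-day dwell is the 416-day case in miniature.
T0 = datetime(2024, 1, 1)
SAMPLE = [
    Incident("desktop-a", T0, T0 + timedelta(hours=0.5), T0 + timedelta(hours=4), T0 + timedelta(hours=10)),
    Incident("server-b", T0, T0 + timedelta(days=20), T0 + timedelta(days=21), T0 + timedelta(days=35)),
    Incident("laptop-c", T0, None, None, None),  # no logs, so never detected
]

if __name__ == "__main__":
    print(bottleneck(SAMPLE), [(i.name, evidence_lost(i, 7)) for i in SAMPLE])
```

With the sample data the slowest median stage is detection, and server-b's intrusion predates a seven-day log window, which is the "no logs from when he got in" situation the talk describes; laptop-c never shows up as an incident at all.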