
Yeah, so my name is Peter Morton. I'm a practice lead for Grant Thornton here in Canada; I'm on the east coast in Halifax. I've been doing this for about 25 years, learned a lot of different things through my trials and tribulations, and I like to speak about them at various conferences and so on. So just right off the bat, like everybody else, I'm not a lawyer, but I do these presentations for myself and for others. I don't endorse any products, and I obviously don't speak for my employer; I speak for myself. So just to get that out of the way.

So just a couple of things I wanted to go over initially. I do quite a bit of incident response, and it's funny because there are a lot of things that we've seen over the past 10 years that are still there, and there are a lot of new things. I wanted to lead into this with a little bit of info on what's going on, what I'm seeing now. The first one is really interesting when we look at things like ransomware as a service, because malware as a service is not something new; we've seen it for many, many years, allowing essentially people that don't necessarily have a very strong coding background, or a good coding background, to still be effective as criminals, being able to leverage the coding that's been done by other criminals out there and purchase ransomware as a service. That obviously lowers the bar of entry into this area, so what ends up happening is it becomes very commoditized, and we start to see this more and more because it's so easy to get hold of now.

Other things we see quite a bit of is what's being referred to more and more as island hopping, or the use of a weak third party to make their way into a maybe more secure party through a trust relationship. We saw that back in 2014 with Target. I was listening to a presentation earlier where there was a mention of the RSA breach that happened a long time ago, with the thought of being able to breach US government contractors. So again, another thing we're having to look at is, when we're trying to figure out where the breach started, it could be outside of the walls of the actual organization.

The good old COVID-19 pandemic: obviously what I refer to as an increasingly permeable perimeter. We've had to make a lot of changes to the way we work. I've worked with a lot of companies that had two- to three-year cloud projects to move things to the cloud, to go to Office 365 or to Google or what have you, and with the pandemic they've turned that around in six months. So obviously a lot less preparation, a lot less focus on security, and now that things are in the cloud they're accessible by anybody, as opposed to, for example, an on-prem service. So areas like shadow IT and so on obviously have a lot more emphasis on them now.

The whole concept of counter incident response as well: a lot of really strong techniques to really hide the incident, whether it's basic obfuscation of what's going on all the way to things like sandbox evasion and timestamp manipulation. And really, a lot of what I've seen is just a lot of complexity, complexity on top of complexity. What ends up happening is, as Paul mentioned, as blue teamers our job is to get things back to normal and get the organization operating again, and in some cases that doesn't really lend us a lot of time to figure out what's going on, because we've got that person on our back telling us we've got to get back to normal. In many cases that forces people to pay ransoms, for example in ransomware attacks. A good example here was the UK National Cyber Security Centre ransomware attack, where they ended up paying the ransom, didn't really take the time to identify the root cause of the attack, and basically ended up getting reinfected again. I just saw this a little while ago in an incident I was asked to work on, where we asked the security team if they'd figured out what the attack vector was, and they said no, we haven't, but we have an organization around. So this has made things a lot more difficult for us in the incident response space. We know as well that this isn't just the small organizations being hit; there are huge organizations, even in the security space, that are being targeted and hit with this. So I don't think this is anything to say that if you're a bank or a security company or a social media organization, even with large security teams, you're safe; like I said, complexity has its value when breaches are occurring, right?

So where I'm going with this is, obviously the thing we're always trying to do is reduce that dwell time. For those who don't know what dwell time is, it's a bit of a marketing term, but essentially it is the time from intrusion to containment. So when an attacker gets in the environment, the amount of time that they're running around in your network without you knowing is basically what we consider the dwell time. Obviously the longer they're in your network, the longer they get to know what's going on there, the longer they have time to obtain what their target is, the longer they have to potentially exfiltrate, build backdoors, that kind of thing. The average we're seeing here is about 100 days. It's gotten better over time, but it's still quite high. If we remember the Marriott breach that happened a number of years ago, that was a four-year dwell time, so in some cases these attackers are sitting idle in the network without us knowing for quite a long time.

So what I want to talk to you more about in this presentation is not necessarily just intrusion; it's other pieces of the puzzle, like containment, which are really, really important. As we know, most organizations will have some kind of incident response life cycle, some kind of process they want to follow. I put up the one here from NIST because it's fairly well known. Obviously the goals of this process are to minimize the damage of the attack, minimize the time to recover from the attack, and basically create instructions and defensive measures that would prevent the attack in the future. So essentially you want to make sure that the organization is not limping at the end, and you want to learn from what's gone on during the attack. We typically will follow this kind of life cycle for incident response.

Now, where I want to focus is on this concept of containment. In the security world we all suffer from a bit of shiny ball syndrome; we all like our technology and so on, and we tend to really focus on detection. We tend to focus on: if we could figure out that they're doing something, we can catch them; if we can figure out they're in the network, we can do something. Don't get me wrong, that's all important, and it's all as important as all the other steps in your incident response process. But where I'm seeing more and more, like I said at the beginning, where I've had the person on my back, is around containment. Specifically, the problem I'm seeing is: when you think you've found that source in the network of the attack, you've figured out what they're doing, it's the time to contain all that, to get closer, while properly doing your incident response, to going back to normal operations. So what I like to refer to as essentially stopping the bleeding, right? Being able to reconfigure our network, to be able to start processes up. And this phase can really kill a security team, because in a lot of cases, for example with ransomware, as you think you've caught it and it's spreading more and more, your security team is now focused on just dealing with that. That can take your security team off of other things; it can also be a bit of a smokescreen for other attacks that might be occurring.

On average, what we see, and you can see healthcare rated at the top, is an average of 73 days to contain a breach. In certain cases, for organizations, that can be death to an organization. I did an incident response in a ransomware case for a number of hospitals, and they had to shut down cancer treatment wings and move them to other hospitals. The longer it takes to contain the thing and to bring your organization back to a normal state can be very, very detrimental to the organization. So that's where I want to focus, essentially: that containment piece. Companies that contain a breach in less than 30 days can save more than a million dollars in comparison to those that take longer. So the quicker we can contain the breach, the quicker the organization is not hemorrhaging money and resources. Now again, I also don't want to take away from the other pieces of the puzzle in incident response; they're all important, but like I said, I want to focus this talk more on the containment side of things.

So if we look at containment: if we have a server in the organization that's compromised, the security team's got to isolate that server from the network. What's involved in doing that? Now that's a simple case of one server, but what is involved in actually isolating that? Is the organization prepared? Do they know exactly what's involved? If they have a database server that they want to contain as part of a breach, is that documented? Most people document certain processes in their incident response, but do you have playbooks for specific types of breaches or specific types of incidents? The security team also has to adjust, for example, routing policies so that they can now distribute the load from the server that's been affected to other servers. When you look at that, is that documented? Does the team know how to do that really quickly? Does it involve a third party? Do you have another company that manages your upstream routers, for example, or your firewalls? Are they involved? Having this stuff documented can be a lifesaver at the end of the day.

The other thing is how much are you enabling your frontline people to do some of this work? Let's say you're an organization that has five dedicated security people and you have a major incident. For those five security people to sit back and start to deal with containment while everything else is going crazy might not be the best use of their time. So how much can you enable your tier one, your frontline people, to help contain what's going on during the incident? A lack of solid containment processes could lead to a threat still being present and spreading in the environment. As I said, if you don't understand, or you don't have a way to quickly contain, it could take longer and longer for that breach to subside.

To do this we like to focus on automation. Automating things may have a good effect on decreasing the average response time. If you can automate mundane and time-consuming security tasks, that allows you to allocate your senior IT people's and your security team's time to higher-level duties that are part of that breach, or even just to keep the organization running. When you're having a breach, these people were there before the breach to do other things, so now when they're dealing with the breach, who's actually operating the IT for the organization at that time? Having some kind of automation will really assist you in that process, and that's where we come into this whole concept of SOAR.

Now I know there are a lot of people at the conference today that work for security companies, and SOAR over the last couple of years has really taken off, no pun intended with the picture on the screen. A lot of security companies are starting to buy up companies that focused on SOAR, or what we refer to as security orchestration, automation and response. You're starting to see a lot of organizations out there, Splunk, Rapid7, other companies, that are starting to integrate SOAR into their products, because in many cases they're already ingrained in your organization, monitoring what's going on, identifying vulnerabilities, that kind of thing.

So what is SOAR? At the end of the day, SOAR is essentially a number of processes to assist in the incident response. It starts with that orchestration piece, where you're essentially connecting all these disparate technologies in your organization, as well as security tools, and using that information to improve the speed at which you respond to an incident. That could be threat intel data, that could be emails received by other systems, that could be information like IPs, hostnames, IOCs, all that kind of information that will help you better understand what's going on so that you can start to act a little quicker. That is part of that security orchestration piece.

After that we have the piece we refer to as automation. At that point, based on this intelligence you're getting from the orchestration side of things, what can we do to automate processes? That can be things like, as I said, de-provisioning users: you think there's a user involved as part of the breach, well, I want to de-provision that user. I want to kick off some sandboxing, some malware analysis, I want to kick off some querying of logs, some passive monitoring, I want to gather up some pcaps. Any things that you would actually use a human for that are very automated in style, instead of having a human go and sit there and do these things, let's have them as part of your playbook process. So when something happens, these automated processes happen in the background and we can reap the benefits of them without having to sit in front of a screen and perform them.

Then the last piece is that response piece. That's integrating data from other security tools; maybe that's opening a ticket in something like ServiceNow to create a case related to the incident; maybe that's taking the data that you've gathered during the incident, IOCs or TTPs, and converting that into threat intelligence so that the cycle can restart itself. So all these things that we used to have people doing, and I'm not saying that because people were doing this they shouldn't be part of the organization, this allows us to take those people and put them onto more complex jobs, jobs that require really deep human intervention, as opposed to things that were very much automatable in the past.

If you look at it from a technology perspective, and again I'm not endorsing any of this, these are just general types of technology that are used, we can see at the top there we have some tools like firewall logs and DHCP logs that are being fired into various SIEMs or log management tools, whether it's Splunk or Sumo Logic or what have you. We have those being consumed. Then we also have things like enrichment, so that data being enriched by various endpoint tools, anti-malware tools, maybe you've got some web-based gateway tools like a Blue Coat box or what have you. Then we have some automated things that are also happening, like automatically invoked remediation, as well as some manual ones, so that could be opening up tickets, performing some kind of forensics, some endpoint blocking, that kind of thing. You can see here that all these security companies are players in that SOAR environment, and then essentially we usually have some kind of tool to bring them all together.

I'll give you an example. Here's just Rapid7's product, but there are other ones; Splunk has a product called Phantom. All these companies have been buying up these independent SOAR companies and integrating them into their products. You can see here, for example, this is Rapid7's product, and they have a playbook here that is basically quarantining an asset by using a product like Carbon Black, which is obviously not a Rapid7 product, but it's about integrating all of your disparate security tools. As you can see in this process, I have a quarantine asset request, I have isolation of the Carbon Black sensor, so that Carbon Black Response endpoint, I have the information on the quarantine, and then whether or not the host should be allowed back on the network. Something like the Rapid7 product allows you to build this workflow that is essentially your playbook and then execute it when something happens. So as an asset request comes in, all these things get kicked off. These could have been manual steps in the past, but it allows our security people to now be tasked with doing the more complex jobs.

So that being said, a lot of the space I work in, my specialties, are around critical infrastructure, industrial control systems, OT environments and so on. In a lot of cases, for those of you who work in the space, we know it's not always perfect. If I go back a couple of slides, we love it when organizations look like this, but they don't always look like this, and there are a lot of reasons for that, and a lot of circumstances where organizations are just not going to have all the bells and whistles that we want them to have in the environment. That could be things like environments where an enterprise tool is not deployed. I know that sounds really scary, but it does happen: you go in and, for example, your corporate IT environment has something really great, it has a CrowdStrike or a SentinelOne or whatever it is as an EDR tool, but your production network, in my case it could be a manufacturing network or some kind of OT network, doesn't have any of that, for many, many reasons, and maybe the minimal thing they have is a bit of whitelisting, which maybe doesn't suit your needs. You could also have things like legacy environments that don't support some of the new EDR tools. What about large cloud environments where you don't have anything deployed because they're temporary? You could, in many cases, have a recently acquired network: maybe you've taken on a network and your plan over the next year is to bring them up to speed with new tools. You may have decentralized log collection. You could have air-gapped networks, as air-gapped as we know networks can be. But at the end of the day, the thing is, you can have a network that just doesn't suit the requirements that you would have in a corporate IT environment.

That's where some of these tools, and I've put a bunch of them here, just some examples, things like Chef, SaltStack, Puppet and so on, may be a short-term or even maybe a long-term solution to that problem. I'm going to use the example of Ansible. I'm a pretty big fan of it because I've seen it in a lot of environments; it isn't necessarily just a security tool. A lot of organizations that are going to things like DevOps in the cloud tend to use Ansible to do deployments, so in a lot of cases it's a tool that an organization may already have, and they may have people that have a skill set in it. It's agentless, which is great; I don't have to worry about deploying something to the machine and it failing. How many times have we deployed an EDR and for some reason they're missing something stupid like .NET, or the thing just doesn't deploy, or maybe they're not on a high-speed network that's good enough to do that? It's Python based. I haven't been a true software developer for probably 20 years now, so something that is scripted is really easy for me. It's deployed with things like SSH, which is pretty common, for example, in the Linux environment, or Windows Remote Management. It does support other things: it supports Ruby, it supports PowerShell and a bunch of other secondary languages. It's modular, it's push-based, and it also supports a number of environments for management of network and storage devices, so it will also support things like Cisco devices and F5 devices. If you want to make changes to your rules on your F5 gateways, you can do that with Ansible as well. From an adoption perspective, it's pretty simple to put into your environment.

So how does it really work? It's pretty simple. You've got a management node of some sort, and then you've got an inventory of all your systems, which could be based on IP, hostname, what have you. Then you have a bunch of playbooks that define what you really want to do to those systems, and you essentially launch those playbooks against the inventory, and you have changes to those systems. What do those playbooks look like? They're essentially in YAML format; a playbook defines a set of activities or tasks you want to run on that host. A task can be things like execute a script, run a command, run a script if it's Linux, install a package, restart a host. You could pretty much do almost everything you can do with the command line on the Linux box through an Ansible YAML playbook. It's pretty remarkable.

The one thing I do want to bring into account is the use of the ATT&CK framework. Whenever I'm building my playbooks in Ansible, I try to follow what ATT&CK is going to tell me. I try to follow some kind of framework, because what I'm trying to do is take ATT&CK techniques and convert them to responses in a playbook in Ansible. So for example, if an attacker, APT XXX, whatever, is typically going to do this type of process on my machine, what I'm going to do is try to create an Ansible playbook to reverse that, or to quarantine based on that technique. That way you're actually doing this based on real-world attacks and not just things that you think an attacker might want to do, and ATT&CK is great for that because it's constantly being updated. As you can see, there are techniques across the board, and what we want to do is build our playbooks to take care of those various techniques.

From a use case perspective, I broke this up into two things. There's the initial triage, which in my mind is part of that containment. That could be gathering information from systems that I don't necessarily have data from, so that I can actually start to perform my containment. If, for example, I don't collect logs in a SIEM or I don't have a log management system, but I'm dealing with a lot of hosts, maybe I want to start by collecting some initial data to be able to do my containment. I gave a list here, and I'm going to go into some details of some of the use cases. Here's a good example: an ATT&CK technique commonly used in Carbanak, Lazarus, Duqu and so on and so forth is to create a new service to be able to hide themselves as a machine boots up, that kind of thing. Well, maybe I want to create a playbook item that will go and check for that service based on TTPs and, at a minimum, stop that service in Windows, or disable it, or what have you. As opposed to a very skilled security person having to go in and do this, how about having a tier one person be able to do this in an automated fashion: click a button and it turns the service down, and then the security guy can go and do further cleanup afterwards. If we base it on the ATT&CK techniques, we're closer to the typical techniques that we want to use as part of our containment process.

So here's a scenario, and this is fictitious, okay, so these companies don't exist. Take, for example, we have a company called Meditek that buys a company called BioLife Vaccines because they're creating COVID-19 vaccines. When they buy BioLife, they realize that BioLife has a very large COVID-19 research environment where they're doing all kinds of testing and so on, and that environment is very much AWS based and it's a lot of Linux, hundreds and hundreds. You end up finding out that there is very minimal knowledge, because they've laid off a lot of the people with the amalgamation of two companies. It was built quickly during the pandemic, so there's no EDR, it's very flat, there's no centralized authentication, but they do have access via SSH with keys, and it's basically a lot of Linux boxes with Apache web servers. So we have this guy here, very nice Steven Smith, he's a sysadmin, and when Meditek bought BioLife they basically said, hey, we're not going to promote you because we're going to promote some guy from BioLife. So he's really disgruntled after 10 years; he wants to get back at the organization. His plan is to create a number of backdoor accounts on some key Linux servers hosted in that environment that store intellectual property for Meditek, and then he's going to install a vulnerability to create a backdoor in the web servers to be able to access the data from outside of the AWS environment.

So how do we deal with this? There are hundreds of servers, we have no EDR, we do have the name of the account that he used, so we do have that, but we have to be able to make sure that we can completely contain this. We have a playbook for insider threat access, and I won't go through all of it, but what you can see here is we have some processes around information gathering, as well as some containment processes that we can actually automate with Ansible. Collecting some telemetry: we want to look at processes, we want to see if that web server is running, we want to be able to disable that account that he created, and we also want to see whether he has changed to root, whether he has elevated his privileges, and if he has, we probably want to change the password, because there's a good chance he knows the root password as well, or he's changed it to something he knows.

So what do we do? We bring Ansible into this. As you can see here, we have a really simple Ansible playbook on the left, and essentially what that's going to do, you can see there's a grep statement, is grep for jsmith, which is the account he created, in the passwd file, and then it's going to tell you whether that account exists or not. On the right side you can see the output. I've only run it against a couple of hosts, but imagine you have 300 Linux machines: you can run this simple Ansible script against those 300 machines, and you can see in green on 2.140 the user account exists and on 2.141 the user account doesn't exist. I can run this and output it to a file, and in a matter of a minute, depending on the latency of the network, maybe two minutes, I could come back and get a list of 300 servers telling me which ones have this account. So right off the bat I'm getting into my containment, I'm starting to understand how bad it is and what I have to do to ensure that Steven, evil Steven, can't get into these systems.

At that point I'm going to disable these accounts. As you can see here, in this case on the Linux box I'm going to use the usermod command, and I'm going to basically do a `usermod -L -e1 jsmith`. You can see on the right-hand side I've run this, and because I'm running it against those two servers, one that had the account and one that didn't, you can see that only one of the systems was updated, and that was 2.140. You can see down at the bottom, when I try to log in as jsmith, obviously it's telling me my account has expired. Now some will say, well, why don't you just remove the account? Well, there's some forensics we might want to do; maybe we want to take Steven to court, I don't know. So we don't necessarily want to remove the account; we just want to disable it at this point, so we have a bit of forensic evidence, and we can see here in my secure log where jsmith's account has been expired. So I'm able to do this against those hundreds of servers, maybe more quickly than Steven can actually do anything else to turn that around on me.

Maybe I've figured out that he has changed the root password and I want to change the password on my 300 Linux boxes in the cloud, but I don't have to do that manually, and I don't have centralized authentication; there's no Windows Active Directory world here, I'm not integrated with Active Directory or what have you. In this case I can do a really quick Ansible playbook that, as you can see at the bottom here, is `ansible-playbook change_password.yaml`, and then I'm going to pass an extra variable called new_password and input the new password. Essentially I run that and it updates the password across all my 300 servers in a matter of minutes, and you can see in the logs at the bottom where I've actually changed the root password on that system. So as you can see, this is a really good way, and I'm not saying, hey, go out there and get rid of your EDR tool or the automation that you have, but in a pinch where you might be stuck, Ansible could be a really big savior for you. It has saved my life many times when I go to a client where I have to do incident response and I don't have anything available to me; it's something I can pull out of my toolbox really quickly.

Some other really good automated use cases. For example, if you're going to collect logs from a remote host, the first thing you could do is run this really quick Ansible script that is essentially going to take your inventory file, which lists all of your hosts that are in scope, and create a directory for artifacts for each host. I tend to run this on a cron job, so every night, if a new system's been added to the inventory, it's adding that host to the directory where artifacts will be stored once you pull them from those hosts. Maybe you want to get a process listing. I know that seems pretty trivial, but if you have 300 servers and you don't have an automated way of doing it, you can do that with Ansible. Essentially I'm going to run a `ps -ef` and register the result as ps_result; I'm going to start by writing the remote process collection results to a local artifact. So what I'm doing is running that `ps -ef` command and writing that back to a local file, and then I'm running a process to make that local file human readable again, and what you get is what you see on the right at the bottom: a nice process listing. Then maybe you want to run a little script against those process listings, grepping out for certain things. For example, if you know there's an evil process called evil process, and you have a directory of all of these process listings that were just pulled, you could write a quick script to do a grep against all of those files and identify which hosts have evil process running. So you can see it's kind of in between SIEMs and EDRs; it's a little bit more basic, but it will save you in a lot of cases.

Maybe you want to pull Apache logs from a web server. Well, you can do that as well; maybe you're not collecting them in a SIEM or in a log management system. In this case I can do the same thing: I can cd to the directory where the Apache logs are, do a find and cut out what I need, write them back to the local control host, and then I can search those again. So it's kind of a very basic version of a SIEM; I could write some scripts after that to search through those logs if I needed to.

Maybe I need to stop a service. Here's an inventory file on the top left. You can see there I have a bunch of SCADA servers, and I can use different ways of not having to type out all those servers, so for example I have scada[99:101]-node.example.com, or I have database servers, or web servers by IP address. In this case I'm going to do an `ansible webservers`, so I'm going to refer to my web servers, and I'm going to do a `-m service -a` and stop the httpd service. So for example if you're being hit by a denial of service and you want to stop all of your httpd servers for some
reason um you can do that within a matter of minutes and affect hundreds of posts if you need to here's a really good one let's say you're running something like uh firewall d or ip tables or or a host based firewall and you want to basically put in blocks into that host-based firewall same thing you can add a block now in this case you can see here i'm adding a rich rule to firewall d to block everything uh uh in in 19198.20.2.0 in that slash 24 block i want to block those things and then right after that i want to do a reload on the firewall and you can see here i processed that that change through ansible
and in the bottom right you can see where that rule family has been added rejecting anybody from that block of ips so again when you're thinking about containment this is a great way of doing it i want to contain i'm getting hit with with ransomware i'm being hit with an attack i want to contain a bunch of very very critical servers with ip into a network i can affect you i can affect a firewall rule on a flat network so unless you have a flat network and you have no firewalls segmenting the network well how are you going to quarantine those systems so they don't get attacked well i can use you know something like
firewall d really really quickly right so in in wrapping that up and and i'll have some time for some questions you know a couple things to think about like don't forget how critical triage and more so containment is in the phase of the incident um you know that is really going to reduce the dwell time at the end of the day because and and it's not only that but it's also the um how um you know how how your coverage of that containment is at the end of the day if it's if you're not if you're not sure that you've closed off all the servers in the problem or you know you you don't know that you've
you've been able to remove all of the accounts affected like those can be enough to keep the attacker in the network for a longer period of time right uh remember the important role that automation can play in your ir plan it it adds speed to your containment when you're dealing with a large number of hosts and it's great if you're a for example a consultant incident responder it's a great tool to have when you're getting into an environment where you don't have a lot of information you don't know what's what ansible can be something where you can use to contain yourself really really quickly right now i've only shown you what ansible can do with
linux now it will uh it will now work on windows you can you can actually execute powershell scripts with ansible um so for example if you want to write a powershell script with a bunch of uh containment processes and execute them the ansible you can do that um it'll also let you uh interact with firewalls and network devices so if you want to add a rules to uh an asa firewall or you want to add rules to a palo alto device you can do that um and the other thing i i also mention here is mapping your things back to the attack framework that way you know you're coming up with containment playbooks that reflect
uh real world uh adversary ttps um so at the end of the day you know when when you're building those playbooks you know that they're in response to the actual things that an attacker is going to do on your network and not just things that you as a blue teamer may think of right um and it's always being updated so you're you know you're you're you know when the solarwinds attack came out and you had to build containment against that you know you want to try to always uh build your containment against real world threats and uh and attacks right so with that uh i leave my uh my information up on the screen i
i thank paul and they the great group i i so so wish that kova didn't exist and i would have been there in dublin with everybody uh because it would have been a great time but um if virtual is the way to go then i i'm more than happy to have done this and uh i'm pretty active on twitter um so if you want to follow me on twitter um as well as i do post quite a bit on my website in terms of um things that i'm thinking about and so on and so forth with regards to security so um with that i'm gonna hand it back over to uh to paul thank you so much peter great insight
and definitely not something i'd ever thought of if you used an ansible in an incident response um scenario a couple of questions coming in from the audience uh particularly around soar platforms one question and i guess there may be hinting at the uh the gartner hype cycle sort of thing you know where potentially it might still be on that um you know towards the top towards the left of that cycle you know maybe peak of inflated expectations or you know do you think we're at that trough of disillusionment stage or do you think we're starting to edge into slope of enlightenment when it comes to solar platforms um uh yeah i think you know like i'm not
you know like most the security people in this on the in this session here i mean you know a lot of it is it's great marketing uh and when you look at companies like um like i said like phantom and those companies that i think the thought was very could have been very different than what some of these bigger companies are making it into um that being said like you know i think soar has its value i think a lot of managed service providers are kind of using that as a as a really good selling tool um so so what i like to say is it's not necessarily sore it's the playbooks that are the key piece of it
right so if soar provides the technology you need to actually execute those playbooks in a in a s in a speedy amount of time then then at the then at the end of the day that's great but as you can see here now again ansible is not perfect it was never developed to be a a an instant response tool but you can see you can do some pretty cool things with it um you know and and and i'm not saying you shouldn't be looking at a sore tool but i'm not saying you shouldn't be looking but like i said either or will work um i still think it's it is in the a bit of
the hype stage um but i still think it is uh it is going to be valuable in the future and another question is you know how should companies get their response ready to engage early and get response times down you know you mentioned that 12-time and the containment sort of considerations and so the damage can be minimized and investigations carried out you know how how low can you get external engagements down from a third-party engagement when we're all remote at the minute i would well i in terms of the question about third parties what did you mean specifically about that well the the question as well as third-party engagement i'm guessing you know if you have vendor dependencies and from
an incident response perspective right i mean i mean obviously you gotta hold your third parties accountable right at the end of the day you have to make sure that um you know it's i always i used to joke you know working for industry where i'd say you know if those third parties don't want to meet your security expectations make sure management um you you have the the authority to hit the big red button at the end of the day right so um you know the amount of third-party uh or you know third-party risk that's been brought on especially during covid um you know is is really big the other thing you can look at is if you have a
really key third party and a great relationship with them you know build them as part of your response right you know share share the things you have with them like there's no reason why you can't uh if you have a good way of of containing there's no reason why you can't be doing that with that third party right but at the end of the day like i said you got to hold them accountable and and insurance cyber insurance is not necessarily what's going to save the day when it comes to this because you could still be left with a big mess to fig figure out even though you got to pay out from insurance right so
so at the end of the day like i said it's important to hold them accountable include them in your process don't just assume that they are they know what they're doing and and treat them as i know it's gonna sound bad but treat them as a as a hostile network at the end of the day thank you very much peter i've been great insight
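The containment steps Peter walks through in the talk (lock rather than delete the account, rotate root, reject a /24 with a firewalld rich rule, and collect a ps -ef listing into a per-host artifact directory) chained into one Ansible playbook. This is an added example, not the speaker's slides or code; it assumes an inventory of Linux hosts, a hypothetical suspect account jsmith, the RFC 5737 documentation range 192.0.2.0/24 as a stand-in for the attacker block, and the ansible.posix collection for the firewalld module.

```yaml
# Added example (not from the talk): suspect_user, block_cidr and the
# artifact path are placeholders; adjust them to the incident at hand.
- name: Emergency containment across in-scope Linux hosts
  hosts: all
  become: true
  vars:
    suspect_user: jsmith        # lock, don't delete: keep the evidence
    block_cidr: 192.0.2.0/24    # attacker source range (placeholder)
    artifact_root: ./artifacts  # per-host evidence tree on the control host

  tasks:
    - name: Lock the suspect account instead of removing it
      ansible.builtin.user:
        name: "{{ suspect_user }}"
        password_lock: true
        shell: /sbin/nologin

    - name: Rotate the root password when -e "new_password=..." is supplied
      ansible.builtin.user:
        name: root
        password: "{{ new_password | password_hash('sha512') }}"
      when: new_password is defined
      no_log: true    # keep the new secret out of the run output

    - name: Reject the attacker range with a firewalld rich rule (runtime and permanent)
      ansible.posix.firewalld:
        rich_rule: 'rule family="ipv4" source address="{{ block_cidr }}" reject'
        permanent: true
        immediate: true   # applied now, so no separate reload step is needed
        state: enabled

    - name: Capture a process listing for triage
      ansible.builtin.command: ps -ef
      register: ps_result
      changed_when: false

    - name: Create the per-host artifact directory on the control host
      ansible.builtin.file:
        path: "{{ artifact_root }}/{{ inventory_hostname }}"
        state: directory
      delegate_to: localhost
      become: false

    - name: Store the listing locally so it can be grepped across all hosts
      ansible.builtin.copy:
        content: "{{ ps_result.stdout }}\n"
        dest: "{{ artifact_root }}/{{ inventory_hostname }}/ps-ef.txt"
      delegate_to: localhost
      become: false
```

Run it as `ansible-playbook -i inventory contain.yaml -e 'new_password=...'` (any file name works); leave the extra var out to skip the root rotation, and grep the artifacts tree afterwards for the process name you are hunting, just as the talk describes.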