
BSides DFW 2013 · David Balcar

BSides Dallas/Fort Worth · 2013 · 4:41 · Published 2014-01
About this talk
David Balcar shares incident response lessons from real engagements, including a detailed casino data breach where attackers used manufacturer knowledge to target specific systems. He emphasizes the importance of incident response planning, team drills, tool familiarity, and timeline-driven forensics over reactive crisis management.
Transcript (en)

Well, the theme was, you know, incident response: the good, the bad, the ugly. So basically the bad parts of incident response, you know, the good parts of it, you know, what can you do, what can you do quickly, and then the ugly stuff: what's really happening out there in the trenches. And that's why I really like to tell stories of engagements that I've done and whatnot, so you get a real sense of "wow, this really does happen out there," and a lot of people don't... they don't see that, they miss it. They can take those things that I've talked about in the presentation, whether it's training or practice, which I really emphasize, so they can make their own IR teams much, much better.

Well, my most interesting story would probably be a data breach of a large casino. The perpetrators came through their remote access boxes, their Citrix boxes basically, and took over their entire network, but only the parts of the network. I wouldn't say the whole network, just the parts of the network that had to deal with the credit cards. So it was almost like they had a playbook; I mean, it's like they had the instruction manual from the manufacturer of the actual system, I mean, because they went after very specific pieces of their AS/400 infrastructure, their point-of-sale system, their hotel management system, and they knew exactly when to get in and get out. So it was very, very, very well coordinated, that's for sure.

Okay, so we got some free tools. Do tools solve everything? No. So there's free tools and there's paid tools; these are just free tools. My number one favorite tool up here that I use for an incident response, what do you think it might be? You got it. Because what's my biggest thing? I'm a forensics guy. I need timelines. I need to know who, what, when, where: when did it start, when did it end. Okay, because one big thing when I'm looking at incident responses: I talked to this one company and they're like, "yes, we've been dealing with this incident response for six months." I'm like, what are you doing for six months, dude? You need to get it in and get it out: three days, a week, and be done. If it's taking you longer than that, there's something wrong.

The biggest thing is just have an incident response team or plan, because if you're not prepared... you know, we always hear prepare for this, prepare for that, prepare for a hurricane, prepare for a tornado, prepare for a fire, and we practice that, right? Our kids go to school, they practice fire drills. Our firefighters practice going to battle a fire. But our incident response teams never practice. You know, they do their day-to-day job; they might be a security admin, they might be a server admin, they might be a web developer, or they might be that person sitting on the help desk. And most companies do not, I'd say almost all companies do not, bring their IR teams together once a quarter at least, just so they can practice. And you know, they should drill just like anybody else drills. I don't know, I wish I knew. I talked to people for years and I get the same response, just the blank look, glazed, like, "what, we're supposed to practice this stuff? But my guy should know this."

You know, tools, that's always the biggest one, is you go into an incident response and the company already has some of the tools that maybe you might recommend or whatnot, and they don't know how to use them because they're sitting up on a shelf somewhere and they've never taken them off. They've bought them, they've got it put in the budget, they're like, "oh, we need this forensics tool" or "we need this management tool," and they either don't put them in or they've never practiced with them. So when the time comes, if there's an incident, they're stuck, because now they're having to open up the book, they're learning the software, and they're going to miss a lot of stuff.

Um, it's kind of the shock and awe, you know; they're initially shocked, and "wow, wow, you know, I don't want that to happen to us. How did that happen? How do we prevent just that?" And my thing is, I don't want to prevent just that; it's the everything else, because your incident might not be like the other ones. It's just like when we're doing pen testing: we're going to look at one scenario, but that one exploit might not work, so we re-engineer it, we come in a different door, we might have to do social engineering or whatnot. And that's the same thing with the attackers that are going to cause you to have an incident: they're doing the same thing. They're doing lots of reconnaissance and they're going to come at you multiple different ways to get in, and if you're not, if you don't have an incident response plan around different things, you'll never be able to respond to it. You'll be flailing in the wind.
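The "who, what, when, where, when did it start, when did it end" point above is the core of timeline-driven forensics: evidence from different systems only answers those questions once every timestamp is normalised to one clock. The following is an added example, not code from the talk or from any tool the speaker shows. It builds a single UTC-ordered timeline from three constructed log sources with three different timestamp conventions (ISO-8601 with offset, a naive local time from an AS/400-style audit journal, and Unix epoch seconds), then answers first-seen, last-seen and dwell time for one actor. The host names, user names, addresses, log formats and the assumed local time zone of the AS/400 are all placeholders invented for the example.

```python
"""Build one UTC-normalised timeline from logs with different timestamp formats.

Added example; log lines, hosts, users and the per-source time zones are constructed
placeholders, not data from the talk or from any real engagement.
"""
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta
from typing import Callable, Dict, List, Optional

# Assumption for the example: the AS/400 audit journal writes naive local time in CST
# (UTC-6; no DST in effect on the constructed date). Confirm this per system in practice.
AS400_LOCAL_TZ = timezone(timedelta(hours=-6))


@dataclass(order=True)
class Event:
    ts: datetime  # always UTC after normalisation, so sorting is correct across sources
    source: str
    actor: str
    detail: str


def _kv(fields: List[str]) -> Dict[str, str]:
    """Turn ['user=a', 'obj=b'] into {'user': 'a', 'obj': 'b'}."""
    return dict(f.split("=", 1) for f in fields if "=" in f)


def parse_citrix(line: str) -> Event:
    """ISO-8601 with explicit offset: fromisoformat gives an aware datetime to convert."""
    ts_s, _host, action, *rest = line.split()
    kv = _kv(rest)
    ts = datetime.fromisoformat(ts_s).astimezone(timezone.utc)
    return Event(ts, "citrix", kv["user"].lower(), f"{action} from {kv['src']} ({kv['result']})")


def parse_as400(line: str) -> Event:
    """Naive local time: attach the assumed zone first, then convert to UTC."""
    date_s, time_s, _host, _journal, *rest = line.split()
    kv = _kv(rest)
    local = datetime.strptime(f"{date_s} {time_s}", "%m/%d/%y %H:%M:%S").replace(tzinfo=AS400_LOCAL_TZ)
    return Event(local.astimezone(timezone.utc), "as400", kv["user"].lower(), f"{kv['action']} {kv['obj']}")


def parse_proxy(line: str) -> Event:
    """Unix epoch seconds are UTC by definition."""
    epoch_s, _host, *rest = line.split()
    kv = _kv(rest)
    ts = datetime.fromtimestamp(int(epoch_s), tz=timezone.utc)
    return Event(ts, "proxy", kv["user"].lower(), f"{kv['bytes_out']} bytes to {kv['dst']}")


def build_timeline(sources: Dict[str, List[str]],
                   parsers: Dict[str, Callable[[str], Event]]) -> List[Event]:
    """Parse every line of every source with its own parser; return one list sorted by UTC time."""
    events = [parsers[name](line) for name, lines in sources.items() for line in lines]
    return sorted(events)


def summarize(timeline: List[Event], actor: Optional[str] = None) -> dict:
    """Answer who / when did it start / when did it end, for everything or for one actor."""
    evts = [e for e in timeline if actor is None or e.actor == actor]
    if not evts:
        return {"events": 0}
    return {
        "events": len(evts),
        "actors": sorted({e.actor for e in evts}),
        "sources": sorted({e.source for e in evts}),
        "first": evts[0].ts,
        "last": evts[-1].ts,
        "span_seconds": int((evts[-1].ts - evts[0].ts).total_seconds()),
    }


# Constructed sample lines (placeholder hosts, users and documentation-range addresses).
SAMPLE_SOURCES = {
    "citrix": [
        "2013-03-02T01:58:00-06:00 citrix-gw01 LOGIN user=jdoe src=192.0.2.15 result=success",
        "2013-03-02T02:14:07-06:00 citrix-gw01 LOGIN user=svc_backup src=203.0.113.9 result=success",
        "2013-03-02T02:15:41-06:00 citrix-gw01 LOGIN user=svc_backup src=203.0.113.9 result=success",
    ],
    "as400": [
        "03/02/13 02:31:55 AS400-POS QAUDJRN user=SVC_BACKUP obj=CARDTXN action=READ",
        "03/02/13 02:40:12 AS400-POS QAUDJRN user=SVC_BACKUP obj=CARDTXN action=SAVF",
    ],
    "proxy": [
        "1362213901 proxy01 user=svc_backup dst=198.51.100.77:443 bytes_out=48211340",
    ],
}
PARSERS = {"citrix": parse_citrix, "as400": parse_as400, "proxy": parse_proxy}

if __name__ == "__main__":
    tl = build_timeline(SAMPLE_SOURCES, PARSERS)
    for e in tl:
        print(e.ts.isoformat(), e.source, e.actor, e.detail)
    print(summarize(tl, actor="svc_backup"))
```

Without the per-source normalisation the AS/400 entries would sort six hours before the Citrix logins that preceded them, and the "when did it start" answer would be wrong; that is why each parser carries its own time-zone handling rather than a single global offset.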