
Marriage of Threat Intelligence and Incident Response

BSides Peru · 2018 · 53:34 · 129 views · Published 2018-06 · Watch on YouTube
About this talk
Threat hunting is often seen as the domain of large, well-resourced security teams. This talk demonstrates how smaller organizations can integrate threat-hunting techniques into incident response using open-source intelligence and tools. By combining indicators of compromise, threat intelligence, and proactive hunting, security teams can detect and respond to threats more effectively.
Original YouTube description

The Marriage of Threat Intelligence and Incident Response, or... Threat Hunting for the Rest of Us

Abstract: Most organizations don't have a large security team, or the ability to conduct active threat hunting. This doesn't mean that we can't utilize the skills and information we have to incorporate threat hunting techniques into our incident response process. This talk will focus on utilizing Open Source Intelligence (OSINT) and open source tools, and incorporating this into not only our incident response process but also threat hunting operations.

Bio: For 20 years, Jamie Murdock has specialized in defending, securing and protecting corporate networks. During this time he built security operations centers for Fortune 500 companies, providing expert guidance in all areas of security operations. He has built incident response and threat intelligence programs, focusing on profiling threats specific to individual organizations, and used this information to build adaptive monitoring programs.
Transcript [en]

So next on the stage is Jamie Murdock. He's going to be talking about the greatest buzzword of 2018, threat hunting, and how you can get in on the action, in a talk called "The Marriage of Threat Intelligence and Incident Response." Let's give him a nice hand.

Thank you. So before... I want to obviously say thanks to BSides Pittsburgh. It's my first time being here, and being an attendee and a speaker for the first time is pretty awesome, so thank you everyone for that. I wish it wasn't at this venue because I'm already down like 40 bucks in the casino, so, yeah, thank you for that. So, yeah, this talk is threat intelligence and

incident response, and how we can utilize that for actual threat hunting. So before I actually begin, since we are at 3:31: I like to have fun at my talks. If you've ever been in any of my talks, I like to have fun, I like to have some crowd participation. So after this gentleman sits down, any time that somebody comes in because they're late, we're gonna point at him and laugh. Does that work? Stand by. Ha ha. So, all right, let's get started. Oh yeah, that's the second part of that, I forgot: our marketing department actually redid my slides, because they look like crap because I do them, and they said, hey, can we take a crack at

your slides? And I was like, yeah. So they made some really cool ones that I wouldn't have done. All right, so let's get this out of the way. This is about me. I am the security program manager at M arcade Technologies. I've been doing this for about twenty years. Most of my focus in my career has been on security operations, threat intelligence and incident response. You know, your career is great, everyone likes to have a good career, but I don't identify myself as my career. I identify as a father, as a husband, as a former Marine, and as a gamer. Okay, yeah, because I'm a super nerd. Oh yeah, and "at bow dock" if you want to follow me on

Twitter, but I don't... I just like retweeting everyone else's, so it doesn't matter. So what are we gonna talk about today? We're gonna focus on what threat hunting is, and it's nothing new. I mean, yeah, it's an awesome buzzword for 2018 if you want to sell some stuff, but we've been doing threat hunting for a long time; it just didn't have that cool name. So we're gonna kind of get into how all that ties into play with incident response, with threat intelligence, and how to bring all that together so you can go back to your organization and go, hey, I want to do some threat hunting, because it's really

cool. Sound good? I hope so, because you're here. So threat hunting is the new hotness for 2018. Sorry, threat intelligence, you're not hot anymore; now it's threat hunting. So from a show of hands, who has heard of threat hunting? Ooh, you like that. Ooh. So how many, same show of hands, how many heard of threat hunting before 2017? Few of us, right? Ish, right? But it wasn't called threat hunting; it was just part of our job when we tried to figure out if we had an intruder in the environment. But marketing gets a hold of things and says we can sell so much service and product if we actually label it with a name. To me,

threat hunting starts with your incident response program. Now, I've given a lot of talks on incident response and I've run a lot of tabletops for incident response, and what drives me nuts is, ha ha, is... we have tabletop exercises that we do in our organization. How many here, if you want to raise your hand, do a tabletop exercise in your organization? Good. It's a lot better; it actually grows every year, and that's awesome. Now, for those of you who raised your hand, how many of you include more than just IT functions in your tabletop exercises? Awesome. If you're not, it's probably not your fault. You've probably tried to get business units and HR and the C-suite and everyone else

involved, but they're... what? Thank you. They're too busy. "I don't have time for that. That's an IT function, that's not us." That's the absolute wrong answer. It is critical to have groups like HR, legal, corporate communications, operations, senior executive management. Now for those of you who have not done a tabletop exercise, anyone: why do you think it's important to have a group of these people in the room when you're doing incident response talks? If they're not in the room, nobody cares. That's absolutely right. We as IT folks, information security or different IT silos, we are not responsible for incident response. We have this much to do with it. If you really look at what incident response means, we have this much to do

with it; everything else is the business side, and we're gonna talk more about that. But when we come to incident response, raise your hand if you want, if not that's fine: how many people in your organization, or an organization maybe you worked at before, did not have a formal incident response plan? And I understand there are probably people not raising their hand, and that's fine. You'd be surprised at the amount of organizations that do not have an actual incident response plan. Not only do they not have one, they don't think it's important. No, I didn't think it's important. There are companies whose names you would be like, oh, I know them, very large name-brand organizations, that think incident

response is something that falls in line with disaster recovery. How many people here would agree with that, that incident response falls in line with disaster recovery? Good, no one. So what I'm going to get ready to show you is a traditional incident response model. Probably everyone has seen this before, right? Classic phases: preparation, detection, analysis, containment, eradication, recovery, post-incident activity. This is the incident response model 101. I agree with this for the context of this talk; however, when we're talking about threat hunting, I have a little bit different approach to it. Okay, never mind. Again, marketing did my slides, and I thought I had something different; I

don't. That's cool. So the way I look at it is actually starting with detection as the first stage in incident response. We're gonna go through all these stages so you can kind of get an understanding of why: detection, analysis and threat intelligence, containment, hunting, eradication, post-incident, preparation. I know it seems a little weird, so bear with me until the end to get into the guts of what we're gonna do here. Let's start with detection. Detection is pretty simple; that is like the easiest part of what we're gonna do in this entire process of threat hunting. We're gonna identify a security event. Now notice I said security event. Aha, it's a security event; we don't know if it's an incident

yet. It could be, you know, Jamie locked his password because he changed it and his phone is going crazy trying to authenticate. Is that a security incident, if that's what happened behind it? No, it's an event. So we need to identify the event, determine if it's an incident. Now, most importantly, and if anyone's been through a true incident, this next step is actually extremely hard to do: record all the steps, tools and analysis for post-incident activities. Now, who here has been involved in an incident before, like a legit oh-shit incident, right? How many of you remembered to write down everything that you did? A couple. That is extremely hard to do, because when you're trying to do

15 different things, communicate with 30 different people, and identify what the next step should be, it's hard to actually write everything down. Now if you're in a room and you have the incident... the core team of incident response together, like the IT silos and security, it's a little easier, because you can go, guess what, your job is, you're gonna write everything down, you know, a scribe. This guy knows what I'm talking about. So what do we use for identifying a potential incident? Well, it's our monitoring and detection systems. We're gonna use our SIEM, we're gonna use our lateral movement detection platforms, we're gonna use whatever we have at our disposal to say, hey, this is something you might want

to look at. In that space, in detection, we're gonna get one of the key things we're gonna utilize throughout the entire process: indicators of compromise. Is everyone familiar with the term indicators of compromise? Okay, cool, I can skip that. So we have all this stuff. Now we know something happened, but we don't know exactly if it's an incident or not. Well, we have some basic indicators of compromise, and those come from the details. When we start our analysis we're gonna have, hopefully, some basic things like source and destination addresses, ports, any other signs like hashes, signatures for different detection platforms, domain names, blah blah blah, the list goes on, right? Well, we need to look into

each one of these, because even though the source IP address might be 10.1.1.10, the server over here, okay, well let's look at that server, because it's part of this potential incident, and let's see what else is going on with it outside of what we know it's talking to. Let's not miss any other data. When you run through an incident, if you haven't done one before, the biggest mistake you can make is assuming that your analysis is complete. You have to run everything to ground. I've been involved in incidents before for clients, and I said, what have you done? And they give me the whole list: this address was talking to this, and we know it's doing this, we know

it's bad, and we know it's talking to this bad stuff. Cool. Have you seen what else is talking to it? No. Why not? Because I'm not seeing it on my... it's not showing red on this dashboard. Okay, well, you know it's involved in an incident of some kind; why aren't you looking to see if there's anything else it's communicating with? So when you go through and you do all this analysis and you're looking at these different things, communication streams, potential droppers, anything it is, you want to document all that information. It's going to become key when you start creating indicators of compromise to go hunting. It's also going to be key when you do your after-action report and

whenever you do a write-up, so hopefully you're updating your playbooks, if you have any, to next time be able to just run through it. We're also going to look at... we're going to investigate other results. So how many here call somebody in the security community and go, hey man, have you seen this before? I highly suggest that, any time you're asked that again, you raise your hand. I mean, look to your neighbor right now, look to the left, come on, yell, seriously, look to the left, I'll stand here all night, look to the right. These are your peers. These are people you should be able to call and say, hey, have you seen

any increase in activity of O365 compromises from Africa? Why? I didn't want to name a specific country, but yes, you know, you should be able to reach out to somebody in the community and ask that. So that's where this comes from: further investigating any other results from other searches. And now, obviously, you don't have to say, hey, guess what, right now we're in the middle of a breach and we have PII flowing out the door like it's water. You don't have to say that. All you have to say is, hey, have you seen this before? Let's utilize the skill sets in our community. How many people have heard of threat intelligence? Everybody, right?

Threat intelligence last year was the new hotness; now it's threat hunting; next year it'll be threat something. Anyway, every time I give a presentation on threat hunting I lead off with: threat intelligence is more than just ones and zeros, and it truly is. Threat intelligence is any threat to an organization, whether it's cyber, whether it's physical, whether it's business related, whether it's brand reputation; that is a threat. However, for the purpose of this talk we're only going to focus on the ones and zeros, but just keep that in the back of your mind: threat intelligence is any threat to an organization. So when we start looking at this and we're using it as

part of our exercise for threat hunting and threat intelligence, if you don't think you've done it before, I guarantee you have. How many people have used Google to look something up that they're working on? Everyone raises their hand. Yep, that's threat intelligence. Congratulations, you're now all threat intelligence experts. It's called open source intelligence, OSINT. Open source intelligence, just like it sounds, is anything that is readily and publicly available for you to gain information from. My favorite source of OSINT has been, and continues to be so far, Twitter. Twitter's awesome. It's not as awesome as it used to be back in the early 2000s when, you know,

"I'm going to attack Bank of America on this date because they screwed up my checking account." That stuff used to be plastered all over Twitter, so you kind of knew who was doing what, who was just trying to make a name for themselves, all the fun stuff, so you could actually track threat actors. Unfortunately they kind of evolved, have gotten smarter, they went down to the dark web more, but still there's a lot of good stuff in open source intelligence you can get. So if you've looked up "is this IP malicious," you've done threat intelligence. I mean, it literally is that simple. It's not like you have to spend your

time in a dark room creating a false persona to get invited to a forum on the dark web that will actually get you somewhere else where we can go for hire-a-hacker and get even more information. Now that's like legit hardcore threat intelligence, but you can do threat intelligence without having that. Anyone familiar with that screen? One, two, three, four. Phew, yeah. So, and this is not product placement in any way, shape or form: this is a free service offered by AlienVault, it's called OTX. It is a great resource for threat intelligence. So what I have here is something I was looking at, and this is legit, this is something I actually worked on, and I went to OTX and

I said, huh, what is this hostname? Because I saw communication paths to it. I put in the hostname and it pops up. Does this thing have a laser? See if I screw anything up. So I look up the hostname and I see it has a pulse. If you're not familiar with OTX, a pulse means somebody's created something that includes whatever that search term was. So I go to the pulse and then I start getting all this information here. So those are MD5 hashes that are associated with this pulse. If you can't read that up there very well, the pulse is basically this botnet miner for cryptocurrency, and it has a reference, and then it has tags, and you

can see in the blue it says indicators of compromise somewhere around there, indicators of compromise: 51. Well, on this specific pulse there's 51 MD5 hashes. Sometimes those are also IP addresses, domain names; it depends on what they found and who found them. So I said, huh, there's a reference on this; I want to see what somebody wrote up about this. And I'm not gonna read this whole thing, but this goes into what this botnet does, how it operates, and one of the most important things is, I think it's there, doo doo doo doo, no, it's down there, right there: infected with NSA arsenal, spreads via SMB 445. That's some

awesome information to have if you're defending and you're trying to contain, right? You know exactly what port this specific botnet, anyway, this specific cryptocurrency miner is trying to utilize. So we put that away. There's also some other information there. Again, this would be open source intelligence, and it took me a whole two or three minutes to get this information because I knew where to go and look. So again, we have a hostname we knew was doing something bad, we gathered some intelligence and discovered it was on this nasty botnet. So what do we do? This is where we play, this is where we play participation. So based on what we just

saw, so we have SMB port 445, infected with NSA arsenal. Now I wanna know, what do we do now? Block... block 445. What else?

Boom. Utilize what we saw, those hashes and 445, look for any other communications. What else could we do?

Close. You can't chuck the computer into space, but you can nuke it from orbit. Anyone else? Going, going...

You get my empty bottle; I don't have any swag, sorry. Yeah, we can grab that computer. We know that in this scenario we've seen it communicating, we know some bad shit's going on, so let's focus on that computer; we have, potentially, patient zero. So in this rough scenario we've looked, something popped up, said hey, this is bad, we've done some intelligence on it, we've analyzed it, now we need to start the process of stopping the bleeding. If you've been in an incident before you know that it does not go this fast; however, for the sake of time we're skipping really fast through this. This is the hard part: you have to balance business needs with what your gut tells

you. Your gut might say, as a security purist, right, we're gonna block 445 right now. However, and this is where it comes into play that senior executives and all these other business units have to be involved: we can say block 445, but if there is a mission-critical business application that utilizes port 445, whose decision is it to make that, or who makes that decision for us? It ain't us. Whoever makes the most money is usually correct, but it's gonna be somebody who has the authority to say we're gonna block this or we're not gonna block this, we're gonna assume the risk, and here's why. That's why it's

critical for... yeah, man, stop reading my slides ahead of time. No, I'm just kidding, but you're absolutely right, you know, there's a lot of factors that go into this. Excuse me. I'm impressed... all right, so now I'm good. It's critical to have business units involved. I can't say we have to block 445, we're going to do it right now. But I can, as the security expert in my organization, say: here's the risk if we don't; here's what we know about the specific attack vector; here's what we know about the specific cryptocurrency mining botnet; if we choose to assume the risk and not block 445, here's what can

happen. Then it becomes a business decision. We have to empower business decision-makers to make the right decision, and if they don't, that's when we kind of throw our hands in the air and we get really mad and we say we're screwed and go drink. Does everyone understand that part? No, cheers... no, the business part, because that's crucial. I've worked in a lot of organizations that didn't know how to make the right decision because the right technical folks didn't give them the right advice. They just said you have to, you have to, you have to, without providing them the risk if they don't. So communicating risk is how you actually speak business, because if you say everything from a

security perspective they're gonna be like, no; but if we tell them what the actual risk is they're gonna listen, hopefully. So let's have some fun. Now we're gonna start talking about actual threat hunting, or as I like to call it, the stuff we normally do anyway. Threat hunting: we're gonna detect the intruder. We've done that, right? We've gone through our detection phase. We're going to prevent them from getting a stronger foothold; we're gonna talk a little bit about that, put your thinking caps on, because I'm going to be asking you some questions about that. And then, most importantly, we want them out of our network as soon as we can, get as much information as we can to contain them, to

figure out how they got in, how to correctly get them out, and then execute that to eradicate. That's important. However, this gentleman up here brought up a good point, which we're gonna hit here in a bit, and you have to balance that with how much you want the intruder to actually know, right? So that's a game of chess that we're going to talk about. Who is familiar with TTP? Not OPP, TTP. All right, good, a bunch of us, that's awesome. So TTPs: tactics, techniques, procedures. It's what an attacker does. This is standard methodology; most attackers have the same TTPs. Most of it's a business. I mean, the days of, you

know, a teenager in his mom's basement are pretty much over for real attackers. For those of us who have gray in our hair, we remember when that was like a big problem, and I wish that was the biggest problem right now. We have sophisticated states, we have criminal organizations, we have all this other stuff. It is literally a business. The reason TTPs exist is to model who's doing what from a threat actor perspective, and we're going to talk a little bit about something that I love very shortly, but the main thing to get out of this is TTP: that's how we identify attackers, that's how we kind of put a DNA to who's

doing what toward us. Who knows this, the old Pyramid of Pain? So what the Pyramid of Pain shows is, from the top... I'm sorry, from the bottom up, how much can we trust an indicator of compromise and how often do we see them. So as you see on the bottom you have hash values. Well, you see hash values all day long, and they're the least trustworthy actual indicator of compromise you can have. We're gonna talk about a lot of these. Then you get up to the top, which is true TTP; it's the hardest to actually get, but the most reliable indicator of compromise that you can utilize. So any questions on this slide? We're going to talk more about

each one, but just in general, anyone look at this and go, I disagree? Because you could be right, I don't know, I didn't write this. Okay, so when we talk about indicators of compromise, file names weren't even on the Pyramid of Pain, because let's face it, if I drop something on your system and you go strictly off my file name, I am the worst hacker ever. If my malware, my exploit that I wrote, can be defeated because you can pick it up by a filename, I suck. It's probably something that I taught my kid to do for fun. However, when we start looking at hash values, I'm not saying hash values are not a

good indicator of compromise; they are. But how easy is it to change a hash? It's extremely easy, without having to do a lot of rewriting of my exploit or my malware or my ransomware, whatever it is. Hostnames: now we're getting a little bit better. However, hostnames can be changed very easily too; you throw something in a fast flux botnet, fast flux DNS botnet, and that hostname goes out the window. But why is it harder to change a hostname? If you're talking, in our example where we have a cryptocurrency botnet, why is it harder for them to change a hostname than a file hash? "Then when I get paid." What else?

Imagine that you have that botnet set up and you wrote this code, maybe you obfuscated it or it's encrypted or whatever, but how does it know who to talk to? Because you put a hostname in. So if my hostname gets detected and it becomes a true indicator of compromise and it gets flagged, I need to rewrite it; that means I have to change my hostname. Ports, the same thing. You guys think ports are a little bit better from an indicator perspective than a hostname is, though, because, yeah, I can utilize IP addresses or fast flux DNS, all these fun little things to do, but at the end of the day I'm writing this code

to work across a certain communication stream, so it's harder to change what ports it's utilizing than it is a hostname or even the hash of the file itself, because then I have to completely rewrite a big portion of my code to include it, right? Well, now I'm going to use this protocol over this port instead. Everyone get that? Cool. This isn't the end; "bringing it all together" should be there, but hey, I'm not marketing. So when we look at everything that we've gone through so far: we saw something and we decided this is an incident. We have an alarm in my SIEM, for example, and it said this is communicating to a potentially malicious host. So I looked it up; yeah,

sure it is. We saw the hostname it's communicating with, so we took that information and we utilized open source intelligence to find out more information about the host, and it turns out it's part of a crypto-mining botnet. We followed the standard steps of incident response: we went through our detection and analysis, and we used indicators of compromise and threat intelligence to get more and more information. So that's where we're at currently. So now let's use that and let's go hunting. Threat hunting is very simple. Like I said, it's the new buzzword of 2018, and it seems like it might be something that's difficult, and maybe it's something scary because you

haven't heard of threat hunting before, but more than likely, if you've ever run an incident through, you've done some sort of threat hunting. At the end of the day we're taking indicators of compromise that we have found, or maybe we created them, and we're gonna go in our environment and start looking for those indicators of compromise. We're gonna start looking internally for any signs of this threat, in this case. Now you can do a full 360...

we put into our monitoring and detection systems you know we spent $250,000 each probably roughly for all these different systems when you put these in here's a compromise in there and you start writing content for example if your sim I can put that hostname in and say if anything talks to this it's a priority one critical or notify everybody or I can take one of those file hashes or any of the other things that I have found and write indicators for them and then put it into my system so it'll let me know that's the most there that's the easiest part of threat hunting especially if you have more advanced systems that can actually you can push through and

automate it or if you can script it yourself to go through and just start pushing it out and automate it it's there's a lot of different things you can utilize the pyramid of pain again that's the biggest like threat hunting takeaway I would say is to remember that what's at the bottom you're gonna see the most best the least reliable up top is where we actually get into stuff you can hang your hat on when it comes to fine and profiling malicious actors so before I get into eradication let's talk a little bit about TCP a little bit more in depth when you think of I don't say Microsoft and this analogy has been used

many times you've probably heard it before when you think of Microsoft you think of a company that pushes up product that's a global leader in you know all sorts of stuff however maybe their product isn't that great sometimes from a security perspective maybe we need to patch it every once in a while maybe they have a really good tech support crew though actual threat actor groups are just like that but with better product there's help there's help desk you know you can you can do ransomware as a service for example you can do ransomware as a service you can do anything malicious as a service now you can hire hacker all this fun stuff out the dark web right now think about

when you first started with your current employer you probably had to go through some kind of orientation you probably had a procedure manual or a policy manual or something like that you had to go through you probably had some kind of run book or help desk certificate help desk knowledgebase or whatever it says if you see this do this right if you have not been through that raise your hand yep everybody right these groups do the exact same thing they have play books they have scripts for the help desk if they have an issue with the customer and there's a problem with the code they get on it like that they there is better tech support and dev work sorry devs

there's better dev work on the bad side why do you think that is money money money money product the product they put out is their name if their name goes out their products into yourself because somebody else is going to come up and eat them alive so when you think of that right we said that they have their policies and procedures and run books and everything like that when we go back to the pyramid of pain the very top thing was what TTP how hard is it going to be for me as though I lead a malicious group and I have all y'all as my employees and this is how we're gonna write our code this

is how we're gonna distribute it this is how we're gonna build clients etc and then all of a sudden some researcher comes along and can identify the methodology in which you code and to tell that that's you because you're a Russian based group however you like to code in Chinese to throw somebody off however you're not fluent in Chinese so there's indicators that that's not Chinese and then all of a sudden that gets tagged back to you now you have to completely go back and change how you do things because you've been busted that's why that little top piece of that triangle is so critical you have that and you can say definitely you know

Charles Yost wrote this code because I can tell because I've seen another code that he's before he's not a bad guy though usually but that's why it's so critical I can change the file hash all day long I can do all these other things but once you start messing with my business product it is extremely difficult for me to come back from just like any other software if you find a major vulnerability in I don't know WordPress our WordPress plugin it it may take specially if the plug-in and then that company or whoever wrote it has to go back through and completely rewrite it from scratch that causes a problem for them so just want to make sure

everyone kind of got a good understanding of the TTP piece of the house so let's talk about eradication now what have we done so far we found some stuff we looked up some stuff we found out some more information we thrown some stuff and I'm monitoring detection when they have scripted some stuff to go through and look at other stuff so we've done a lot of stuff what we haven't done is made sure that everyone's out all the bad guys are out of our network yet though so what we do that we have to think of a lot of different things this gentleman brought up one of the most important things before and that is do you tip off the

intruder or at what point do you tip off the intruder there might be times and it's a business decision so we have to educate the business side the sea level on the right risks but we have to let them know what's going on and what our plan is for example this system is compromised it's the admin assistant for the CFO we know it's compromised however we don't want to pull it off the water and here's why we want to do live memory forensics we want to do all these other things we want to see who it's talking to we want it to go through its paces we can trap more and more information to create more

and more indicators of compromise. That sounds great, but at what cost? What's going to happen if we let that happen?

Exactly. That comes to the business side of the house. Now I put my business hat on. I say, okay, I hear what you're saying, I understand that you want to get this information and how critical it is, but at what cost? What's gonna happen if I let you do that and let it run its course? Does that admin assistant have access to the CFO's calendar? More than likely. So if the CFO has a meeting on there with the director of operations for Disney, well, that's business intelligence information that I can sell. Hey, guess what, Jamie Murdock Incorporated has, it looks like, a major meeting with Disney for operations. So if I leaked that information and said, hey, Disney is

looking for security operations work, they probably have an issue, I wouldn't buy Disney movies, or whatever it is. So that's business intelligence. That's one little thing just because of a calendar. Imagine what they have, what they can get, if they had access to the full inbox of that admin assistant, who, by the way, probably can do what? Send on behalf. So if they can send on behalf, what else can they do? Phishing, full access to that email account, all sorts of things. So for us in security, you know, we want, like, hey, let's keep this machine open because there's a lot we want to do. But sometimes we can, sometimes we have

to say the right thing for the business is to pull the plug on this thing. You know, do some disk forensics; we lost the capability for memory forensics, but it's what we had to do. Good. Yes, sir? So the gentleman asked: can't you tip them off also if you use open source intelligence? Possibly. For example, if I take the code and load it to, let's say, VirusTotal, and I'm sitting there and I'm, you know, the bad guy developer, and I monitor that looking for my code to show up, then yeah, especially if I customized that code for you. If I wrote a custom exploit or a custom piece of ransomware or malware based on the recon

that I did of your organization, and I'm looking, then yes, absolutely. [Audience: suggestion on how to use the source, and let's say you're looking at something where, kind of, the website, right, and there's a lot of the first name, they see their website was put in there, you're not uploading something.] Good question. I like your thinking. I'm gonna talk to you after. So what the gentleman was saying is, you know, not only just like VirusTotal, but, you know, looking at the website or other things like that. What I do is, and who's familiar with Tails, the ISO? [inaudible] I utilize Tails through a VPN through somebody else's Wi-Fi, like Starbucks or something like that. That

way, you know, yeah, I might upload their code, but it's not directly tied back to that organization. So yeah, as the bad developer I'll get nervous, like, oh, somebody saw my code, I wrote this specifically for them, but it's not necessarily definitive on it was, you know, Jamie Murdock at, you know, BSides Pittsburgh, for example. So yeah, it's, I hate the word, but it's like tradecraft stuff, right? When you're actually doing the intelligence work there's other things that go behind the scenes other than a couple of slides in a presentation. [Audience: I don't want to say that it's a bad example, but your reactions to that would be different because it's worming and [inaudible] more people;

you would want to eradicate first and contain before you would worry about tipping off.] I a hundred percent agree. So if you didn't hear what the gentleman said: in the example I gave, you know, because of the capabilities of what that can do, it can spread, I'm just paraphrasing, so you'd want to contain that as soon as possible. And you're absolutely right. Damn you for catching me. You're right. I'm not afraid to admit I was wrong on that, but no, you're absolutely right. In that situation you would definitely, you know, jump, not jump the gun, but jump right into that containment. Okay, so I'm gonna go through

these a little quick. Eradication: most of the stuff you guys already know. You know, we can do host isolation through various different things: pulling the host completely off the network, putting it into a separate VLAN so you can keep communications alive, all sorts of things you can do to the host. You can do segmentation, and I'm not talking about a full-on architect-level, network-engineers-everyone-involved segmentation. I'm saying if a field office in Oshkosh, Wisconsin, is the one that we believe had the initial source of compromise, then we can segment them off completely. We can look at very, very difficult things like removing the hosts at layer 1 and removing the

hosts for forensics. And this is what we were talking a little bit about before: obviously, if you do that, say goodbye to memory forensics unless you've already done it. But that goes a lot into what we have to do with business units. Post-incident: so we've gone through, we had an incident, just to kind of bring us up to speed. We had an incident, we went through, we did our detection and analysis, we did all that fun stuff, we gathered indicators of compromise and we went looking in our environment. Now we're all done. However, we can't just assume that because we believe we've eradicated, everything's good to go. I worked an incident for a very, very large global manufacturer that got hit

by a specific threat actor group from Asia. Yes, the country: China. Yeah, imagine that. Went through, made recommendations, here's what we need to do to not let this happen again. Cool. Guess what happened about three months later? Hey, what's up, again. Did you guys do anything we recommended? No. Okay. So you have to continue with the shields-up posture. That's the point. You know, when you look at your post-incident, you're going to be gun-shy anyway. You see an account lockout, you're, like, call everybody, we're getting hacked again. That's not necessarily a bad thing. We need to document all the steps we took and put that in our analysis. Post-incident activities are critical in any

kind of incident. You know, most of us who go through an incident, we go through, we do all of our work, it's done, and we just kind of leave it at that. We don't do an after-action report, we don't do an improvement plan, we don't prep anything for senior management, the C-suite, Board of Directors or anything like that. We're just like, whew, yeah, it was bad. So what we have to do is an after-action report and an improvement plan, an AAR/IP. This is based on everything we did for this incident, you know, the steps that we took. This goes back to the documentation when we first started this discussion: all the steps we

took, what we found, the indicators of compromise we created, how we went through our environment to verify we didn't see anything else like that, all these important things. Usually incidents are put into a ticketing system of some kind. Do not close that incident, do not close that ticket, until you have gone over the after-action report with the whole incident response team. The reason I say that: when you go to the entire incident response team and you're talking to somebody from corporate communications or HR or legal, they might want you to do something else. For example, they might say, those systems

that you did forensics on, I also need you to take those, you know, we need to do a legal hold, we need to do, you know, we're calling in the FBI, we need to do a chain of custody and all this other stuff. That's still part of the incident, so that needs to be added back into that after-action report. Don't close it until everyone's been communicated to, and that again includes all members. And then, responding again, we're gonna push out any of the new IOCs that we found to our monitoring and detection systems. We're gonna create new rules and content in the monitoring platform. So what does that mean? Huh? No one? Okay. That means if I saw communication on

port 445 and it's utilizing, you know, and it's associated with this IP or this host, then complete shields up, wake up everybody. You know, create content. If we discovered any avenues of approach that can be blocked, or that we can do better work on to help prevent another, you know, breach or ransomware or anything else from happening, we need to do that. That's included in that after-action report and improvement plan. The improvement plan, for those of you who may not be familiar with it, basically says: here's what happened during an incident. When we were going through, we discovered that, you know, we have no egress filtering in the company, and this led to this happening, so an improvement

that we recommend would be egress filtering. So things like that: closing avenues of approach. Now the last step in my model here is usually the first step, which is preparation. The reason why I have it as the last step is, hopefully you have a plan of some kind, whether it's formally documented and there's a formal policy around it, or it's like, hey, I know that if something happens I'm gonna call Kevin and Kevin's gonna kick things off. The reason I have it last here is because I want to put a lot of focus on it. We're gonna take everything that we learned during this incident, everything we gathered from threat intelligence, any of the information we

found during our threat hunt, and we're gonna put that, update our incident response plan. We're gonna communicate all, not all, but as much of the information as we can to our employee base. Let's say it was phishing; maybe the original attack vector was phishing or spear phishing. So we're gonna communicate with our employee base: hey, phishing sucks, don't do it, you know, the BEC typical stuff. Maybe it was because somebody came in and installed a device or software and we allowed it. Well, education on that is, we need to have a serious look at policy change, and then putting procedures and technology maybe in place to not allow that anymore. Like, I don't know, not let everybody be a

local admin on their box. Something might sound simple, but it's very difficult for some people. And most importantly, because this all does relate back to a business discussion and business decisions: update policies and procedures. They sound simple, it may sound trivial even, but policies are your teeth, procedures are what we do. That being said, I'm out of bullet points. Any questions? Yes, sir? [Audience question inaudible.] I'm gonna be right over here pretty soon, because I think I'm going just a little over, but I'm gonna be right over here. Yeah, I do have, okay, all right. So on that, it starts with baby steps. So if you go to an organization and say, or let's say

you're working in a smaller organization and you say, I want to start doing threat hunting, it's gonna be really beneficial for us, and they laugh: no, no, you're not, we don't have time for that. It's probably the same reaction you get if you say, hey, I think we should do internal pen testing. We don't do that, we're, you know, we make widgets or whatever. Any time that you want to have a successful project with, say, security, it always, always, always has to align with a business goal. So if you can identify a business goal to relate to, you know, doing an exercise similar to this, and show the benefit of, you know, taking a couple of indicators of compromise and

looking around a little bit, poking, you know, kicking the tires so to speak, tie it to some kind of business goal. Nothing gets security sold better than a breach does. Outside a breach, nothing gets security sold more than being able to relay it to a business discussion. For example, how many have heard "security, we're nothing but a burden"? Everybody, right? My suggestion on that has always been: hell yeah, we're a burden, and embrace that. Don't try to show that, you know, well, we kind of make a profit, or if you don't do this then we could lose. No, we are a burden. We're not only a burden in the organization, we are the most important burden you can have in

this organization, and here's why. Does that kind of help? I mean, I can get more into it afterwards, but yeah. Any other quick questions? Yes, sir? I'm coming back to you. [Audience: threat intel feeds.] So what I will say about threat intel feeds: there's a lot of them out there, there's a lot of good things that you can get. My personal opinion is you can get open source threat intelligence feeds, or do it yourself, probably better than you can by paying for it. If you don't have the in-house capabilities or the bandwidth to do that on your own, then paying for them is not a bad thing. Just keep in mind, a lot of times when

you pay for a threat intelligence feed, it's, I kind of talked about before, the ones and zeros. You can do darknet scraping now, but it's darknet scraping that they utilize, and a lot of these things is no more than an algorithm that you can run yourself. You had a question? All right, anyone else? Yes, sir?

[Audience: ...five years from now I'm still learning about them; how often would you recommend going through [inaudible]?] So the question is: he finds all these indicators, went threat hunting, found indicators, and he's still seeing the alerts, like, five years from now. How often do you kind of go back and re-evaluate that? It's a good point. That kind of ties into your threat feed thing. For example, if you go to most threat intelligence feeds and, as you know, 1.2.3.4 is a bad IP address, maybe it was five years ago, but maybe now it's not, but it's still listed as malicious because most people who keep those feeds do not update those feeds. I

know one specific feed that does update, a banlist by Binary Defense; they do go through and vet the feeds. So, very similar: if you're still seeing alerts after five years, if you're still seeing alerts a couple of months afterwards, then I would suggest you do, like, not just take this stuff that I did, but do a full threat hunting engagement, whether you do it or you have somebody else do it, whatever. You definitely want to get, like, super in the weeds at that point. Number two, you can look at the indicators of compromise that you're seeing, look to the person to your left or right, ask if they've seen something like that before,

do some more research on the specific indicator that you're still flagging on, because you might still have the issues inside the network. It could be a false positive. So the key thing to that, with any piece of intelligence at all, is always to vet the intelligence. So that IOC, maybe it's not legit anymore, maybe it's, you know, who knows, maybe the IP address got bought by Google and, you know, it's just a communication stream with Google. All right, I'll be right over here if anyone else wants to talk. Thank you for your time, and I appreciate you coming out. [Applause]
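Two points from the talk are easy to show in code: turning the IOCs found during an incident into detection content ("communication on port 445 associated with this IP, then shields up") and, from the last question, aging and vetting those IOCs so that a five-year-old address, or one since reassigned to a legitimate provider, stops paging people. The script below is an added example written for this page; it is not the speaker's code or any product's. The indicator list, the allowlisted range and the firewall-style log lines are all constructed for the example (addresses come from the RFC 5737 documentation ranges), and the 90-day age limit and confidence threshold are assumed defaults, not values from the talk.

```python
"""Vet incident IOCs before matching them against logs (added example, not from the talk)."""
from dataclasses import dataclass
from datetime import date
import ipaddress
import re


@dataclass(frozen=True)
class Indicator:
    value: str       # IP address or SHA-256 hex digest
    kind: str        # "ip" or "sha256"
    source: str      # feed or incident the IOC came from
    last_seen: date  # last time the source confirmed it was malicious
    confidence: int  # 0-100, assigned when the IOC was vetted


# Constructed sample IOCs (hypothetical; RFC 5737 documentation addresses).
SAMPLE_IOCS = [
    Indicator("203.0.113.7", "ip", "incident-2018-04", date(2018, 5, 20), 90),
    Indicator("198.51.100.23", "ip", "osint-feed", date(2013, 6, 1), 60),    # five years old
    Indicator("198.51.100.200", "ip", "osint-feed", date(2018, 5, 1), 50),   # range since reassigned
    Indicator("a" * 64, "sha256", "incident-2018-04", date(2018, 5, 20), 95),
]

# Constructed allowlist: a range we have verified now belongs to a trusted provider.
SAMPLE_ALLOWLIST = ["198.51.100.128/25"]

# Constructed firewall-style log lines for the example.
SAMPLE_LOGS = [
    "2018-06-10T09:12:01 src=10.0.0.5 dst=203.0.113.7 dport=445 proto=tcp",
    "2018-06-10T09:12:05 src=10.0.0.5 dst=203.0.113.7 dport=443 proto=tcp",
    "2018-06-10T09:13:00 src=10.0.0.9 dst=198.51.100.23 dport=445 proto=tcp",
    "2018-06-10T09:14:00 src=10.0.0.9 dst=198.51.100.200 dport=443 proto=tcp",
    "2018-06-10T09:15:00 src=10.0.0.9 dst=192.0.2.1 dport=445 proto=tcp",
    "garbage line that does not parse",
]


def vet_indicators(iocs, today, allowlist_cidrs, max_age_days=90, min_confidence=50):
    """Split IOCs into the ones still worth alerting on and the ones to retire.

    An IOC is retired when its last confirmation is older than max_age_days,
    when its confidence is below min_confidence, or when an IP falls inside
    a range we have verified as legitimate. Returns (active, retired_reasons).
    """
    nets = [ipaddress.ip_network(c) for c in allowlist_cidrs]
    active, retired = [], {}
    for ioc in iocs:
        age = (today - ioc.last_seen).days
        if age > max_age_days:
            retired[ioc.value] = f"stale: last seen {age} days ago"
        elif ioc.confidence < min_confidence:
            retired[ioc.value] = f"low confidence: {ioc.confidence}"
        elif ioc.kind == "ip" and any(ipaddress.ip_address(ioc.value) in n for n in nets):
            retired[ioc.value] = "in allowlisted range"
        else:
            active.append(ioc)
    return active, retired


LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def match_logs(lines, active_iocs, watch_ports=(445,)):
    """Return (src, dst, dport, severity) for every line whose destination is an active IP IOC.

    Any hit on a vetted IOC is worth an alert; a hit on one of the ports the
    incident used (445 in the talk's example) is raised to high severity.
    """
    bad_ips = {i.value for i in active_iocs if i.kind == "ip"}
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than silently mis-match
        dport = int(m["dport"])
        if m["dst"] in bad_ips:
            severity = "high" if dport in watch_ports else "medium"
            alerts.append((m["src"], m["dst"], dport, severity))
    return alerts


if __name__ == "__main__":
    active, retired = vet_indicators(SAMPLE_IOCS, date(2018, 6, 10), SAMPLE_ALLOWLIST)
    for value, why in retired.items():
        print(f"retired {value}: {why}")
    for alert in match_logs(SAMPLE_LOGS, active):
        print("alert", alert)
```

Run against the constructed data, the stale feed entry and the reassigned address are retired with a reason, and only traffic to the incident's own address alerts, with the port 445 connection marked high. The retirement reasons are what you carry into the after-action report, so the next person knows why an indicator was dropped instead of rediscovering it as a false positive.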