Clearing the Brush: Lessons Learned in Gutting a CIRT and Rebuilding - - PowerPoint PPT Presentation

clearing the brush lessons learned in gutting a cirt and
SMART_READER_LITE
LIVE PREVIEW

Clearing the Brush: Lessons Learned in Gutting a CIRT and Rebuilding - - PowerPoint PPT Presentation

Jan 22, 2023 30 likes •413 views

Clearing the Brush: Lessons Learned in Gutting a CIRT and Rebuilding with Free Tools Mike La Pilla Slide Warning These are draft slides, not the ones presented Most images have been removed from draft If you are reading these you

slide-1
SLIDE 1

Clearing the Brush: Lessons Learned in Gutting a CIRT and Rebuilding with Free Tools

Mike La Pilla

slide-2
SLIDE 2

Slide Warning

  • These are draft slides, not the ones presented
  • Most images have been removed from draft
  • If you are reading these you should check the

FIRST portal for the latest ones

slide-3
SLIDE 3

About This Presentation

  • Everyone Has Their Own Take
  • Plenty of Papers on This Subject
  • Focus on Building 10 Essential Tools/Systems

– Preferably without spending money

slide-4
SLIDE 4

If You Want Organization and Structure

  • http://first.org/resources/guides/

– CSIRT Setting up Guide – CERT-in-a-box

  • http://www.sans.org/reading_room/whitepap

ers/incident/

  • Also stuff on Auscert, CERT/CC, GFIRST, etc
slide-5
SLIDE 5

Past vs Present

slide-6
SLIDE 6

Past vs Present

slide-7
SLIDE 7

Preparation by Preservation

  • Picture of frozen hard drive
slide-8
SLIDE 8

Preparation by Obliteration

  • Picture of Bar
slide-9
SLIDE 9

Know Your Scope

  • Areas of Response
  • Actions Allowed
  • Contact List
slide-10
SLIDE 10

Know Your People

slide-11
SLIDE 11

Beware of Certifications

slide-12
SLIDE 12

Attack Categories

slide-13
SLIDE 13

10 Systems You Need To Build

slide-14
SLIDE 14

1: Automatic Malware Analysis System

  • Purpose: Automatically process malware

samples

  • Recommended Features: Fast, Exe and DLL,

Memory Dumps

slide-15
SLIDE 15

1: Automatic Malware Analysis System

slide-16
SLIDE 16

1: Automatic Malware Analysis System

slide-17
SLIDE 17

2: Automatic JS Analyzer

  • Purpose: Unpack/Analyze/Interpret Javascript
  • Recommended Capabilities: Network replay,

live site analysis, copy and paste

slide-18
SLIDE 18

2: Automatic JS Analyzer

slide-19
SLIDE 19

3: Automatic Document Analyzer

  • Purpose: Analyze non-executable documents
  • Recommended Capabilities: Exploit matching,

decompression, javascript/flash parsing

slide-20
SLIDE 20

3: Automatic Document Analyzer

slide-21
SLIDE 21

4: Document Database

  • Purpose: Archive documents
  • Recommended Capabilities: Store name, file

properties, metadata, link malware info

slide-22
SLIDE 22

4: Document Database

slide-23
SLIDE 23

5: Malware Repository

  • Purpose: Store malware
  • Recommended Capabilities: Search, store

properties, link to other systems

slide-24
SLIDE 24

5: Malware Repository

slide-25
SLIDE 25

6: IP and Hostname Tracker

  • Purpose: Track network information over time
  • Recommended Capabilities: Passive DNS,

active checking, search, ASN, GeoIP

slide-26
SLIDE 26

6: IP and Hostname Tracker

slide-27
SLIDE 27

7: Forensics System/Lab

  • Purpose: Forensic analzye drives, memory
  • Recommended Capabilities: Scanning,

automation, hashing

slide-28
SLIDE 28

7: Forensics System/Lab

slide-29
SLIDE 29

8: Image Repository

  • Purpose: Replicate machines in production

environment

slide-30
SLIDE 30

8: Image Repository

slide-31
SLIDE 31

9: Tiny Tools Server

  • Purpose: Collection of scripts and tools that

increase efficiency

slide-32
SLIDE 32

9: Tiny Tools Server

slide-33
SLIDE 33

10: Documentation Portal

  • Purpose: Self-explanatory

Recommended Capabilities: Revisions, author tracking

slide-34
SLIDE 34

10: Documentation Portal

slide-35
SLIDE 35

Final Workflow Diagram

slide-36
SLIDE 36

Questions?

  • mlapilla@netcentrics.com
slide-37
SLIDE 37

References

slide-38
SLIDE 38