2021-06-12, 16:00–16:45, Track 3
As an Incident Responder I have done many a presentation from a Blue Team perspective recommending you do some things, so let’s take a look at what we regularly see that our clients fail at, that either caused the event, made it worse, or why it went undetected.
As an Incident Response Principal, we respond to our clients’ incidents and we see a pattern. I have done many a presentation from a Blue Team perspective recommending you do some things, so let’s take a look at what we regularly see that our clients fail at, that either caused the event, made it worse, or why it went undetected. This is a teaching moment that I want to share with you to take back to your organization to prepare for an inevitable event.
I talk about the 3 Cs’ Configuration, Coverage, and Completeness and this helps us to understand what kind of process that is needed to address the whole of the problem and how these map to your security program and why organizations suffer so badly during a security event.
How is your logging? Is it enabled? Configured to some best practice? (hopefully better than an industry standard that is seriously lacking). Have you enabled some critical logs that by default are NOT enabled? Do you have a way to run a command, script, or a favorite tool across one or all your systems and retrieve the results? What is that we Incident Responders need and use to investigate an incident and what are the typical recommendations we make to all our clients that they fail to do? Sadly a lot of what we need, you already have and is free, nothing to buy, just process and procedural improvements.
This talk will describe these things and how to prepare, and be PREPARED to do incident Response, or if you hire an outside firm, what they want and need too.
The attendee can take the information from this talk and immediately start improving their environment to prepare for the inevitable, an incident.
Michael is a Malware Archaeologist, Blue Team defender, Incident Responder and logoholic for NCC Group. Michael developed several Windows logging cheat sheets to help the security industry understand Windows logging, where to start and what to look for. Michael presents at many security and technology conferences helping to educate on security that attendees can go back to work and actually do. Michael is a primary contributor to the Open Source project ARTHIR. Michael is also co-developer of LOG-MD, a free and premium tool that audits the settings, harvests and reports on malicious Windows log data and malicious system artifacts. Michael is co-host of “THE Incident Response Podcast”. In addition Michael also ran BSides Texas entity (Austin, San Antonio, Dallas and Houston) for six years and lead for the Austin Conference.