CISO
Conversant Group
• The OODA Loop
• The Incident Response Process
• Sources & Resources
• Key Takeaways
SETTING EXPECTATIONS
• Deck Provided
• Some Slides are Lists
• != Every Tool Available
[OODA loop diagram: OBSERVE → ORIENT → DECIDE → ACT]
• USAF Fighter Pilot in Korean War
• Processing and Reacting to an Adversary
• Feed-Forward Loop
• Iterative
Source: https://en.wikipedia.org/wiki/John Boyd (military strategist)
Source: https://en.wikipedia.org/wiki/OODA loop
OBSERVE
• External Information
• Changing Circumstances
• Your Process
• The Enemy’s Reaction
OUTCOME: What Is Our SITUATION?
Source: https://en.wikipedia.org/wiki/OODA loop
ORIENT
• New Information
• Culture
• Experience
• Lessons Learned
• Your Own Predilections
• Analyze & Synthesize
OUTCOME: What Are Our OPTIONS?
Source: https://en.wikipedia.org/wiki/OODA loop
DECIDE
• Build a Hypothesis
• Work Your Script (‘Guidance & Control’)
  – Policies / Procedures
  – BIA/RA/ERP/BCP/DRP
  – IR Plan
• Make a Decision
OUTCOME: What Is Our Best ACTION Now?
Source: https://en.wikipedia.org/wiki/OODA loop
ACT
• Carry Out Your Hypothesis
• Work Within Your ‘Guidance’
• “Some action NOW is usually better than the perfect action later”
• Like Agile development
OUTCOME: Execute Our RESPONSE
John Boyd
[OODA loop diagram: OBSERVE → ORIENT → DECIDE → ACT]
“Get inside your adversaries' OODA loop to disorient them.”
• Situational Awareness: Observe, Orient, Decide, then ACT
• Accounts for our experience, predispositions, and what the bad guys are doing
• Feed-Forward Loop: Iterative & “agile” – short ‘sprints’
• Works within your guidance (e.g., IR Plan)
• Disrupt the Enemy’s OODA Loop
[Incident Response Process diagram: Preparation → Identification → Containment → Eradication → Recovery → Lessons Learned]
Preparation
[Phase diagram: Preparation highlighted; Identification, Containment, Eradication, Recovery, Lessons Learned]
• IR Plan
• Checklists
• Jump Bag
OBSERVE   DECIDE
• Asset Inventory (Open-AudIT)
• Business Impact Analysis
• Risk Assessment
• Identify IRT Members
• Policies
• OOB Communications (ProtonMail, Zoom, WhatsApp)
• Use Cases
• Documentation
• Processes
• Tools & Equipment
• IRT Members
• Training
• Risk Appetite
ORIENT   ACT
• Processes
• Training & Tabletops
• Ticketing System (The Hive Project)
• Call Trees
“The thing (check)lists solve for - the beast they tame - is complexity.” – Adam Savage
[Book cover: The Checklist Manifesto, by Atul Gawande]
Identification
[Phase diagram: Identification highlighted; Preparation, Containment, Eradication, Recovery, Lessons Learned]
• Monitor
• Detect
• Triage
• Classify
• IRT Activation Criterion: SECURITY EVENT → SECURITY INCIDENT
• Incident Response Plan
• Notes (Hard & Soft)
• Hot Washes
OBSERVE   DECIDE
• SIEM (Security Onion)
• AV (ClamAV, Barkly)
• Logging (Kiwi)
• Honeypot (Honeyd)
• Ticketing (The Hive Project)
• IRT Communication (ProtonMail, WhatsApp, Zoom)
ORIENT   ACT
• Asset Inv (Open-AudIT)
• Vuln Scan (BURP, OpenVAS, Maltego)
• Packet Analysis (Wireshark)
“Prevention is great, but detection is a must.” – Dr Eric Cole
[Diagram labels: BIA, RA, RISK APPETITE]
Microsoft Windows [Version 10.0.16299.1087]
(c) 2017 Microsoft Corporation. All rights reserved.

C:\Users\youruid>
Look at event logs: eventvwr
Examine network configuration: arp -a, netstat -nr
List network connections and related details: netstat -nao, netstat -vb, net session, net use
List users and groups: lusrmgr, net users, net localgroup administrators, net group administrators
Look at scheduled jobs: schtasks
Look at auto-start programs: msconfig
List processes: taskmgr, wmic process list full
List services: net start, tasklist /svc
Check DNS settings and the hosts file: ipconfig /all, more %SystemRoot%\System32\Drivers\etc\hosts, ipconfig /displaydns
Verify integrity of OS files (affects lots of files!): sigverif
Research recently-modified files (affects lots of files!): dir /a /o-d /p %SystemRoot%\System32
Avoid using Windows Explorer, as it modifies useful file system details; use the command line.
Do not forget PowerShell!
Source: https://zeltser.com/security-incident-survey-cheat-sheet/
Look at event log files in directories (locations vary): /var/log/, /var/adm/, /var/spool/
List recent security events: wtmp, who, last, lastlog
Examine network configuration: arp -an, route print
List network connections and related details: netstat -nap (Linux), netstat -na (Solaris), lsof -i
List users: more /etc/passwd
Look at scheduled jobs: more /etc/crontab, ls /etc/cron.*, ls /var/at/jobs
Check DNS settings and the hosts file: more /etc/resolv.conf, more /etc/hosts
Verify integrity of installed packages (affects lots of files!): rpm -Va (Linux), pkgchk (Solaris)
Look at auto-start services: chkconfig --list (Linux), ls /etc/rc*.d (Solaris), smf (Solaris 10+)
List processes: ps aux (Linux, BSD), ps -ef (Solaris), lsof +L1
Find recently-modified files (affects lots of files!): ls -lat /, find / -mtime -2d -ls
Source: https://zeltser.com/security-incident-survey-cheat-sheet/
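The two survey cheat sheets above (Windows and Unix) are meant to be worked quickly under pressure, which is exactly when command output gets lost, pasted into the wrong ticket, or altered before anyone hashes it. The script below is an added example, not part of the deck or of the Zeltser cheat sheet: it runs the listed commands for the current platform without a shell, stores each command's stdout and stderr in a timestamped evidence directory, and writes a manifest carrying the SHA-256 of every output so the collection can be re-verified later (the chain-of-custody point the Containment slide raises). The step labels, the function names (run_step, collect, verify, make_evidence_dir) and the directory layout are my own assumptions. A few commands are adapted so the script can run unattended: "more" becomes "cat" or "type", the BSD-only "find -mtime -2d" is written "-mtime -2" with "-xdev" added to stay on one filesystem, and the interactive or GUI entries (eventvwr, lusrmgr, msconfig, taskmgr, sigverif, chkconfig, route print) are left to be run by hand.

```python
"""Incident survey collector: runs cheat-sheet commands and keeps hashed evidence.
Added example; step labels, function names and layout are assumptions."""
import hashlib
import json
import platform
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Windows steps from the cheat sheet; 'more' replaced by 'type' so nothing pages.
WINDOWS_STEPS = [
    ("network_config", ["arp", "-a"]),
    ("routes", ["netstat", "-nr"]),
    ("connections", ["netstat", "-nao"]),
    ("sessions", ["net", "session"]),
    ("shares_in_use", ["net", "use"]),
    ("users", ["net", "users"]),
    ("local_admins", ["net", "localgroup", "administrators"]),
    ("scheduled_tasks", ["schtasks"]),
    ("processes", ["wmic", "process", "list", "full"]),
    ("services", ["tasklist", "/svc"]),
    ("dns_config", ["ipconfig", "/all"]),
    ("dns_cache", ["ipconfig", "/displaydns"]),
    ("hosts_file", ["cmd", "/c", "type", r"%SystemRoot%\System32\drivers\etc\hosts"]),
]
# Unix steps from the cheat sheet; 'more' replaced by 'cat', '-mtime -2d' (BSD)
# written as '-mtime -2' so GNU find accepts it, '-xdev' added (assumption).
UNIX_STEPS = [
    ("logged_in", ["who"]),
    ("logins", ["last"]),
    ("arp", ["arp", "-an"]),
    ("routes", ["netstat", "-rn"]),
    ("connections", ["netstat", "-nap"]),
    ("open_sockets", ["lsof", "-i"]),
    ("passwd", ["cat", "/etc/passwd"]),
    ("crontab", ["cat", "/etc/crontab"]),
    ("resolv_conf", ["cat", "/etc/resolv.conf"]),
    ("hosts_file", ["cat", "/etc/hosts"]),
    ("rpm_verify", ["rpm", "-Va"]),
    ("processes", ["ps", "aux"]),
    ("deleted_but_open", ["lsof", "+L1"]),
    ("recent_root", ["ls", "-lat", "/"]),
    ("recent_files", ["find", "/", "-xdev", "-mtime", "-2", "-ls"]),
]


def steps_for_platform():
    return WINDOWS_STEPS if platform.system() == "Windows" else UNIX_STEPS


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def run_step(label, argv, timeout=120):
    """Run one command without a shell. A missing tool or a timeout is recorded
    as a status rather than raised, so one gap does not abort the whole survey."""
    started = datetime.now(timezone.utc).isoformat()
    base = {"label": label, "argv": argv, "started": started}
    try:
        proc = subprocess.run(argv, capture_output=True, timeout=timeout, check=False)
        return {**base, "status": "ok", "exit_code": proc.returncode,
                "stdout": proc.stdout, "stderr": proc.stderr}
    except FileNotFoundError:
        return {**base, "status": "missing", "exit_code": None, "stdout": b"", "stderr": b""}
    except subprocess.TimeoutExpired as exc:
        return {**base, "status": "timeout", "exit_code": None,
                "stdout": exc.stdout or b"", "stderr": exc.stderr or b""}


def make_evidence_dir(base=None):
    """Create a fresh, timestamped directory for this survey's output."""
    base = str(base) if base else tempfile.gettempdir()
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    return tempfile.mkdtemp(prefix=f"survey-{stamp}-", dir=base)


def collect(steps, evidence_dir):
    """Run every step, write raw stdout/stderr files, and write a manifest that
    records each command, its exit status and the SHA-256 of its stdout."""
    out = Path(evidence_dir)
    out.mkdir(parents=True, exist_ok=True)
    manifest = {"host": platform.node(), "os": platform.platform(), "dir": str(out),
                "collected": datetime.now(timezone.utc).isoformat(), "steps": []}
    for label, argv in steps:
        rec = run_step(label, argv)
        entry = {k: rec[k] for k in ("label", "argv", "started", "status", "exit_code")}
        if rec["status"] != "missing":
            stdout_path = out / f"{label}.stdout"
            stdout_path.write_bytes(rec["stdout"])
            (out / f"{label}.stderr").write_bytes(rec["stderr"])
            entry["stdout_path"] = str(stdout_path)
            entry["stdout_sha256"] = sha256_bytes(rec["stdout"])
        manifest["steps"].append(entry)
    (out / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify(evidence_dir):
    """Re-hash stored stdout files against the manifest; return the labels whose
    content no longer matches (an empty list means the evidence is intact)."""
    manifest = json.loads((Path(evidence_dir) / "manifest.json").read_text())
    return [e["label"] for e in manifest["steps"] if "stdout_path" in e
            and sha256_bytes(Path(e["stdout_path"]).read_bytes()) != e["stdout_sha256"]]


if __name__ == "__main__":
    result = collect(steps_for_platform(), make_evidence_dir())
    print(f"{len(result['steps'])} steps recorded in {result['dir']}")
    print("manifest verifies:", verify(result["dir"]) == [])
```

Run it with no arguments on the host being surveyed; the manifest's per-step hashes are what the handler compares (verify()) when the evidence directory is copied off the box or handed to another team member. Tools that are not installed show up as status "missing" in the manifest, which is itself worth recording: a responder should know which checks were never made.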
Validate a person: fred smith “@company.com”; fred smith + email (or) email address; fred smith + linkedin; fred smith site:linkedin.com
Restrict use to a specific file suffix: filetype: / ext:
Find metadata about a URL: info:URL
Find web pages with specific terms in the title: intitle:
Restrict results to a word in the URL: inurl:
Find pages that point to a specific URL: link:
Restrict results to that particular domain: site:
Source: Blue Team Handbook: Incident Response Edition
[Book covers: The Red Team Field Manual, by Ben Clark; The Blue Team Field Manual, by Ben Clark & Alan J White; Blue Team Handbook, by Don Murdoch]
Containment
[Phase diagram: Containment highlighted; Preparation, Identification, Eradication, Recovery, Lessons Learned]
• Patch Management (PDQ Deploy)
• Communicate & Train
• Document
• Chain of Custody
OBSERVE   DECIDE
• Threat Intelligence (Cisco Talos)
• IOCs
• Notes
• IRP
• Playbook(s)
• Policies
• Forensics
• Identify impacted system(s)
• Isolate
• Patch
• Communicate & Train
• Document
ORIENT   ACT
• Malware Analysis (REMnux)
• Forensics
  – SANS SIFT
  – Google GRR
  – VirusTotal, app.any.run
Eradication
[Phase diagram: Eradication highlighted; Preparation, Identification, Containment, Recovery, Lessons Learned]
• Forensics / Live Disk (Kali Live USB)
• AV (ClamAV / Barkly)
OBSERVE   DECIDE
• Notes
• Asset Inventory (Open-AudIT)
• Notes
• IRP & Policies
• Playbook
• Email/Teleconference
• Eliminate the Root Cause
• Stabilize Environment for Recovery
• “Do No Harm”
ORIENT   ACT
• Logs (Kiwi)
• ‘Risk Register’
Recovery
[Phase diagram: Recovery highlighted; Preparation, Identification, Containment, Eradication, Lessons Learned]
• Data Recovery (Unitrends)
• Restore System(s)
OBSERVE   DECIDE
• Checklists
• BIA
• BCP
• DRP
• Notes
• DRP
• BCP
• Restore Data
• Reestablish Systems
• Return to Normal Operations
ORIENT   ACT
• DRP
• BCP
Lessons Learned
[Phase diagram: Lessons Learned highlighted; Preparation, Identification, Containment, Eradication, Recovery]
• Revise IR Plan
• Update IOCs
• New tools?
• Risk Assessment
OBSERVE   DECIDE
• Notes
• Logs
• Meeting Minutes
• Consolidate Notes
• Identify Errors, Oversights, & Inefficiencies
• Improve the Process
• Reduce Risk
ORIENT   ACT
• Lessons Learned Meetings
• Software (CornerThought, LessonFlow)
• There is not always a clear line between an event & an incident
• Use Checklists!
• References Help
• CLI … not cyber sexy, but really effective
Summary: IR phases × OODA steps (activities)
Columns: Preparation | Identification | Containment | Eradication | Recovery | Lessons Learned
OBSERVE
  Preparation: Asset Inventory; BIA; Risk Assessment; Select IRT Team
  Identification: IPS, IDS, SIEM, UBA; Anti-Virus (+NGAV); Log / Vuln Analysis; Honeypot
  Containment: IOCs; Threat Intelligence
  Eradication: Notes; Asset Inventory
  Recovery: Checklists; BIA; BCP; DRP
  Lessons Learned: Hard copy notes; Logs
ORIENT
  Preparation: Training/Books; Tabletops; Checklists; Ticketing
  Identification: Asset Inventory; Threat Intelligence; IOCs / News; Chg/Cfg Mgmt
  Containment: Forensics; ID Devices
  Eradication: IOCs; Logs; Risk Register
  Recovery: DRP; BCP
  Lessons Learned: LL meetings
DECIDE
  Preparation: IR Plan; Jump Bag
  Identification: IRP; Notes (hard & soft); Hot Washes
  Containment: Patch Mgmt; Comm & Train; Block IP / Sinkhole; Chain of Custody
  Eradication: Kali Live Disk; AV/NGAV
  Recovery: Data Recovery; Restore System(s)
  Lessons Learned: Revise IR Plan; Update IOCs; New tools?; Risk Assessment
ACT (cells in extraction order)
  Policies; Use Cases; Email accounts; Teleconference
  IRP / Playbook(s); Policies
  BIA; DRP; Meeting Minutes
  Email / Teleconference
  Hard Copy Notes; IRP; Playbook
  Triage; Categorization; Create Ticket
Summary: IR phases × OODA steps (tools)
Columns: Preparation | Identification | Containment | Eradication | Recovery | Lessons Learned
OBSERVE
  Preparation: IRP; Open-AudIT
  Identification: Security Onion; Nagios Core; Kiwi; Honeyd
  Containment: REMnux; SANS SIFT; VirusTotal; app.any.run
  Eradication: Open-AudIT; Risk Register
  Recovery: Checklists; BIA; BCP; DRP
  Lessons Learned: Hard copy notes; Logs
ORIENT
  Preparation / Identification: The Hive Project; Cisco Talos; Maltego / Burp; Wireshark; MX Toolbox
  Containment: IOCs; Playbook
  Eradication: IOCs; Logs
  Recovery: DRP; BCP
  Lessons Learned: LL meetings
DECIDE
  Preparation: Jump Bag; Checklists
  Identification: IRP; Notes (hard & electronic)
  Containment: PDQ Deploy; Comm & Train; Cisco OpenDNS; Sinkhole
  Eradication: Clam AV / Barkly; Kali Live Disk
  Recovery: Unitrends; Acronis
  Lessons Learned: Revise IR Plan; Update IOCs; New tools?
ACT (cells in extraction order)
  ProtonMail; WhatsApp; Zoom
  IRP; Playbook
  BIA; DRP
  Meeting Minutes
  Notes; Logs
  The Hive Project; Gmail; Zoom
6 Phases In The Incident Response Plan, David Ellis. https://www.securitymetrics.com/blog/6-phases-incident-response-plan
Awesome Incident Response Tools, awesome-incident-response GitHub repository. https://github.com/meirwah/awesome-incident-response
Best Incident Response Software, https://www.g2.com/categories/incident-response
Critical Log Review Checklist for Security Incidents, L. Zeltser & Dr. A. Chuvakin. https://zeltser.com/security-incident-log-review-checklist/
Good Practice Guide for Incident Management, ENISA. https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management
Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, NIST 800-84. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf
John Boyd (Wikipedia). https://en.wikipedia.org/wiki/John Boyd (military strategist)
Incident Handling Annual Testing and Training, Kurtis Holland (SANS). https://www.sans.org/reading-room/whitepapers/incident/incident-handling-annual-testing-training-34565
Insider’s Guide to Incident Response, AT&T / AlienVault. https://www.alienvault.com/resource-center/ebook/insider-guide-to-incident-response
Meet ‘Bro’: The Best Kept Secret in Network Security, Greg Bell, July 14, 2018. https://www.darkreading.com/operations/meet-bro-the-best-kept-secret-of-network-security/a/d-id/1332028
Popular Computer Forensics Top 21 Tools, Infosec Institute. https://resources.infosecinstitute.com/computer-forensics-tools
Power to the Edge, Alberts and Hayes, 2003. http://www.dodccrp.org/files/Alberts Power.pdf
The Beginner’s Guide to Open Source Incident Response Tools and Resources, James Fritz, Feb 21, 2017. https://www.alienvault.com/blogs/security-essentials/beginners-guide-to-open-source-incident-response-tools-and-resources
The OODA Loop (Wikipedia). https://en.wikipedia.org/wiki/OODA loop
The Incident Handler’s Handbook, Patrick Kral, 2012. https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
Tips for Starting an Incident Response Team, Lenny Zeltser. https://zeltser.com/security-incident-response-program-tips/
Top 20 Free Digital Forensic Investigation Tools for SysAdmins, Andrew Tabona, Jul 20, 2018. https://techtalk.gfi.com/top-20-free-digital-forensic-investigation-tools-for-sysadmins/
Conversant Group Incident Response
https://www.conversantgroup.com/security/IR/
PREPARATION
IR Plans
NIST Computer Security Incident Handling Guide, SP 800-61r2, https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Computer Security Incident Handling Guide (NIST 800-61), https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Good Practice Guide for Incident Management, https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management
Insider’s Guide to Incident Response, https://www.alienvault.com/resource-center/ebook/insider-guide-to-incident-response
The Incident Handler’s Handbook, https://www.sans.org/reading-room/whitepapers/incident/incident-handlers-handbook-33901
Tips for Starting an Incident Response Team, https://zeltser.com/security-incident-response-program-tips/
Asset Management
Creator, https://www.zoho.com/creator/apps/it-asset-tracker.html
Open-AudIT, https://www.open-audit.org/
PDQ Inventory, https://www.pdq.com
Spiceworks https://www.spiceworks.com/free-asset-management-software/
SysAid, https://www.capterra.com/p/107225/SysAid/
PREPARATION
Out-of-Band Communications
Secure Email
CounterMail, https://countermail.com/
Hushmail, https://www.hushmail.com/
ProtonMail, https://protonmail.com/
Mailfence, https://mailfence.com/
Teleconferencing
Google Hangouts, https://hangouts.google.com/
Zoom, https://zoom.us
Uber Conference, https://www.uberconference.com/
Texting
WhatsApp
Line
Viber
Signal
PREPARATION
Ticketing
The Hive Project ,https://thehive-project.org/
Snipe-IT, https://snipeitapp.com/
Spiceworks, https://www.spiceworks.com/free-asset-management-software/
Use Cases
2018 Popular SIEM Starter Use Cases, https://securityboulevard.com/2018/07/2018-popular-siem-starter-use-cases/
Targeted SOC Use Cases for Effective Incident Detection and Response, https://digital-forensics.sans.org/media/Targeted-SOC-Use-Cases-for-effective-Incident-Detection-and-Response-Angelo-Perniola-David-Gray.pdf
Top 10 SIEM Use Cases to Implement, https://www.logpoint.com/en/understand/top-10-use-cases-implement/
Top 6 SIEM Use Cases, https://resources.infosecinstitute.com/top-6-seim-use-cases/
PREPARATION
Testing
Incident Handling Annual Testing and Training, https://www.sans.org/reading-room/whitepapers/incident/incident-handling-annual-testing-training-34565
Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities, NIST 800-84. https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf
Training
National Cybersecurity Awareness Month (NCSAM)
Stay Safe Online, https://staysafeonline.org/ncsam/
DHS, https://www.dhs.gov/publication/national-cyber-security-awareness-month-resources
Cybrary, https://www.cybrary.it/
ICS CERT Virtual Learning, https://ics-cert-training.inl.gov/learn
SANS Cyber Aces, https://www.cyberaces.org/
TED Talks, https://www.springboard.com/blog/12-must-watch-cybersecurity-ted-talks/
Open Security Training, http://opensecuritytraining.info/Training.html
Open Cyber Challenge Platform, https://opencyberchallenge.net/
PREPARATION
Checklists
Incident Response Jumpkit Checklist
Critical Log Review Checklist for Security Incidents
Cheat Sheets
DDOS incident cheat sheet
Security-incident-questionnaire-cheat-sheet
Security-incident-survey-cheat-sheet
Forms
Incident Response Reporting Form
IR Chain of Evidence
IDENTIFICATION
Threat Intelligence
Hslatman’s Github: A curated list of Awesome Threat Intelligence Resources, https://github.com/hslatman/awesome-threat-intelligence
Cisco Talos, https://www.talosintelligence.com/
HoneyDB, https://riskdiscovery.com/honeydb/
Malware Domains, http://www.malwaredomains.com/
Talos Aspis, https://www.talosintelligence.com/aspis/
Threatfeeds.io, https://threatfeeds.io
Honeypots
GitHub list of Honeypots, https://github.com/paralax/awesome-honeypots
Honeyd, http://www.honeyd.org/
Valhala https://sourceforge.net/projects/valhalahoneypot/
HoneyTrap https://github.com/honeytrap/honeytrap
IDENTIFICATION
SIEM
Google Chronicle, https://chronicle.security/
Open Source SIEM, https://www.alienvault.com/products/ossim
OSSEC, https://ossec.github.io/
Suricata, https://suricata-ids.org/
Security Onion, https://securityonion.net/
SNORT, https://www.snort.org/
Notebooks
Post-It Easel Pads, (~$30)
Rocketbook Everlast Reusable Smart Notebook, (~$30)
[Images: Rocketbook page before and after processing (actual raw and processed images)]
Network Monitoring
Cacti, https://www.cacti.net/index.php
Icinga 2, https://icinga.com/products/icinga-2/
Nagios Core, https://www.nagios.org/projects/nagios-core/
Prometheus, https://prometheus.io/
Logs
Critical Log Review Checklist for Security Incidents, https://zeltser.com/security-incident-log-review-checklist/
Fluentd, https://www.fluentd.org/
Graylog, https://github.com/Graylog2/graylog2-server
LOGalyze, http://www.logalyze.com/
Logstash, https://www.elastic.co/products/logstash
LogWatch, https://logpacker.com/
Kiwi Syslog ($), https://www.solarwinds.com/kiwi-syslog-server
NTP
Google Public NTP, https://developers.google.com/time/
NIST Internet Time Servers, https://tf.nist.gov/tf-cgi/servers.cgi
NTP Pool Project, https://www.pool.ntp.org/zone/us
Time Tools, https://timetoolsltd.com/information/public-ntp-server/
US Navy NTP Network Time Servers, https://tycho.usno.navy.mil/NTP/
Vulnerability Scanner
Burp Suite (Community Edition), https://portswigger.net/burp/communitydownload
Nessus (Community), http://repository.slacky.eu/slackware-12.1/network/nessus/2.2.11/
OpenVAS, www.openvas.org/ (+ Seccubus, https://www.seccubus.com/)
OWASP ZAP, https://www.owasp.org/index.php/OWASP Zed Attack Proxy Project
Forensics
CentralOps, https://centralops.net/co/
Google, https://google.com
Google GRR, https://grr-doc.readthedocs.io/en/v3.3.0/index.html
HPING, www.hping.org/
Maltego Classic, https://www.paterva.com/web7/buy/maltego-clients/maltego.php
MXBox Tools, https://mxtoolbox.com/NetworkTools.aspx
Masscan, https://github.com/robertdavidgraham/masscan
Nmap, https://nmap.org/
Open Source Intelligence (OSINT) Framework; https://osintframework.com/
SHODAN, https://www.shodan.io/
VirusTotal, virustotal.com; How to Generate MD5Sum Hash and Submit to VirusTotal, https://youtu.be/yNjyQ00-EfQ
Wireshark, https://www.wireshark.org/
Playbooks
How to build an incident response playbook, S. Williams-Shaw, Swimlane. https://swimlane.com/blog/incident-response-playbook/
The Société Générale Incident Response Methodologies, https://github.com/certsocietegenerale/IRM/tree/master/EN
Incident Response Consortium, https://www.incidentresponse.com/playbooks/
MITRE Cyber Exercise Playbook, https://www.mitre.org/sites/default/files/publications/pr 14-3929-cyber-exercise-playbook.pdf
CLI
ENISA Good Practice Guide, https://www.enisa.europa.eu/publications/good-practice-guide-for-incident-management (p. 68)
Command Line for Windows Forensics, https://resources.infosecinstitute.com/commandline-malware-and-forensics/
VM
Virtual Box, https://www.virtualbox.org/
VMware Workstation Player, https://www.vmware.com/products/workstation-player.htm
Forensics
App.any.run, https://app.any.run/
CAINE http://www.caine-live.net/
Cuckoo Sandbox, https://cuckoosandbox.org/
Fireeye Flare https://www.fireeye.com/blog/threat-research/2017/07/flare-vm-the-windows-malware.html
FTK Disk Imager Lite, https://accessdata.com/product-download/ftk-imager-lite-version-3.1.1
Ghidra, https://www.nsa.gov/resources/everyone/ghidra/
Hybrid Analysis, https://www.hybrid-analysis.com/
Mandiant Redline, https://www.fireeye.com/services/freeware/redline.html
Open Computer Forensics Architecture http://sourceforge.net/projects/ocfa/
REMnux, https://remnux.org/; How to Dynamically Analyze Files Using Munin, https://youtu.be/2WyPK0RXGHE
SANS SIFT https://digital-forensics.sans.org/community/downloads/
The Sleuth Kit http://www.sleuthkit.org/; (+ Autopsy GUI) https://www.sleuthkit.org/autopsy/
Windows Forensic Toolchest ($), http://www.foolmoon.net/security/wft/
Working Group on Digital Evidence, https://swgde.org/
Patch Management
ConnectWise Automate (Formerly LabTech [$$]), http://www.labtechsoftware.com/
PDQ Deploy ($), https://www.pdq.com
DNS Sinkholes
Brakmic Malware Sinkhole List in github; https://github.com/brakmic/Sinkholes
Bootable ISOs (USB or DVD)
Bitdefender, http://download.bitdefender.com/rescue cd/latest/
GMER, http://www.gmer.net/
Kali Linux Live, https://docs.kali.org/downloading/kali-linux-live-usb-install
Trend Micro RescueDisk, https://www.trendmicro.com/en us/forHome/products/free-tools/rescue-disk.html
Anti-Virus
Armadito Antivirus, https://armadito.com/
Avast Free Antivirus, https://www.tomsguide.com/us/avast-free-antivirus,review-2208.html
Barkly (AlertLogic [$$]), https://www.alertlogic.com/
Bitdefender Antivirus Free Edition, https://www.tomsguide.com/us/bitdefender-antivirus-free,review-3523.html
ClamAV, https://www.clamav.net/
ClamWin, http://www.clamwin.com/
Microsoft Windows Defender, https://support.microsoft.com/en-us/help/14210/security-essentials-download
Open Antivirus Project, http://www.openantivirus.org/index.php
Business Impact Analysis
https://www.ready.gov/business-impact-analysis
Disaster Recovery Plan
https://www.ready.gov/business/implementation/IT
https://blogs.technet.microsoft.com/mspfe/2012/03/08/a-microsoft-word-document-template-for-disaster-recovery-planning/
https://education.alberta.ca/media/3272748/3-it-disaster-recovery-workbook-and-template.docx
https://www.cisco.com/en/US/technologies/collateral/tk869/tk769/white paper c11-453495.pdf
Business Continuity Plan
https://www.ready.gov/business/implementation/continuity
https://mema.maryland.gov/Documents/FEMA Small Business Continuity Plan Template.docx
https://www.bdc.ca/en/articles-tools/entrepreneur-toolkit/templates-business-guides/pages/business-continuity-guide-templates-entrepreneurs.aspx
Data Backup & Recovery
Acronis (BMR ($$)), https://www.acronis.com
BorgBackup, https://www.borgbackup.org/
UrBackup, https://www.urbackup.org/
Unitrends ($$$), https://www.unitrends.com/
Veeam, https://www.veeam.com/
6 Phases In The Incident Response Plan, David Ellis.https://www.securitymetrics.com/blog/6-phases-incident-response-plan
CornerThought ($?), https://www.lessonslearnedsolutions.com/
LessonFlow ($?), https://www.lessonslearnedsolutions.com/
Blue Team Handbook: Incident Response Edition: A condensed field guide for the Cyber Security Incident Responder., Don Murdoch. ISBN: 978-1500734756
Blue Team Handbook: SOC, SIEM, and Threat Hunting (V1.02): A Condensed Guide for the Security Operations Team and Threat Hunter, Don Murdoch. ISBN: 978-1091493896
The Blue Team Field Manual, Ben Clark & Alan J White. ISBN: 978-1541016361
The Checklist Manifesto, Atul Gawande. ISBN: 978-0312430009
The Red Team Field Manual, Ben Clark. ISBN: 978-1494295509
Computer Incident Response and Forensics Team Management, Leighton Johnson. ISBN: 978-1597499965
Crafting the InfoSec Playbook, Brandon Enright, Jeff Bollinger, and Matthew Valites. ISBN: 978-1491949405
Cybersecurity Incident Response, Eric C. Thompson. ISBN: 978-1484238691
Intelligence-Driven Incident Response, Scott J. Roberts. ISBN: 978-1491934944
Security Operations Center - SIEM Use Cases and Cyber Threat Intelligence, Arun E. Thomas. ISBN: 978-1986862011
The Practice of Network Security Monitoring, Richard Bejtlich. ISBN: 978-1593275099
Cybersecurity Canon, https://cybercanon.paloaltonetworks.com/
❑ Create your own IR Plan (BIA?)
❑ Setup alternate emails
❑ Setup alternate teleconference line
❑ Identify Key Firm Stakeholders
❑ Start Developing Use Cases
❑ Start Building your Jumpkit
❑ Find a Partner & Augment your Team
• Scheduled CSIRT Training
• Specific IR skill training
• Learn the RIGHT Tools
• Get the Right People on the Bus
• Develop IR Policies
• Continue to Build Skills
• Continuous Improvement
• The OODA Loop (Processing Adversary & Situation)
• The IR Process (Processes & Tools)
• Sources & Resources (Where You Go)
• Key Takeaways (Things You Should Be Doing)
sceniccitysummit.com/feedback