Automating incident response: scalable & fast, within minutes
02-14, 17:00–18:00 (Europe/Amsterdam), Mission Critical Room (Rembrandt)

In today's rapidly evolving digital landscape, the increasing frequency and scale of security incidents pose significant challenges for incident response teams. The traditional approach, rooted in digital forensics, is no longer sufficient, nor is it efficient enough. It's time for a shift towards an automated incident response strategy that combines the investigative prowess of a digital detective with a DevOps mindset.

In this talk, we will present how the incident response process of acquiring data, processing data, and analyzing information can be automated, based on how we have built our incident response lab using open-source software packages developed by Microsoft (AVML), Google (Timesketch, WinPmem), Rapid7 (Velociraptor), Fox-IT (Dissect), Elastic, KROLL (KAPE) and HashiCorp (Terraform, Vault). We will guide you from using these tools manually to using them automatically and magically. Well, not really magically, but we will emphasise the application of a DevOps mindset to the process that most incident responders, ourselves included, execute on a daily basis, combined with examples that can be put into practice.


In today's rapidly evolving digital landscape, the increasing frequency and scale of security incidents pose significant challenges for incident response teams. The traditional approach, rooted in the digital forensics perspective, is no longer sufficient. It's time for a shift towards an automated incident response strategy that combines the investigative prowess of a digital detective with a DevOps mindset.

In this talk, we will present how the incident response process of acquiring data, processing data, and analyzing information can be automated. We will guide you from using tools manually to using these tools automatically and magically. Well, not really magically, but we will emphasize the application of a DevOps mindset to the process that most incident responders, ourselves included, execute on a daily basis, combined with examples that can be put into practice.
An example of this is that the knowledge of an incident responder should feed into repeatable methods and should not stay in the mind of the best incident responder in the team. By using feedback loops, the knowledge gained during a case can be transformed into methods that can be reused during new cases.

In setting up our incident response service, we had the benefit that we could start from scratch, without any legacy, in a cloud-native world and with a significant number of lessons learned in the past. With that, we have built an innovative incident response lab using open-source software packages developed by Microsoft, Google, Rapid7, Fox-IT, Elastic, KROLL and HashiCorp. By using Infrastructure as Code (IaC) we can automatically provision the lab on the Google Cloud Platform, acquire and process data, and perform analysis using various methods within two hours, without the intervention of an incident responder.

We still need humans, but they should focus on the creative and research part of an incident response case. Besides that, there is no silver bullet: humans cannot fully trust the automated analysis. This is where the investigative prowess of a digital detective comes into play, ensuring the validation of results and the reproducibility of findings throughout the entire incident response process, from data acquisition to analysis of information.
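
The three ideas above (an acquire, process, analyse pipeline that runs without an analyst; findings fed back into reusable methods; every step reproducible so a human can validate it) can be sketched in code. The following is an added example written for this page, not code from the speakers or from any of the tools named above. The acquisition stage is an in-memory stand-in for a real acquisition tool, the pipe-separated record format and the three-line sample timeline are constructed for the example, and the rule-as-data format is an assumption.

```python
"""Added example: a minimal automated DFIR pipeline with a provenance manifest
and codified analyst knowledge. Not the speakers' code; sample data is constructed."""
import hashlib
import json
import re
from datetime import datetime

# Constructed stand-in for acquired-and-normalised host artefacts:
# one record per line as "timestamp|host|source|message".
SAMPLE_RAW = b"""\
2024-01-10T08:01:00Z|ws01|evtx|4624 logon user=alice type=10
2024-01-10T08:03:12Z|ws01|prefetch|executed C:\\Users\\alice\\AppData\\Local\\Temp\\x.exe
2024-01-10T08:03:40Z|ws01|evtx|7045 service installed name=updsvc
"""

# Codified analyst knowledge: rules are data, so they live in version control,
# are reviewed like code and are applied identically to every new case.
DEFAULT_RULES = [
    {"name": "exec-from-temp", "field": "message",
     "pattern": r"executed .*\\Temp\\", "tag": "suspicious-execution"},
]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def acquire(raw: bytes, manifest: list) -> bytes:
    """Stand-in for acquisition; the real tool would return an image or collection.
    The evidence hash recorded here is what every later stage is checked against."""
    manifest.append({"stage": "acquire", "input": None, "output": sha256_hex(raw)})
    return raw


def process(raw: bytes, manifest: list) -> list:
    """Parse the raw records into a normalised timeline sorted by timestamp."""
    events = []
    for line in raw.decode().splitlines():
        if not line.strip():
            continue
        ts, host, source, message = line.split("|", 3)
        datetime.fromisoformat(ts.replace("Z", "+00:00"))  # reject malformed timestamps early
        events.append({"ts": ts, "host": host, "source": source, "message": message})
    events.sort(key=lambda e: e["ts"])
    manifest.append({"stage": "process", "input": sha256_hex(raw),
                     "output": sha256_hex(canonical(events))})
    return events


def analyse(events: list, rules: list, manifest: list) -> list:
    """Apply every rule to every event; the rule set's hash is recorded so a reviewer
    can tell which version of the team's knowledge produced the hits."""
    hits = []
    for event in events:
        for rule in rules:
            if re.search(rule["pattern"], event[rule["field"]]):
                hits.append({**event, "tag": rule["tag"], "rule": rule["name"]})
    manifest.append({"stage": "analyse", "input": sha256_hex(canonical(events)),
                     "rules": sha256_hex(canonical(rules)),
                     "output": sha256_hex(canonical(hits))})
    return hits


def run_pipeline(raw: bytes, rules: list) -> dict:
    """Acquire -> process -> analyse with no analyst in the loop.
    Returns the hits plus the manifest needed to reproduce and validate them."""
    manifest = []
    evidence = acquire(raw, manifest)
    events = process(evidence, manifest)
    hits = analyse(events, rules, manifest)
    return {"hits": hits, "manifest": manifest}


def codify_finding(rules: list, finding: dict, name: str, pattern: str, tag: str) -> list:
    """Feedback loop: turn something an analyst found by hand into a rule for future cases.
    A rule that does not reproduce the finding it came from is rejected, and names are unique."""
    if not re.search(pattern, finding["message"]):
        raise ValueError(f"rule {name!r} does not match the finding it was derived from")
    if any(r["name"] == name for r in rules):
        raise ValueError(f"rule {name!r} already exists")
    return rules + [{"name": name, "field": "message", "pattern": pattern, "tag": tag}]


if __name__ == "__main__":
    print(json.dumps(run_pipeline(SAMPLE_RAW, DEFAULT_RULES), indent=2))
```

Running the pipeline twice on the same evidence yields byte-identical manifests, which is what lets a second responder confirm that a finding was not an artefact of a changed tool or rule set. The service-installation event is deliberately not caught by the default rules: an analyst who spots it by hand codifies it with `codify_finding`, and from then on the next case gets that check for free.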

References

https://hackernoon.com/the-devops-mindset-a-step-by-step-plan-to-implement-devops-s03p35rr

https://nluug.nl/bestanden/presentaties/2022-11-29-francisco-dominguez-en-zawadi-done-automating-incident-response-should-be-the-default.pdf

https://zawadidone.nl/automating-dfir-using-cloud-services/

https://www.huntandhackett.com/blog/scalable-forensics-timeline-analysis-using-dissect-and-timesketch


Language

English

Zawadi Done is an Incident Responder at Hunt & Hackett. He has worked in the Cyber Security industry for six years in various roles as cyber security consultant, DevOps engineer and developer.

Mattijs is a problem solver. He has been working in the Cyber Security industry for almost a decade as an OSINT analyst, forensic analyst and incident handler. He uses his experience to keep on innovating and improving the way incident response is executed.