Digital Forensics & Incident Response (DFIR)
W. Owen Redwood, Ph.D.
Offensive Computer Security 2.0
http://hackallthethings.com/
Outline
Part I
● Understanding Incidents & Incident Response
○ Indicators of Compromise
● DFIR Toolkit
Part II
● Volatility Demo
○ Volatility
○ IDA
○ Yara rule writing
What is an Incident?
● Refers to a security breach or attack
○ DoS
○ Data leaks
■ Confidential data
■ PII (personally identifiable information)
■ IP (intellectual property)
■ Secret / classified data
○ Sabotage
■ Data corruption
■ System damage
○ Malware
What is Incident Response?
Incident Response:
● Is an organized approach to addressing and remediating the aftermath of a security breach / attack.
The Goal(s):
● To limit the damage of the incident
● To limit the recovery time
● To limit the costs incurred by the incident
Common Challenges:
● Budgets, resources, limited personnel
● Bureaucracy; shareholders and stakeholders
Incident Responder Roles
The following roles must be part of an effective IR team:
Incident Coordinator
○ Keeps track of everything, manages expectations, understands the bureaucracy, understands laws and regulations
Incident Manager
○ Someone with strong social skills who knows the bosses and the SMEs
Incident Responders
○ Capable, well-informed, and technically skilled
Subject Matter Experts (SMEs)
○ Often consultants (IR team budgets usually cannot afford full-time SMEs)
Zeus (Ultimate Authority)
○ You need someone who can move bureaucratic mountains and oceans; this may be an executive or stakeholder
"Why, you ask? Because we just got hacked, so do what I say, or else."
Balance between responsibility and authority is key