Category:C21 Incident response

From ICO wiki

Introduction

Within the C21 Incident response course, we take a wide look at threats targeting the modern enterprise in general and at the ways responding to those threats takes place in real-life scenarios. It is important to mention that we will mostly focus on the practical and applied aspects of incident response, rather than on governance or policy aspects. Thus, we will approach these topics from the perspective of a SOC operations or system operations engineer/engineering lead, looking at them through the prism of the person responsible for actual mitigation, as opposed to the policymaker's view of the topic. While policymaking issues will be covered and touched on during this course, the practical and applied aspects remain the focus here, for both lectures and hands-on training classes.

We will start with an overview of the current threat landscape, regional specifics and the classification of threats targeting the modern enterprise. From there, we will move on to the detection and discovery mechanisms, both technical and administrative, used to detect a threat. We will go through the most common detection and discovery tools in use, and review the channels that provide detection and initial discovery information. From that point, we will switch to tactics, and the tactical approach to responding to each threat classification: passing quickly over conventional threat vectors and eventually concentrating most of the focus on APT response in particular. During the tactics session we will cover evidence preservation, root-cause and intrusion-path discovery, and mitigation strategies. After covering the technical and tactical aspects, we will finish with the communications part, which may sound non-technical but plays a crucial, if not the most important, role in incident response. While communication may seem to be more of a front-office, communications-office business, it is important to understand that in pretty much any real-life incident response scenario, communication is the key to success or failure, no matter how good or bad the technical effort is.

The course will be divided into 4-5 lecture sessions, depending on the speed and progress we make while covering the topics mentioned above. For the hands-on part, the class will be divided into working groups simulating a real enterprise staff structure (communications department, SOC, system engineering, monitoring, C-level management), the blue team, and offensive intruders, the red team. Amazon EC2 based infrastructure will be provided by the instructor. The blue team will be required to build up a near real-life infrastructure, while the red team will be constantly attacking this infrastructure, with eventual success. As is common in regular penetration testing trainings, the teams will not be aware of each other's actions, and the enterprise team will follow a near-normal enterprise operating schedule. The instructor will assist each team in their activities and in achieving their goal. Eventually, the blue team will be required to detect and actively respond to the threat provided by the red team, while the latter will be required to actively respond to the mitigation efforts. The hands-on training part will take place throughout the entire course starting from Lecture 2, and will finish with a round table, where all parties, including the instructor, will sit down to retrospect on the training and discuss the results: what went wrong and what went right.

It is important to note that, due to the lack of classical, or so to say conventional, approaches to the topic, this course is more about common sense and obtaining the essential tactical understanding than it is about anything else.
Ideally, by the end of this course a student:
a) Understands well how a big, multinational organization works from the SOC and system engineering points of view.
b) Knows and understands the general picture of the threat landscape targeting the common enterprise nowadays.
c) Knows and understands the action sequence and action plans for intrusion response.
d) Is familiar with common communication guidelines and action policies in case of intrusion.
e) Most importantly: in a real-life situation, when an intrusion happens on premises under the student's responsibility, the student knows the actions that need to be undertaken, does not get lost or panic, and is capable of acting fast and smart in the situation, effectively communicating and collaborating with the parties capable of assisting him/her.

The course is intended to provide the necessary basic input for the following three semester courses:
- Logging and monitoring
- Evidence gathering and analysis
- Reverse engineering

Lectures plan

March 3, 2017 - 16:00 - 17:30 Course and lecturer introduction. Getting to know each other.
March 3, 2017 - 18:00 - 19:30 Common threat landscape. Estonia and the world. Attack classifications. APT.
March 10, 2017 - 16:00 - 17:30 Hands-on session arrangements. Dividing into teams and initial briefing.
March 10, 2017 - 18:00 - 19:30 Monitoring, detection and discovery scenarios. Sources. Initial actions.
March 17, 2017 - 16:00 - 19:30 Monitoring, detection and discovery scenarios. Sources. Initial actions. Part 2.
March 24, 2017 - 16:00 - 19:30 Response coordination by threat classes. Common threat classes.
March 31, 2017 - 16:00 - 19:30 Response coordination - APT.
NB! No lecture on April 7!
April 14, 2017 - 16:00 - 19:30 Communications.
