DeepSec 2018 Talk: Leveraging Endpoints to Boost Incident Response Capabilities – Francisco Galian, Mauro Silva
Sanna/ October 5, 2018/ Conference, Security
The information technology world is full of terms and acronyms. You got servers, nodes, clients, workstations, mobile devices, lots of stuff talking via the network to even more stuff. And then you got security breaches. How do you detect the latter? Well, you look for things out of the ordinary. Error messages, anomalies in behaviour, activity outside the usual time slots as system is being used, and the like. What’s the best place to look? Answer: The systems directly in touch with all the interactions attackers are interested in – endpoints.
Most organisations fail to properly detect or even respond to incidents. A factor that significantly contributes to this fact is the lack of visibility on endpoints. That being said, endpoint logging can be very noisy and most organizations don’t have infrastructure to cope with the volume. The aim of this talk is to help blue teams understand which logs give you the most benefit for the least investment. That will help improve detection mechanisms while also helping to trace back any breach, thus, improving incident response.
In order to achieve this we built a lab that represents a common Windows based business. We then reproduced some common attacks and techniques that we have worked on, from Threat Financial groups to Advanced Persistent Threats (APTs), and investigated the logs generated from it to analyse what the best indicators were.
Francisco Galian, SME on Incident Response & Digital Forensics. Leading the response during security incidents, compromised networks and data breaches. Helping customers in a proactive way by providing trainings, table top exercises and active threat assessments.
Previous roles include assessing security on a Critical National Infrastructure, consultancy and being main developer of Threat Intel solutions like malware sandboxes.
Mauro Silva’s interests can be summarized by two words: challenges and scripting. He loves challenges, and scripts every repetitive task he can.
In his current position he leads a team responsible for threat hunting within a telco environment. He has also developed a training program for it that includes simulation of incidents and puts the team into several roles present in order to enable it to understand the nuances of an incident. That includes red teaming (aka pentesting).
In his past positions he has focused mainly on Incident Response and Forensic Investigations. He was also involved in the development of a Threat Intel gathering tool called IntelMQ. Mauro always tries to streamline his team’s work by automating everything that can be automated. He’d also represented his previous employers at several conferences and led a nation wide cybersecurity exercise.