Video Converter
Audio Converter
Image Converter
PDF Converter
File Compressor
clearing the brush lessons learned in gutting a cirt and

Clearing the Brush: Lessons Learned in Gutting a CIRT and Rebuilding - PowerPoint PPT Presentation

Jan 22, 2023 •30 likes •412 views

Clearing the Brush: Lessons Learned in Gutting a CIRT and Rebuilding with Free Tools Mike La Pilla Slide Warning These are draft slides, not the ones presented Most images have been removed from draft If you are reading these you

  1. Clearing the Brush: Lessons Learned in Gutting a CIRT and Rebuilding with Free Tools Mike La Pilla

  2. Slide Warning • These are draft slides, not the ones presented • Most images have been removed from draft • If you are reading these you should check the FIRST portal for the latest ones

  3. About This Presentation • Everyone Has Their Own Take • Plenty of Papers on This Subject • Focus on Building 10 Essential Tools/Systems – Preferably without spending money

  4. If You Want Organization and Structure • http://first.org/resources/guides/ – CSIRT Setting up Guide – CERT-in-a-box • http://www.sans.org/reading_room/whitepap ers/incident/ • Also stuff on Auscert, CERT/CC, GFIRST, etc

  5. Past vs Present

  6. Past vs Present

  7. Preparation by Preservation • Picture of frozen hard drive

  8. Preparation by Obliteration • Picture of Bar

  9. Know Your Scope • Areas of Response • Actions Allowed • Contact List

  10. Know Your People

  11. Beware of Certifications

  12. Attack Categories

  13. 10 Systems You Need To Build

  14. 1: Automatic Malware Analysis System • Purpose: Automatically process malware samples • Recommended Features: Fast, Exe and DLL, Memory Dumps

  15. 1: Automatic Malware Analysis System

  16. 1: Automatic Malware Analysis System

  17. 2: Automatic JS Analyzer • Purpose: Unpack/Analyze/Interpret Javascript • Recommended Capabilities: Network replay, live site analysis, copy and paste

  18. 2: Automatic JS Analyzer

  19. 3: Automatic Document Analyzer • Purpose: Analyze non-executable documents • Recommended Capabilities: Exploit matching, decompression, javascript/flash parsing

  20. 3: Automatic Document Analyzer

  21. 4: Document Database • Purpose: Archive documents • Recommended Capabilities: Store name, file properties, metadata, link malware info

  22. 4: Document Database

  23. 5: Malware Repository • Purpose: Store malware • Recommended Capabilities: Search, store properties, link to other systems

  24. 5: Malware Repository

  25. 6: IP and Hostname Tracker • Purpose: Track network information over time • Recommended Capabilities: Passive DNS, active checking, search, ASN, GeoIP

  26. 6: IP and Hostname Tracker

  27. 7: Forensics System/Lab • Purpose: Forensic analzye drives, memory • Recommended Capabilities: Scanning, automation, hashing

  28. 7: Forensics System/Lab

  29. 8: Image Repository • Purpose: Replicate machines in production environment

  30. 8: Image Repository

  31. 9: Tiny Tools Server • Purpose: Collection of scripts and tools that increase efficiency

  32. 9: Tiny Tools Server

  33. 10: Documentation Portal • Purpose: Self-explanatory Recommended Capabilities: Revisions, author tracking

  34. 10: Documentation Portal

  35. Final Workflow Diagram

  36. Questions? • mlapilla@netcentrics.com

  37. References

Recommend

CIRT C ritical I ncident R esponse T eam What is CIRT? CIRT is the Critical Incident Response Team

CIRT C ritical I ncident R esponse T eam What is CIRT? CIRT is the Critical Incident Response Team

CIRT C ritical I ncident R esponse T eam What is CIRT? CIRT is the Critical Incident Response Team and is comprised of a multidisciplinary group of employees who have volunteered to respond when critical incident stress management (CISM)

466 views • 22 slides
UNIVERSITY CLEARING 2020 What is clearing? Clearing is how Universities and colleges fill

UNIVERSITY CLEARING 2020 What is clearing? Clearing is how Universities and colleges fill

UNIVERSITY CLEARING 2020 What is clearing? Clearing is how Universities and colleges fill any places they still have on their courses. On average there are 35,000 courses available through clearing. Clearing opened on the 6 th July

365 views • 8 slides
Lessons Learned Lessons Learned From From Lessons Learned Lessons Learned From From

Lessons Learned Lessons Learned From From Lessons Learned Lessons Learned From From

Protg 2006, July 26th, Stanford I R I S A C 1 R E C Saint-Cyr Lessons Learned Lessons Learned From From Lessons Learned Lessons Learned From From Ontology Ontology Design Design Ontology Ontology Design Design Jean Andr B

375 views • 12 slides
1.- How does clearing work? 1 CCP clearing Actors involved Actions Client An

1.- How does clearing work? 1 CCP clearing Actors involved Actions Client An

1.- How does clearing work? 1 CCP clearing Actors involved Actions Client An undertaking with a Provides Initial Margin (IM) to the contractual relationship with a clearing Client1 Client2 ClientN Clearing Member (CM)

690 views • 19 slides
Client clearing Warsaw, 15.10.2019 01. Client clearing in KDPW_CCP What new regulations are

Client clearing Warsaw, 15.10.2019 01. Client clearing in KDPW_CCP What new regulations are

Client clearing Warsaw, 15.10.2019 01. Client clearing in KDPW_CCP What new regulations are coming to the market? 02. How will the new regulations affect client clearing? 03. Benefits of client clearing for participants What new

457 views • 8 slides
TWO-GANTRY, FIVE-BRUSH MACHINES Objective NET.5 is a 2-gantry, 5-brush machine remarkable

TWO-GANTRY, FIVE-BRUSH MACHINES Objective NET.5 is a 2-gantry, 5-brush machine remarkable

TWO-GANTRY, FIVE-BRUSH MACHINES Objective NET.5 is a 2-gantry, 5-brush machine remarkable because of its high technological content; it was conceived and constructed to develop a brush washing concept unique in its class. New look The

347 views • 18 slides
Professional Clearing Member (PCM) Central Depository Company of Pakistan Professional Clearing

Professional Clearing Member (PCM) Central Depository Company of Pakistan Professional Clearing

Professional Clearing Member (PCM) Central Depository Company of Pakistan Professional Clearing Member (PCM) Background Presently, all Brokers assume the responsibility of clearing and settlement of trades executed on the behalf of their

359 views • 21 slides
Ohio AAP Brush, Book, Bed: Brush (Oral Health) CME Disclaimer I have no personal financial

Ohio AAP Brush, Book, Bed: Brush (Oral Health) CME Disclaimer I have no personal financial

Ohio AAP Brush, Book, Bed: Brush (Oral Health) CME Disclaimer I have no personal financial relationships in any commercial interest related to this CME. I do not plan to reference off label/unapproved uses of drugs or devices. James Duffee,

1.04k views • 31 slides
Cash Equity CCP Oslo Clearing Oslo Clearing Agenda Agenda Value proposition

Cash Equity CCP Oslo Clearing Oslo Clearing Agenda Agenda Value proposition

Cash Equity CCP Oslo Clearing Oslo Clearing Agenda Agenda Value proposition Participants and roles Account structure P Post trade processing t t d i Risk management Time schedule and communication Time

362 views • 35 slides
1. Participation All Clearing Clearing Member KDPW_CCP Members Participation opening or

1. Participation All Clearing Clearing Member KDPW_CCP Members Participation opening or

1. Participation All Clearing Clearing Member KDPW_CCP Members Participation opening or closing request Legal check of the Participation opening or request closing message N.2 SWI N.2 Change of participant Participant status status by

399 views • 15 slides
Central Clearing of OTC derivatives - OTC clearing from a Norwegian perspective Johan Christian

Central Clearing of OTC derivatives - OTC clearing from a Norwegian perspective Johan Christian

Central Clearing of OTC derivatives - OTC clearing from a Norwegian perspective Johan Christian Kongsli Introduction EMIR Implementation in Norway Comparison with current Norwegian regulation Some Norwegian perspectives on

263 views • 23 slides
OVERVI EW OF MTN 015 AND OVERVI EW OF MTN 015 AND LESSONS LEARNED LESSONS LEARNED Peter Mutale

OVERVI EW OF MTN 015 AND OVERVI EW OF MTN 015 AND LESSONS LEARNED LESSONS LEARNED Peter Mutale

OVERVI EW OF MTN 015 AND OVERVI EW OF MTN 015 AND LESSONS LEARNED LESSONS LEARNED Peter Mutale Mutale Peter MTN Study Laboratory Supervisor MTN Study Laboratory Supervisor October 2009 October 2009 A pioneer non-governmental

329 views • 31 slides
3/8/2019 Epidemiology, Risk Factors, and Outcomes of Pediatric PVD: LESSONS learned from the

3/8/2019 Epidemiology, Risk Factors, and Outcomes of Pediatric PVD: LESSONS learned from the

3/8/2019 Epidemiology, Risk Factors, and Outcomes of Pediatric PVD: LESSONS learned from the Spanish Registry: Lessons Learned from the Registries o Is It possible (and worthy) to do a national registry? Lessons learned from the o

1.16k views • 43 slides
OSHA Lessons Learned Adam Fries OSHA Compliance Officer February 13, 2018 OSHA Lessons Learned

OSHA Lessons Learned Adam Fries OSHA Compliance Officer February 13, 2018 OSHA Lessons Learned

OSHA Lessons Learned Adam Fries OSHA Compliance Officer February 13, 2018 OSHA Lessons Learned Jobsite Safety and Health Inspections/Audits better known as; PAPER WORK You hate it, Your safety director requires it, OSHA loves it, Does it

930 views • 35 slides
Lessons Learned A Value Added Product of the Project Life Cycle R Gilman April 19, 2006 Agenda

Lessons Learned A Value Added Product of the Project Life Cycle R Gilman April 19, 2006 Agenda

Lessons Learned A Value Added Product of the Project Life Cycle R Gilman April 19, 2006 Agenda Introduction What are Lessons Learned? Value to the Project Process and Organization Keanes Approach to Lessons Learned Keys to

263 views • 24 slides
Lessons Learned From Sequenced, Integrated Strategies of Economic After Hours Seminar

Lessons Learned From Sequenced, Integrated Strategies of Economic After Hours Seminar

Lessons Learned From Sequenced, Integrated Strategies of Economic Strengthening of the Lessons Learned From Sequenced, Integrated Strategies of Economic Strengthening of the Poorest Poorest March 21, 2012 Lessons Learned From Sequenced,

770 views • 46 slides
Defeat the Disruption of Assessment at a Distance: Too Much Data, Not Enough Time Alejandra

Defeat the Disruption of Assessment at a Distance: Too Much Data, Not Enough Time Alejandra

Defeat the Disruption of Assessment at a Distance: Too Much Data, Not Enough Time Alejandra Zertuche , MBA, MS Founder and CEO Enflux Dr. Annesha White , PharmD, MS, PhD Associate Dean for Assessment & Accreditation University of North

444 views • 14 slides
Yasunori Nomura UC Berkeley; LBNL Particle physics Try to understand fundamental laws in

Yasunori Nomura UC Berkeley; LBNL Particle physics Try to understand fundamental laws in

Yasunori Nomura UC Berkeley; LBNL Particle physics Try to understand fundamental laws in nature Conventional view / focus energy frontier E Quantum gravity / string theory? Fundamental physics Grand unification? New TeV

698 views • 26 slides
THEIR EFFECTIVE PHYSICS Denis Klevers University of Pennsylvania "New Ideas at the

THEIR EFFECTIVE PHYSICS Denis Klevers University of Pennsylvania "New Ideas at the

F-THEORY FLUXES & THEIR EFFECTIVE PHYSICS Denis Klevers University of Pennsylvania "New Ideas at the Interface of Cosmology and String Theory 17 of March, 2012 Based on: T.W. Grimm, M. Poretschkin, D.K.: arXiv:1202.0285

470 views • 21 slides
t

t

t r sttt rt Pss rst

467 views • 15 slides
Prst r t

Prst r t

Prst r t ttr r rs ttrsrrs

471 views • 42 slides
Improving CG-CAHPS in an Academic Medical Center Rick Evans, MA Senior Vice President &

Improving CG-CAHPS in an Academic Medical Center Rick Evans, MA Senior Vice President &

Improving CG-CAHPS in an Academic Medical Center Rick Evans, MA Senior Vice President & Chief Experience Officer Strategies for Improving CAHPS Clinician & Group (CG-CAHPS) Survey Scores A Webcast Presented by the AHRQ CAHPS User

801 views • 10 slides
Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study.

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study.

Implementing RPKI-based origin validation one country at a time. The Ecuadorian case study. IETF 89 LONDRES MARCH 2014 Fabin Meja Why and who? BGP origin validation based on RPKI is in early stages of deployment. It is necessary to

320 views • 13 slides
Interaction Vertex Imaging (IVI) for carbon ion therapy monitoring a feasibility study E. Testa 1

Interaction Vertex Imaging (IVI) for carbon ion therapy monitoring a feasibility study E. Testa 1

Ion range verification Interaction Vertex Imaging principles Simulation tools Results Conclusion and perspectives Interaction Vertex Imaging (IVI) for carbon ion therapy monitoring a feasibility study E. Testa 1 , D. Dauvergne 1 , G. Dedes 1

391 views • 16 slides

More recommend

Explore More Topics

Stay informed with curated content and fresh updates.

animals pets art culture automotive transportation business finance computer internet construction architecture education-career electronics communication

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2026 SAMBUZ, All right reserved.