BLUE TEAM VILLAGE - Automating DFIR: The Counter Future

Video thumbnail (Frame 0) Video thumbnail (Frame 1679) Video thumbnail (Frame 2872) Video thumbnail (Frame 3941) Video thumbnail (Frame 4701) Video thumbnail (Frame 5883) Video thumbnail (Frame 7346) Video thumbnail (Frame 7898) Video thumbnail (Frame 9353) Video thumbnail (Frame 11291) Video thumbnail (Frame 14294) Video thumbnail (Frame 15684) Video thumbnail (Frame 17252) Video thumbnail (Frame 19500) Video thumbnail (Frame 21182) Video thumbnail (Frame 24031) Video thumbnail (Frame 31724) Video thumbnail (Frame 42326)
Video in TIB AV-Portal: BLUE TEAM VILLAGE - Automating DFIR: The Counter Future

Formal Metadata

BLUE TEAM VILLAGE - Automating DFIR: The Counter Future
Title of Series
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Release Date

Content Metadata

Subject Area
Automation has been the forefront of almost every tool or talk in the recent years. The DFIR industry has been moving rapidly towards automating everything! With some great work being done in the area of integrating workflows and various toolsets to make things easier for analysts, automation has really taken off. While that sounds like a worthwhile solution to help SOC analysts weed out the run of the mill adware/PUPs or phishing expeditions, can we really automate a response to the more sophisticated or targeted attack on our company’s crown jewels? The current argument being made, is that -- rather than building in house Incident Response teams, we should utilize automation to substitute analysts and use third party retainers for skilled analysis. Large investments in automation technologies, rather than resource development reflect this strategy. What does this mean for career progression for budding DFIR analysts? With security engineering taking the forefront, is analysis as a career in DFIR a dying star? Is automation moving us towards click forensics rather than intelligent analysis? I’d like to challenge groupthink, and debate where automation will lead the industry trends. Additionally, I will share some of my experiences in the changing face of DFIR.
Point (geometry) Ocean current Presentation of a group Divisor Similarity (geometry) Mereology Grass (card game) Rule of inference Event horizon Entire function
Dependent and independent variables Event horizon Computer configuration Information View (database) Blog Multiplication sign Duality (mathematics) Information Price index Data conversion Power (physics)
Area Link (knot theory) Dependent and independent variables Blog Multiplication sign Bit Data conversion Focus (optics) Twitter
Area Enterprise architecture Mathematical analysis Automaton Open set Medical imaging Goodness of fit Matrix (mathematics) Bit rate Data center Point cloud Game theory Point cloud
Windows Registry Computer icon Software bug Dependent and independent variables Group action Email Dependent and independent variables Workstation <Musikinstrument> Electronic mailing list Staff (military) Mathematical analysis Category of being Latent heat Fraction (mathematics) Read-only memory Semiconductor memory Cuboid MiniDisc Information security Point cloud
Dependent and independent variables Graphical user interface Process (computing) Dependent and independent variables Pi Operator (mathematics) Vertex (graph theory) Mathematical analysis Process (computing) Abelian category Automaton Information security
Latent heat Process (computing) Malware Strategy game Visualization (computer graphics) Firewall (computing) Mathematical analysis Automaton Information security Computer forensics Computer programming Twitter
Decision theory Virtual machine Disk read-and-write head Mereology Dressing (medical) Wave packet Uniform resource locator Strategy game Data conversion Extension (kinesiology) Information security Metropolitan area network Area Email Rational number Information Mathematical analysis Counting Price index System call Process (computing) Malware Integrated development environment Hash function Personal digital assistant Game theory Spacetime
Source code Complex analysis Group action Tape drive Multiplication sign Source code Online help Mathematical analysis Streaming media Software bug 2 (number) Front and back ends Cross-correlation Process (computing) Integrated development environment Personal digital assistant Video game Task (computing)
Complex analysis Stapeldatei Open source Duplex (telecommunications) Dependent and independent variables Multiplication sign Source code Mathematical analysis Price index Regular graph Latent heat Cross-correlation Process (computing) Numeral (linguistics) Sample (statistics) Integrated development environment Software Personal digital assistant Cross-correlation Point cloud Game theory Figurate number Physical system God
Point (geometry) Confidence interval Line (geometry) Multiplication sign Source code Online help Barrelled space Mathematical analysis Mereology Rule of inference Event horizon Wave packet Hypothesis Product (business) Goodness of fit Bit rate Hypermedia Software testing Computer forensics Information security Arithmetic progression Physical system Dependent and independent variables Intel View (database) Linear regression Structural load Expert system Mathematical analysis Extreme programming Incidence algebra Hypothesis Hand fan Dean number Data management Process (computing) Software Personal digital assistant Vertex (graph theory) Arithmetic progression Computer forensics
NP-hard Line (geometry) Multiplication sign Virtual machine Set (mathematics) Mathematical analysis Information privacy Disk read-and-write head Rule of inference Software bug Wave packet Neuroinformatik Response time (technology) Internet forum Bit rate Different (Kate Ryan album) Conservation law Selectivity (electronic) Endliche Modelltheorie Computer forensics Arithmetic progression Dependent and independent variables Key (cryptography) Artificial neural network Digitizing Feedback Mathematical analysis Data storage device Bit Price index Connected space Performance appraisal Process (computing) Integrated development environment Personal digital assistant Game theory Computer forensics Annihilator (ring theory)
we are extremely happy with the turnout here it's pretty fantastic the one thing we do need to know everyone is abiding by right now as we do need a pretty much the only rule is a we need to maintain the fire doors and the grass points for the fire marshals other than that it's awesome to see this kind of turnout for the first ever bloody village of armed of noble. mom and we have some amazing talks lined up for you guys today are all we can really and i'm gonna thank you so much. e.. all thought was her. those things properly we hear that people want to start early so do a little introduction here thank you for coming to the looting village of like to introduce divide and she's going to talk about automating. everyone you meet a friday and f.b.i. you're here so yea for all of you. i am talking about our meeting the entire big disclaimer phone presentation contains my part ideas and opinions they do not represent those of my current impasse employers any event characters and firms depicted in the course of this presentation a purely fictitious any similarity to events characters and firms merely coincidental and get bill is.
the trademark of marvel characters so since you've got that out of the way who am i am did an insider responder and for indicator of being i'm doing this for about six years now are currently on the blue team making a great response at work prior that i was at our best eighty eighty directv my.
personal journey into response and forensic started about six years ago when i got into my master's information insurance and not the sensible has to use. and you can reach me in there were two hundred i actually have a blog and you can email me and divide develops that are sold with that let's get started you started like all great marvel movies dual from the end what i'm talking about this i have been having this conversation for will long time within the blue view.
community and i thought that it's about time that you have had this in the open and how these great article that i read just recently and i would surely you know suggest that everyone reads this is also on my blog all the links to these articles but only give it to look this is why we're having this conversation because we don't need to have these conversations it. the handles doors anymore we have a bloody village so let's see what you're going to talk about and i talk about automation its journey as i have seen it in my career in six years how it's evolved will do a little bit retrospection on the major trends that i have seen come out of it the dark about the area's best to you.
i's automation then the few areas where i feel analysis takes the forefront and then we'll wrap of the open discussions i'd love to your everyone starts about it during after or even afterwards i will now be available so let's get started.
when i started six years ago it was really cool i walked into this awesome friends its lab and there was like a big the toolkit that those rate ago it had like these armed game old it had right boppers it had everything to go we could go on side good data center go image everything like hundred and hundreds of lab. dobson other stuff was really cool i was really excited i was like ok let's do this slowly that are boring and a lot of our own new deal came out and be could do never acquisitions on the flight we had and his enterprise we had left the game we had other awesome tools that came out and in that wasn't enough even now gone from there. actually doing all this in the cloud and that's a huge way.
we've gone from doing full memory acquisition and i remember when i started sands was evangelizing tree as as the next new thing which is really cool we didn't need to actually do full does acquisitions we could get as of artifacts maybe just memory registry be lists lodz and we could figure out what's going on so that was cool.
slowly i realized that i do want change those boxes in india's and have to give every single dime i did it is so greeted live response groups that was what i think automation actually took off including village and we also created awesome and houses are stations everyone's you serve to use them not everything is out there. already pre-packaged for all of us to use we've also come a long way from there to get into category specific tooling we have stuff or e-mail security now we have staff are employing detection response the d.r. we have very specific tools in the market and that's a really great.
when i started vendors one play for well with each other we had to buy like a particular vendor said i'm pretty sure everyone's gone through this been now with a.b.i. as we could actually integrated this great mentor do with the other great mentor to lend get all our lives together we cannot just a dollar lurks and our processes this in the us really efficient. you're starting off building one of the most mature our security operations centers when i started off and from there we've come a great long way to actually getting threat in jail security engineering as their own verticals instant response.
most importantly are hiring strategies have also changed i remember applying for of visual forensics analysts job in your may be forensics in maybe just we know all our mac or lynn expensive stuff and now we've actually have jobs which are very to said. specific you have to be great at automation you have to be great it's gripping you have to be good and evil security maybe just maybe our asean each next and firewall and you have done little everything is out there to come along the with hiring is well and that is actually help us groom ourselves into more specific kind of joy. jobs what we wanted to.
so in fact especially actually seen three major trends come out the first being the star of optimising run of the millers no longer do analyst want to work on advair potentially unwanted program kind of dollars we all want to work on fishing the my work on the cool stuff so we started automating all that the second the start.
and bringing in part by the retainers mandaean crowd strike cetera and dollars for big data exposures and we have targeted campaigns that are specific to us our industry not only for due diligence but also to like give us extra head count on our game when we have those long exposures and long hours of working and most import. frankly i've seen this major train be restarted invested in buzzwords present doing and by buzz what i mean ai machine learning e.r. india have doubled to e-mail security was the next new thing that everyone at our see all the venerable talking about you start actually investing in that one. i haven't been investing is the expertise to actually utilize those tools was really expensive to was are going to be pretty much not doing their full job if we don't have someone who get actually utilize them to the fullest. so i'll move on to areas best utilize automation.
i actually have this great conversation with my friend in our nation and he said ninety percent of their customers actually by artist ration automation tools to automate fishing so we'll take that as an example of phishing email comes in what does the orchestration to do it kicks off a bunch of applause. maybe he sets all the hash is your elder idea dresses etc to wear a soul or whatever you want to use kind of autumn is that process of bringing all that the back. send it off to a actually of sand box that you've set up may be who are your in-house saturday behavioral analysis on that's as an example that you're seeing in your environment ringing all the i.o.c. is indicator of of compromise that in the us embassy is dragged back to your environment. determining scope of infection how many people actually got the sea million the environment what do they do are the only finance team are they are on the marketing team what is going on here are also going back and looking at have these users actually been infected before do we see any historical cases tickets for these people what has been the infection. sector before what is the extent of the current infection and how did we can deal with infection have we seen it before. most importantly it also get pixar to me was one of the most important to work spaces it creates this ticket for all of us so we don't have to do it manually and it has signed it to the on call engineer was on call and here comes in they have all this information at hand already to make this informed decision on what to do. next maybe we're blocking the i.o.c. is maybe we're notifying the users were kicking of whatever our containment strategies are so this actually got automated and made it really easy for all of us were no longer creating manual tickets were no longer i'm doing these man you look up says so to recap we initiated this work was using our.
nation be provided correlation data sources i.o.c. is help and source intelligence around them even also thousands of intelligence around them from our threat streams cetera be matched his article kids data we went back and check what is what was happening what can you do this but how can we actually best contain it. we created this huge data pool on the back end which we can search quickly within seconds. and we also created use this created a couple how it anomalies maybe this is not a user behaviour in our environment but this particular curious is an anomaly we're no longer having users have to each case and have that analysts fifty going on we're looking at just the anomaly and now we have. have more time to spend on it and didn't gain it so that's really great.
however our nation only goes as far as putting tried and tested lee books into action is there for those mundine boring rapid of tasks that most out of this now don't want to do is there to automate fishing is their maker life easy to give us more time to do all the research work on complex cases that. what we want to really really do something really important is i i learned from my friend not to mention that only three percent of their customers actually have a process and a playbook employees to automate and without the playbook artist creation and automation technologies aren't really going to do anything do not have remarked that. process what we need to actually keep our eyes on is maturing our process. also another really great status stick and i was really alarmed by this is what i heard is ninety percent of the customers not only want to automate fishing but they want to stop there and let's discuss why does is happening let's see where i think automation is doing really really well and i think we should stop with the butt.
have and must do their work so where humans really fit in your great of looking at the bigger picture then rated looking at all this is what a learner were arrested while this environment doing get i'm all from this system that's infected to another why is this actually the initial infection actor is this patients ear or. did we get infected from somewhere else how do you actually move in this environment how is it set up can it get to our car going to get to read a blessed going to get to our other cloud environments where is this going to take us. there are great at analysing those made you lurks that none of these are the nation tools open source cool source in is going to give us we need to be able to dig that reverse engineer that actual now there are that board that we're seeing and figure out what it's doing for as when you're being targeted maybe nobody seems before maybe it's just company. he says of his industry specific we need humans to do that. we're great actually eating out false positive worse us to positive and that is also very environment industry company specific we need to figure out what is the game behind these indicators of compromise what is the attacker going after our is is just a scripted you as you know scanning our network and decided to get in there. those the new cd that god really is and maybe were not affected because we're bashed we just be sure batch of. also are doing great ad complex case correlation a was been in the industry she recently or even for the a long time will know that we've been teaching jobs as humans we kind of go in try to understand the environment new environments their companies are setting up where our crown jewels are and why.
the numerous attacks sectors are to actually get to those crown jewels great if we bring all those way is that all these attacker regular that death on are going to try to get into our environment we need humans for that. not only do we figure out how but we also know how to respond and contain depending on the kitchen where is the attack or are we add that denies asia now we just ever gonna send have the already deployed the ergo gold have they started exploration depending on where we are in the kitchen they're going to respond accordingly i mean. need a blue team to do that we need analysts to do that how to respond and what fees are you so that's where i think good humour as do the best to be did not replace our analysts.
so with that i'm going to wrap up and i'm going to start with a few things that i would love to discuss with you i think automation and human into an intervention needs to be balanced we shouldn't look at our to be shared as a few of folks in management maybe you've ever seen that before thing that automation is going to come inevitably the ripples. that's not automation is your for its year to make your for the better it's here to meet your team look at all these are similar that are coming out that nobody's looking at not look at the run of the millers anymore. why are these fees are going to can consider when you're actually considering a new job india are we giving back to the community we should be looking at scripting automation as a part of our job rather than actually fighting in there are a lot of analysts that are fighting are the mission because they think automation is going to take our jobs of the army shun is your. actually help us do our jobs better. i think we should look at his response forensics threat intel security engineering as their own verticals but within blue team maybe look at our career progression into moving into these lap growth i was fighting this myself to i started an analyst and now i've actually move into a scripting automation kind of rule because i want to learn more about this i want to see how. we can make all these alert better so we moved very quickly into these awesome vertical that we're setting up and that would make us do our jobs easier. and lastly automation is not here they are jobs only it's your help us grow as individuals it's your just have are your one thought out and basically get better at what they have learned in their training to see of the to get actually validate what they have seen before if they are the hypotheses are getting confirmed with the tool. and that's what automation is here for its here to help us three and it's here to help us make a better with that.
now that you're armed and dangerous for all this and an open up for questions or even a discussion. i. or so. as. as a. it is. ok the question was very my getting the data to automate all this are they to bend s. and i are other sources so i would suggest using every single source that began the most optimum be to do this would be basically taking are bent as data of all abilities candida. making sure we're automating that you're putting it into the orchestration system so we know that these systems are vulnerable what they want to do and what will happen when we actually see an incident common not only that we should put monitoring in place obviously and all the systems not just see all this his legacy so desirable way we're not going to really odd have made this we're not going to put any monitoring on it does. that legacy the one that's going to get. that created the biggest incident that we can actually think off is going to create the biggest problem that we're going to see so i did use all the sources that you can get work in tandem with the red team with the one of the d.s.'s main event answers on your team products security get everything all the data that you can not only from here too but in house from other analysts are the engine. years that of their everything every single data that you can get the help i can not emphasize more how many times us actually worked on an incident that we've seen in the past that have already come up in a vulnerable to these can and we've done nothing about it so i see the ball that historical tuesday to keep all those skandia just to make a point. have you seen this before we have a look at on this before and this is what we need to make better we need to our to me that process. who. we are. i. so what i think do i get demonstrate our nation and its this i used a thing because everyone wants did actually on a fishing we can use it for a lot of now their lives to have seen really great graphically both i wish i could discuss it in the deal. but i think the best thing to do here is kick off all those work through schools we don't want to actually going in and do all that on our self it easy is clean they're not seeing all our get out there you're making the search is available but we're not doing it from our current network so there's no lack of use it and that is all bad like a connecting all these a.b.i.. as having of hours to leave yeah except rolling put into our extreme is only making may giving us more fan of the data and i think whether you get from our you use it for hunting down like release of the skated adversaries use it for fishing do whatever you think your case load is actually high on right now and then you can. in our media other processes to make everything much easier for you all that ails out think the question the friend first now come back to you guys who are. i. you. i. i. ok so how do i make sure i'm not missing things that the question so that's a great thing that's where you and the scum in we have to still look at all the data that the automation technique technology is going to give us all the i.o.c. they're coming i was either going to be great where we're going to have to assign a confidence risk three should do it we're going to have to say ok maybe this deal. when was infected before now it's not anymore we need to the grid the confidence of it these things change the bees are going to change who could have to track our attackers of that's where take the deal comes into place we need to see what is the confidence rating what is the security reading what is the risk rating of this particular i.o.c. particular in tandem as well as individuals. and yes a lot of regression testing goes into it a lot of good analysis after the fact goes into it a lot of reading a false positive versus two positive on the current is goes into it. so i feel like every kid we get in we need to look at it in a way that is this data actually coming in are do we need to enrich this data more. at the back. ok how about in so doing my normal job of doing all these new tools so that hundred yuan it takes a while and have learned the hard way i have been completely overwhelmed with trying to do everything on my plate so i think it's low started doing europe will build out a really strong. dean is what i would say i'm not one person is not an instant response to be a huge team of experts we need everyone in all the four barrels that i'm talking about so we can actually concentrate on each process these works team that we're dealing with and in our down time i see i take like about.
at least four hours or like a friday to learn a new to actually listen to the forensics lunch by david cohen if anyone has knocked yes it if any was not the only one day you should only take that out that's a really good way to interference lot of articles out their keepers of a breast or training. mean i'm not going to go to all the training out there but begin to what you're interested in and kind of liked you or your career into that it takes time it takes effort it takes a long time to do scripting and all those things but it's totally worth it. will you. this is going to come back to our. it's a great question so was the evaluation of selecting in opposition to. that is a very complex question so when i got this is a couple of times over now and each plays that have been ad has a different selection criteria independent what you're trying to achieve how big your team is what the dual does is it obvious trading with all the current technology you have maybe you have a particular far all winter you have a particularly our solution he wanted to. great with and how does it do when your biggest come in with all that i was a dual purpose see i'm not going to see that i like this to go back to all but a certain set of tools fit into a certain environment and a different kind of tools fit into a much more different mentor environment tools are out there and vendors are really really respond. some of these days i ever occurred to me still ever but fandom ever worked with a bunch of other vendors who he really want your feedback you want to help us make this better when i was working with me so i asked them to help me make this forensics process though they didn't have that and they quickly in almost six months turned around and created this forum that forensics these into the store so don't really respond. sensitive begin to their battles privacy the false positive see how your friend healthy the feed into all this and how his opposition to giving everything to are you comfortable with it or if not maybe just keep everything around it to see how you would want to see it on the dashboard how's that going to help you is all there to help you the tools not. i'm going to do anything on its own is going to do whatever you wanted to do. to confront it. a. the. the scherzo artificial intelligence how you create and retrain the models on it in a good example and i don't really have a good example one it. and i'm going to be honest about that has seen in the news really well when you're looking to i.o.c. is indicators of compromise and how the degree of from one place the other how is how the model kind of understanding those anomalies so i've seen in do really well on seeing all be seen this user behaviour before. maybe this is taxis in and this is an anomaly because nobody clicked on it but we created our users and this person they've done it are this person b.t.o. and we still are seeing likely be any connections coming up a one up and forced from their computer so looking at those models to actually employ in into your for extreme it's a little difficult. a lot of to say that you can use really well i haven't really seen it effectively use yet if anyone have i would love to you by yeah i haven't really seen it used amazingly well i do know that and normally detection is one of the major examples of using artificial intelligence and machine learning whether have seen it. i asked to the best intend to help me. i have my thoughts on that. any more questions. one of the mac you. will it be seen as well. ok how i've been asked to don't often automation and however delta that soul actually have been fortunate enough not to have faith that i had my own i guess conservation and the rate of ideas on automation when it started i think something's automation. those below and it to be a long while to understand where to go with it so i thought initially we could do all this on her own why do we need automation but i don't really like reading tickets i don't really want to go ahead and like spend fifteen minutes on looking all these things up i don't want to do that i was given to me so helping you. you really want to make that case the way i had made it is looking at the response time when the game it do when we actually was old and is that can significantly lower that is you use key is to actually use on a mission. i hope that held the head. i. the. i. of. so the question is how do i feed working is easy to take an analyst entry in them to be an engineer or is it easier to take an engineering train them to be an analyst i think those two things are completely different. people were in the industry for a while and have done a mouse's have this is really great mind said that they build and that is what we contribute to the industry there are engineers out there were really passionate about our nation and different technologies and they might not want to do the analysis the handlers you just want to make things easier for the analysts to do so if you actually. considering moving from any of these rules to the other i'm not saying it's not possible to take a lot of hard work if you're an engineer was ability analysts mentality take a bit of training try to build that mentality try to get into the environment work with your analysts and see what kind of dollars are coming in how their car process works how do they know. what kind of artifacts they're looking for how do they actually devise these containment response trying to do this and if you're in alice looking to get in do i get engineering are stripping kind of roles there's a really great book digital forensics five hundred book and i think that will help us get started by phone is really doing well in the fire. community so as they start there and then once you get into it there are a lot of other resources that you can get that into a hole that has nothing is impossible you can go from alice to engineer engineered analyst. will any more questions. pull up quickly.