DIY Tooling for Incident Responders

Tools (716AB), October 6, 2022, 1:30 pm - 2:30 pm


Peter Morin

Successful incident response requires swift action to contain the threat. Whether it is a breach, an insider threat or another kind of attack, the longer the adversary is able to pivot in your network, the more difficult the event will be to contain. There are numerous tools available today that perform key orchestration tasks, commonly referred to as EDR (Endpoint Detection and Response) tools, but there are many reasons why these tools may not be suitable for your environment. For example, if you are tasked with protecting an industrial control system or OT environment, where agent-based EDR-style applications could cause interruptions to critical infrastructure, alternative options may be required. This presentation will discuss the concept of security incident automation and response, and will focus on introducing open-source host orchestration tools that can be used to execute the key tasks needed to contain a cyber-security event, collect key evidence and better prepare you to survive the incident.

During this presentation we will discuss the following:

  • Assessing what an organization's incident response capabilities are
  • Discussing the concept of automation and response and how it fits into Security Orchestration, Automation and Response (SOAR)
  • Understanding which incident response processes can be easily automated and which cannot
  • Discussing the concepts of incident analysis, triage and prioritization
  • Reviewing the benefits of incident response automation, including faster response to incidents and coping with a small cyber workforce, an insufficient tools budget or limited response capabilities
  • Discussing the processes that should be in place in your playbook for execution when a cyber-event has been identified, and how these can be translated into an automated workflow
  • Discussing the value of agentless automation versus commercial tools that require an agent
  • Looking at tools such as PowerShell, Chef, Puppet and Ansible as a means of enabling incident response automation
  • Reviewing a number of incident scenarios and response use cases and how they can be automated, including some uses of automation from a recent real-world ransomware response