CIRT-Level Response to Advanced Persistent Threat - SANS ...

ePAPER READ

DOWNLOAD ePAPER

computer.forensics.sans.org

Create successful ePaper yourself

Turn your PDF publications into a flip-book with our unique Google optimized e-Paper software.

START NOW

First Year after D-Zero

• Evaluate IR capability effectiveness

• Institutionalize counter-APT ops.

• Develop and embed counter-APT improvements.

• Collaborate with peers.

• Expand security instrumentation.

• Hire help.

D-Zero + 1 year

Building, Maturing & Rocking a Security Operations Center - SANS ...

Sniper Forensics “One Shot, One Kill” - SANS Computer Forensics

examples of recent apt persistence mechanisms - SANS Computer ...

Ovie Carroll - SANS Forensic Trends and Futures.pdf

Analysis & Correlation of Mac Logs - SANS

“ANN'S AURORA” - SANS Computer Forensics

Encryption v20.10 - SANS Computer Forensics

Tales from the Crypt - TrueCrypt Analysis - SANS

Digital Forensics for IaaS Cloud Computing - SANS Computer ...

All the Gear..and No Idea.. - Scalable, fast - SANS

Protecting Privileged Domain Accounts during Live Response

Taking Registry Analysis to the Next Level - SANS Computer ...

Mark McKinnon RedWolf Computer Forensics Mark ... - SANS

Brendan Dolan-Gavitt Georgia Institute of Technology - SANS

First Year after D-Zero • Evaluate IR capability effectiveness • Institutionalize counter-APT ops. • Develop and embed counter-APT improvements. • Collaborate with peers. • Expand security instrumentation. • Hire help. D-Zero + 1 year 10

• Create Red-Blue Team. Second Year after D-Zero • Develop security intelligence capability. • Contribute to industry counter-APT work. • Continue hiring help. D-Zero + 2 years 11

Page 1 and 2: CIRT-Level Response to Advanced Per
Page 3 and 4: • You are an APT victim. • You
Page 5 and 6: Favorite Kris Harms APT Quotes (FIR
Page 7 and 8: First Day after D-Zero • Switch t
Page 9: • Determine incident scope. First
Page 13 and 14: Incident Response Center Incident H
Page 15 and 16: Company General Electric Aerospace
Page 17: Questions? Richard Bejtlich richard

CIRT-Level Response to Advanced Persistent Threat - SANS ...

Create successful ePaper yourself

Delete template?

Save as template?