CIRT-Level Response to Advanced Persistent Threat - SANS ...

More documents

Recommendations

Info

Containment vs Honeynet? • Reasons to not immediately contain/disconnect victims when you are new to counter-APT ops: – Scope of incident likely unknown. – Disconnecting victims removes intelligence source. – Adversary will notice and change tools, tactics, and procedures. • When to start disconnecting? When you meet your win criteria. 12
Incident Response Center Incident Handlers Incident Analysts Event Analysts Incident Coordinator Suggested CIRT Structure G E - C I R T Director of Incident Response Security Assurance Team Threat Cell Red-Blue Team Technical Assistance Group Support Detection-Response Architect and Engineer Software Developer Infrastructure Engineer System Administrators 13
Page 1 and 2: CIRT-Level Response to Advanced Per
Page 3 and 4: • You are an APT victim. • You
Page 5 and 6: Favorite Kris Harms APT Quotes (FIR
Page 7 and 8: First Day after D-Zero • Switch t
Page 9 and 10: • Determine incident scope. First
Page 11: • Create Red-Blue Team. Second Ye
Page 15 and 16: Company General Electric Aerospace
Page 17: Questions? Richard Bejtlich richard

CIRT-Level Response to Advanced Persistent Threat - SANS ...

Create successful ePaper yourself

Delete template?

Save as template?