Incident Response is HARRRRRD: But It Doesn’t Have to Be – Michael Gough
So your EDR, AV, or other fancy shiny blinky-light security tool alerted you that Bob's Windows box has some suspicious activity. Do you have the details you need to investigate or remediate the system? Can you investigate it quickly and easily? You can enable a lot of things you already have, for FREE, to help with your investigations no matter which tools you use. Let's take a look at how we do Incident Response on Windows systems and what you can do to prepare for an inevitable event.
How is your logging? Is it enabled? Is it configured to some best practice (hopefully a better one than the industry standard, which is seriously lacking)? Have you enabled the critical logs that Microsoft does NOT enable by default, such as process creation with the command line and PowerShell script block logging? Do you have a way to run a command, script, or favorite tool across one or all of your systems and retrieve the results? Do you block well-known exploitable file types, so that double-clicking a script does not launch the scripting engine but just opens good ol' Notepad?
Everything mentioned here is FREE and you already have it!
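As an added example (not code from the talk or its author), the PowerShell below puts the preparation items above into practice on a single Windows host: it turns on the audit subcategories and PowerShell logging that are off by default, enlarges the event logs so they survive longer than a few hours, maps script extensions back to Notepad, and gives a responder a quick check. The registry paths, `auditpol` subcategory names and `wevtutil` switches are the documented ones; the log sizes, the extension list and the placeholder host names are this example's own choices.

```powershell
# Added example: baseline a Windows host for incident response. Run as Administrator.
# Sizes, extension list and host names below are this example's choices, not a standard.
#Requires -RunAsAdministrator

function Enable-IRAuditPolicy {
    # Advanced audit subcategories that are off, or success-only, in a default install.
    $subcats = @(
        'Process Creation', 'Process Termination',
        'Logon', 'Logoff', 'Special Logon',
        'User Account Management', 'Security Group Management',
        'Other Object Access Events',   # scheduled task create/update events
        'File Share'
    )
    foreach ($s in $subcats) {
        auditpol.exe /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
    }
    # Include the full command line in Event ID 4688 (off by default).
    $audit = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
    New-Item -Path $audit -Force | Out-Null
    Set-ItemProperty -Path $audit -Name ProcessCreationIncludeCmdLine_Enabled -Type DWord -Value 1
}

function Enable-IRPowerShellLogging {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    # Script block logging -> Event ID 4104 in Microsoft-Windows-PowerShell/Operational.
    New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
    Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Type DWord -Value 1
    # Module logging for every module -> Event ID 4103.
    New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
    Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Type DWord -Value 1
    Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'
}

function Set-IRLogSizes {
    # The 20 MB defaults roll over in hours on a busy host; sizes are this example's choice.
    $sizes = @{
        'Security'                                    = 1GB
        'Microsoft-Windows-PowerShell/Operational'    = 512MB
        'Microsoft-Windows-TaskScheduler/Operational' = 256MB
    }
    # The Task Scheduler operational log exists but is disabled by default.
    wevtutil.exe sl 'Microsoft-Windows-TaskScheduler/Operational' /e:true | Out-Null
    foreach ($log in $sizes.Keys) {
        $bytes = [int64]$sizes[$log]
        wevtutil.exe sl $log "/ms:$bytes" | Out-Null
    }
}

function Set-IRScriptExtensionsToNotepad {
    # Double-clicking these should open Notepad, not wscript.exe, cscript.exe or mshta.exe.
    # Extension list is this example's choice; 'txtfile' is the built-in Notepad file type.
    $exts = '.js', '.jse', '.vbs', '.vbe', '.wsf', '.wsh', '.hta', '.sct', '.ps1', '.psm1', '.reg'
    foreach ($e in $exts) {
        cmd.exe /c "assoc $e=txtfile" | Out-Null
    }
    cmd.exe /c 'ftype txtfile'   # prints the Notepad command line txtfile maps to
}

function Test-IRLoggingBaseline {
    # A responder's quick check before trusting a host's logs.
    auditpol.exe /get /subcategory:"Process Creation"
    Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' |
        Select-Object EnableScriptBlockLogging
    (Get-WinEvent -ListLog 'Security').MaximumSizeInBytes
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 3 |
        Format-List TimeCreated, Message
}

Enable-IRAuditPolicy
Enable-IRPowerShellLogging
Set-IRLogSizes
Set-IRScriptExtensionsToNotepad
Test-IRLoggingBaseline

# Push the same baseline to, or collect results from, many hosts over WinRM.
# Host names are placeholders for this example.
# Invoke-Command -ComputerName 'WKS01', 'WKS02' -FilePath .\Prepare-IRHost.ps1
# Invoke-Command -ComputerName 'WKS01', 'WKS02' -ScriptBlock { auditpol.exe /get /category:* }
```

Two caveats a practitioner will hit: Group Policy re-applies its own audit and file-association settings on refresh, so whatever you set locally should also be put into a GPO or it will be overwritten; and `assoc` changes the machine-wide HKEY_CLASSES_ROOT mapping, which a per-user Explorer "Open with" choice can still override for that user, so verify with a double-click on a test `.js` file rather than trusting the registry value alone.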
This talk will describe these things and how to prepare, and be PREPARED, to do Incident Response on Windows systems. A few tools that you can use to speed things up will be discussed as well. Attendees can take the information from this talk and immediately start improving their environment to prepare for the... inevitable: an incident.
Michael is a Malware Archaeologist, Blue Team defender, Incident Responder and logoholic. Michael developed several Windows logging cheat sheets to help the security industry understand Windows logging, where to start and what to look for. Michael is a primary contributor to the open-source project ARTHIR. Michael is also co-developer of LOG-MD, a free tool that audits logging settings and harvests and reports on malicious Windows log data and malicious system artifacts. Michael also blogs on HackerHurricane.com on various InfoSec topics. Michael is also co-host of the "Brakeing Down Incident Response" (BDIR) Podcast, which educates on daily Incident Response tasks. Michael also ran BSides Texas for five years for the Austin, San Antonio, Dallas and Houston cons.