As you may have heard, this year the RSA Conference has launched a crowdsourced speaking track. In short, RSA has opened a number of speaking abstracts up for a vote, and the top 25 will have a shot at being included in the conference. Voting will be open until April 2, with the RSA program committee narrowing down the final 12 winners by April 9.
I’m honored that my proposed session, “How-To: Aggressive Remediation in an APT World,” is included in the voting pool, and I wanted to give our readers a preview of what my session would entail. Don’t worry: if you’re too busy to read the blog but trust that it’s a good session, you can skip ahead and vote here.
The breaches we investigate reveal that APT hackers are often embedded for months or years before discovery, and remediation is not as simple as ending the attack and fixing vulnerabilities. In order to address these advanced attacks, security staff need to take an aggressive stance during incident response and focus not only on containment but on eradication of the threat.
When you break it down, any incident response program has three equally important parts: containment, eradication, and remediation.
Once a breach becomes public knowledge, attack activity can jump as much as 30-50 percent in the following days and weeks. This means the containment process must include the necessary step of securing the network from other threat actors who will try to get in while the network is compromised. There are many key elements of a solid containment strategy prior to publicly announcing a breach, but particular attention must be paid to keeping new threat actors out while the team works to contain the damage.
This is the newest and least-talked-about aspect of incident response. It is vitally important that eradication is carefully planned, or attackers will simply move around the network as their tools are identified. Eliminating all compromised tools and access points can be a monumental task given the pervasive approaches taken by APT actors as they spend months (or years) embedding themselves within networks. I’ll dive into some of the different eradication techniques, such as network segmentation, a method we utilized successfully during an APT breach in the defense industry. I will also discuss the legal and political considerations to be taken into account during the eradication phase.
Once the threat is eradicated, the actual remediation of the breach can get underway. I’ll go over some of the different strategies for regaining as much data as possible, identifying the perpetrators (always a very difficult task) and preventing future damage to the network.
So, if this sounds like a session you would like to hear at RSA next month, please take a second to vote for it on the RSA Conference crowdsourcing page. The deadline to vote is April 2. I hope to see you all in San Francisco next month!