In the physical realm, a successful hunt ends with either a kill or a capture. While some might enjoy the thrill of the hunt, no one really wants to walk away empty handed. Why do we treat hunting in the digital realm differently? The Containment, Eradication, and Recovery phase of the Incident Response Lifecycle is the digital equivalent of the kill or capture in the physical world. Proper execution of this phase is necessary for a successful hunt, and it’s as easy as remembering your ABCs. You’ve stalked and located your prey, evil has been found, are you prepared to take it out?
I gave this talk at the GoSec 2019 conference in Montreal, and the 2019 Texas Cyber Summit in San Antonio. Slides are available below. I’d like to give a shout out to Michael Melone, who I believe originally came up with the “ABCs”, Jared Poeppleman for writing the krbtgt reset script, as well as Andrew Robbins and his team for creating the Bloodhound tool, all of which are referenced in these slides.
If you are interested in having this talk delivered at your event or conference, please contact me through Twitter or LinkedIn.
Josh M. Bryant is currently a Director of Technical Account Management at Tanium where he helps customers overcome the challenges of managing very large scale computing environments. Prior to joining Tanium, he was a Premier Field Engineer at Microsoft specializing in Microsoft Exchange Server, and then later a Cybersecurity Architect specializing in Compromise Recovery. Josh is also a Master Sergeant in the Illinois Air National Guard where he manages a team of Systems Administrators maintaining the weapons system for an Air Operations Center.