Texas Cyber Summit II

In the physical realm, a successful hunt ends with either a kill or a capture. While some might enjoy the thrill of the hunt, no one really wants to walk away empty handed. Why do we treat hunting in the digital realm differently? The Containment, Eradication, and Recovery phase of the Incident Response Lifecycle is the digital equivalent of the kill or capture in the physical world. Proper execution of this phase is necessary for a successful hunt, and it’s as easy as remembering your ABCs. You’ve stalked and located your prey, evil has been found, are you prepared to take it out?

Containment, Eradication, and Recovery is a key phase of the NIST Incident Response Lifecycle that often doesn't receive the attention it deserves. Focus is mainly placed on detection and analysis. After an incident, organizations are often left with a report detailing attacker activity with a few remediation suggestions at best, leaving them on their own to figure out what to do next. Any incident involving a determined human adversary (aka "advanced persistent threat") requires simultaneous disruption of three key areas known as "the ABCs" (Accounts, Backdoors, Command and Control). We'll cover a three-phased approached that addresses the ABCs and has been proven successful in use across many of the most high profile incidents over the last decade. Starting with a high level strategic overview of this methodology before getting into the technical details on how to address the ABCs during each phase of this approach using freely available tools.