Saturday, October 12 • 2:00pm - 3:00pm
IR-3017 The ABCs of Containment, Eradication, and Recovery

In the physical realm, a successful hunt ends with either a kill or a capture. While some might enjoy the thrill of the hunt, no one really wants to walk away empty-handed. Why do we treat hunting in the digital realm differently? The Containment, Eradication, and Recovery phase of the Incident Response Lifecycle is the digital equivalent of the kill or capture in the physical world. Proper execution of this phase is necessary for a successful hunt, and it’s as easy as remembering your ABCs. You’ve stalked and located your prey, and evil has been found. Are you prepared to take it out?

Containment, Eradication, and Recovery is a key phase of the NIST Incident Response Lifecycle that often doesn't receive the attention it deserves. Focus is mainly placed on detection and analysis. After an incident, organizations are often left with a report detailing attacker activity with a few remediation suggestions at best, leaving them on their own to figure out what to do next. Any incident involving a determined human adversary (aka "advanced persistent threat") requires simultaneous disruption of three key areas known as "the ABCs" (Accounts, Backdoors, Command and Control). We'll cover a three-phased approach that addresses the ABCs and has been proven successful in use across many of the most high-profile incidents over the last decade. We'll start with a high-level strategic overview of this methodology before getting into the technical details of how to address the ABCs during each phase of this approach using freely available tools.

Josh Bryant

Director of Technical Account Management, Tanium
Josh Bryant is currently a Director of Technical Account Management at Tanium, where he helps very large enterprise customers gain high-speed visibility and control over their endpoints. As one of the Subject Matter Experts on Tanium’s Threat Response module, he helps customers quickly...

Saturday October 12, 2019 2:00pm - 3:00pm CDT
TEXAS BALLROOM - E Track 3 600 E Market St, San Antonio, TX Floor 4