Open source tools for Incident Response bogota 2016
Page 1
Open Source Tools for Practical Incident Response
Mateo Martínez, CEO KOD LATAM SECURITY, www.kod.uy
Giovanni Cruz Forero, CEO CSIETE, www.csiete.org
Page 2
Agenda
1. INTRODUCTION
2. PREPARATION
3. DETECTION AND ANALYSIS
4. CONTAINMENT, ERADICATION AND RECOVERY
5. POST-INCIDENT ACTIVITIES
Page 3
Incident Response after the Symposium
Page 4
You are officially in charge of IR...
Page 5
There is an incident…
Page 6
Why Incident Response?
Page 7
Free Software + Incident Response
Page 8
(image only)
Page 9
How do we feel we are doing?
Page 10
How have we prepared?
Page 11
This is how we are...
Page 12
This is how attackers see us...
Page 13
This is what attackers look like
Page 14
And like this...
Page 15
And like this too...
Page 16
And even like this...
Page 17
Or even like this...
Page 18
They also look like ...
Page 19
Source: NIST Computer Security Incident Handling Guide, NIST SP 800-61
Page 20
Preparation
Page 21
Preparation
● Create an incident response plan
● Prioritize assets
● Incident reporting systems
● Network traffic analyzers
● Digital forensics tools
● Know your systems' configuration
● Clean operating system images
● Hashes of critical files
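The last item of the Preparation checklist, hashes of critical files, only pays off if the baseline is taken before the incident and can itself be trusted afterwards. The following Python is an added example, not code from the talk or from either speaker's tooling: it builds a SHA-256 baseline of a hypothetical set of critical files, stores it, and later runs the verification pass an analyst would use during Detection and Analysis, classifying each file as unchanged, modified, missing or newly appeared. The file list, the sample contents and the simulated tampering are all constructed for the example. The extra step of recording the digest of the baseline file out of band is the caveat a practitioner wants: a baseline kept only on the monitored host can be rewritten by the same attacker who modified the files. At scale this is the job of a host-based tool such as OSSEC (listed later in the deck), but the logic is the same.

```python
# Added example, not from the talk: a "hashes of critical files" baseline built
# during Preparation and the verification pass run when an incident is suspected.
import hashlib
import json
import os
import tempfile

CHUNK_SIZE = 1 << 16

# Hypothetical set of files worth baselining on a Linux host (constructed).
CRITICAL_FILES = [
    "etc/passwd",
    "etc/ssh/sshd_config",
    "usr/bin/sshd",
    "etc/ld.so.preload",  # normally absent; appearing at all is a signal
]

def _host_path(root, rel):
    return os.path.join(root, *rel.split("/"))

def sha256_file(path):
    """Stream the file so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(root, relpaths):
    """Absent files are recorded as None so that their later appearance is reported."""
    baseline = {}
    for rel in sorted(relpaths):
        p = _host_path(root, rel)
        baseline[rel] = sha256_file(p) if os.path.isfile(p) else None
    return baseline

def save_baseline(baseline, out_path):
    """Write the baseline and return its digest. Record that digest out of band
    (ticket, paper, another host): a baseline that lives only on the monitored
    machine can be rewritten by the same attacker."""
    data = json.dumps(baseline, indent=2, sort_keys=True).encode()
    with open(out_path, "wb") as f:
        f.write(data)
    return hashlib.sha256(data).hexdigest()

def load_baseline(path, expected_digest):
    """Refuse a baseline whose digest no longer matches the recorded one."""
    with open(path, "rb") as f:
        data = f.read()
    if hashlib.sha256(data).hexdigest() != expected_digest:
        raise ValueError("baseline file does not match the recorded digest")
    return json.loads(data)

def verify(root, baseline):
    """Classify each tracked file as unchanged, modified, missing or appeared."""
    report = {"unchanged": [], "modified": [], "missing": [], "appeared": []}
    for rel, expected in baseline.items():
        p = _host_path(root, rel)
        actual = sha256_file(p) if os.path.isfile(p) else None
        if actual == expected:
            report["unchanged"].append(rel)
        elif expected is None:
            report["appeared"].append(rel)
        elif actual is None:
            report["missing"].append(rel)
        else:
            report["modified"].append(rel)
    return report

def _write(root, rel, content):
    p = _host_path(root, rel)
    os.makedirs(os.path.dirname(p), exist_ok=True)
    with open(p, "wb") as f:
        f.write(content)

def demo():
    """Constructed scenario: baseline a fake root, tamper with it, verify."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/passwd", b"root:x:0:0:root:/root:/bin/bash\n")
        _write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\n")
        _write(root, "usr/bin/sshd", b"\x7fELF fake binary\n")
        baseline_path = os.path.join(root, "baseline.json")
        digest = save_baseline(build_baseline(root, CRITICAL_FILES), baseline_path)

        # Simulated compromise: config edited, binary removed, preload dropped.
        _write(root, "etc/ssh/sshd_config", b"PermitRootLogin yes\n")
        os.remove(_host_path(root, "usr/bin/sshd"))
        _write(root, "etc/ld.so.preload", b"/tmp/.x/libhide.so\n")
        report = verify(root, load_baseline(baseline_path, digest))

        # An attacker who also edits the baseline is caught by the digest check.
        with open(baseline_path, "ab") as f:
            f.write(b"\n")
        try:
            load_baseline(baseline_path, digest)
            report["baseline_tamper_detected"] = False
        except ValueError:
            report["baseline_tamper_detected"] = True
        return report

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints the report for the constructed scenario: `etc/passwd` unchanged, `etc/ssh/sshd_config` modified, `usr/bin/sshd` missing, `etc/ld.so.preload` appeared, and the edited baseline file rejected. In a real deployment the baseline is taken from a clean image (another item on the same checklist) and the hashes of files such as the kernel, the dynamic loader and the audit tooling belong on the list as well.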
Page 22
Preparation
https://www.owasp.org/index.php/OWASP_Incident_Response_Project
Page 23
Preparation
https://www.owasp.org/index.php/OWASP_Open_Cyber_Security_Framework_Project
Page 24
Preparation
https://www.sans.org/reading-room/whitepapers/incident/incident-response-capabilities-2016-2016-incident-response-survey-37047 (SANS 2016 Incident Response Survey)
Page 25
Preparation
http://www.haka-security.org/ (Haka: scripting language for network traffic inspection and filtering)
Page 26
Preparation
http://molo.ch/ (Moloch: large-scale full packet capture and indexing)
Page 27
Preparation
https://github.com/volatilityfoundation/volatility (Volatility: memory forensics framework)
Page 28
Preparation
https://www.cuckoosandbox.org/ (Cuckoo Sandbox: automated malware analysis)
Page 29
Preparation
https://www.alienvault.com/products/ossim (OSSIM: AlienVault's open source SIEM)
Page 30
Preparation
https://github.com/CERTUNLP (tools published by CERT UNLP, Universidad Nacional de La Plata)
Page 31
Prevention
● Risk management
● Hardening
● Network security and monitoring
● Malware prevention
● User training
Page 32
Prevention
http://ossec.github.io/ (OSSEC: host-based IDS with log analysis and file integrity monitoring)
Page 33
Prevention
https://oisf.net/suricata/ (Suricata: network IDS/IPS)
Page 34
Prevention
http://www.openvas.org/ (OpenVAS: vulnerability scanner)
Page 35
Prevention
https://www.owasp.org/index.php/Category:OWASP_ModSecurity_Core_Rule_Set_Project (OWASP ModSecurity Core Rule Set: WAF rules)
Page 36
Detection and Analysis
● Attack Vectors
● Signs of an Incident
● Sources of Precursors and Indicators
● Incident Analysis
● Incident Documentation
● Incident Prioritization
● Incident Notification
Page 37
Containment, Eradication and Recovery
● Choosing a Containment Strategy
● Evidence Gathering and Handling
● Identifying the Attacked Hosts
● Eradication and Recovery
Page 38
F.I.D.O. (Netflix's Fully Integrated Defense Operation: automated incident response orchestration)
https://github.com/Netflix/Fido
Covers: Sources of Precursors and Indicators; Signs of an Incident
Page 39
F.I.D.O. (continued)
Page 40
F.I.D.O. (continued)
Page 41
ELK (Elasticsearch, Logstash, Kibana)
Page 42
osquery (Incident Analysis: SQL queries over endpoint state)
https://osquery.io/
Page 43
(image only)
Page 44
REDLINE (Mandiant's free host triage tool)
Page 45
MIG: Mozilla InvestiGator (distributed endpoint investigation)
Page 46
Linux + OS X
Page 47
VERIS - Vocabulary for Event Recording and Incident Sharing (Incident Documentation)
Page 48
STIX - Structured Threat Information eXpression (Incident Documentation)
Page 49
TAXII (Trusted Automated eXchange of Indicator Information: the transport for STIX)
Page 50
HAIL A TAXII (public TAXII feeds of open threat intelligence)
Page 51
THREATCONNECT (threat intelligence platform)
Page 52
OTX - Open Threat Exchange (AlienVault)
Page 53
In-house solutions
Page 54
MISP (Malware Information Sharing Platform)
Page 55
MISP (continued)
Page 56
MOZDEF (Mozilla Defense Platform)
Page 57
The traditional way of documenting
Page 58
FIR (Fast Incident Response, CERT Société Générale's incident tracker)
Page 59
RTIR (Request Tracker for Incident Response)
Page 60
THREAT NOTE (threat_note: web app for tracking indicators)
Page 61
Post-Incident Activities
● Lessons learned
● Analysis of collected data
● Evidence retention
Page 62
Conclusions
● We have not covered even 30% of the open source tools available for practical incident response; we covered only some of the most relevant ones.
● Tools of this kind can let an incident response team operate easily without a large investment or many resources.
● Building an incident response team's infrastructure from open source tools takes a hacker spirit; it will not be click-and-install, but the result can be a truly customized infrastructure.
Page 63
Thank you very much
Mateo Martínez, CEO KOD LATAM SECURITY, www.kod.uy
Giovanni Cruz Forero, CEO CSIETE, www.csiete.org