FIRST TC Prague 2016

Incident Response

Expanding on CSIRT capability models


About me

Frode Hommedal

Subject Matter Lead at Telenor CERT.
7 years at Norwegian national CERT.
Background from HW/SW dev and QA.

I think a lot about models and "the big picture".

What will I present?

Not The Answer™

But rather the status of my own research and
learning experience on CSIRT capability modelling.

PS: This is basically a highlights tour of a 3h talk.

Why this topic?

Because we are not keeping up

We have actually had to conclude that we are unable to
design, deploy and operate IT infrastructure securely.

What can we do about it?

We can improve our game!

Which is different from trying harder.

But how?

One path to improvement
goes through better modeling
of what a CSIRT is and should be

I hope this presentation will contribute
to our collective effort to improve

Very briefly

on technology and incidents

Technology

Incidents

CSIRT

Two CSIRT loops

That probably anyone can recognize

KEEP CALM

AND WHACK-A-MOLE

So we have at least 8 possible paths to improvement

Upping our game means traversing as many of these
8 paths fast enough to outperform our adversaries

And our job is to outperform our adversaries

A Capability Stack

needed to drive the two loops

The CSIRT

Analysis Pyramid

From incidents to risk management

Purpose

Driving improvements along as
many of the 8 paths as possible.

Tactical analysis is a crucial bridge between your
incidents and many of the 8 improvement paths

WARNING: Brace for impact...

(Complicated figure ahead)

Engaging your adversaries with

The CSIRT OODA loop

Attackers want

access to information and
control over capabilities

We want

to limit the risk exposure and
damage to our organizations
from our adversaries' operations

Attackers

have three main foothold perspectives

We as defenders

have five main footprint perspectives

Getting inside your adversary's OODA loop means performing these steps faster and better than the tactical actions of your adversary during your engagement

Getting there requires an advanced core incident response
team, with the infrastructure and support to match

Do this right, and you may
outperform your adversaries

Do this right, and you will
be able to kick some butt!


Questions?