- Rob Reese - Cyber Incident Response team Manager - MS-ISAC
- SLTT - State, Local, Tribal, and Territorial - K12 schools included
- Provides Free Incident Response Services
- In case of incident, contact for services - 24x7
- They will triage your case and respond within 24 hours or less
- Recommends a central log repository for firewall and server logs.
- Provides Capture tool to run on infected machines that captures intrusion artifacts
- MS-ISAC SOC (Security Operations Center) 1-866-787-4722 or by email - Free access to CERT, Threat Intelligence team, and SOC
Yeah, making sure I know what I'm gonna do. Welcome everybody to the October thirteenth edition of Technology Check. And thanks, everyone, for showing up today. You might notice we got some a lot new faces here So have. agree. Prairies eighta school districts that are joining us, and can. After go through presentation can little bit more formal presentations on it. But welcome all this meeting. stuff it think Lan Allen kind talked about other people, it's just like know, problems have schools going be same statewide. And so since makes very good forum turn around, talk issues it, sake time presenter invited Rob Reese from Center Internet security MS-ISAC. was at MS-ISAC annual meeting couple months ago, Rob call Then he front table, discussion or whatever. talking incident response program which knew of. occurred me Well, if could utilize your program. What would great us schools. in place make their jobs easier hopefully unlikely event upon services with over alright. Hello, everybody. Yeah. my name is Reese I'm. Cyber Response Team manager MS-ISAC. tell everybody, you've laugh out but this. dumbest person team as being manager. manage pretty smart group guys gals responsible helping respond intrusions State, local, tribal, territorial governments around United States. tend busy. K-12 one us. That definitely our radar. say. You experience right basically past, I'd say past year, feel I've seen an uptick K-12 targeting we've had several different ransomware cases come times. really battling. opinion. better than do. battling especially things start where, you're attacker, where get most bang buck is, impact bill even begin year. Right. yeah, thankful Scott invite much want discussion. questions interrupt me. I'm perfectly fine we'll ask. answer Scott's, first question available team. then also MS-ISAC general. provide specifically provides free SLTT community, obviously, part means any time, day night? We receive phone calls SLTT organizations. 
reporting they will initially go, goes intake process SOC. Our operations center point SOC analysts ask tree object, because imagine prioritization levels. depending level prioritization, has either contact within business hour. Typically. depends levels Happy into later. now initial triage additionally there. They collect information actually happened. next reach they'll handling worksheet, worksheet It used whole involved, made effort tone down. Because there's there were hard folks answer. focuses how data be. What? how, controls won't concern data? Federal Government funds set CISA. So? know. Do information, okay shared with? DHS says partners right? option yes no From perspective. look owners authority never passes you. follow restrictions another helping. understand terms conditions, before engaged accept conditions. page pager basically, read long yes. thing happens call, call. The best way explain An ex cop, Sometimes detective coming back asking after patrol went took report not example. me, you, sitting end life. asked already. yes, Yes, did we're trying clearly situation details situation. help approach right, evidence. ways doing Collection. something called KAPE. KAPE. If online, copy Eric Zimmerman, Kroll. customized version KAPE artifacts need order analysis particular send KAPE capture tool execute machine. collects evidence need. may Windows Event logs, firewall logs. things. Other logs that's put together timeline events. identify potential vulnerability exploited, moving forward work process. SLTTs: access CERT services, TJ Who join later hasn't already Threat Intelligence center. Security Operations who manages our, platforms. So, example, Albert Sensors, familiar Albert, those intrusion. Detection systems placed network. Those provided subsidized costs SLTTs. through, member Now, CERT member. That's. Okay, don't require membership assistance. All requires you'd state, tribal organization. 
Certainly fall outside scope For compliance. auditing. shed tier compliance yeah We're see compliant HIPAA, PCI DSS case maybe FERPA type related no, You'd surprised comes when law enforcement like, cause similar role enforcement. oftentimes whether Virginia State Police, FBI. A concerned about. like? collect, Is reported office? No, nothing auditing position. disposition. serve honest, biggest selling points employee Ms big customers we? service oriented. One say, though members adequate resources. underserved you'll hear company talks motto continue preached perspective, able SLTT community position themselves to. resources afford service. Hence free. solidarity. policy violations nobody somebody name, John. Let's let's Carl, Carl his own Facebook marketing during hours. getting involved probably plenty stories violations. percolate ends student man We've interesting cases. students downloaded hacking tools onto issue. Laptop, corn mind operation. time. so, method creative. we, intrusion aspect, been. unauthorized engaged. suspected confirmed yet. enough reason believe based everything been victim take well. force. hopefully, sense. not, certainly anything recent third party providers. girls providers, specific product piece software. Right well upstream. situations provider breached. resulted downstream. Lack Unfortunately, unless can't cooperative agreement Government. cover commercial network forensics. let stop minute I've discussed thus far, hitting interested knowing Not everyone's quiet here. We'll on. bad. yeah. types you? When well, My logging turned idea normal looks cannot 3 am. Every Wednesday, behavior holy crap. Here here's lot. these communication forth working help. Understand. expected activity, unexpected activity narrow down separate band? important, having centralized logging, thing. saying logging. general thing, gotta analyze, Right? give feedback. depth specifically? important log Assuming one. mean assuming majority people Windows systems. 
true, Mac system speak up. Windows, logs, huge helps develop period How Should keep people? vary generally light purposes. 30 days worth Frame maintaining Firewall Sysmon helpful. automatically collected KAPE capture tool. once even, deploy KAPE, remotely, literally, executable. pull executable infecting machines. multiple to, create capture. Of artifacts, analysis. share file link secure filing upload link. folder guys, whoever whatever agency is. begin. ingest utilize. ingestion data, AXIOM Cyber, captures parse elements deem notable indicators IOCs areas attack. try move circular starts preparation encounter identification phase they're Oh, problem containment, eradication, recovery. As recovery area become consultation rebuild server. hardware right. hey? Look thing's lost seeing prepared rebuild, that. often, occasion. them mind. Exchange vulnerabilities sometimes, server recommend presence such eradication necessarily 100% accomplished comfortable with. so. drive lessons. Learn state. recommendations question. This ridiculous ransomware? crawl executable? does machine ransomware ransomware very, difficult. It's difficult ransomware. honest wanna throw first. Ransom prepare hurricane by hit hurricane? There's certain routine backups maintained offline. outsource okay, That's vendor using abiding SLA place. world difference between entity doesn't 6 months. key component immutable backups. searching backup determine sit decide break point. him glad brought actual ransomware, why that? Rob's personal opinion savvy rent known week, pay 1 million dollars cryptocurrency, pack sand backed week ago. determined acceptable risk loss incur week. Losing dollars. network? far collecting post Cause second now, Now leak site money until they've want, then, backups, mean, maintain basis. linked time? offline, executes what's volume shadow copies. eliminate recover question? elaborate that, guess. Also I'd curious. sometimes worry okay. solid sudden 45 days. 
out. restore backup, still ensure it? retain form of, vary, storage hold address thinking land, MS-ISAC available, er. Mammy Gdr Technically, servers, would. wrong technically prevent stored equipment, correctly sent it's, software service, SOC monitoring 24/7 unusual, heard Jamie Ward 5 min somebody's threat hunting turning checking have, EDR program, least critical infrastructure personally believe, managed, watching email notification thank Scott. appreciate the, case. scenarios grant pick behavioral analytics alerted someone prior executed. Scott's allows collection stomper. To like. Know Just imagine, them. them? sorry. name? Landon: Okay. Landon. last Landing land alright back, honestly nobody's ever before. Scott, Is. at. consider mission VMs servers identified John day. $8 cents per month Iowa OCIO ed devices be, server, Linux support infrastructure, affected infected superintendent machines, principles credit, likely impacted devices. terribly worried ability Restore machine, recovered pieces Iowa does. OCIO office offering works $90 You're purchase CISA $60 year instead. save 30% running. running servers. staff highly recommended think, cheap insurance against actually, TJ. jumped pun him. See thinks TJ: Can me? Hey! us? There afraid spot, I'll Curious Landon allow executed Backup. Landon fair question, raise fair. Usually guess satisfactory. typically, advise band, constantly connected Once taken hold. major across image band were, connect store system, essentially connecting environment. typically advise. Try wipe first, reimage sense, answers Looking check taking actors needed restored, see. shift C2 communications encryption ransom. Where native without 2. tough actor while taken, assumingly Re. Over, wrote previously. backing currently has. restoring access, predicament Honestly, Why emphasize thoroughly investigate full intrusion, Containment run found everything. 
didn't rid gone persistence, current persistence presumably exact locations live derive response. environment, remediate much, complicated. only sense point, bad opportunity, determine, using, executable, remove executes. Again, essentially, semi fair? variance hands, network, gained foothold, coverage, maximum saturation including encrypt instance already, haven't deployed ransomware, present theory, respiration connectivity regain today ransomware. action actors, remote insider 4 aware presently trigger system. Usually, see, direct employment deployment threat. takes place, realize connected, grab Rob, jumping answering There. said excellent Wanna IOCs. exist backup. perfect Thank Yep. either. started, connected. started offline assume wasn't beginning too, variant encrypting assets. assume. compromised access. should conceivably, encrypted. hook First clean slate cut off redeploy identified, in, close contain reconnect afterwards. 10 there? else cover? really, wanted offer? Kind incident. open questions. source I'm, thread links Delete footprints could. central log, Centralized back. Let top head anything? environment use ELK stack Iowa. My, handful audience Probably side. speculating. looking for, locally? Or logs? Rob noted storing location district. topic happy Bill o research Either again. having. work. beneficial low budget budget, do, greatly help, awesome. Any questions? Alrighty sounds closing thoughts circle email. I'll sync Aaron thoughts, options options. There, ones cross membership. exactly sure. What's common space Absolutely thought TJ's team, passionate t space. number reasons. job. times involves always done. please I'll. add notes, send. that'll website great, Alright. Rob. Take care. Thanks. Guess short dropping lantern John, introduce Alright, babbling bit. normally walk schools, Diane, leave earlier, wants anyone Windows? MDM: software? using? managing Lynn Woobles. clarification course. Question, district yesterday. wave installed. 
dozen machines administration. left under impression away wondering alternatives deploying applications various File am she's she tech director runs Intune quite wave, thanks everyone joining. meet regularly every Thursday PM. Typically Meetings October. November. hosting parts mother grape great. thanks. Everybody rest video Friday. Poe Org website. review notes along