Responding to APT: Unpwning the Pwned
Chad Olivier is scheduled to speak at this year’s BSidesNOLA Security Conference, being held on May 17, 2014. During the talk, he will discuss responding to an APT during an incident response. Areas of interest will include the initial response, penetration testing to find weaknesses, investigating traffic and suspicious files, closing the gaps, and hardening the network. For more information, check out the BSidesNOLA 2014 schedule.
Abstract: In 2012, one of the largest data breaches took place. This talk covers the entire process of incident response to the APT, from day one on site, through mitigation, and finally remediation. The attackers were inside the network of a major credit card processor for months without its knowledge, using interesting techniques for data exfiltration, including IPv6 tunneling and DNS lookups and responses used both for data exfiltration and for command and control. The attackers modified several known exploit and payload packages to accomplish their task, including tools such as Stacheldraht and Stuxnet. The talk will begin with the first day of our arrival on site, where we found little to no security in place, and will cover tracking down the entry points, running forensics on database systems and the discovered malware, setting up security tools, assisting in redesigning the security department, placing a SOC in the organization, and hardening the entire network.