The Cyber Ireland Threat Intel Group aims to build the expertise within the Cyber Ireland community to develop Threat Intelligence capabilities through the sharing of knowledge and experiences at a strategic level.
This session starts a new phase, the Implementation Phase.
This concludes the Introduction Phase:
1st Session: Threat Intel and Mitre Att&ck 101
2nd Session: Developing your TI Strategy
3rd Session: Law Enforcement
4th Session: Threat intelligence platforms and consumption 101
Active Defence with Effective Incident Response
On the 30th March we were joined by Michael Walsh, Senior IT Security Engineer at Qualcomm, to talk to us about “Active Defence with Effective Incident Response”:
CSIRT (Computer Security Incident Response Team): Process and Procedures
- Why Critical Thinking?
– Issues & Goals: There are often dead ends with no exit in sight. This can be prevented with the development of critical thinking. The skills that contribute to critical thinking include decision making, reasoning, evaluating, problem solving and analyzing.
– Analysis of Competing Hypotheses (ACH): ACH is a process that includes Hypothesis, Evidence, Diagnosis, Refinement, Inconsistency, Sensitivity, Conclusions and Identify Indicators.
“The hypothesis with the fewest number of assumptions is generally correct”
- Incident Response Processes
– NIST IR Methodology / SANS IR Methodology
- Incident Response Roles
– Incident Commander: the designated leader
– Incident Communicator
– Incident Scribe
– Response Team Members
– Incident Response Sections – e.g. forensic analysis where the IR team has the ability to pull required forensic images for the investigation of a host.
- Testing, Testing and more Testing
A CSIRT should conduct testing at least three times a year. This is vital for the incident response process. There are three principal methods:
– Tabletop Exercise
– Red Teaming
– External Penetration Test
- Lessons Learned and Action Items
– Follow through on lessons learned from each incident to improve future response
– Formal procedures for non-major incidents
– Fail to prepare, prepare to fail…
About the Speaker:
Michael Walsh, Senior IT Security Engineer at Qualcomm, is an active blue team member and heavily involved in Incident Response, Threat Intelligence and Investigation work. He is also involved in local security meet-ups such as OWASP and Cork|Sec.