Advanced Incident Remediation Techniques
Offered By: 44CON Information Security Conference via YouTube
Course Description
Overview
Explore advanced incident remediation techniques for large network breaches in this 46-minute conference talk presented by Steve Armstrong at the 44CON Information Security Conference. Learn about alternatives to the traditional one-at-a-time removal of infected hosts, including "mass remediation" and "outrunning the attacker." Discover the conditions these approaches require, such as team composition, target profile, network structure, and attacker behavior. Gain insights into how the techniques scale, what resources they need, and how an attacker may respond. Benefit from real-world experience and lessons learned from both successful and unsuccessful implementations. Delve into topics like the UFP problem, wiping infected systems, active attacker profiles, typical incident timelines, and emerging trends in incident management. Explore strategies for protecting intelligence, deploying agents, and distinguishing between penetration testing and red team activities. Examine scenarios involving sector-synchronized isolation, mass simultaneous system remediation, and hostile asset recovery. Understand the importance of full visibility, decisive action, and strategic management of intelligence in effective incident response.
Syllabus
Intro
Bad hosts
The UFP
Problem with the UFP
The circle despair
Why is wiping the box
What is happening
Who is the attacker
Active attacker
What we typically get
Typical timeline
EM Trends
What can you do
Missed opportunities
Look after your Intel
Protect your information
Telegraph your activities
ENOS
Day slots
Deploying agents
Pentest vs Redteam
They know how to
How we can detect them
OPSEC fails
Sector synchronized isolation
Scenario
How long does it take
They're the after bad guy
We've got some great people
Whack-a-Mole
Mass simultaneous system remediation
Full visibility
Balls of steel
Rebuild
Sector synchronized
Hostile asset recovery
Play a game
Burn Intel
DEFCON Group
Taught by
44CON Information Security Conference
Related Courses
Supply Chain Unchained - How To Be A Bad SaaS
44CON Information Security Conference via YouTube
Aviation Security 101
44CON Information Security Conference via YouTube
The Anti-Checklist Manifesto
44CON Information Security Conference via YouTube
Why Are We Still Doing Authentication Wrong?
44CON Information Security Conference via YouTube
What Do Hackers See When They Look at the Clouds
44CON Information Security Conference via YouTube