- Steve Shirley from the DoD Cyber Crime Center (DC3) said "Security dollars are not fun dollars." In other words, what CIO/CTO wants to spend money on security when he/she could buy iPhones?
- Rob Lee noted than an Incident Response Team (IRT) needs the independence to take actions during an emergency. I've called this authority the ability to declare a "Network State of Emergency" (NSOE). When certain preconditions are met, the IRT can ask a business owner to declare a NSOE, just like a state governor can declare a state of emergency during a forest fire or other natural disaster. The IRT can then exercise predefined powers (like host containment, memory acquisition, live response, etc.), acting under the business owner's authority without coordinating in the moment with IT or other parties. Rob also mentioned that SleuthKit 3 would arrive soon; it was released yesterday. Rob shared the idea that sharing IR information resembles the full disclosure debate.
- Mike Poor from the newly renamed InGuardians provided the following advice when asked "what logs should we collect?" He responded: "Collect the logs to tell the story you want to tell." I thought this was a great response. Some enterprises don't want to tell a story. Some only know the middle, by virtue of being in the midst of an intrusion. Those who collect data that validates a successful resolution of an intrusion can tell the end of the story. Those with mature visibility and detection initiatives can tell the beginning of the story as well. Furthermore, during lunch Mike suggested I read Ed Skoudis' WMIC articles to understand Windows Management Instrumentation Commands.
- Aaron Walters from Volatile Systems and Matt Shannon from F-Response announced that F-Response 2.0.3 can remotely acquire memory on target systems. Aaron mentioned that intruders have dynamically injected malicious code into processes, like Web servers, to offer one-time-use URLs that don't exist on disk. Aaron also noted cases where a system reports it is patched, but because of a driver conflict the system is really running vulnerable software. Aaron provided a short demo of Voltage, a commercial enterprise product for investigations. Aaron used the MIT Simile Timeline application to outline time series data visually.
- Harlan Carvey cited Nick Petroni while defending the collection of memory on targets: "collecting memory now lets us answer new questions later." He said he sometimes arrives at a client site where all victim systems have been reinstalled and no logs are kept, yet the customer wants to know what happened.
- Ovie Carroll, now Director of the Cybercrime Lab at U.S. Department of Justice Computer Crime and Intellectual Property Section, said he has been briefing judges on the need to collect volatile data during investigations. He said DoJ has to be ready to answer a defense attorney who says "by pulling the plug on my client's computer, you destroyed exculpatory evidence!" Ovie emphasized the importance of developing an investigative mindset in analysts, not simply concentrating on "data extraction." After his presentations we discussed how future investigations may have very little to do with individual PCs, since most of the interesting evidence might reside on provider applications and networks.
- Mike Cloppert ruffled a few feathers (justifiably so) by stating "the advanced persistent threat has rendered the classical IR model obsolete." In other words, persistent threats make it difficult to start over when there is no end. Mike emphasized the need for "indicator management" and that "intelligence drives response." I agree; without having investigative leads, identifying intruders can be very difficult.
- Eoghan Casey and Chris Daywalt warned of early containment and remediation during an incident. Do we want to disrupt an intruder or eject him?
I believe my keynote on day 2 went well. Rob stated he plans to hold a second conference in July near Washington, DC next year, so I look forward to attending it.