Black Hat Europe 2019 – London, UK
December 2 @ 8:00 am - December 5 @ 5:00 pm
Mega-breach or minor incident? The difference is in the speed of detection, effectiveness of containment, and accuracy of scoping. IT and security professionals are on the front lines.
In this technical, hands-on class, we’ll dig into different types of breach scenarios, including cloud account breaches (using Office365 as an example), internal compromise, lost/stolen device, and ransomware. Learn strategies for detection and evidence preservation, and techniques for quickly scoping/containing a breach. Each module includes a hands-on lab where you analyze and scope the breach.
We will begin by examining a transit system breach which lurked undetected for years, illustrating how a minor mistake, left unchecked, can spiral out of control. Next, we’ll dig into data breach detection and reporting statistics, and examine factors which make certain types of breaches easier to detect than others.
Cloud account breaches became an epidemic in 2017, often motivated by attackers hungry for financial data. We’ll investigate an Office365 data breach, including cloud evidence preservation, containment and scoping strategies.
From there, we will dissect two types of internal compromises: phishing and perimeter breaches. In each case, we will conduct a full review of the internal environment, identify types of evidence for preservation, containment strategies, and methods for tracking the compromise through your internal environment. Along the way, we’ll show common “gotchas” that can dramatically affect data breach investigations, such as the use of public malware analysis services that can reveal internal information about your infrastructure.
Lost/stolen device incidents are all-too-common triggers for data breach crises. If you detect and respond quickly, however, even seemingly clear-cut cases like these can be minimized. We’ll review common questions that come up in lost/stolen device cases, and show you strategies that can help you narrow down the scope.
Finally, ransomware is on the rise. We will study a Cryptolocker ransomware case, which led to a data breach, and identify early actions that could have avoided a breach or minimized the notification. We will compare and contrast the two types of ransomware cases (confidentiality vs. availability). Early on in ransomware cases, operational issues often trump evidence preservation, which can lead to far bigger data breach problems down the road. Learn strategies for preserving evidence early on in ransomware cases, in order to minimize the potential impact down the road.
Payment card data, HIPAA/HITECH information, and personally identifiable information (PII) are three core types of data that can trigger a breach. We will study each of these classes of information, and discuss how technical analysts can help gather evidence and respond most effectively in each case.
The capstone of the class is an interactive tabletop exercise. Imagine that your organization is infected with the Maktub ransomware—and then the media starts calling because data has been leaked on Pastebin. We’ll assign roles and walk through a multicomponent incident, with curve balls along the way.
Every day, another data breach hits the news. Early detection and effective technical response are critical. This intensive, engaging class will give you plenty of “war stories” to share, and hands-on experience in data breach scoping and response.
- Recognizing the signs of a potential data breach.
- Responding to a potential data breach.
- Practical investigation techniques to scope and understand the potential breach.
WHO SHOULD TAKE THIS COURSE
- Network and Computer Forensic Professionals who want to solidify and expand their understanding of network forensic and incident response related topics.
- Incident Response Team Members who are responding to complex security incidents/intrusions.
- Law enforcement officers, federal agents, or detectives who may be involved in data breach investigations, or who wish to expand their investigative skill set.
- Networking professionals who would like to branch out into data breach management/network forensics in order to understand information security implications and work on investigations.
- Anyone with a firm technical background who might be asked to investigate a data breach incident.
WHAT STUDENTS SHOULD BRING
WHAT STUDENTS WILL BE PROVIDED WITH
- Lab workbook
- USBs containing lab exercises
Matt Durrin is a Security Consultant with LMG Security and specializes in Digital Forensics, Programming, Development, and Cybersecurity R&D. Matt holds a Bachelor’s Degree in Computer Science from the University of Montana and has worked in the tech sector for over 10 years with experience as a field technician, system administrator, software developer, and more. He recently completed an IoT proof of concept demonstrating that security cameras were vulnerable to cryptojacking attacks and was a co-instructor for LMG’s Data Breaches class at the Black Hat conference in Las Vegas in 2018. Matt has been a featured speaker at RSA and CTIN.
Sherri Davidoff is a noted cybersecurity expert, author, speaker and CEO of both LMG Security and BrightWise, Inc. As a recognized expert in digital forensics and cybersecurity, Sherri has authored courses and conducted training at Black Hat and the SANS Institute. She has consulted for and/or provided cybersecurity training at many notable organizations, including the Department of Defense, the American Bar Association, FFIEC/FDIC, and many more. Sherri is a faculty member at the Pacific Coast Banking School, where she teaches cybersecurity classes. She is a frequent contributor of education articles and webinars, and occasionally serves as a cybersecurity expert on television. Sherri is a GIAC-certified forensic examiner (GCFA) and penetration tester (GPEN), and holds her degree in Computer Science and Electrical Engineering from MIT.