HUNT AND INCIDENT RESPONSE TEAM (HIRT)
National Cybersecurity & Communications Integration Center (NCCIC)
Benjamin Loader
Deputy Chief, Incident Management Group
NCCIC Hunt and Incident Response Team (HIRT)
UNCLASSIFIED
WHO AM I?
• Benjamin Loader
• Deputy Chief, Incident Management Group
• NCCIC Hunt and Incident Response Team (HIRT)
• More than 11 years of operational and strategic experience
• Intelligence and Cyber Analyst
• Army Veteran
• Teacher and mentor
• Boater and diver
WHY AM I HERE?
• To talk about who we (HIRT) are
• Dive into a discussion about incident response
Agenda
HIRT Overview
HIRT Service Offerings
Proactive Hunt vs. Incident Response
Incident Response Lifecycle
Prioritizing Incidents
Engagement Types
Engagement Workflow
How to Contact HIRT
Hunt & Incident Response Team (HIRT)
The National Cybersecurity Communications and Integration Center (NCCIC) Hunt and Incident Response Team (HIRT) provides expert intrusion analysis and mitigation guidance to clients who lack the in-house capability or require additional assistance with responding to a cyber incident.
HIRT’s clients include:
• Federal departments and agencies
• State, Local, Tribal and Territorial (SLTT) governments
• Private Sector (Industry & Critical Infrastructure)
• Academia
• International Organizations

Uniquely positioned to provide comprehensive analysis:
• Classified and unclassified tactics, techniques and procedures (TTPs)
• Public and private sector partners
• Established relationships with Law Enforcement, the Intelligence Community and International Partners
HIRT Service Offerings
• Incident Triage
• Network Topology Review
• Infrastructure Configuration Review
• Log Analysis
• Incident Specific Risk Overview
• Hunt Analysis
• Mitigation
• Malware Analysis
• Digital Media Analysis
• Control System Incident Analysis
Proactive Hunt
• A search for malicious activity through the examination of a network environment for exploitation tools, tactics, procedures, and associated artifacts
• An asset owner-driven request
• Uses a risk review to scope the breadth of the Proactive Hunt
• If malicious activity is observed during a hunt, move to Incident Response

Incident Response
• HIRT takes action to respond to a reported incident and to address the increased risks generated by the incident
• Asset owners and trusted third parties report information to NCCIC. Trusted reporters include the FBI, Information Sharing and Analysis Centers (ISACs), and other government agencies
• Uses a risk review to scope the breadth of the Incident Response
HIRT Incident Response Lifecycle
NCCIC Cyber Incident Scoring System (NCISS)
Based on NIST 800-61 Revision 2:
• Functional Impact
• Information Impact
• Recoverability
NCISS adds:
• Actor Characterization
• Observed Activity
• Location of Observed Activity
• Cross Sector Dependency
• Potential Impact
Uses a weighted average (math) of the above criteria for a repeatable process
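The slide says only that NCISS turns these criteria into a weighted average so that prioritization is repeatable. The script below is an added illustration of that idea, not NCCIC's published scoring: the criterion names are the ones on the slide, but the percentage weights, the five ordinal levels, the priority bands and the two sample incidents are constructed placeholders chosen here. What it adds to the slide is the mechanics that make the process repeatable in practice: every criterion must be supplied, every level must come from a fixed vocabulary, and the arithmetic is done in integers so two analysts scoring the same facts get the same number.

```python
"""Weighted-average incident priority score in the spirit of the NCISS slide.

Added example. Criterion names follow the slide; weights, levels, bands and
sample incidents are constructed placeholders, not NCCIC's published values.
"""

# Constructed weights in percent (assumption). Integers keep the arithmetic exact.
WEIGHTS = {
    "functional_impact": 20,
    "information_impact": 20,
    "recoverability": 10,
    "actor_characterization": 10,
    "observed_activity": 15,
    "location_of_observed_activity": 10,
    "cross_sector_dependency": 5,
    "potential_impact": 10,
}
assert sum(WEIGHTS.values()) == 100

# Constructed ordinal scale, lowest severity first; the index is the level's value.
LEVELS = ("none", "low", "medium", "high", "critical")

# Constructed priority bands over the normalised 0-100 score: (lower bound, label).
PRIORITY_BANDS = ((0, "Baseline"), (25, "Low"), (50, "Medium"), (75, "High"), (90, "Emergency"))


def score_incident(observations):
    """Return a 0-100 weighted score for one incident.

    `observations` maps every criterion in WEIGHTS to one of LEVELS. Missing or
    unknown criteria and unknown levels are rejected rather than defaulted, so a
    half-filled assessment can never silently produce a low score.
    """
    missing = set(WEIGHTS) - set(observations)
    unknown = set(observations) - set(WEIGHTS)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    weighted = 0
    for criterion, weight in WEIGHTS.items():
        level = observations[criterion]
        if level not in LEVELS:
            raise ValueError(f"{criterion}: unknown level {level!r}")
        weighted += weight * LEVELS.index(level)
    max_weighted = sum(WEIGHTS.values()) * (len(LEVELS) - 1)
    return 100.0 * weighted / max_weighted


def priority(score):
    """Map a 0-100 score onto the highest band whose lower bound it reaches."""
    label = PRIORITY_BANDS[0][1]
    for lower_bound, name in PRIORITY_BANDS:
        if score >= lower_bound:
            label = name
    return label


def rank_incidents(incidents):
    """Return (name, score, priority) tuples, highest score first."""
    ranked = []
    for name, observations in incidents.items():
        score = score_incident(observations)
        ranked.append((name, score, priority(score)))
    return sorted(ranked, key=lambda row: row[1], reverse=True)


# Constructed sample incidents (not real cases).
SAMPLE_INCIDENTS = {
    "ransomware-on-hospital-file-servers": {
        "functional_impact": "high",
        "information_impact": "medium",
        "recoverability": "high",
        "actor_characterization": "medium",
        "observed_activity": "high",
        "location_of_observed_activity": "high",
        "cross_sector_dependency": "high",
        "potential_impact": "critical",
    },
    "phishing-single-user-no-click": {criterion: "low" for criterion in WEIGHTS},
}

if __name__ == "__main__":
    for name, score, label in rank_incidents(SAMPLE_INCIDENTS):
        print(f"{score:5.1f}  {label:9}  {name}")
```

Because the scale and the weights are both fixed data rather than analyst judgement at scoring time, changing the organisation's view of, say, cross-sector dependency means editing one number and re-running the queue, which is what makes the ranking auditable after the fact.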
Engagement Types
• Remote Assistance: providing assistance without being physically onsite
• Advisory Deployment: advising on mitigation onsite, but technical analysis capabilities are not deployed
• Remote Deployment: deploying equipment and conducting the analysis remotely
• Onsite Deployment: deploying equipment and personnel onsite to conduct technical analysis
Incident Response Workflow
Onsite Deployment Team Composition
Engagement Timeline
How to Contact NCCIC for Hunt and Incident Response Services
OPERATIONS
Email: [email protected]
Phone: 888-282-0870