Monday, June 4, 2012

nullcon Goa 2012: An effective Incident Response Triage framework in the age of APT - By Albert Hui

The talk begins by introducing the dilemmas facing modern-day organizations, covering:

1. the scalability challenge (the intrinsic imbalance between attackers and defenders: it costs almost nothing to generate large numbers of obfuscated or even manually modified malware payloads, but exponentially more to scale up the defense against them),

2. traditional IR / forensics capabilities that are not built for scale (e.g. it takes half a day just to image hard drives and a further day to produce a forensic report), and

3. the fatal weakness in the common HR model: e.g. incompetent first-tier IR / forensic staff who neglect to collect vital evidence in time or fail to notice serious exploitation ("just another fake AV, let's get the box rebuilt"). All too often, misguided management decisions drive CSIRTs to self-destruction: management is frustrated at not achieving results commensurate with the resources thrown at the problem, and analysts burn out fighting an unwinnable war.

Al then takes a step back and reframes the situation as an economic problem. I agree with him on this. With the use of strategic models we can identify the places where mitigations can start winning. He presents his vision of an effective CSIRT, all the way from strategic direction, organization structure and the right level of empowerment to the right metrics and mitigation principles.

Interesting presentation.