Blackhat talk: Rapid Enterprise Triaging by Aaron Le Master & Michael Murphy
Talk focused on a methodology for restoration after a massive compromise while keeping the users on the network and somewhat productive.
Four phases of RETRI:
- Preparation
- Assessment
- Segmentation and restoration
- Investigate and recovery
Phase 1: Make sure you are ready for anything. This includes having proper backups, knowing how your network works, and having a terminal server in place.
Phase 2: Assess the damage. Disconnect the infected network from the internet.
Phase 3: Segmentation and restoration
- Create two isolated networks (QNet – dirty and CleanNet – clean) with the same IP address schema and separate the two networks with something like MPLS.
- Turn all computers on the QNet into dumb terminals and only allow them to reach the CleanNet terminal server over port 443, with two-factor authentication and encryption.
- Provide basic services on the terminal servers.
- Then start moving functionality over.
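One way to turn the segmentation rules above into a check, as an added example that is not from the talk or from the CodeWord tool: a small Python audit of flow records against the QNet/CleanNet policy (dirty hosts may only reach the terminal server on TCP/443, and the clean side never initiates connections into QNet). The terminal-server address, the network tags and the sample flow lines are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed CleanNet terminal-server address (constructed; QNet and CleanNet share one schema).
TERMINAL_SERVER = ipaddress.ip_address("10.0.0.10")

@dataclass(frozen=True)
class Flow:
    src_net: str   # "QNet" or "CleanNet": the isolated network the source sits on
    src: str
    dst_net: str   # "QNet", "CleanNet" or "Internet"
    dst: str
    proto: str
    dport: int

def allowed(flow: Flow) -> bool:
    """True if the flow complies with the RETRI segmentation policy."""
    if flow.src_net == "QNet":
        # Dirty hosts are dumb terminals: only TCP/443 to the CleanNet terminal server.
        return (flow.dst_net == "CleanNet"
                and ipaddress.ip_address(flow.dst) == TERMINAL_SERVER
                and flow.proto == "tcp" and flow.dport == 443)
    if flow.src_net == "CleanNet":
        # The clean side must never open connections back into the dirty network.
        return flow.dst_net != "QNet"
    return False  # unknown source network: fail closed

def parse_flow(line: str) -> Flow:
    """Parse a constructed record: '<src_net> <src> -> <dst_net> <dst> <proto>/<dport>'."""
    src_net, src, _, dst_net, dst, svc = line.split()
    proto, dport = svc.split("/")
    return Flow(src_net, src, dst_net, dst, proto.lower(), int(dport))

def find_violations(lines):
    """Return the parsed flows that break the policy, in input order."""
    return [f for f in map(parse_flow, lines) if not allowed(f)]

# Constructed sample flow records for the walkthrough.
SAMPLE_FLOWS = [
    "QNet 10.0.5.20 -> CleanNet 10.0.0.10 tcp/443",      # terminal session: allowed
    "QNet 10.0.5.20 -> CleanNet 10.0.0.10 tcp/3389",     # direct RDP, not 443: violation
    "QNet 10.0.5.21 -> Internet 203.0.113.7 tcp/80",     # dirty host reaching out: violation
    "QNet 10.0.5.22 -> CleanNet 10.0.0.25 tcp/445",      # SMB to a clean file server: violation
    "CleanNet 10.0.0.10 -> CleanNet 10.0.0.25 tcp/445",  # clean to clean: allowed
    "CleanNet 10.0.0.10 -> QNet 10.0.5.20 tcp/445",      # clean initiating into QNet: violation
]
if __name__ == "__main__":
    for v in find_violations(SAMPLE_FLOWS):
        print(f"VIOLATION {v.src_net} {v.src} -> {v.dst_net} {v.dst} {v.proto}/{v.dport}")
```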
Phase 4: Use tools to figure out what happened.
CodeWord is a tool they developed to assist with this; it has not been released yet, but is planned to be released as open source later. It has quite a few nice features.
Interesting fact: User downtime costs 3 times as much as the actual cleanup.