PANEL TOPIC: INCIDENT RESPONSE PROVIDERS: CASEWORK TRENDS presented at FIRST 2017

by Robert Floodeen, Brian Klenke, Eric Szatmary

Summary: Brian Klenke is the Vice President of Services for Morphick. In this role, he leads a team of experienced incident responders, threat analysts, and threat intelligence experts who help organizations identify and respond to targeted cyber intrusions. Brian brings 17 years of information security experience to this position. Before joining Morphick, he was a Senior Cyber Intelligence Analyst for the Lockheed Martin CIRT. He was also instrumental in building the counter-APT program for General Electric's Aviation, Energy, and Transportation businesses. He has been a leading contributor to the counter-APT community within the Defense Industrial Base, organizing and leading cyber intelligence sharing events between the major defense contractors and the US intelligence community, including the DoD, FBI, USAF, and NCIS. Brian has presented on counter-APT techniques and initiatives to the CIO of the Pentagon, the Department of Defense Cyber Crime Center (DC3), and defense industry groups. Additionally, he has participated in meetings with senior cyber policy makers at the White House and Department of State.
Eric Szatmary is the Future Operations Lead for SecureWorks IR services. In this role, Eric Szatmary leads the functional area focused on continuous improvement for current and emergent global IR service delivery capabilities. Previous roles at SecureWorks included serving as a Senior Security Consultant providing IR services, onsite assessment services, and security monitoring deployment services. Prior to joining SecureWorks in 2010, Eric Szatmary held various IT and security consulting, leadership, and technical staff positions over a 13-year time period in the private sector for consulting, financial services, healthcare, and manufacturing organizations.
Robert Floodeen's bio coming soon.
Cyber incident response providers handle a large number of incident response cases each year spanning numerous verticals. This level of exposure offers each provider unique perspectives on what is and is not working in cyber incident response practices for numerous environments. While a subset of details on these cases is published in threat advisories and individual provider casework reports, few outlets exist where accredited commercial incident response providers publicly share observations from their collective casework. As a result, commercial incident response casework reports commonly suffer from various biases that leave the greater incident response community with an incomplete perspective on trends.
The panelists would like to provide an overview of collective findings and indicators of trends observed over the previous calendar year.
While the time slot precludes the session from being an overly technical presentation, there will be technical aspects of compromise scenarios, threat actor patterns, and sanitized victim details shared during the presentation.
This panel can be viewed as a first step in establishing a focus area for FIRST to help bring together accredited commercial incident response service providers to regularly share casework perspectives and eventually casework datasets in a common format for the benefit of the FIRST community.
In accordance with FIRST policy, the panel organizers will ensure this session is not a marketing presentation.