Technical Tuesday – 24 May 2011 – APT Intrusion Remediation: The Top Do’s and Don’ts by Rob Lee of MANDIANT and The SANS Institute
During incident response, Advanced Persistent Threat (APT) remediation is challenging because, from the first day the attacker selected your network as a target, they have operated knowing that they will someday be caught. Because of that, they attempt to cover their tracks and make it as difficult as possible for you to find them and extricate them from your network. To complicate this challenge, they will be anticipating your response activities, and some attackers may even be monitoring those activities. Due to these factors, traditional approaches such as wiping and removing systems immediately as they are identified and blocking IP addresses will not work as a long-term solution. This discussion covers the top do’s and don’ts of APT intrusion remediation to help you and your organization avoid the common pitfalls encountered when dealing with this adversary.
Presented by: Rob Lee of MANDIANT and The SANS Institute
Rob Lee is a Director for MANDIANT, a leading provider of information security consulting services and software to Fortune 500 organizations and the U.S. government. Rob is also the curriculum lead for digital forensic training at the SANS Institute. Rob has more than 15 years’ experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response.
Rob graduated from the U.S. Air Force Academy and served in the U.S. Air Force as a founding member of the 609th Information Warfare Squadron, the first U.S. military operational unit focused on information operations. Later, he was a member of the Air Force Office of Special Investigations, where he conducted computer crime investigations, incident response, and computer forensics. Prior to joining MANDIANT, he worked directly with a variety of government agencies in the law enforcement, U.S. Department of Defense, and intelligence communities as the technical lead for a vulnerability discovery and exploit development team, lead for a cyber forensics branch, and lead for a computer forensic and security software development team.
Rob co-authored the bestselling book Know Your Enemy, 2nd Edition. Rob earned his MBA from Georgetown University in Washington DC. He was awarded Digital Forensic Examiner of the Year at the Forensic 4Cast Awards. Rob is also an ardent blogger about computer forensics and incident response topics at the SANS Computer Forensic Blog, and he is co-author of the MANDIANT threat intelligence report M-Trends: The Advanced Persistent Threat.