Passive detection doesn’t work: lessons from a hunter of elusive nation-states

BSidesROC 2016

Presented by: Devon Kerr
Date: Saturday April 23, 2016
Time: 16:00 - 16:50
Location: Track 1

The objective of this presentation is to outline why reactive detection frameworks are inherently flawed and propose an alternative – a methodology which includes collection and analysis of artifacts on a routine schedule; this approach ensures greater institutional knowledge while also increasing analyst expertise. Simply put: you cannot find what you do not look for.

Devon Kerr

Devon Kerr is a Principal Consultant in Mandiant’s Alexandria office. Mr. Kerr has led and participated in threat assessments, incident response engagements, forensic analysis, and proactive assessments. Mr. Kerr routinely teaches enterprise incident response for Mandiant and FireEye customers as well as at Black Hat. Mr. Kerr has worked with clients in financial services, defense, manufacturing, aerospace, telecommunications, media, healthcare and infrastructure. Many of those clients rank in the Fortune 50 or Fortune 100. Technical publications include the topics of Windows Management Instrumentation (WMI), Windows Scripting Host (WSH), Incident Response methodologies, proactive threat detection, ColdFusion exploits, security issues facing government contractors, UNIX-based investigative techniques, and investigative case studies. Mr. Kerr has spoken at CanSecWest, SANS DFIR USA, the inaugural DoD Incident Response Forum, FS-ISAC Summit, and delivered the keynote at SANS DFIR Prague. In March 2016, Mr. Kerr will be speaking at Norway’s CERT summit in Oslo. Prior to joining Mandiant in 2011, Mr. Kerr spent more than a decade in Network Operations and ISP infrastructure.


KhanFu - Mobile schedules for INFOSEC conferences.