Speaking of which, there were a number of exceptional presentations throughout the two days. Rob talked about using TSK's fls and ils to generate file system timelines, which led me to think that it wouldn't be too great a stretch to add the same sort of capability to RegRipper, and have the Registry data included in the timeline information. The guys from Verizon gave a great presentation on their incident statistics, and the Mandiant presentation illustrated some interesting artifacts from a real-world examination.
One prevalent theme throughout the summit was that there were a lot of folks "calling the baby ugly". As humorous as that may sound, that was the euphemism for being up-front and letting folks know, yes, we have a problem. At least one of the issues identified that both Richard Bejtlich and I (and others) seemed to agree on was that the need to protect data is no longer the driver for incident response...if it ever truly was. Currently, legislation (state notification laws) and regulatory oversight (PCI, HIPAA, etc.) are the drivers for incident response.
Also, a common thread from the consultants to the admins in the audience seemed to be, help us help you. At one point during a panel, Rob Lee asked something along the lines of, how soon should someone who's been breached call for help, and my response was "before it happens." Seriously. Get someone on-site before you
All in all, it was a great event, very beneficial to attendees and speakers alike. Rob did a great job pulling together talent such as Richard Bejtlich of GE and TaoSecurity fame, AAron Walters, Mike Poor and Tom Liston of InGuardians, Lance Mueller, Eoghan Casey, Bret Padres and Ovie Carroll, as well as Kris Harms, Wendi Rafferty and Ken Bradley from Mandiant, and Monty McDougal. Jennifer Kolde was there representing the FBI, as was Matt Shannon...F-Response is and was a huge hit. I was talking with a couple of folks who attended the summit and when the topic of F-Response came up, you could see the light come on in their eyes as they realized the potential that could be realized through a product like this.
It was also great to be able to talk with folks like Jeff Caplan, and (me being really bad with names) Doug and the guy from Ford.
One of the big take-aways that I got from the summit is the fact that folks like the speakers (consultants, in most cases) and attendees (admins, etc.) face a lot of the same problems with respect to incident response...namely, how to preview and triage systems, and how to do so in an enterprise environment.
I'm hoping to be invited to and be able to attend the next SANS Forensic Summit, in July 2009!
See what others thought:
Matt from F-Response