Gregory Pendergast

Review: Mandiant's Incident Response Conference (MIRCon) Day 1

October 13, 2010

I have the good fortune this week of being able to attend Mandiant's Incident Response Conference (MIRcon) in Alexandria, Virginia, and so far it's a very good time. For those who couldn't attend, or who may have chosen instead to attend that other conference that's going on right now, I thought I'd blog a few impressions and takeaways, both to solidify the day in my own mind and to provide some food (and flavor) for thought. This won't be a comprehensive, presentation-by-presentation summary, but rather an overview with focus on what I consider to be some of the highlights. And if you weren't at MIRcon today, the single most important highlight you missed was Richard Bejtlich simultaneously coining a new phrase and inventing a new psychological diagnosis: "Incident Intrusion Fatigue Syndrome." So, if you want to find out whether you or your team suffer from this debilitating illness, read on.

The day started strong with a humorous keynote presentation from Kevin Mandia, followed immediately by an excellent panel discussion titled The IR Dream Team, featuring Richard Bejtlich, Ron Davis and Curtis Rose. (You can see the full agenda and presenter details over on the MIRcon Agenda page.) I found this to be the strongest and most insightful part of the day. The discussion kicked off with the panel members being asked about the two biggest challenges Incident Response Teams face. Richard Bejtlich and Ron Davis responded, and between them arrived at some of the biggest challenges faced by most responders and response teams. In the order they were presented, these challenges are:

  1. Visibility (Bejtlich) - the ability to see what is happening across our network and endpoints, in order to detect that a compromise has occurred. For many security/IR teams, it's challenging enough to gain visibility into even the basic building blocks of a network - namely, the network devices, servers and endpoints. But here, Richard noted that devices like Blackberries and iPhones further complicate this issue. How, indeed, do you detect a compromise on the growing number of mobile devices that appear and disappear on our networks?
  2. Authority (Bejtlich) - Richard identified the challenge of authority as the second biggest challenge for IR teams, then summarized the problem by saying that if you don't have the support of your organization, you can't do anything. As I understand this, it is essentially the challenge of "executive buy-in." As I see it, authority is one aspect of that. Part of supporting an IR team is giving them the authority necessary to execute their job. When this doesn't happen, the IR team can end up dependent on (at the mercy of?) IT operations and other stakeholders and find themselves begging and borrowing all of the data they need to do the job.
  3. Preparation (Davis) - While Ron Davis called this the "preparation" challenge, his real focus was on process, with the challenge being defining and refining response processes for all of the ways we can be attacked. I would suggest the real challenge here is maturation. In other words, creating and following repeatable processes is a mark of a mature IR team and a mature organization. The challenge, then, lies in reaching that level of maturity.
  4. Coordination (Davis) - The challenge here is in coordinating response activities across distances and time zones. This is particularly challenging for organizations with global presences and operations, as they face increased levels of complexity, but it's important to remember that coordination is not a challenge exclusive to global organizations. Any organization with multiple offices and/or satellite locations experiences some version of this challenge.

The Dream Team panelists were also asked, among other things, to name their best source(s) of threat intelligence. The unanimous consensus here is that the best threat intelligence comes from the incidents you are already working or have worked. In other words, your best threat intelligence comes from responding to and analyzing the attacks you're actually seeing. While I'm sure this is true for organizations that have an adequately mature Incident Response capability, those teams/responders that aren't adequately staffed and funded are likely to miss this kind of intelligence due to a lack of ability to respond to and collect data on all of the incidents that cross their wire. Of course, you can begin to collect threat intelligence from wherever you are on the maturity scale simply by collecting data and beginning to correlate the data you do have. But it would have been nice to hear the panelists more fully address other sources of threat intelligence that might be more useful/actionable for organizations that are still building up their own response capabilities. (Unfortunately, I've only now thought of this, so I didn't think to raise the question myself during the panel Q&A.)

Finally, the Dream Team panel was asked how we know we've "won." That is, how do we know we've been successful as incident responders. While the clear consensus is that there is no real "winning" (the fight goes on), Richard Bejtlich did offer some interesting indicators of a successful IR team or organization:

  1. You've increased the amount of money per megabyte that the intruder must spend to exfiltrate data. That is, you've made the intruder's job more difficult and more expensive.
  2. You've developed threat intelligence to a level that you are able to predict the intruder's next move.
  3. You can not only predict the intruder's next move, but you can track the changes they make on compromised systems.
  4. You've achieved a level of "intrusion suppression," such that you are able to defend your network well enough to keep the number of intrusions to a manageable level, and thus avoid "Intrusion Fatigue Syndrome." It's fairly obvious, after all, that if you're trying to respond to an excessive number of incidents you run the risk of exhausting your team and either compromising their skills or losing them as employees.

From this high point, the day moved into a couple of Mandiant-centric presentations that nevertheless conveyed a number of broader ideas worth considering and trying to build on. When I say Mandiant-centric here, it is not derogatory. What I mean is that the presentations focused on Mandiant's technologies and how they are used. MIR Integration and Automation, for example, introduced the idea of integrating Mandiant Intelligent Response (MIR) with Request Tracker (both offer a Perl REST interface that can be leveraged to make them interoperate) to automate the feeding of incident data and details into a ticketing system, which can then be leveraged to generate metrics and reports that are valuable to both the incident response team and the broader business. Unfortunately, the Mandiant customer that created the presentation had to remain anonymous, so the presentation was delivered by a Mandiant representative. While he presented well, he could not provide the level of detail that the original author might have been able to share. Nevertheless, the presentation transcended product specificity in the sense that this kind of interoperability is the kind of thing we can be looking for and trying to develop in any set of tools we use. In this case, the customer organization automatically creates incident tickets from things like SIEM alerts and MIR scans. This allows them to leverage the collection and reporting capabilities of the ticketing system to automate the production of a wide variety of metrics, including numbers and types of incidents. By doing this, they've eliminated significant effort and hours spent on manual data collection that such reporting often entails.
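To make the alert-to-ticket automation above concrete, here is an added example (not the presenter's, the customer's or Mandiant's code) that files constructed SIEM/MIR alerts as Request Tracker tickets through RT's REST 1.0 interface and then derives the incident-count metrics from what was filed. The RT request and reply formats are RT's documented ones; the alert fields, the "Incidents" queue, the two custom fields and the fake endpoint are assumptions, and the MIR side is not modelled because the talk gave no API details.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Iterable


@dataclass(frozen=True)
class Alert:
    """Constructed alert record; the field names are an assumption, not a SIEM or MIR schema."""
    source: str    # "siem" or "mir"
    category: str  # e.g. "malware", "exfiltration"
    host: str
    detail: str


def rt_new_ticket_content(alert: Alert, queue: str = "Incidents") -> str:
    """Build the `content` form field for RT REST 1.0 `POST /REST/1.0/ticket/new`.

    RT reads one 'Key: value' line per field; continuation lines of a multi-line
    Text field are indented with one space. The queue and the CF.{...} custom
    fields are assumptions and must already be defined in the RT instance.
    """
    text = "\n ".join(alert.detail.splitlines())
    return (
        "id: ticket/new\n"
        f"Queue: {queue}\n"
        f"Subject: [{alert.source.upper()}] {alert.category} on {alert.host}\n"
        f"CF.{{Alert Source}}: {alert.source}\n"
        f"CF.{{Incident Category}}: {alert.category}\n"
        f"Text: {text}\n"
    )


_TICKET_CREATED = re.compile(r"^# Ticket (\d+) created\.", re.MULTILINE)


def parse_rt_response(body: str) -> int:
    """Extract the new ticket id from an RT REST 1.0 reply.

    The reply is 'RT/<version> <status> <message>', a blank line, then a body
    that on success contains '# Ticket <id> created.'. Anything else is an error.
    """
    status_line, _, rest = body.partition("\n")
    if not status_line.startswith("RT/") or " 200 " not in status_line:
        raise RuntimeError(f"RT rejected the request: {status_line!r}")
    match = _TICKET_CREATED.search(rest)
    if match is None:
        raise RuntimeError(f"no ticket id in RT reply: {rest.strip()!r}")
    return int(match.group(1))


def file_alerts(alerts: Iterable[Alert], post: Callable[[str, dict], str]) -> list[tuple[int, Alert]]:
    """Create one ticket per alert. `post(path, fields)` does the HTTP POST (in production:
    requests.post(base_url + path, data={**fields, "user": ..., "pass": ...}).text) and is
    injected so the example runs offline."""
    return [(parse_rt_response(post("/REST/1.0/ticket/new", {"content": rt_new_ticket_content(a)})), a)
            for a in alerts]


def incident_metrics(filed: Iterable[tuple[int, Alert]]) -> dict[str, dict[str, int]]:
    """The report the ticketing system is later mined for: incident counts by category and by source."""
    by_category, by_source = Counter(), Counter()
    for _, alert in filed:
        by_category[alert.category] += 1
        by_source[alert.source] += 1
    return {"by_category": dict(by_category), "by_source": dict(by_source)}


# Constructed sample alerts; the hash and IOC set name are placeholders, not real indicators.
SAMPLE_ALERTS = [
    Alert("siem", "malware", "ws-0114", "AV quarantine failed\nhash: <placeholder>"),
    Alert("mir", "malware", "ws-0207", "MIR scan matched IOC set '<placeholder>'"),
    Alert("siem", "exfiltration", "srv-db-02", "unusual outbound volume to an external host"),
]


def make_fake_rt(first_id: int = 42) -> Callable[[str, dict], str]:
    """Stand-in for the RT endpoint: answers with RT's success reply and sequential ticket ids."""
    next_id = [first_id]
    def post(_path: str, fields: dict) -> str:
        assert fields["content"].startswith("id: ticket/new\n")
        reply = f"RT/4.4.4 200 Ok\n\n# Ticket {next_id[0]} created.\n\n"
        next_id[0] += 1
        return reply
    return post
```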

The weak point of the day, for me, was a panel discussion on intelligence sharing. This was, I think, partly a problem of expectation, as the discussion seemed a relatively minimal part of the presentation. For at least the first 30 minutes, this was more like a series of lightning talks as the panelists each gave brief presentations discussing their involvement in various intelligence sharing organizations and initiatives, such as DSIE (Defense Security Information Exchange) and FS-ISAC (Financial Services Information Sharing and Analysis Center). The one valuable nugget I took away from this came from Kevin Naver of Sandia National Labs, whose information and resource sharing model for the numerous National Laboratories also involves the sharing of personnel resources across the organizations, such that an expert from one site could be leveraged to assist with incident response (or any issue, really) at any of the other sites. This model would lend itself well to small businesses, universities, state and federal agencies at a minimum. I can see where more sensitive private corporations and agencies would have concerns with intelligence sharing and data leakage in a scenario like that, but in a world where true incident response and forensics experts are in short supply, this kind of personnel sharing makes a great deal of sense.

Finally, the presentation day concluded on a heavily technical note with Kelcey Tietjen (Los Alamos National Laboratory) demonstrating the value of Windows Crash Dump Analysis for incident response. The crash dump can provide a lot of useful and detailed information about the crashing process and other items in memory. Where such crashes are related to a compromise, analyzing the crash dump files using WinDbg can provide a wealth of information that can be used to create Indicators of Compromise and other intelligence. Unfortunately, slides of the presentations have not been made available (and I don't know whether they will be), and there was more information here than I was able to capture in my notes. In that regard, the presentation was delivered a bit too quickly, leaving the audience (speaking for myself, here) with some good ideas but unable to capture enough detail to avoid having to go look up the information ourselves.

Overall, however, the weaknesses were exceptionally minimal, and I'm looking forward to Day 2. MIRcon has already provided more value than some conferences and courses I've paid for. So I give props to Mandiant for providing so much to the community in valuable tools and information. And, of course, I would be terribly remiss if I did not also say thanks to Mandiant for the free food and free beer.

Obviously, this is one man's view, and I certainly couldn't capture everything. So if any attendees or presenters are reading this, please share your own impressions and takeaways in the comment section.

Gregory Pendergast is the Interim Information Security Officer at Virginia Commonwealth University.

Tags:
  • Digital Forensics, Incident Response & Threat Hunting