Ryan Corey, co-founder and CEO of Cybrary, speaks with Joe Loomis, the founder and CEO of CyberSponse, about the IRC (Incident Response Consortium) at Black Hat 2019. IRC focuses on Incident Response, Security Operations and Remediation Processes, concentrating on Best Practices, Playbooks, Runbooks and Product Connectors. In building its growing community of over a thousand people, the IRC provides open source playbooks, runbooks and response plans for the industry community to use. The collaborative community created by the IRC is aimed at advancing education and collaboration. Joe Loomis describes IRC’s upcoming free two-day Incident Response Conference in Arlington, VA, on Sept. 5 and 6, 2019, and encourages people to join the IRC.
Ryan Corey discusses how IRC’s mission aligns with Cybrary’s mission: to educate people about incident response and cybersecurity. At last year’s Incident Response conference, speakers talked about threat intelligence and incident response; this year’s conference will also feature speakers on how to apply the MITRE ATT&CK framework to help defeat adversaries. The conference will also be hands-on and feature competitions on both days. Participants can work with products and tools to get hands-on experience.
The IRC is about communicating with everybody in cybersecurity defense and about training and educating, because we can't fight this fight without good operators. It’s also about people coming out of college who want to break into the cybersecurity space: making them aware of job openings and getting them familiar with the industry itself.
The IRC's current focus is the MITRE ATT&CK framework: learning how the ATT&CK framework works and how the adversaries use it, and then how to actually learn the framework so that you can counter the adversary. There are a lot of MITRE ATT&CK statements, products, demonstrations, and explanations around certain types of APTs and threats that are out there, and how to use the MITRE ATT&CK framework to educate, learn and defend.
Ryan: All right guys. Welcome to Cybrary at Black Hat 2019. We're here with a good friend and somebody I've done a lot of things with in the past: Joe Loomis from CyberSponse, CEO and cofounder. How are you?
Joe: Good seeing you Ryan. Founder.
Ryan: Founder, Founder. That's right. That's right.
Joe: Co-founders didn't make it out very much. Kind of had to stick it out on my own.
Ryan: Okay. Understandable. But what I wanted to talk about a little more before we get into CyberSponse with, I think somebody who's a little more technical than myself who can cover that and understand it, I want to talk about the initiative and how things are going with IRC. So I've been associated with IRC for a couple of years now. And it seems to just be growing like a weed. Tell me what's going on there.
Joe: So the IRC is continually growing; the community’s up to almost a thousand people that are just incident responders looking to educate themselves. And it's more about the people coming out of college that really want to make a break into the cybersecurity space, job openings, get familiarity with the industry itself. So the IRC is coming up here September five and six, and we're going to have another free two days of training. We're going to have a two-day competition. So there's two: one competition on day one and a second competition on day two. So you can either participate on one day or the other, or do training on the other. So we're alternating a little bit. And we're just taking feedback from the market and what people are looking for and how things are shaping up, but good sponsors this year. Again, it's about communicating with everybody and about training and educating. We really can't fight this fight without good operators. And we gotta get, we gotta get more of a bootcamp mentality where people can understand what it is that they can do to perform optimally in their job.
Ryan: Yep. So we've talked about how Cybrary’s mission aligns really closely with the IRC. That's why I'm a part of the organization. And the fact that it's been growing and the community is coming together and getting bigger and bigger is amazing. The free training aspect is something super compelling that I really, really liked about what you guys do. What kind of topics are covered maybe in this upcoming year, what kind of things and training are gonna be covered at the event?
Joe: So the training, we're giving them hands-on training so they can really understand what products and tools can do and how they actually use them. So they're getting really in-depth product training itself. So they're not just learning, you know, theoretical stuff on a whiteboard or in a classroom like you would if you took a SANS course. They’re actually getting on product and on range so they can actually get hands-on experience and they're working with more experienced operators. So we're focusing today on the IRC around the MITRE ATT&CK framework and learning about how the ATT&CK framework works and how the adversaries use it, and then how to actually learn the framework so that you can counter the adversary itself. So there's going to be a lot of MITRE ATT&CK statements, a lot of products, a lot of demonstrations, a lot of explanations around certain types of APTs and threats that are out there and how to use the framework, in order to be able to educate and learn and how to defend against.
Ryan: Gotcha. So last year had some really good speakers, including you and I on a jam session where we talked about people getting into the industry at greater scale. Could you go over for me who are some of the people that spoke last year and what was presented, and then some of the keynotes and people presenting this year?
Joe: So last year we were talking a lot about cloud with Felipe, from Qualys. We talked about Palo Alto. Rick Howard came and did a keynote and talked about the cybersecurity framework that Palo Alto has been implementing. We talked a lot about the incident response life cycle and threat intelligence with Anomali. So they're going to be back again this year as well. There's a big push on, they're actually working closely with CyberSponse on the automation orchestration side with threat intelligence. So you're going to see a convergence between Anomali and CyberSponse working closely together.
This year, the agenda's just getting finalized now, but I know that there's a lot of product demonstrations and capability sessions. So it's not really a sales pitch. You're really being able to use the products themselves. You're going to see, I'm not too close to Palo Alto anymore because of the Demisto acquisition itself, but we've got the FBI and Secret Service coming to do some explanations of how to get involved with law enforcement in the cyber security space. A lot of times when crimes and attacks happen, there might be a crime that’s taken place where you need to preserve certain evidence. So we're doing some work with accessing data as well.
On the forensic side of incident response, people are starting to see the importance of understanding how to forensically capture certain types of data, like a drive image, for example. As soon as it's been compromised, getting a capture of that drive will be powerful, especially if you're dealing with ransomware, because if you can capture an image of the drive before the ransomware actually takes effect, you actually can preserve all the data that the drive already had on it. So you won't have to necessarily pay for the ransom itself.
Ryan: Got it. That’s awesome.
Joe: It's got these kinds of things that are happening with the Incident Response Consortium, where we really took the feedback of the MITRE approach, because it's really good community-driven frameworks that we're actually being able to get people to understand what MITRE is and how to contribute yourself because all MITRE is, is really contributions of other team members providing: “this is how we handle these adversaries.” And this is a framework we followed.
Ryan: Yeah. Makes sense. Awesome, man. So kind of wrapping up, why don't you tell us a little bit about where people can join the IRC and then tell us when and where the conference is again?
Joe: So it's Arlington, Virginia, September five and six of this year is coming up. It's free to attend. You go register right on the website, incidentresponse.com or .org, depending which one you prefer to go to. You'll find a lot of free training materials on there as well as links to Cybrary and all your content and your libraries of information. A lot of playbooks are out there too, so people that can understand how to deal with malware and incident response, DDoS attacks, etc. The conference has gotten much more momentum this year than it even did. Last year it was capped out at about 600 attendees while we've already got over 400 attendees registered, and we're still more than a month away. Most of the tracks came out this last month, where people started becoming willing to attend. We're seeing everything from federal agencies coming, from NSA, to large corporations, like General Electric and large commercial entities, etc. So it's going to be big: September five and six, 2019.
Ryan: That's awesome. So when it comes to incident response, don't miss out on that event.
Joe: It's just out once a year, and if you're willing to give back and you want to learn the latest and greatest, it's a place where everybody can meet. It's really a meetup around Incident Response. We try to formalize it, and I believe it's something that I'll probably do for the rest of my career, even after CyberSponse gets bought and sold. I think that building the Incident Response Consortium has been a passion. I kind of can relate to how exciting it is to work for Cybrary, because it's a lot different feeling when you show up willing to help, and contribute to education.
Joe: You get a lot more welcome than you are when you're a vendor. And I really noticed that kind of contrast when I'm on the vendor side or CyberSponse. You're in this competition space where everybody's trying to sell, sell, sell, but when you're in the education space, everybody's so much more different to you and attitudes are entirely different. Their approach is different. It's much more of a welcoming community when you're wanting to give back.
Ryan: And you watch it become a growing organism because those people can participate. So it becomes part of theirs. It's actually really powerful. Yeah. My friend, CEO and founder of CyberSponse, Joe Loomis. Thanks, guys.
Joe: Thanks a lot, Ryan.