Everyone talks about the intrusion kill chain (sometimes called the cyber kill chain) a model for actionable intelligence in which defenders align enterprise defensive capabilities to the specific processes an adversary undertakes to target that enterprise but much of what is said is misinformation and scare tactics. Much of what is covered will be hands on free walkthroughs in a Windows environment. MS Windows domains are the most popular target for attackers as they are frequently the most insecurely configured. We explores the most effective steps you can take to protect your organization from the vast majority of threats with defensive mitigation and monitoring, covering use cases such as ransomware, data exfiltration, and lateral movement to demonstrate how to improve the standard of defense at each level. We will conclude with an overview of tabletop exercises and drills to strengthen your understanding.

Amanda Berlin is a Sr. Security Analyst for a consulting firm in Southern Michigan. She has spent over a decade in different areas of technology and sectors providing infrastructure support, triage, and design. Amanda has been involved in implementing a secure Payment Card Industries (PCI) process and Health Insurance Portability and Accountability Act (HIPAA) compliance as well as building a comprehensive phishing and awards-based user education program. Amanda is an avid volunteer and has also presented at a large number of conventions, meetings and industry events. Some examples of these are: DerbyCon, O,Reilly Security, GrrCon, and DEFCON. She is the author for a Blue Team best practices book called "Defensive Security Handbook: Best Practices for Securing Infrastructure" with Lee Brotherston through O'Reilly Media. She is a co-host on the Brakeing Down Security podcast and writes for several blogs. While she doesn't have the credentials or notoriety that others might have, she hopes to make up for it with her wit, sense of humor, and knack for catching on quick to new technologies.

Recorded at AIDE 2018