To silo or not to silo

Picture yourself knee deep in an incident, racing to contain an adversary that is actively moving laterally within your network. You have people tasked, based on skill set, that will enable you to achieve this goal as quickly as possible. Some may be looking at network data, some at host/log …

Command Line Fun

Analyzing data related to intrusions can be fast and furious much of the time. We are typically looking to identify things such as entry points, lateral movement and other items that will help scope and contain the incident as quickly as possible. When you find an indicator that may be …

Minimizing Misses

Having spent most of last year helping to train a 24/7 SOC as well as having performed a ton of alert analysis myself, I hold a special place in my heart for these people. I wanted to write this post, not only for the analysts I work with, but for …

Detecting Your Adversaries

I tweeted earlier today that I was starting to work on a new memory forensics challenge. While brainstorming on what I wanted to do with this I remembered that I had scripted out my last challenge in kind of a step by step order. I actually built a dev environment …

Thoughts on Incident Response Teams

With all of the breach notifications that seem to be flying around daily over the past few months I can’t help but wonder how their IR teams operate. I won’t speculate or cast any blames or failures as I simply don’t know. I do have definite opinions on how I …

Keeping Focus During an Incident

It’s been a long night and you finally get to bed only to be woken up 30 minutes later to the sound of your phone alerting you that there’s an alert that fired and needs to be triaged immediately. Crawling out of bed you’re thinking this has to be a …

Malicious Tool Execution and Output

In my post, Identifying Malicious Processes, I stated some additional steps I would take after locating and containing all identified compromised machines. One of the steps was to attempt to recover malicious files from memory or from the compromised host. When responding to advanced intrusions I have found that, more …