IR do’s and don’ts

There is a lot of documentation around the different phases of the IR cycle. We talk a lot about preparation, identification, containment, eradication, recovery and lessons learned. Let's face it, dealing with intrusions can be very fast paced, with a lot of activity usually all happening at the same time. …

Another hunting post

I often see statements like "people need to know their network like the back of their hand to be able to identify evil". While I don't disagree with this, I think there are many other things that people should be just as familiar with. Sally's machine in finance may not …

Has your threat feed made you lazy

There has been a lot of conversation around threat feeds and how to automate the ingestion of IPs and domains. A lot of work can go into taking these indicators, wrapping automation around them and feeding our detection tools, but I have to wonder if we have become somewhat lazy …

Answering those needed questions

When I look at incident response I like to see it as a series of questions that typically need to be answered. Once all of the stones have been turned, analysis has been performed and the questions have been answered, we can usually wind down and learn from what has transpired. As I …

Feeds, feeds and more feeds

I've seen some email threads on a few listserv groups talking about developing a capability to take indicators from threat feeds and automatically generate signatures that can be used in various detection technologies. I have some issues with this approach and thought a blog post on it may be …

To silo or not to silo

Picture yourself knee deep in an incident, racing to contain an adversary that is actively moving laterally within your network. You have people tasked, based on skill set, in a way that will enable you to achieve this goal as quickly as possible. Some may be looking at network data, some at host/log …

Command Line Fun

Analyzing data related to intrusions can be fast and furious much of the time. We are typically looking to identify things such as entry points, lateral movement and other items that will help scope and contain the incident as quickly as possible. When you find an indicator that may be …

Minimizing Misses

Having spent most of last year helping to train a 24/7 SOC, as well as having performed a ton of alert analysis myself, I hold a special place in my heart for these people. I wanted to write this post not only for the analysts I work with, but for …

Detecting Your Adversaries

I tweeted earlier today that I was starting to work on a new memory forensics challenge. While brainstorming on what I wanted to do with this, I remembered that I had scripted out my last challenge in a step-by-step order. I actually built a dev environment …