This week we’re going to take a look at how standard triage methodology can detect advanced attack techniques. Even as a newer examiners, if you learn the standard triage methods that I have covered in the fast triage series, you will find the skills provide ample opportunity to detect all sorts attack activity-even very advanced attack activity. This is because there are natural chokepoints in the attack chain that can be used to your advantage. This week we are going to see the non-Windows core process triage in action through the lens of a very advanced attack dubbed “operation ghost.”
This week we take another look at the top threats to cloud computing. On tap This week is account hijacking. All analysts working in the DFIR field today must be aware of threats to cloud computing in order to be effective in their roles.
This week I talk about lateral movement fast triage. This is the next topic in the Windows fast triage miniseries and it aligns with the goal of the entire series, which is to help new or any analyst identify the most accessible artifacts that may be quickly analyzed to find evidence of compromise. So far we have dealt with persistence, suspicious network activity, and suspicious processes. As always, I will provide a simple yet effective approach to work with lateral movement artifacts.
This week I’m doing another walk-through to illustrate how standard triage methodology can detect advanced attack techniques. Sometimes as a newer examiner, it’s easy to become overwhelmed with the technical detail necessary to understand and attack. It’s also easy to become discouraged and convince yourself that it’s way too complicated for your current skill set and you may not even feel useful as a team member. This episode is going to dispel all of that and show you how a focus on the standard fast triage method provides all the knowledge you need to detect and advanced breach into an environment.