As an analyst, it is important to identify root cause and link it back to security governance strategies. This is dealt with through root cause statements typically. What exactly should you be doing for a root cause statement? How important is it? If you produce a findings report you can count on the root cause statement being read. Other parts of the document may be skimmed through, or even ignored, but the root cause statement is going to draw the attention of a variety of different audiences. Therefore this is something you want to get right. In this episode I’m going to deliver a simple approach you can use.
Most of my episodes are about computer forensic artifacts and methods. Once in a while I like to cover non-technical topics, such as thoughts and recommendations about career development, subject matter expertise strategies, and impact exposure or delivery of your work. These soft skills are important to your career success. So this week will be on maximizing DFIR exposure in your current role, whatever that role may be. I will cover how to connect the work you do with the high-level strategies that are important to your management or your customers.
This week is a continuation of the threats to cloud computing miniseries. We are stepping through the top 11 threats to cloud computing as identified by the Cloud Security alliance. When you are protecting cloud assets or investigating breaches of cloud assets, there is a lot to keep in mind. You must remember the standard security infrastructure, the new cloud infrastructure as well as any changes to the standard infrastructure that could be affected for your investigation. The top 11 threats to cloud computing help identify where you, as an analyst, should prioritize your time both as a starting point and how you use your limited time for continuing education.
This week we continue with the Windows fast triage series. We are up to lateral movement and talking about admin shares. On topic this week is event 5145 which is a Windows log that records verbose information about network share objects and it is an artifact you can use to triage a system or group of systems for evidence of malicious lateral movement.
This week I wanted to take a break from Windows forensics and talk about Linux malware triage. The Linux platform offers forensic analysts the opportunity to do a very decent job performing malware triage. What I mean by this is that you do not need any special tools installed, all you essentially need is the knowledge of a handful of commands in the ability to make sense of the output. Armed with this, any analyst can do a malware triage quickly and efficiently.