This week is about cloud network segmentation. Network segmentation has security advantages, and that’s regardless of whether or not security is the intention. There are some big differences between traditional on-prem network segmentation and cloud infrastructure segmentation. As a DFIR practitioner, knowing the difference is vital for your incident response preparedness. This week I will break it down from a DFIR point of view and provide some necessary insight that will help you better structure your investigations involving cloud assets.
This week I cover insider threat, which is sort of a gray area between traditional investigations and DFIR investigations.
This week I’m talking about identity access controls commonly encountered in cloud environments. These come up during DFIR investigations, and high-level awareness, at the least, is necessary for analysts in order to be effective during investigations. These are the things that may be part of root cause, part of the attack escalation, or part of mitigation or remediation. This week I’ll cover the basics to help with your incident response preparedness.
This week is my advice for conducting a career critique as well as to plan for the future - or at least for 2022. I do this episode every year at this time with the intention of helping newer analysts maximize their efforts to achieve the desired career goals in both the short term and long term.
This week we continue with the Windows fast triage series and talk about lateral movement evidence that may be found in DC records.
This week is a continuation of the threats to cloud computing miniseries. We are stepping through the top 11 threats to cloud computing as identified by the Cloud Security Alliance. When you are protecting cloud assets or investigating breaches of cloud assets, there is a lot to keep in mind. You must remember the standard security infrastructure, the new cloud infrastructure, as well as any changes to the standard infrastructure that could affect your investigation. The top 11 threats to cloud computing help identify where you, as an analyst, should prioritize your time, both as a starting point and in how you use your limited time for continuing education.
This week I review a great method to detect file poisoning on Linux using all native commands.
This week SUMURI's Steve Whalen (a.k.a. 'MacBoy') talks Mac artifacts.
This week we continue with the Windows fast triage series and talk about lateral movement evidence that may be found in logon event records.
This week Brian Carrier of Basis Technology joins me to talk about OSDFCon. The DFIR community relies on open source tools and the conference is a great way to get exposure to new tools and to learn how to use them. There's a great lineup this year with something for everyone. Registration is free for everyone.
This week is a case study where we look at an actual attack strategy and compare it against standard triage methods to see how well they hold up. In this episode I break down some attack methods attributed to APT32, also known as Ocean Lotus, and we’ll see how standard triage techniques hold up against the attack chain.
Amanda Berlin of Blumira speaks on malicious PowerShell attacks and defense techniques.
This week SUMURI's Steve Whalen (a.k.a. 'MacBoy') talks Mac forensics.
This week I’m talking about Nested Groups and the risk they pose for security. Built into the functionality of Active Directory is the ability to attach a group to another group. While this has advantages for account administration across an organization, it also offers attackers an opportunity if certain precautions are not taken. This week I’ll break down Nested Groups in DFIR terms, talk about how attackers take advantage of them, and what analysts need to know for investigations.
This week is a case study where we look at an actual attack strategy and compare it against standard triage methods to see how well they hold up. The Turla group using ComRat malware is our case example; let’s see if standard triage techniques can save the day.
Matt Warner, Blumira CTO and Co-Founder, talks ransomware investigations.
This week is a continuation of the threats to cloud computing miniseries. We are stepping through the top 11 threats to cloud computing as identified by the Cloud Security Alliance. When you are protecting cloud assets or investigating breaches of cloud assets, there is a lot to keep in mind. You must remember the standard security infrastructure, the new cloud infrastructure, as well as any changes to the standard infrastructure that could affect your investigation. The top 11 threats to cloud computing help identify where you, as an analyst, should prioritize your time, both as a starting point and in how you use your limited time for continuing education.
This week is a case study that demonstrates how fundamental DFIR triage methods can detect advanced attacks. Examiners, especially newer examiners, should find confidence in the fact that standard triage techniques have such a powerful impact on security investigations.
This week Nato Riley from Blumira pays a visit to talk about the top threats to cloud computing.
This week we continue with the Windows fast triage series and talk about lateral movement evidence that may be found in admin shares event records. Four different types of logs are covered, each containing different information for triage purposes.
This week SUMURI's Steve Whalen (a.k.a. 'MacBoy') and Dave Melvin talk about the latest in Mac training and certification. Learn the advantages of vendor-neutral training and how to prioritize it in your own training regimen.
As an analyst, it is important to identify root cause and link it back to security governance strategies. This is typically dealt with through root cause statements. What exactly should you be doing for a root cause statement? How important is it? If you produce a findings report, you can count on the root cause statement being read. Other parts of the document may be skimmed through, or even ignored, but the root cause statement is going to draw the attention of a variety of different audiences. Therefore this is something you want to get right. In this episode I’m going to deliver a simple approach you can use.
Most of my episodes are about computer forensic artifacts and methods. Once in a while I like to cover non-technical topics, such as thoughts and recommendations about career development, subject matter expertise strategies, and impact exposure or delivery of your work. These soft skills are important to your career success. So this week will be on maximizing DFIR exposure in your current role, whatever that role may be. I will cover how to connect the work you do with the high-level strategies that are important to your management or your customers.
This week is a continuation of the threats to cloud computing miniseries. We are stepping through the top 11 threats to cloud computing as identified by the Cloud Security Alliance. When you are protecting cloud assets or investigating breaches of cloud assets, there is a lot to keep in mind. You must remember the standard security infrastructure, the new cloud infrastructure, as well as any changes to the standard infrastructure that could affect your investigation. The top 11 threats to cloud computing help identify where you, as an analyst, should prioritize your time, both as a starting point and in how you use your limited time for continuing education.
This week we continue with the Windows fast triage series. We are up to lateral movement and talking about admin shares. On topic this week is event 5145, a Windows log record that captures verbose information about network share objects; it is an artifact you can use to triage a system or group of systems for evidence of malicious lateral movement.