Growing up Mennonite in Lancaster County with no computer, and no television, only to become a Digital Forensic Analyst and Incident Response Specialist living in New York City, has been quite a journey. My friends tell me the uniqueness of my life requires a blog, but I tell them, I haven't changed much, really.
Personal blog, nothing on here represents my employer.
Wednesday, September 26, 2018
DFIR Field Manual?
“Investigating Windows Systems” by Harlan Carvey was a great read on so many different levels for me. After binge-reading it over a weekend, I was so excited about it that the following Monday morning I found myself almost shouting at warp-speed to a co-worker about why it was such an important read. Our chat reminded me of something I had thought about while still making my way through the book. How could a book so compact, contain that much valuable information?! I actually believe this book could have been titled, “DFIR Field Manual”, or “DFIRFM.”
For one thing, the book was easily digestible. At times, I found myself “playing along”, almost like a CTF. That’s because the book takes you (step-by-step) on an analyst’s journey through several investigations, and invites you to follow-along by downloading all the free images and open source tools the author is using to walk you through. You get to learn alongside a seasoned veteran, almost in real-time, and observe, even as critical case decisions are being made along the way.
The book felt really timely to me. I’d recently been following some thought-provoking discourse around the pronounced differences between the “DF” and “IR” of “DFIR” - Digital Forensics and Incident Response, and have even myself gotten into some rather animated discussions during time-sensitive incidents asking, “Where’s our DirListing?!” or, “May I please just have a DirListing!”
The book had a recurring theme for me, and that was, the steps you take regardless of the type of investigation, are often consistent. Why? Low hanging fruit! My take-away was that Harlan almost always makes a visual inspection of the data before he does anything else. That is not just to verify that he has an image that isn’t damaged, but it’s also so that he can identify outliers rather quickly, such as a batch file sitting in the root of C:\ - might be nothing, but could be something. Things that make you go, “hmmm”.
Another important concept I learned was the art of discernment and how critical that can be to your end-goal (which an analyst must keep in mind is often guided by a paying client, not your own curiosity). So, should you choose to dive down a rabbit-hole, (and we all do), a concise analysis plan will help keep you on track, and he shows you how.
As our digital landscape continues to grow, and the average size of hard drives (and memory) gets larger and larger, sometimes it can seem like we’re trying to “boil the ocean”. To combat that, Harlan teaches us the art of timelining and how that process can help you streamline your analysis by distilling down the data and filtering out the noise. Additionally, we learn that we have tiered options in our approach, so that we don’t lose meaningful data by doing so; mini, micro, and even nano timelines.
I also learned how to “fail fast”. Trust me, when you have a client or upper management breathing down your neck for answers, you’ll be glad you grasped that concept. Regardless of how long you’ve been in the field, you will be astounded at the knowledge you acquire from this book. New folks might learn not to assume that malware or “hacking tools” simply sitting on a system, are bad. On the contrary, they’ll become proficient in how to prove whether or not those tools were launched, and how they might have been used. Or, what local accounts on a system with no profile might mean, and how FTP being run from a browser might be overlooked as it leaves fewer artifacts and in “unusual” places. Even TimeStomping is covered, as well as using the “Conversations” filter in WireShark to “Follow Stream”. It’s all there!
The book also tackles another topic I’ve been seeing articles around recently – Sufficiency. How much data is enough data for us to come to our analysis goals? Lately that’s been on a lot of people’s minds. Well, perhaps that answer depends. For example, have we answered the questions the (paying) principal has asked of us? It also pivots on another very important case concept – have we, as the investigator, helped our client ask the right questions, because they don’t always know themselves what questions they need to be asking. If so, and we’ve come to a solid conclusion, then yes, we can confidently state that “our work here is done!” Even more so, if the principal cannot articulate those questions, and in fact leaves you with almost no information to begin your quest, how do you still make magic happen? Those answers are all in the book, and the reader is steadily guided through every scenario.
You’ll learn what persistence can look like, and how to spot it. You’ll grasp what the artifacts of “staging” resemble, whether it’s being done by an advanced adversary, or an insider who’s ready to bolt. You will also learn how not to allow your own analysis to create a red herring in your case, in other words, if you detonate a piece of malware from the Desktop of your VM, you need to understand that you might be building artifacts that would not be present had it been introduced via its native vector (email, URL, USB), and what those are so you don’t include them in your findings. You might even find a new trick for using Calc.exe.
I also learned a new thought process around triaging malware that I hadn’t read before and found it to be quite clever. Execute the sample, let it run for a bit, then shut the box down and grab an image. Then you can perform analysis to examine the complete file system after the malware runs. Perhaps not all incidents have time for that, but I thought it was a brilliant methodology. I typically use RegShot or other tools to snapshot the Registry state before (and after) I run a sample, but now I no longer need to chance missing anything that the malware might have changed.
In conclusion, it truly is fascinating how much ground the book covers in such a concise manner, which I believe can only be attributed to the author being both an accomplished writer, and a seasoned investigator. Whether you’re running-to-ground File System Tunneling, WindowsXP, Windows10, a Web Server running iis or Apache, it’s all covered in the book, and with log locations and examples. You. Will. NOT. Be. Disappointed!
Tuesday, June 19, 2018
CLOUD EXPOSURE, DLP & IR, A-Z
Photo Credit: My co-worker’s mug, taken with permission for use.
Friday, August 25, 2017
Homegrown Hunt: You Can Do This! (or How to Think Like a RAT!)
1. Before we begin, this post won’t by any means try to define Hunt. There are already hundreds of articles arguing about what that term means, this isn’t one of them. I use the word sprinkled throughout quite loosely and you are free to take poetic license of your own while reading.
2. This is by no means an exhaustive guide to hunt; hunt never ends, it evolves daily, sometimes hourly. The following is meant to simply get you started thinking about some easy, low-hanging fruit, so that maybe you’ll want to take it further. There’s so much more that I could have included, but as someone I respect and look up to recently taught me, “MaryEllen, don’t let perfect be the enemy of good!” In other words, at some point you just have to cut bait and drop it, hook, line and sinker, or you’ll never publish it!
3. Regardless of the maturity level of your enterprise, work with what you have. At the end of the day, if you read the following and it affords you the opportunity to increase the security posture of your organization even a little, everybody wins!
4. Some of the concepts mentioned below are from brainstorming sessions with someone far smarter than me, my long-time friend and colleague, Lawrence Judd. Thank you Lawrence. I strive to be at your level every single day, and it’s a privilege to call you friend. Lawrence is wicked smart, and sometimes when I’m chatting with him, I find myself harkening back to one of my first conversations with a NYC building Superintendent. He would tell me, “MaryEllen, if you want to catch a rat, you have to think like a rat, behave like a rat, and sometimes even pretend you ARE a rat!”
5. I’m finally digging through all the stuff I learned at BlackHat and DEF CON, and you may see some of that referenced below. Enjoy!
Let’s Dive In!
Bytes In vs. Bytes Out (Producer-Consumer Ratio, or PCR) from Robert M. Lee and David J. Bianco’s BlackHat presentation:
- See slide #12. One way to implement that might be to run a daily script that calculates the bytes-in vs. bytes-out per endpoint (PCR). When you do that over time, you can begin to compare the data and look for blips which could indicate someone was staging, i.e. planning to leave in a couple weeks and siphoning a bunch of stuff out. I've worked in companies where they had v.v. expensive tools that could track all of those types of behaviors, but if the security posture (or budget) within your organization is still maturing, get down in the weeds and write your own, you can do this!
- There are a couple other slides in David and Robert's deck that I would like to try to turn into use cases as well.
⇨If I physically badge into an office in North America but then log into the network later that day from the APAC region, whassup?
⇨If I log into the network from the APAC region, but then later that same day I physically badge into an office in North America, whassup?
⇨If I log into a system in North America and then later that day I also log in from the APAC region, whassup?
Login time behaviors oddities:
⇨For example, let’s say someone almost always works 8am-4pm but now all of a sudden they are logged in at 2am, whassup?
Don’t just monitor your logs for unsuccessful logins, also track successful logins, but with correlation, for example, did any of those unsuccessful login attempts just log in, or was there a successful login from an account we have no record of? Just today, FS-ISAC warned that credential stuffing/ATO attacks are at an elevated level and there is a huge uptick in brute force attacks attempting to leverage stolen credentials. They suggested a possible defense around that would be to monitor your Call Center for increases in account lock-outs.
If you have Splunk, take a look at Shannon Entropy via the following (if you don’t have Splunk, try to see how you can improvise using other tools):
⇨https://www.splunk.com/blog/2015/10/01/random-words-on-entropy-and-dns.html
⇨https://www.splunk.com/blog/2016/04/21/when-entropy-meets-shannon.html
Also with Splunk, take a look at the following (again, if you don’t have Splunk, try to see how you can improvise using other tools):
⇨https://www.splunk.com/blog/2016/03/22/splunking-1-million-urls.html
⇨https://www.splunk.com/blog/2016/04/01/hunting-that-evil-typosquatter.html
Huge shout-out to Google Chrome’s Andrew R. Whalley who I had the great fortune of meeting at BlackHat. I was invited to a small group where Mr. Whalley was discussing browser security and some interesting trickery such as Unicode characters and xn--, some of which are outlined here, and here. There are nuggets in both URL's to begin building alerts for.
Office products (Word, Excel, PowerPoint, etc.) probably shouldn’t be spawning .exe, cmd.exe, PowerShell, and a host of other items, for example.
You can hunt down private domain registrations so as to properly investigate, triage and submit for takedown. I attended a Lunch and Learn in June at the SANS Austin Summit by DomainTools that specifically talked about just that, it was fascinating. Lunch and Learns aren't recorded and don't always release a slide deck afterward, but I found a free video on the DomainTools Web site which is similar to the talk they gave in Austin. If you advance the video to exactly 15 minutes in, at the "Hunt Case Study" section, they discuss work-arounds/pivots for private registrations. It's not in the video link, but at the Lunch and Learn they were even showing how you could pivot off of Google Analytics code to see if anyone else had used it. I wish I had taken better notes, but I was pretty fried at that point from the malware 610 class I was taking...the video link is close to what was in their talk, just start at exactly 15 minutes in, at "Hunt Case Study."
Track anomalies in CarbonBlack, NetWitness, Splunk, Tanium or a million other other tools, including but not limited to:
o Large outbound files.
o Outbound .rar and .tar files.
o Traffic to high risk geo locations such as .cn, .nk, .ru, .su, tr, etc.
o Traffic from any of the top 20 in your APL reaching-out to high risk locations such as .cn, .nk, .ru, .su, .tr, etc.
o Traffic to odd TLD’s such as .xyz, .sex, .sexy, .xxx, etc.
Applications running which have a hash that’s different than all known good application hashes in the enterprise.
Detecting MimiKatz running in memory:
- If I understood the author correctly, regardless of what process MimiKatz is injected into, it needs both of these to run: vaultcli.dll and wlanapi.dll.
Known Web Server apps being launched from non-standard locales:
o apache.exe where path is NOT: c:\oracle\program files\apache
o tomcat.exe where path is NOT: c:\program files\tomcat
Track exe’s that could be associated with evil (impersonating the legitimate versions), for example, if any of the following have a running path that is NOT c:\windows OR c:\winnt (not an exhaustive list):
o aspnet_compiler.exe
o at.exe
o bcdedit.exe
o bitsadmin.exe
o cmd.exe
o conhost.exe
o csc.exe
o cscript.exe
o csrss.exe
o dfsvc.exe
o excel.exe
o expler.exe
o hh.exe
o hkcmd.exe
o IEExec.exe
o iexple.exe
o iexpress.exe
o igfxpers.exe
o igfxsrvc.exe
o ilasm.exe
o InstallUtil.exe
o journal.exe
o jsc.exe
o lsass.exe
o lsm.exe
o MSBuild.exe
o msdt.exe
o mshta.exe
o msiexec.exe
o mstsc.exe
o Net.exe
o Net1.exe
o ping.exe
o PowerShell.exe
o PowerShell_ise.exe
o PresentationHost.exe
o reg.exe
o RegSvcs.exe
o RegSvr32.exe
o rundll32.exe
o sc.exe
o script.exe
o SearchFilterHost.exe
o SearchProtocolHost.exe
o services.exe
o set.exe
o setx.exe
o spoolsv.exe
o svchost.exe
o systemreset.exe
o taskhost.exe
o taskmgr.exe
o vbc.exe
o vssadmin.exe
o w3wp.exe
o winlogon.exe
o winword.exe
o wmic.exe
o Wscript.exe
o wuauclt.exe
Detect single character file name executables, including but not limited to: 0-9.exe and A-Z.exe as well as other characters like ..exe, _.exe, $.exe, etc.
Monitor email for certain file-types within zip, such as .js or scr.
Monitor for encrypted zips.
Check email for .iso, .scr, etc. attachments.
Detect zero-byte files.
o There are several concerns with zero-byte files, some I am sure I am not even aware of, but think of log deletion...files that should contain content but all of a sudden do NOT. Also, think of destructive malware, which can zero-out files: https://forums.malwarebytes.com/topic/87855-zero-byte-data-files - there are probably a lot of other things, so if anyone wants to pile on, please do!
Take a look at the SANS “Finding Evil” poster. Note which processes should never spawn certain other processes, etc. and create rule-sets or dashboards to look for those types of anomalies. Additionally, this may help you begin tracking known malware injects.
Check the “Behavior Rule-sets” and “Digital Signatures” as outlined in this famous SANS poster.
Monitor what’s being downloaded across the organization.
Correlate hosts that generate greater than one a/v alert within the span of up to one week.
Track a/v hits where the action was “Allowed”, “Deferred”, “Left Alone”, etc. Create rule-sets for correlation.
Track a/v hits where the action was “Blocked”, “Deleted”, “Quarantined”, etc. Create rule-sets for correlation.
CarbonBlack offers the following threat indicators:
o Execution from Recycle Bin
o Suspicious process name
o Processes with obfuscated extensions
o Known malware file name
o Execution from System Volume Information folder
o Possible BlackPOS malware registry artifact
o Possible APT backdoor installation
o Possible Ransomware file artifac
o Possible Point-of-Sale malware file artifact
o Execution from APT staging area
o Possible credential theft or misuse
o Possible ZeroAccess activity
o Possible Tibet.c backdoor installation
o Possible wirelurker infection
o ntvdm.exe spawned by office application
o Siesta campaign indicators
o PlugX campaign indicators
o Modification of launchd.conf
o Suspicious OSX persistence mechanism
o Modification of /etc/rc.common
o Possible Olyx/Lasyr activity
o Possible wirenet and/or netweird activity
o Possible Flashback infection
o Possible iWorm infection
o Possible NetWeirdRC infection
o Suspicious local password change
o Attempted osx password hash collection
o Execution from trash bin
o Suspicious process execution
o Suspicious shell activity
o Powershell executed with encoded instructions
o Modification of powershell execution policy
o Possible malicious powershell activity
o Possible WMI Persistence
o Possible WMI command invocation
o WinRM command activity
Begin looking at all the remote access software being utilized in your environment and start to baseline the activity around it. I'm not just talking about Windows built-in RDP, but also tools like GoToMyPC, LogMeIn, TeamViewer, and even Web-Based products such as Join.me (to name a few). These can all be valuable tools but if a SysAdmin has one sitting on his/her server that they didn't install themselves...ummm...gulp.
Lastly, it’s too much to retype it all, but there is a wealth of additional information along the topic of hunt at the following links:
I met Cheryl Biswas at DEF CON a few weeks ago when her laptop malfunctioned as she was taking the stage for her talk. She asked if anyone in the audience had a spare laptop, and guess what, I did...and I gained a wonderful new friendship as well! Not only is Cheryl incredibly smart, this woman knows her stuff when it comes to Threat Intel and Hunt! Take a read!
⇨Contains 87 references to Hunt, just search the page for “Hunt”
⇨Contains 21 references to Hunt, just search the page for “Hunt”
⇨http://www.threathunting.net/reading-list
⇨http://www.hexacorn.com/blog/2016/10/15/threat-hunting-a-tale-of-wishful-thinking-and-willful-ignorance
⇨http://www.hexacorn.com/blog/page/26
⇨http://www.hexacorn.com/blog/2016/10/15/threat-hunting-a-tale-of-wishful-thinking-and-willful-ignorance
Monitor email for certain file-types within zip, such as .js or scr.
Monitor for encrypted zips.
Check email for .iso, .scr, etc. attachments.
Detect zero-byte files.
o There are several concerns with zero-byte files, some I am sure I am not even aware of, but think of log deletion...files that should contain content but all of a sudden do NOT. Also, think of destructive malware, which can zero-out files: https://forums.malwarebytes.com/topic/87855-zero-byte-data-files - there are probably a lot of other things, so if anyone wants to pile on, please do!
Take a look at the SANS “Finding Evil” poster. Note which processes should never spawn certain other processes, etc. and create rule-sets or dashboards to look for those types of anomalies. Additionally, this may help you begin tracking known malware injects.
Check the “Behavior Rule-sets” and “Digital Signatures” as outlined in this famous SANS poster.
Monitor what’s being downloaded across the organization.
Correlate hosts that generate greater than one a/v alert within the span of up to one week.
Track a/v hits where the action was “Allowed”, “Deferred”, “Left Alone”, etc. Create rule-sets for correlation.
Track a/v hits where the action was “Blocked”, “Deleted”, “Quarantined”, etc. Create rule-sets for correlation.
CarbonBlack offers the following threat indicators:
o Execution from Recycle Bin
o Suspicious process name
o Processes with obfuscated extensions
o Known malware file name
o Execution from System Volume Information folder
o Possible BlackPOS malware registry artifact
o Possible APT backdoor installation
o Possible Ransomware file artifac
o Possible Point-of-Sale malware file artifact
o Execution from APT staging area
o Possible credential theft or misuse
o Possible ZeroAccess activity
o Possible Tibet.c backdoor installation
o Possible wirelurker infection
o ntvdm.exe spawned by office application
o Siesta campaign indicators
o PlugX campaign indicators
o Modification of launchd.conf
o Suspicious OSX persistence mechanism
o Modification of /etc/rc.common
o Possible Olyx/Lasyr activity
o Possible wirenet and/or netweird activity
o Possible Flashback infection
o Possible iWorm infection
o Possible NetWeirdRC infection
o Suspicious local password change
o Attempted osx password hash collection
o Execution from trash bin
o Suspicious process execution
o Suspicious shell activity
o Powershell executed with encoded instructions
o Modification of powershell execution policy
o Possible malicious powershell activity
o Possible WMI Persistence
o Possible WMI command invocation
o WinRM command activity
Begin looking at all the remote access software being utilized in your environment and start to baseline the activity around it. I'm not just talking about Windows built-in RDP, but also tools like GoToMyPC, LogMeIn, TeamViewer, and even Web-Based products such as Join.me (to name a few). These can all be valuable tools but if a SysAdmin has one sitting on his/her server that they didn't install themselves...ummm...gulp.
Lastly, it’s too much to retype it all, but there is a wealth of additional information along the topic of hunt at the following links:
I met Cheryl Biswas at DEF CON a few weeks ago when her laptop malfunctioned as she was taking the stage for her talk. She asked if anyone in the audience had a spare laptop, and guess what, I did...and I gained a wonderful new friendship as well! Not only is Cheryl incredibly smart, this woman knows her stuff when it comes to Threat Intel and Hunt! Take a read!
⇨Contains 87 references to Hunt, just search the page for “Hunt”
⇨Contains 21 references to Hunt, just search the page for “Hunt”
⇨http://www.threathunting.net/reading-list
⇨http://www.hexacorn.com/blog/2016/10/15/threat-hunting-a-tale-of-wishful-thinking-and-willful-ignorance
⇨http://www.hexacorn.com/blog/page/26
⇨http://www.hexacorn.com/blog/2016/10/15/threat-hunting-a-tale-of-wishful-thinking-and-willful-ignorance
Friday, July 7, 2017
How to Lose Like a Champion
Some of you may remember that just recently a little side project AboutDIFR.com which I am a part of with Devon Ackerman had been nominated for a very prestigious award in our field of Digital Forensics and Incident Response called the Forensic 4:cast award. Perhaps some of you reading this even voted for us, thank you for that. We didn't walk away with the award and I know this sounds trite, but it truly was an honor just to be nominated. I mean that. It hurt to lose, I don't know how else to phrase it, it really did, but when we lose in life, there can be real value in that, and that's what I'd like to focus on.
The first thing I thought when we didn't win was, what am I going to tell my little girls back home. Of course the truth, but how could I hide my sadness from them and not look like a poor loser! I texted home and an answer shot right back..."We have to show them real life!" That was great advice, and honestly, it was the kick in the [you know what] that I needed!
The reality is, there was a ton of good in our loss. Let's count all of the blessings first. I had finally gotten a chance to meet my partner Devon Ackerman in person, what a joy! I also had the pleasure of meeting more than one person who came up to us to tell us how much value they have gotten out of our project AboutDIFR.com.
One of the persons who approached us was Jessica Hyde. Jessica was one of the first persons I met at the conference. She made a point to march right over to us and introduce herself and tell us how much she enjoyed our project. Turns out, she was born a few miles from my home and the next time she visits her parents, she's coming to dinner! But there's one more thing you need to know about Jessica (besides the fact that she is a wicked h@cker and gave one of the most awesome talks at the con). Jessica works for Magnet Forensics, the company that won the award in our category. Yup, that's right folks. Here we were competing against her company, but she had taken it upon herself to come over to us and compliment us on how much she enjoyed our project. Wow! None of us knew at that point who had won the award or who had lost, but I can assure you that when her team won the award and we didn't, she was one of the first persons I reached out to to congratulate.
I had put some thought into what I might write in a blog post in the off-chance that we won, and I think those ideas still hold some value so I'll share some of them below.
I believe that one of the things that makes our DFIR community great, is that we share, but what's ironic (and complicated) about that is, when you look at some of the folks in our space who have shared, and their incredible tools, blog posts, code, etc., it can be rather intimidating, at least to someone like me who sometimes wonders if I'd be more comfortable in a cave.
The other thing about sharing is that when you put yourself out there, you give up some control of your work, which can be scary on different levels. For one, control is a hot-button topic among many security practitioners. We love our controls, but I bet we've all worked for someone who's taken it a bit too far and either (a) not shared enough and kept too many keys to the kingdom to themselves and then the business suffered a single point of failure, or (b) locked-down users to the point they had trouble getting actual work done.
Also, in some respects, sharing can make you vulnerable to criticism (good or bad) - here's an example - if you're a singer-songwriter like myself, you might publish a song and then have someone get a totally different meaning from it, or someone else might hear a lyric incorrectly and have that song take on a whole other meaning. I remember my agent having to explain to me how I shouldn't get so bent out of shape by that. She called it, "poetic license" and went on to point out how it can be a beautiful thing. Afterward, I thought about all the times I had sung the wrong words to popular songs and was guilty of the same myself!
So when I returned home from the conference, my daughters were so excited for me! My oldest asked me, "Mom, what prize did you win for second place?!" And I took such great pleasure in sharing my wonderful life lesson with them, that for a fleeting second, I was almost glad we'd lost.
In closing, I suppose some of the above can be reasons not to publish or post, but our community is built on sharing, and it only gets better if everyone contributes. Don't be afraid! There's a little song I used to sing when I was a child called, "This Little Light of Mine" - I bet some of you know it! Everyone has an inner light, find yours and let it shine! Even if all you think you have is a bunch of annotated URL's in a NotePad file floating around somewhere (like yours truly), you can still turn that into something useful for others - and if one person benefits, isn't that winning? Isn't that your real prize?
Wednesday, April 5, 2017
The Little Engine That Could?
The Little Engine That Could by Watty Piper is one of my favorite books to read to my little ones. It's chock-full of lessons such as The Golden Rule and The Power of Positive Thinking, to name just a couple. Funny thing is, as an adult, it applies to me these days too. You see, my partner Devon Ackerman and I have just been nominated for an industry award called the Forensic :4cast Award which is arguably one of the biggest awards in our industry. We run a little site called AboutDFIR.com and we were nominated as "Digital Forensic Organization of the Year". We're up against some industry giants, but with your vote, we could (did you get that reference?) win. It's a long shot, so here's where I humbly and respectfully request your vote, if you feel we've earned it. Devon and I are both passionate about DFIR (and malware), and we each have full-time jobs and small children as well, so we do the best we can with the little bit of free time that we have, but we do it with a great love for our industry and the belief that if we think we can, we *will* leave our profession "better than we found it," which is advice I often impart upon my children.
THANK YOU SO MUCH to everyone who nominated us and we'd be honored if you voted for us. As for our competition, Magnet Forensics and Cellebrite (and who doesn’t LOVE those two industry luminaries?!) my thinking is, you can still vote for them in other categories and then choose us for your "Organization of the Year" vote. Just my personal elevator pitch, but maybe it makes sense?! Regardless, it’s simply splendid and an honor to be nominated! Thank you everyone!!!
Sunday, January 22, 2017
AboutDFIR.com Partnership
Today I have the great pleasure of announcing a partnership that has formed between Devon Ackerman and myself. Devon had been sharing a DFIR resource that was similar to my Threat Intel list but we have now merged those two projects into one bigger and better repository that we host at AboutDFIR.com!
Our merger is still a work in progress so if you don't see a familiar data set, it's probably because we haven't quite ported everything over yet. One of our goals is to offer continuous, timely and meaningful resources, in a very easy to use format and in one central repository.
I'd like to thank a few people who have been silent cheerleaders during this transition period, offering their support, wisdom, and in some cases their own resources. David Cowen, who took a big chunk of his very valuable time to answer several questions and offer guidance. Josh Sutfin, who offered valuable data which we will look forward to adding as time allows. Matt Bromiley, Harlan Carvey, Phill Moore, and Andreas Sfakianakis, each industry rockstars in their own right, have been so kind to mention my research.
Last but certainly not least, I'd like to thank Devon. Devon quickly became a friend, and when I would get really stressed about the added pressure of a project of this magnitude on top of a full-time job and raising two children (which is another FT job LOL!), he would simply remind me that this was a hobby, and something that we chose to do because it was fun, so no angina allowed!
One more thing, if you're reading this and you are new to the field of DFIR, Threat Intelligence, Malware Analysis/Research or perhaps deciding whether or not to pursue a career in Information Security, I hope you will find our new shared resource DFIR - The Definitive Compendium Project helpful. There is real community in Security, and one of our goals is to shine a light on that. Enjoy!
Our merger is still a work in progress so if you don't see a familiar data set, it's probably because we haven't quite ported everything over yet. One of our goals is to offer continuous, timely and meaningful resources, in a very easy to use format and in one central repository.
I'd like to thank a few people who have been silent cheerleaders during this transition period, offering their support, wisdom, and in some cases their own resources. David Cowen, who took a big chunk of his very valuable time to answer several questions and offer guidance. Josh Sutfin, who offered valuable data which we will look forward to adding as time allows. Matt Bromiley, Harlan Carvey, Phill Moore, and Andreas Sfakianakis, each industry rockstars in their own right, have been so kind to mention my research.
Last but certainly not least, I'd like to thank Devon. Devon quickly became a friend, and when I would get really stressed about the added pressure of a project of this magnitude on top of a full-time job and raising two children (which is another FT job LOL!), he would simply remind me that this was a hobby, and something that we chose to do because it was fun, so no angina allowed!
One more thing, if you're reading this and you are new to the field of DFIR, Threat Intelligence, Malware Analysis/Research or perhaps deciding whether or not to pursue a career in Information Security, I hope you will find our new shared resource DFIR - The Definitive Compendium Project helpful. There is real community in Security, and one of our goals is to shine a light on that. Enjoy!
Subscribe to:
Posts (Atom)
