Sunday, January 22, 2017

Recovering Luddite?

Growing up Mennonite in Lancaster County with no computer, and no television, only to become a Digital Forensic Analyst and Incident Response Specialist living in New York City, has been quite a journey. My friends tell me the uniqueness of my life requires a blog, but I tell them, I haven't changed much, really.

Personal blog, nothing on here represents my employer. Partnership

Today I have the great pleasure of announcing a partnership that has formed between Devon Ackerman and myself.  Devon had been sharing a DFIR resource that was similar to my Threat Intel list but we have now merged those two projects into one bigger and better repository that we host at!

Our merger is still a work in progress so if you don't see a familiar data set, it's probably because we haven't quite ported everythin
g over yet.  One of our goals is to offer continuous, timely and meaningful resources, in a very easy to use format and in one central repository.

I'd like to thank a few people who have been silent cheerleaders during this transition period, offering their support, wisdom, and in some cases their own resources.  David Cowen, who took a big chunk of his very valuable time to answer several questions and offer guidance.  Josh Sutfin, who offered valuable data which we will look forward to adding as time allows.  Matt Bromiley, Harlan Carvey, Phill Moore, and Andreas Sfakianakis, each industry rockstars in their own right, have been so kind to mention my research.

Last but certainly not least, I'd like to thank Devon. Devon quickly became a friend, and when I would get really stressed about the added pressure of a project of this magnitude on top of a full-time job and raising two children (which is another FT job LOL!), he would simply remind me that this was a hobby, and something that we chose to do because it was fun, so no angina allowed!

One more thing, if you're reading this and you are new to the field of DFIR, Threat Intelligence, Malware Analysis/Research or perhaps deciding whether or not to pursue a career in Information Security, I hope you will find our new shared resource DFIR - The Definitive Compendium Project helpful.  There is real community in Security, and one of our goals is to shine a light on that.  Enjoy!

Sunday, December 4, 2016

Threat Intelligence

UPDATE: Just added a new tab for CTF, Challenges and Sample Image Files, check it out!
I am really looking forward to sharing a new post with the community! 

I revamped my older "Links I Follow" spreadsheet and added a repository of Threat Intelligence portals, Hunt tactics and more malware links.  The new spreadsheet has tabs, so don't miss all three tabs. The "Research" tab has my old "Links I Follow" spreadsheet, with anything new in bold.  A good portion of the entries are free or open source, but if you like something you see and the author asks for a small donation, remember it's nice to give back if you are able.

Some time ago my "IR A-Z" paper was warmly welcomed, as was my list of tools that I shared.  I've since found a whole bunch more tools, but my new list doesn't have very many tools in it, instead I decided to focus my energy on answering a question I received from a former co-worker as well as from some of the listserv's I follow.  A few weeks back a good friend texted me, "Do you happen to have a list of blog intel stuff, API feeds, or anything that reports on current malware or phishing?"  Well, turns out I did, but it seems now that I follow Twitter, I come across so much incredible intel every day, that all I have time to do is copy the URL and move on!  I'd had links and links and links that I had saved but not taken the time to add to my spreadsheet!  But I knew, that in order to help my friend, I needed to sit down and take some time to cull through my pile of information and organize some of it.  There's tons more, but it's an infinite process, which at some point I just have to cut my losses and say, here's all I have time to record.

So that's what this post is about.  It's not meant to be an exhaustive directory by any means, and trust me, I've labored over how to categorize things, where to place them in the list, and eventually just ran out of time. So you might find some malware research under Threat Intelligence or some Hunt stuff under Tools, etc.  I did the best I could with the little bit of free time that I had, so please know that the list is far from perfect, but hopefully it will be helpful to the community.

Friday, November 18, 2016

Unofficial Holiday Hack Countdown

I am so eager for this year's SANS Holiday Hack Challenge that I created a fun counter for myself! Thank you to the wonderful Katie Knowles for letting me use her pic!

Wednesday, June 29, 2016

Incident Response: A-Z

Update: I am incredibly humbled by the positive responses I've received since posting my paper on Incident Response A-Z. I am very grateful to each and every person who added their suggestions, and pointed out that glaring mistake on page 6 where I duplicated the first 3 processes.  I was on my way to Disneyland when I noticed it, and was mortified (and humbled in a different way)!  I have just posted a revised and corrected copy/link below.  Thank you again everyone for all your input, that's what makes community great, enjoy!

I began the concept of this paper with one sentence, almost 5 years ago. I have slowly expanded upon that sentence over the past 5 years, and I fully expect that trend to continue. Over the course of chipping away at the paper, I have published portions of it on my blog.

A likely follow-up would be an example investigation, soup to nuts, along with a final report that you would hand to the client. That may be my next endeavor. I started that process recently, but with not a lot of free time in my schedule, I decided to go ahead and publish what I have so far, and if I can eke out enough time to do the rest and tack on other stuff, I certainly will.

The paper is dedicated to my daughters. My 1 year old cannot yet grasp the concept of malware, however while traveling recently and Skyping with my 5 year old who is crazy about princesses and of course “Frozen,” we were sharing stories about our day and I mentioned that I had come across a very interesting piece of malware, to which she responded, “Mom, was it pink malware?!” And thus, "pink malware" was born, because of course I had to come home with some for her.

Lastly, my thoughts and processes are just one of a thousand ways you can approach an incident. I am making no claims that the paper is perfect, or exhaustive. I do, however, hope that someone will find something meaningful that they can take away from it. I recently received a private message from someone anonymously via my blog who encouraged me to keep putting things like this out there because it was incredibly helpful to the DFIR community. I am releasing this paper in the spirit of that post. It’s far from ready for publishing, or complete, but it is good enough for now: It opens to PDF:

Monday, May 30, 2016

Memorial Day Blessings

This past weekend I had the privilege of participating in a memorial service for a loved one in San Diego. Our beloved grandfather (through marriage, and great-grandfather to our children) passed away last week, and we all scrambled to fly to San Diego and celebrate his life.

Being a Mennonite, I had not previously had an opportunity to be exposed to a ceremony which included military honors. However, I have always adopted the philosophy that although our Mennonite theology is one of pacifism, we would not be able to have the choice to worship freely if those liberties hadn't been defended, fought for, and if many hadn't sacrificed their lives for them. So my belief on that matter has always been a very thoughtful one, and quite frankly with the threats our nation now faces, well, it's complicated,,,but I digress.

While poring over many photographs and memories of our dear grandfather, I learned about the Murmansk Run and how dangerous that passage was during World War II. So dangerous in fact that our grandfather, who was a Gunner in the Navy, had earned a Bronze Star and a Purple Heart.

The graveside message that the Reverend left us with will stick with me for a very long time. He opened by saying, "No matter what your political beliefs are in this heated election year, there's nothing that unifies us greater than the loss of someone who has served our country."

And that, my friends, is why I have had many conversations over the course of this Memorial Day weekend, to stop, pause, and make sure my 6 year-old and my 2 year-old, understand why they have the day off school, and how important Memorial Day is, not just today, but every single day.  Blessings to all the families who have lost a loved one who has made the ultimate sacrifice, and to all who are serving and have served our great country.

Friday, April 29, 2016

I Heart Malware!

I love malware, I really do.  And let’s face it, malware gets a really bad rap!  After all, it’s evil, it’s vicious, and no one wants it, right?  Hmmm…that’s funny, cuz I download as much of it as I can!  It fascinates me, almost to the point of getting me in trouble with one of my Supervisors.  Yup.  As it was so delicately explained to me, “Mary Ellen, malware to you is like a needle to an addict.  I can remove the drug but the needle is still stuck in your vein.”  There’s a back-story to that which I won’t bore you with, but it was all in good fun mind you, he was absolutely right-on with his assessment and here's why.  I was way too focused on commodity malware, meanwhile behavioral hunt-work such as lateral movement and looking for good-tools (#Goodware) being used for bad was taking too much of a backseat.  But, I digress.

So why do I enjoy looking at malware so much anyway?  Well, it’s smart enough to sneak through a ton of sensors (like a good pen-tester), and occasionally it’s very well written.  OK, so where am I going with all of this?

I was recently discussing a custom piece of “malware” that a co-worker had written, and as he was describing it to me, my mind was racing to a million different places.  What a cool piece of code!  Most of the a/v engines were calling it malware, but it was really just a cleverly crafted program that wasn’t evil at all. Yes, it stopped a process to inject something then started it back up again, but it didn't do anything malicious per se.

OK, OK, so the hardcore malware entomologists amongst the group could argue that in fact that’s actually not malware to begin with, it’s #goodware…but the end-point solutions are all whacking it due to its “malcode”, so doesn’t that make it malware?  If malware was strictly defined by heuristics, maybe, but that could lead to too many false positives.

What’s my point?  Whatever you want it to be.  If your take-away is simply to think about “good code” vs. “malcode” then maybe that’s beneficial to you.  If you’re now wondering about or reevaluating your current security controls and why those solutions are allowing grayware or adware into your enterprise, then maybe that’s helpful also.  And BTW, what files does your organization currently allow or block?  Do you allow zips?  If so, do you block zips if they're encrypted?  Or, maybe you filter zips by file-type content, like .exe, .js or .scr inside of a zip (of course one could manually change the file extensions to bypass)?  Additionally, are there files that you block as attachments straight-up such as .doc, .docm, .rtf or .xls?

I wrote the above blurb earlier in the week but didn't have a chance to post it, and just today a friend sent me a link to a FAR BETTER post, so check that one out too!