tag:blogger.com,1999:blog-82657301983329904412024-03-13T12:20:47.431-04:00What's A Mennonite Doing In Manhattan?!Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.comBlogger113125tag:blogger.com,1999:blog-8265730198332990441.post-30600787738700562892023-04-18T13:15:00.000-04:002023-04-18T13:15:40.154-04:00Recovering Luddite?<b><span style="font-family: "arial"; font-size: 130%;">Growing up Mennonite in Lancaster County with no computer, and no television, only to become a Digital Forensic Analyst and Incident Response Specialist living in New York City, has been quite a journey. My friends tell me the uniqueness of my life requires a blog, but I tell them, I haven't changed much, really.</span></b><br />
<b><br /></b>
<b><span style="font-family: "arial"; font-size: small;"><i>Personal blog, nothing on here represents my employer. </i></span></b>Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com2tag:blogger.com,1999:blog-8265730198332990441.post-61301172449658165652023-04-18T12:45:00.007-04:002023-04-18T13:48:24.177-04:00Successful Threat Hunting<html>
<body>
<b><span style="font-family: "arial"; font-size: 130%;">
<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVtNyt1XD7o0IVR94fWCqy1jyB7X7vTlbd9eC-Wooovhcdk2cyYFruSse-Ag6nTy2NOhQ3ptjWkccu6DxetcPHytlrf46o-oqh7Wr6iOz2CemCgd8iGByjWL-1AdYKHE5a9IX7ZEAJdWCYZ7MNkHNPOdrYVtr9nkXiiL_XeQcRMEx0WzGspPsV3yZFEg/s680/ActiveCounterMeasures.jpg" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: arial; font-size: medium;"><img border="0" data-original-height="383" data-original-width="680" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgVtNyt1XD7o0IVR94fWCqy1jyB7X7vTlbd9eC-Wooovhcdk2cyYFruSse-Ag6nTy2NOhQ3ptjWkccu6DxetcPHytlrf46o-oqh7Wr6iOz2CemCgd8iGByjWL-1AdYKHE5a9IX7ZEAJdWCYZ7MNkHNPOdrYVtr9nkXiiL_XeQcRMEx0WzGspPsV3yZFEg/w400-h225/ActiveCounterMeasures.jpg" width="400" /></span></a></div><span style="font-family: arial; font-size: medium;"><br /></span><div style="text-align: left;"><span style="font-family: arial; font-size: medium;">I received a very prestigious award this past week at work, arguably one of the biggest my company doles out. Since the fanfare and graphics were internal only and labeled as “Confidential”, I wanted to take a moment to share with you one of the big reasons why I believe I received that award.</span></div><div style="text-align: left;"><span style="font-family: arial; font-size: medium;"><br />
</span></div><div><div class="OutlineElement Ltr">
<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCdFFljtGEjDVvZFgvY2n7O6cIXwIHDdSs0E43B1vqOUO_d1AIhJr5HjyaBadH5FLAVDiMkg0G-66J8v9IaN1O2NOzsc0UPJWbowJMflhF1lVOBtnuDS3-9pUBKAEgeuW0JJU5hYfP7l5LzXZbArsoN8s8IblX6pbM7K6kGkTGOeXP_bU-5V-nztcA3w/s600/GIFMaker_me.gif" style="margin-left: 1em; margin-right: 1em;"><span style="color: black; font-family: arial; font-size: medium;"><img border="0" data-original-height="296" data-original-width="600" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgCdFFljtGEjDVvZFgvY2n7O6cIXwIHDdSs0E43B1vqOUO_d1AIhJr5HjyaBadH5FLAVDiMkg0G-66J8v9IaN1O2NOzsc0UPJWbowJMflhF1lVOBtnuDS3-9pUBKAEgeuW0JJU5hYfP7l5LzXZbArsoN8s8IblX6pbM7K6kGkTGOeXP_bU-5V-nztcA3w/s320/GIFMaker_me.gif" width="320" /></span></a></div>
<b><span style="font-family: "arial"; font-size: 130%;">
<br />
<div style="text-align: left; white-space: pre-wrap;"><span style="font-family: arial; font-size: medium;">The title graphic used in this post is from an upcoming (and recurring) FREE class taught by Chris Brenton over at <a href="https://www.activecountermeasures.com/hunt-training" rel="noreferrer noopener" target="_blank">Active Counter Measures</a> (a <a href="https://www.linkedin.com/in/john-strand-a1b4b62" target="_blank">John Strand</a>/<a href="https://www.linkedin.com/company/black-hills-information-security" target="_blank">Black Hills Information Security</a> company). The first SANS class I ever took was back in 2007, taught by Mr. Brenton; it was called “SANS SEC502 Perimeter Protection In-Depth”... back in the day, when I scanned the cert, I don’t even think I had a color scanner LOL!
<a><img alt="cert" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqKUQJEP7jtSMTc5Wj_T9rIezW68JpTF_EmnLZs3Pb0r-MzB3S2IGqfhuFTdHmP5VGk7iBeZ_j6nt0tgw9h2C6AoZ8IxpAxGM6114SyTpWn5vG7Xnk-Alp4NaYsBAzakH3h_Sg7oDs_QfhRdVGyqQL6XoEVyLUdhcuTFkvYPWz-7S4SuVM3GMN7s1c9g/s320/CertSANS_SEC502_PerimeterProtectionInDepth_Jan192007.jpg"/></a>
So how does all this tie into my award? On April 4, 2020, when so many of us were on lockdown due to COVID-19, Active Counter Measures offered their first free Threat Hunting course, taught by none other than Chris Brenton. Back then it was a 4-hour class; I took it and was blown away. Chris has since taught that course a total of 14 times, and I have taken it as many times. Several times, after taking that class, I turned right around and used that new-found knowledge in my own threat hunting.
I remember a couple of times, after reviewing my notes the next day, I had a question which I put into the <a href="https://discord.com/invite/2JjfB7E" target="_blank">Active Counter Measures Discord server</a>, and Chris got right back to me. Folks, who does this, and for FREE?! Who consistently gives up an entire Saturday to teach a 6-hour class for nothing? Seriously, what a gift to our community! <a href="https://zoom.us/webinar/register/8816777954731/WN_EaHjJY4MQzKflLwt7PXeCg" target="_blank">I encourage everyone reading this to take the next class on Saturday, April 22nd, 2023 from 11 AM to 5 PM (ET).</a> You won't regret it, and trust me, fun fact...you might just find yourself emerging from a rabbit hole, clutching a very, very real, and shiny object!
</span></div>
</body>
</html>Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com0tag:blogger.com,1999:blog-8265730198332990441.post-3110964570234101082023-01-29T15:50:00.002-05:002023-01-29T19:57:31.409-05:00Honoring Mentoring Month<div class="separator" style="clear: both;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgp1yULjsi-YSQ2HUT-EWrcUiKAeVE8edsgKBJd7xCFdqVbkeL17OxEKch9y6M39HjUlmRzW35RAzHYFGdaD4XawZ3sVcebB-OU9h32-ZFzv3MQpDk4yPRKWEQTruLQYoS2JmTkHI4XQNmZB3Kd-HT2zxPaDGqJjZbCkTrLcrkLITU61tDLBQhYYxP_Qw/s1549/HomePage2.png" style="display: block; padding: 1em 0px; text-align: center;"><img alt="" border="0" data-original-height="1036" data-original-width="1549" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgp1yULjsi-YSQ2HUT-EWrcUiKAeVE8edsgKBJd7xCFdqVbkeL17OxEKch9y6M39HjUlmRzW35RAzHYFGdaD4XawZ3sVcebB-OU9h32-ZFzv3MQpDk4yPRKWEQTruLQYoS2JmTkHI4XQNmZB3Kd-HT2zxPaDGqJjZbCkTrLcrkLITU61tDLBQhYYxP_Qw/w400-h268/HomePage2.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;"><b><span style="font-family: helvetica; font-size: medium;"><b>If you are new to InfoSec or trying to break into CyberSecurity, this post is dedicated to you. I have revamped my <a href="https://dfirlinks.blogspot.com" target="_blank">DFIRLinks Website and added a whole new row of resources</a> for newcomers or those seeking a new role. You may be wondering why, right next to <a href="https://dfirlinks.blogspot.com/p/infosec101.html" target="_blank">“InfoSec101”</a>, there’s a link to <a href="https://dfirlinks.blogspot.com/p/leadership.html" target="_blank">“Leadership”</a> resources. Here’s why. Many of you are just trying to get your foot in the door, but if you study the materials listed in my blog, I’m confident that you will...and it might not be long until you find yourself with an opportunity to move up from your entry-level role. Additionally, I’m a firm believer that leadership skills can help you gain that chance to move ahead. Just because your job title doesn’t have, “Manager, Director, or Team Lead” in it, certainly doesn’t mean you can’t exhibit leadership qualities.</b></span></b></div><div class="separator" style="clear: both; text-align: left;"><b><span style="font-family: helvetica; font-size: medium;"><b><br /></b></span></b></div><div class="separator" style="clear: both; text-align: left;"><b><span style="font-family: helvetica; font-size: medium;"><b>It’s never too soon to begin building <a href="https://dfirlinks.blogspot.com/p/leadership.html" target="_blank">“Servant Leadership”</a> qualities. Those traits can help you with more than just your career, they can guide you to becoming a better parent, friend, spouse, sibling, child, and so much more. 
Being a servant leader is far more than being a manager, so I’ve listed some resources that I hope will inspire you.</b></span></b></div><div class="separator" style="clear: both; text-align: left;"><b><span style="font-family: helvetica; font-size: medium;"><b><br /></b></span></b></div><div class="separator" style="clear: both; text-align: left;"><b><span style="font-family: helvetica; font-size: medium;"><b>But building your character can be hard work. It can mean things like evaluating how we apologize to people. For example, there’s a way to say “I’m sorry” that completely absolves you of any responsibility for your deeds, and then there’s a way to take ownership of your words and actions, spell them out, and truly apologize in a very specific manner.</b></span></b></div><div class="separator" style="clear: both; text-align: left;"><b><span style="font-family: helvetica; font-size: medium;"><b><br /></b></span></b></div><div class="separator" style="clear: both; text-align: left;"><b><span style="font-family: helvetica; font-size: medium;"><b>What I’m equally advocating is that you land that first gig, and that once you do, you won’t want to stop learning and trying to better yourself. So, while this post is hitting the tail end of Mentoring Month (January), I hope you will still find it useful. </b></span></b></div>
Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com0tag:blogger.com,1999:blog-8265730198332990441.post-3954652142006297372022-10-03T10:14:00.003-04:002022-10-03T11:00:45.983-04:00Hedge Funds: A Unique CyberSecurity Posture<div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYtPKh5adMn_H4euP8BXsd5k8PSx8H78Wx6oAEFWHw-ce5fQ_7CoCrJ0P8NhPhze9BxQnhoxBdktf6nPTBgYu26qDt-J3-FnmLHg7wBcJrutjPIHz0Hy_1OW2a_PyjmWodwxqYKfpkbPWQ5MM3A3MQhH2G8BMK5jK29iZx1AKpk12kTLWjoSzYJOCCbQ/s4259/IMG_20221002_114534_Edited.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="2448" data-original-width="4259" height="184" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYtPKh5adMn_H4euP8BXsd5k8PSx8H78Wx6oAEFWHw-ce5fQ_7CoCrJ0P8NhPhze9BxQnhoxBdktf6nPTBgYu26qDt-J3-FnmLHg7wBcJrutjPIHz0Hy_1OW2a_PyjmWodwxqYKfpkbPWQ5MM3A3MQhH2G8BMK5jK29iZx1AKpk12kTLWjoSzYJOCCbQ/s320/IMG_20221002_114534_Edited.jpg" width="320" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><b><span style="font-family: helvetica; font-size: medium;">Hedge Funds: A Unique Cyber Security Landscape?</span></b></div><p><span style="font-family: helvetica; font-size: medium;"><b>I was recently asked to join a <a href="https://www.hedgefundassoc.org" target="_blank">Hedge Fund Association</a> panel to discuss the unique Cyber Security challenges that keep Hedge Fund managers up at night. Although the <a href="https://www.citrincooperman.com" target="_blank">Citrin Cooperman</a> event had to be postponed, I put together the following article based on my research leading-up to my appearance at the event.</b></span></p><p><b><span style="font-family: helvetica; font-size: medium;">"Hedge Funds...they're so risky!" Have you ever heard that said? I sure have, but it was strictly meant in terms of ROI, like “Two and Twenty”, but not cyber security. 
In terms of cyber security, what is the risk for a hedge fund, and what does that threat landscape look like?</span></b></p><p><b><span style="font-family: helvetica; font-size: medium;">While I find myself every day at the coalface of real-time cyber security threats toward financial institutions, hedge funds are a unique snowflake of their own. Like a wealth management firm, they have no brick-and-mortar tellers, debit cards, ATMs, or even physical vaults. They still face the standard cyber threats that a major financial institution has to mitigate, but what I believe is quite different is the vector.</span></b></p><p><b><span style="font-family: helvetica; font-size: medium;">For example, regulatory compliance is extremely important to the financial sector, but for a hedge fund it is arguably hard to track. Think about MNPI (material non-public information) for a second: let’s say you run a small hedge fund and you overhear a conversation at a bar that Broadcom is planning to buy VMware. The next day, you throw a ton of money into VMware, but if you are questioned by FINRA or the SEC, you probably won’t have any background research or recently published reports about the two companies, and if you were to take a selfie at that point, you just might have some egg on your face. Which is a great segue into regulatory tech and monitoring traders.</span></b></p><p><b><span style="font-family: helvetica; font-size: medium;">Monitored trading at a hedge fund is important for a lot of reasons, such as the threat of intellectual property theft (trading algorithms or M&amp;A information), however one of the misconceptions around monitoring is the term “Insider Threat”. In cyber security that term usually refers to a trusted insider with a very high level of access who has become disgruntled; at a hedge fund, it is equally important to monitor for honest mistakes, such as forgetting to disclose a political contribution. 
In real estate it is often said, “Location, Location, Location”, but for a hedge fund it’s “Monitor, Monitor, Monitor”.</span></b></p><p><b><span style="font-family: helvetica; font-size: medium;">BEC is everywhere, just ask <a href="https://twitter.com/iHeartMalware" target="_blank">Ronnie Tokazowski</a>, but the stakes are much higher for a hedge fund. Hedge funds are often known for their rock-star leader(s), so the risk of disruption or extortion is far greater, and VIP protection is likely top of mind. These leaders are highly targeted because of the perception that they would pay to reduce any downtime. Spearphishing is very high on the list of threats against hedge funds.</span></b></p><p><b><span style="font-family: helvetica; font-size: medium;">Wire fraud is another biggie: account takeover, where stolen PII is used to impersonate someone and commit fraud, is much riskier for a hedge fund because the stakes are higher.</span></b></p><p><b><span style="font-family: helvetica; font-size: medium;">Hedge funds are also in a much higher risk category for supply chain attacks. Aside from a handful of exceptions, an average hedge fund’s technical staff is a CTO and one to three sys-admins, max. So, let’s say at one of these smaller funds you have a trader who relies on open-source software. They might know some R or Python, but they aren’t necessarily trained in security. For example, do they understand what all of the libraries in the code they’re writing are doing? Are they aware which ones might be external-facing? And are they making sure their S3 buckets aren’t open?</span></b></p><p><b><span style="font-family: helvetica; font-size: medium;">In some of those smaller shops, who’s monitoring for patches and updates? It can sometimes be three months before a CVE gets published, but the delta on patch management can be even greater than that when you have just one person managing all of it. 
And what about vulnerability management? Large financial firms have entire departments dedicated to mitigating their vulnerabilities, but again, many hedge funds don’t have that luxury. They also don’t always have enough staff to build out a follow-the-sun model of 24/7 coverage, so who’s keeping watch while the lights are out? Often they are operating in reactive mode, unable to be proactive.</span></b></p><p><b><span style="font-family: helvetica; font-size: medium;">So, what can we do to improve the cyber security landscape around hedge funds? I believe that change management can play a huge role in creating a more secure and resilient environment, one built on a strong foundation of compliance, a code of ethics, and cyber security awareness training. Also, know your assets (hardware and software; see the CIS Critical Security Controls, of which there are currently 18), and make sure your network architecture diagrams are more up to date than the attacker’s map of your infrastructure (you’d be surprised how often this is not the case). In addition, start encrypting your backups (if you haven’t already), and run routine exercises to test recovery from those backups. Make sure you have full EDR coverage across all flavors of your endpoints (Linux, Mac, Windows, other), and don’t forget your servers. Consider cyber security insurance, but keep those contracts out of reach so that their contents cannot be used against you by threat actors during negotiation. Lastly, know who to call. If you’re a larger organization, consider keeping a ransomware/extortion brokering service on retainer.</span></b></p><p><b><span style="font-family: helvetica; font-size: medium;">I hope this information has been helpful. In closing, I would like to state that I could not have written this post without several friends who generously spent collective hours with me on the phone, entertaining my often-elementary questions. 
Each of them has asked to remain anonymous, as many of them are experts at their craft and spend their entire workday negotiating with ransomware criminals, or closely following them and aiding in bringing them down. I don’t pretend to be an expert on hedge funds by any means, I simply talked to several people who were much smarter than me, and I’ve tried to put together what I learned, in case it’s useful to anyone.</span></b></p>Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com0tag:blogger.com,1999:blog-8265730198332990441.post-61683767623200470092022-08-16T08:23:00.002-04:002022-08-16T08:24:16.939-04:00My People Are Hackers<div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdkNZBDbY4QEpckOe2JsDsvpU_FKD3IKug8eVGlxtk35cphoZTobzGBOPXPYaow6CrCm17eNC_xz7eT_DrJLAY4B_vt9SFO5udOPld84k2Vb02CgBXmfcmZIykJU-GSrb1SqgV1JCSnvSev00eU3KaT32pOxUElOnzPm4ZVdnFaOp4A8pA-tcXrm2Qkw/s3843/IMG_20220811_201150_Edited.jpg" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: helvetica;"><img border="0" data-original-height="2616" data-original-width="3843" height="218" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgdkNZBDbY4QEpckOe2JsDsvpU_FKD3IKug8eVGlxtk35cphoZTobzGBOPXPYaow6CrCm17eNC_xz7eT_DrJLAY4B_vt9SFO5udOPld84k2Vb02CgBXmfcmZIykJU-GSrb1SqgV1JCSnvSev00eU3KaT32pOxUElOnzPm4ZVdnFaOp4A8pA-tcXrm2Qkw/s320/IMG_20220811_201150_Edited.jpg" width="320" /></span></a></div><p><b><span style="font-family: helvetica; font-size: medium;">As I reflect on my week in Vegas for Hacker Summer Camp 2022, I had several takeaways from Christopher Krebs' engaging keynote address. 
One which stood out was, "Find your people", nurture those relationships, mentor, and give back when you can (I’m paraphrasing).</span></b></p><p><b><span style="font-family: helvetica; font-size: medium;">Well, my people are hackers. We’re good people who break stuff, build stuff, and we leave things better than we found them, (a personal family motto that I have been telling my daughters for years).</span></b></p><p><b><span style="font-family: helvetica; font-size: medium;">I am overwhelmed with gratitude to have been able to gather this past week with so many of my people. Some of us only met in spirit as we passed like ships in the night due to insane schedules where (guilty as charged) we tried to make up for two years of not attending in-person. Additionally, there were others that I had never met before, who have become new friends. Regardless of which “bucket” you fit in, I thank you for your relationship with me. I hope I can live up to Chris’ words, and nurture you, encourage you, be an ear for you, and give back when I can.</span></b></p><p><b><span style="font-family: helvetica; font-size: medium;">I have some big plans for the near future, which I cannot yet divulge, but if you too are a hacker, stay tuned because you will NOT want to miss what I'm cooking up. It won’t happen for several more weeks, so enjoy the rest of your summer, then get ready to strap yourself in, very close to your computer, because we’re gonna have some fun together, and that’s all I can say for now!</span></b></p><p><b><span style="font-family: helvetica; font-size: medium;">To everyone I interfaced with this past week, in one way or another, including but not limited to the following, may we be sustained by our time together, until we meet again:</span></b></p><p><b><span style="font-family: helvetica; font-size: medium;">Tarik Abdel, Danny Akacki, Rui Ataide, Corey J. 
Ball, Paul Battista, Samantha Isabelle Beaumont, Jay Bhalodia, Jaime Blasco, Chris Camacho, Mickey Cecil, Patrick Chapman, Ray Davidson, PhD, Michael Francess, Bilal Green, Jeremiah Grossman, Juan Andres Guerrero-Saade, John Hammond, William Harris, Tom Hegel, Nick Hensley, CISSP, Dave Herrald, Christofer Hoff, Kyle Kephart, Sandy Lindsey, 🛡️Alyssa Miller, Albert Mimo, Kevin Perlow, Joseph Rivela, Lynn Schifano, 🤖 Shelby Shum, Michael Sinno, Ed Skoudis, Jack Smith, Jennifer Sunshine Steffens, John Stoner, Joshua Sutfin, Tristin Tharp, Ted Theisen, James Turner.</span></b></p>Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com0tag:blogger.com,1999:blog-8265730198332990441.post-40276741413394944762022-07-27T13:23:00.007-04:002022-07-27T18:15:52.570-04:00Finding Your Voice<b></b><span style="color: white; font-family: georgia; font-size: large;"><b>“Miracles happen when you believe in yourself enough to let go.” -credit <a href="https://www.debrasperling.com" target="_blank">Debra Sperling</a>. <br /><br /> Many of us in InfoSec and DFIR are content creators. Perhaps you aspire to have your own Information Security YouTube, Twitch, or podcast channel like <a href="https://www.youtube.com/c/JohnHammond010" target="_blank">John Hammond</a> or <a href="https://www.blackhillsinfosec.com" target="_blank">Black Hills Information Security</a>. Or, maybe you strive to hone your speaking skills in front of an audience.<br /><br />Some of you may know that I had a whole other career as a television executive before I broke into tech. One of the many responsibilities I held in the entertainment world was receiving copy from local TV stations (and often tweaking it), then directing the stars of #1-rated shows, helping them to make that copy read like it was their own.<br /><br />If you want to engage with your audience on a whole new level, Debra Sperling’s class is for you! “You are the only authentic YOU there will ever be” - Debra... 
so why wouldn’t you get to know that person a little bit better?!<br /><br />I have had the privilege of attending two of <a href="https://www.frankverderosa.com" target="_blank">Frank Verderosa's</a> free “Meet a Coach!” events with Debra Sperling - Authenticity in Voiceover. The concepts I learned from those brief sessions were invaluable, and worth far more than the cost of her full workshop. Debra is an absolute champion in a highly competitive field, and I believe that a lot of that is due to her mindset. Don’t get me wrong, she’s got wicked talent, but I believe it's her attitude that sets her apart. A session with her is like spending time with your own personal motivational speaker! <br /><br /> CyberSecurity is a vast and expansive field. Some of us are team leads or aspiring leaders, while others find ourselves behind the curtain, and perhaps prefer it that way. If you're a manager, are you a leader? Do you raise up the individuals who report to you? Do you see each one of them as their own unique person, understanding that one style or approach might not fit everyone on the team? Do you take into consideration every challenge that makes each of us fearfully and wonderfully made? All of those concepts were unintended take-aways from my time spent with Debra (and Frank), just from observing how they treated (and coached) others during their webcast. Each of them is at the top tier of their field, yet they truly care about sharing what they’ve learned about their craft with others. Debra shared skills that translate to any line of work. For example, she used a scenario from her world: one can choose to complain about “mountains of auditions to get through” or say, “wow, look at how blessed I am to have all of these auditions while others are struggling just to get one”.<br /><br />I encourage everyone who seeks to be a better speaker/creator to take Debra's "Authenticity in Voiceover" class! 
It’s a 3-hour, affordable coaching class, in which you’ll learn a ton about yourself, and how to capture any audience.</b></span>Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com0tag:blogger.com,1999:blog-8265730198332990441.post-63164448451673907652021-12-08T22:17:00.004-05:002021-12-08T22:20:51.406-05:00IR A-Z<span style="font-family: helvetica; font-size: medium;"><b>Earlier this year I updated my paper entitled, "IR A-Z" for a talk that I was giving at the Magnet Forensics Summit, so I wanted to put its new link here. Enjoy! </b></span><a href="https://bit.ly/31JHGoF" target="_blank"><span style="font-family: helvetica; font-size: medium;"><b>https://bit.ly/31JHGoF</b></span></a><div class="separator" style="clear: both;"><a href="https://bit.ly/31JHGoF" style="display: block; padding: 1em 0px; text-align: center;" target="_blank"><span style="font-family: georgia; font-size: large;"><img border="0" data-original-height="631" data-original-width="1201" height="210" src="https://blogger.googleusercontent.com/img/a/AVvXsEh73JHZBIc5PopQvBm-L9WPe-lE_wt0pcONe9LvfemEuhfS_2ssnsC0aUgu_4JoYD5q16DG-pvS3gU7tcbcBi6XWHyQjII5t5wjDrNad7TtGl58t-aDevdmSyNj40pjB7-S5dOwM7faNh4u-wSahuvHVs6bcPRVB6zFhH84fw2cEDorX9K012mJDiSj4w=w400-h210" width="400" /></span></a></div>
Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com0tag:blogger.com,1999:blog-8265730198332990441.post-31539712183792620462021-11-18T15:54:00.002-05:002021-11-18T16:16:31.165-05:00Book Review<p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://smile.amazon.com/Art-Being-School-Counselor-Authenticity/dp/1977235964" style="margin-left: 1em; margin-right: 1em;" target="_blank"><img border="0" data-original-height="1500" data-original-width="1500" height="400" src="https://1.bp.blogspot.com/-bNT7KcejAFs/YZa7Jut13OI/AAAAAAABWMg/-c_wBdRsFGANVkTTdmx8yaSL_421fA_6QCLcBGAsYHQ/w400-h400/WINNER-The%2BArt%2Bof%2BBeing%2Ba%2BSchool%2BCounselor.jpeg" width="400" /></a></div><p><span style="color: #cccccc; font-size: large;"><b>What was your high school experience like? For me, high school was a struggle. Not because of the material (I was a top student), but in the spring of my junior year, it was period two, and I was sitting in my English Literature class when there was a knock on the door. It was my brother and his wife, and I knew why they were there. My father was in the hospital, and had been in a coma for ten days. Losing my dad tore me apart, and the next several years were the most difficult of my life.</b></span></p><p><span style="color: #cccccc; font-size: large;"><b>High school counselors can play a critical, and pivotal, role in a student’s life, and we know that our youth are the future, so we need to invest heavily in them. If you know someone in the education sector, do them a favor and get them a copy of this book. It’s a great stocking-stuffer by a fantastic counselor who just happens to be my mother-in-law, Nancy Regas. 
</b></span></p><p><span style="color: #fcff01; font-size: medium;"><a href="https://smile.amazon.com/Art-Being-School-Counselor-Authenticity/dp/1977235964">https://smile.amazon.com/Art-Being-School-Counselor-Authenticity/dp/1977235964</a></span></p>Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com0tag:blogger.com,1999:blog-8265730198332990441.post-65781995794947562492021-05-02T21:12:00.001-04:002021-05-02T21:21:48.225-04:00InfoSec101 CheatSheet<div style="text-align: left;"><b><span style="font-family: arial;"><div class="separator" style="clear: both; text-align: center;"><a href="https://1.bp.blogspot.com/-jyd2xeoccAM/YI9P9VzMcrI/AAAAAAABN_Y/-qlJl6_vbHcWYXHrMUfr3WBy4SguRUN8gCLcBGAsYHQ/s2048/20210410_082606_Edited.jpg" imageanchor="1" style="clear: right; float: right; margin-bottom: 1em; margin-left: 1em;"><img border="0" data-original-height="2048" data-original-width="1403" height="320" src="https://1.bp.blogspot.com/-jyd2xeoccAM/YI9P9VzMcrI/AAAAAAABN_Y/-qlJl6_vbHcWYXHrMUfr3WBy4SguRUN8gCLcBGAsYHQ/s320/20210410_082606_Edited.jpg" /></a></div></span></b><b><span style="font-family: arial;"><span style="font-size: 130%;">So, you’re new to InfoSec, you say? How can I help? Below are a few resources that I just put together for one of my mentees.</span></span></b><span style="font-family: arial; font-size: 130%; font-weight: bold;"> I offer a bunch of InfoSec links over at my DFIRLinks site: </span><a href="https://dfirlinks.blogspot.com" style="font-family: arial; font-size: 130%; font-weight: bold;" target="_blank">https://dfirlinks.blogspot.com</a><span style="font-family: arial; font-size: 130%; font-weight: bold;">. 
The formatting on the blog is a bit wonky, so if you want this cheatsheet as a PDF, go here: </span><span style="font-family: arial;"> </span><span style="font-family: arial;"><span><b style="font-size: 130%;"><a href="https://bit.ly/InfoSec101" target="_blank">https://bit.ly/InfoSec101</a>.</b></span></span></div><div style="text-align: left;"><span style="font-family: arial;"><span><div style="font-size: 130%; font-weight: bold;"><br /></div><div style="font-size: 130%; font-weight: bold;"><span style="color: red;">Jason Blanchard:</span></div><div style="font-size: 130%; font-weight: bold;">-Jason is amazing. He runs a twice-weekly job search meet-up. Jason works for one of the leading Cyber Security firms called Black Hills InfoSec (BHIS), owned by an industry luminary, John Strand. </div><div style="font-size: 130%; font-weight: bold;"><br /></div><div style="font-size: 130%; font-weight: bold;"><span style="color: red;">Schedule:</span> </div><div style="font-size: 130%; font-weight: bold;">Tuesday Nights: 7-9pm ET </div><div style="font-size: 130%; font-weight: bold;">Friday Afternoons: 1-3pm ET </div><div style="font-size: 130%; font-weight: bold;"><br /></div><div style="font-size: 130%; font-weight: bold;">-Jason's job meet-up group meets over Twitch, once or twice each week. It covers job hunting tactics and techniques, resume and interview tips, and much more. 
People looking to fill open positions sometimes attend, and even recruiters have been known to attend because it’s so popular with strong candidates: <a href="https://www.twitch.tv/banjocrashland" target="_blank">https://www.twitch.tv/banjocrashland</a>.</div><div style="font-size: 130%; font-weight: bold;"><br /></div><div style="font-size: 130%; font-weight: bold;">-Jason has archived some of the meet-ups on the BHIS YouTube channel: <a href="https://www.youtube.com/c/BlackHillsInformationSecurity/videos" target="_blank">https://www.youtube.com/c/BlackHillsInformationSecurity/videos</a>, and they are also on his Twitch channel: <a href="https://www.twitch.tv/banjocrashland/videos" target="_blank">https://www.twitch.tv/banjocrashland/videos</a>. </div><div style="font-size: 130%; font-weight: bold;"><br /></div><div style="font-size: 130%; font-weight: bold;">-Jason's online handle is @BanjoCrashLand: </div><div style="font-size: 130%; font-weight: bold;"><a href="https://twitter.com/BanjoCrashland/status/1359630484695904257 " target="_blank">https://twitter.com/BanjoCrashland/status/1359630484695904257 </a></div><div style="font-size: 130%; font-weight: bold;">"We're doing a 5-part extended series on each one of the aspects of the job hunt. </div><div style="font-size: 130%; font-weight: bold;">52+ viewers have landed new jobs so far since March 2020."</div><div style="font-size: 130%; font-weight: bold;"> </div><div style="font-size: 130%; font-weight: bold;"><span style="color: red;">Black Hills InfoSec (BHIS): </span></div><div style="font-size: 130%; font-weight: bold;">BHIS runs weekly Cyber Security WebCasts which they often record and post afterward. I try to never miss them! They also offer discounted (pay what you can) training: </div><div style="font-size: 130%; font-weight: bold;"><a href="https://www.blackhillsinfosec.com" target="_blank">https://www.blackhillsinfosec.com</a>. 
</div><div style="font-size: 130%; font-weight: bold;"><a href="https://www.youtube.com/c/BlackHillsInformationSecurity/videos" target="_blank">https://www.youtube.com/c/BlackHillsInformationSecurity/videos</a>. </div><div style="font-size: 130%; font-weight: bold;"><br /></div><div style="font-size: 130%; font-weight: bold;">Be sure to follow them on Twitter: <a href="https://twitter.com/BHinfoSecurity" target="_blank">https://twitter.com/BHinfoSecurity</a>.</div><div style="font-size: 130%; font-weight: bold;"><br /></div><div style="font-size: 130%; font-weight: bold;">They also have an active Discord server: <a href="https://discord.gg/4mJ7Hf7W" target="_blank">https://discord.gg/4mJ7Hf7W</a>.</div><div style="font-size: 130%; font-weight: bold;"><br /></div><div style="font-size: 130%; font-weight: bold;">-Here’s an example of their “Pay what you can” training: </div><div style="font-size: 130%; font-weight: bold;"><a href="https://wildwesthackinfest.com/training/getting-started-in-security-with-bhis-and-mitre-attck-john-strand" target="_blank">https://wildwesthackinfest.com/training/getting-started-in-security-with-bhis-and-mitre-attck-john-strand</a>. 
</div><div style="font-size: 130%; font-weight: bold;"><br /></div><div style="font-size: 130%; font-weight: bold;"><span style="color: red;">Wild West Hackin’ Fest: </span></div><div style="font-size: 130%; font-weight: bold;">Wild West Hackin’ Fest is a Cyber Security conference by the folks at BHIS: </div><div style="font-size: 130%; font-weight: bold;"><a href="https://www.youtube.com/c/WildWestHackinFest/videos" target="_blank">https://www.youtube.com/c/WildWestHackinFest/videos</a>.</div><div style="font-size: 130%; font-weight: bold;"><br /></div><div style="font-size: 130%; font-weight: bold;">-Here's an example WebCast from BHIS: The Dirty Truth Behind Breaking into Cybersecurity: </div><div style="font-size: 130%; font-weight: bold;"><a href="https://www.youtube.com/watch?v=D9IDqb-Fsak&t=1s" target="_blank">https://www.youtube.com/watch?v=D9IDqb-Fsak&t=1s</a>. </div><div style="font-size: 130%; font-weight: bold;"><br /></div><div style="font-size: 130%; font-weight: bold;">Be sure to follow them on Twitter: <a href="https://twitter.com/WWHackinFest" target="_blank">https://twitter.com/WWHackinFest</a>. </div><div style="font-size: 130%; font-weight: bold;">They also have an active Discord server: <a href="https://discord.gg/wwhf" target="_blank">https://discord.gg/wwhf</a>.</div><div style="font-size: 130%; font-weight: bold;"><br /></div><div style="font-size: 130%; font-weight: bold;"><span style="color: red;">Active Counter Measures (ACM):</span></div><div style="font-size: 130%; font-weight: bold;">John Strand of BHIS also runs: Active Counter Measures: <a href="https://www.activecountermeasures.com" target="_blank">https://www.activecountermeasures.com</a>. </div><div style="font-size: 130%; font-weight: bold;"> </div><div style="font-size: 130%; font-weight: bold;">-ACM often runs free Threat Hunting classes: <a href="https://www.activecountermeasures.com/events" target="_blank">https://www.activecountermeasures.com/events</a>. 
</div><div style="font-size: 130%; font-weight: bold;"><br /></div><div style="font-size: 130%; font-weight: bold;">Be sure to follow them on Twitter: <a href="https://twitter.com/ActiveCmeasures" target="_blank">https://twitter.com/ActiveCmeasures</a>. </div><div style="font-size: 130%; font-weight: bold;"><br /></div><div style="font-size: 130%; font-weight: bold;">They also have an active Discord server: <a href="https://discord.com/invite/2JjfB7E" target="_blank">https://discord.com/invite/2JjfB7E</a>. </div><div style="font-size: 130%; font-weight: bold;"><br /></div><div style="font-size: 130%; font-weight: bold;"><span style="color: red;">Dave Kennedy/TrustedSec/Binary Defense: </span></div><div style="font-size: 130%; font-weight: bold;">Dave Kennedy runs two companies (Trusted Sec and Binary Defense), and he has been known to “tweet” when they are hiring (often Junior level): </div><div style="font-size: 130%; font-weight: bold;"><a href="https://twitter.com/HackingDave/status/1359623939815862276 " target="_blank">https://twitter.com/HackingDave/status/1359623939815862276 </a></div><div style="font-size: 130%; font-weight: bold;">"My favorite thing this year is we are opening up our junior program. To get new folks to INFOSEC trained up and into the field. Where best to learn!? #TrustedSec We are crazy hiring over at #TrustedSec and #BinaryDefense with more jobs being posted in the next few days. Have to shape our future, and more than pumped to have new folks coming into the industry." </div><div style="font-size: 130%; font-weight: bold;"><br /></div><div style="font-size: 130%; font-weight: bold;">Be sure to follow them on Twitter: <a href="https://twitter.com/HackingDave" target="_blank">https://twitter.com/HackingDave</a>. 
</div><div style="font-size: 130%; font-weight: bold;"><br /></div><div style="font-size: 130%; font-weight: bold;">They also have an active Discord server: <a href="https://discord.gg/trustedsec" target="_blank">https://discord.gg/trustedsec</a>. </div><div style="font-size: 130%; font-weight: bold;"><br /></div><div style="font-size: 130%; font-weight: bold;"><span style="color: red;">SANS Institute:</span> </div><div style="font-size: 130%; font-weight: bold;">Great courses as well as many free offerings: <a href="https://www.sans.org/free" target="_blank">https://www.sans.org/free</a>. </div><div style="font-size: 130%; font-weight: bold;"><br /></div><div style="font-size: 130%; font-weight: bold;">Check out their “New-to-Cyber Field Manual”: </div><div style="font-size: 130%; font-weight: bold;"><a href="https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt5ab5b4422465696e/608990afb9440f10206ea26e/SANS_New_to_Cyber_Field_Manual.pdf" target="_blank">https://assets.contentstack.io/v3/assets/blt36c2e63521272fdc/blt5ab5b4422465696e/608990afb9440f10206ea26e/SANS_New_to_Cyber_Field_Manual.pdf</a>. </div><div style="font-size: 130%; font-weight: bold;"><br /></div><div style="font-size: 130%; font-weight: bold;"><span style="color: red;">Train up! 
CTFs: </span></div><div style="font-size: 130%; font-weight: bold;">I offer a bunch of links to CTFs and training videos: <a href="https://dfirlinks.blogspot.com" target="_blank">https://dfirlinks.blogspot.com</a>; below is a sample: </div><div style="font-size: 130%; font-weight: bold;">(1) Watch Ed's CTF talk, which begins about 17.5 minutes in: </div><div style="font-size: 130%; font-weight: bold;"><a href="https://www.youtube.com/watch?v=lQsKX92uTW8" target="_blank">https://www.youtube.com/watch?v=lQsKX92uTW8</a> </div><div style="font-size: 130%; font-weight: bold;">(2) Holiday Hack: <a href="https://holidayhackchallenge.com" target="_blank">https://holidayhackchallenge.com</a> </div><div style="font-size: 130%; font-weight: bold;">(3) CTFtime: <a href="https://ctftime.org" target="_blank">https://ctftime.org</a></div><div style="font-size: 130%; font-weight: bold;">(4) WeChall: <a href="https://www.wechall.net/active_sites" target="_blank">https://www.wechall.net/active_sites</a> </div><div style="font-size: 130%; font-weight: bold;">(5) Smash the Stack: <a href="http://smashthestack.org" target="_blank">http://smashthestack.org</a> </div><div style="font-size: 130%; font-weight: bold;">(6) picoCTF: <a href="https://picoctf.com" target="_blank">https://picoctf.com</a> </div><div style="font-size: 130%; font-weight: bold;">(7) WarGames (Bandit is recommended): <a href="https://overthewire.org/wargames" target="_blank">https://overthewire.org/wargames</a> </div><div style="font-size: 130%; font-weight: bold;">(8) Daily CTF, just one challenge per day: <a href="https://nw3.ctfd.io/challenges" target="_blank">https://nw3.ctfd.io/challenges</a> </div><div style="font-size: 130%; font-weight: bold;">(9) <a href="https://www.root-me.org/?lang=en" target="_blank">https://www.root-me.org/?lang=en</a> </div><div style="font-size: 130%; font-weight: bold;">(10) <a href="https://ringzer0ctf.com" target="_blank">https://ringzer0ctf.com</a> </div><div style="font-size: 
130%; font-weight: bold;">(11) <a href="https://247ctf.com" target="_blank">https://247ctf.com</a> </div><div style="font-size: 130%; font-weight: bold;">(12) <a href="https://cryptopals.com" target="_blank">https://cryptopals.com</a> </div><div style="font-size: 130%; font-weight: bold;">(13) <a href="http://websec.fr" target="_blank">http://websec.fr</a></div><div style="font-size: 130%; font-weight: bold;">(14) <a href="https://chall.stypr.com" target="_blank">https://chall.stypr.com</a></div><div style="font-size: 130%; font-weight: bold;">(15) <a href="http://pwnable.kr" target="_blank">http://pwnable.kr</a></div><div style="font-size: 130%; font-weight: bold;">(16) <a href="https://pwnable.tw" target="_blank">https://pwnable.tw</a></div><div style="font-size: 130%; font-weight: bold;">(17) Hack the Box (free account works fine): <a href="https://www.hackthebox.eu" target="_blank">https://www.hackthebox.eu</a> </div><div style="font-size: 130%; font-weight: bold;">(18) CTF MindMap CheatSheet: <a href="https://www.amanhardikar.com/mindmaps/Practice.html" target="_blank">https://www.amanhardikar.com/mindmaps/Practice.html</a> </div><div style="font-size: 130%; font-weight: bold;">(19) Cyber Defenders: <a href="https://cyberdefenders.org/labs" target="_blank">https://cyberdefenders.org/labs</a> </div><div style="font-size: 130%; font-weight: bold;">(20) Try Hack Me: <a href="https://tryhackme.com" target="_blank">https://tryhackme.com</a></div><div style="font-size: 130%; font-weight: bold;"><br /></div><div style="font-size: 130%; font-weight: bold;">I can count on one hand the recruiters whom I respect, and that’s as nice as I can put it; sorry, not sorry - been burned one too many times. 
That being said, I do have two fantastic recruiters whom I can highly recommend:</div><div style="font-size: 130%; font-weight: bold;"><br /></div><div style="font-size: 130%; font-weight: bold;">Katie Owston </div><div style="font-size: 130%; font-weight: bold;"><a href="https://www.linkedin.com/in/katieowston" target="_blank">https://www.linkedin.com/in/katieowston</a> </div><div style="font-size: 130%; font-weight: bold;">Email: katie.owston@glocomms.com </div><div style="font-size: 130%; font-weight: bold;"><br /></div><div style="font-size: 130%; font-weight: bold;">John Terkovich </div><div style="font-size: 130%; font-weight: bold;"><a href="https://www.linkedin.com/in/johnterk" target="_blank">https://www.linkedin.com/in/johnterk</a> </div><div style="font-size: 130%; font-weight: bold;">Email: John@TerkoTech.com
</div></span></span></div>Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com0tag:blogger.com,1999:blog-8265730198332990441.post-45790882574465550732020-08-30T14:34:00.002-04:002020-08-30T14:51:20.586-04:00SANS SOF-ELK CheatSheet<p><span style="font-family: verdana; font-size: medium;"></span></p><div class="separator" style="clear: both; text-align: center;"><span style="font-family: verdana; font-size: medium;"><a href="https://1.bp.blogspot.com/-HOmiD56Egrc/X0v1ETJ5DII/AAAAAAABHv8/1S94SqyWNQYNtz65gbOPigPQG7XY0khrQCLcBGAsYHQ/s2048/20200729_171001_Cropped.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1271" data-original-width="2048" src="https://1.bp.blogspot.com/-HOmiD56Egrc/X0v1ETJ5DII/AAAAAAABHv8/1S94SqyWNQYNtz65gbOPigPQG7XY0khrQCLcBGAsYHQ/s640/20200729_171001_Cropped.jpg" width="640" /></a></span></div><span style="font-family: verdana; font-size: medium;"><b>Finally! Successfully got the SANSInstitute PhilHagen SOF-ELK up and running in VirtualBox! I struggled a bit with what others in #DFIR seemed to do with ease, so I created a CheatSheet I'm sharing in the off-chance it could lessen someone else's pain! <a href="http://bit.ly/SOFELK">http://bit.ly/SOFELK</a></b></span><p></p>Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com0tag:blogger.com,1999:blog-8265730198332990441.post-45371955442177656162020-02-26T07:41:00.000-05:002020-03-04T09:41:55.804-05:00I Passed!<div class="separator" style="clear: both; text-align: center;">
<a href="https://1.bp.blogspot.com/-wEhdqtZ1K0E/Xl-87nK3r-I/AAAAAAABDiE/FsmrXEuRqGA7Fv_YkXH_G_H7fM2H8mvgACLcBGAsYHQ/s1600/KungFu1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1065" data-original-width="1600" height="212" src="https://1.bp.blogspot.com/-wEhdqtZ1K0E/Xl-87nK3r-I/AAAAAAABDiE/FsmrXEuRqGA7Fv_YkXH_G_H7fM2H8mvgACLcBGAsYHQ/s320/KungFu1.jpg" width="320" /></a></div>
<br />Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com0tag:blogger.com,1999:blog-8265730198332990441.post-73894557462220961872019-12-12T22:12:00.000-05:002020-02-13T22:13:13.991-05:00The World's First Kringle Coin!<div style="text-align: left;">
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span></b>
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">Mary Ellen & Friends - Holiday Hack!</span></b></div>
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /><a href="https://1.bp.blogspot.com/-ct_dmRxCnsA/XkYNeurkXkI/AAAAAAABCkU/RfKaxCEwlckVa8EHYO-h_cdGmSIT2vcKACLcBGAsYHQ/s1600/0.jpg"><img border="0" src="https://1.bp.blogspot.com/-ct_dmRxCnsA/XkYNeurkXkI/AAAAAAABCkU/RfKaxCEwlckVa8EHYO-h_cdGmSIT2vcKACLcBGAsYHQ/s320/0.jpg" /></a><br /><br />What an honor it is to hold the world's first SANS HolidayHack KringleCoin. It was presented to me, in person, by <a href="https://www.linkedin.com/in/ACoAAAALLdQBIfnSEvUMmMCDOUdlcTI8229vGSY/">Ed Skoudis</a> himself, who drove all the way from SANS CDI in D.C., straight to Manhattan to personally hand me this award. I truly consider it one of my biggest professional achievements. Thank you so much, <a href="https://www.linkedin.com/in/ACoAAAALLdQBIfnSEvUMmMCDOUdlcTI8229vGSY/">Ed Skoudis</a>, <a href="https://www.linkedin.com/company/sans-institute/">SANS Institute</a>, and <a href="https://www.linkedin.com/company/bny-mellon/">BNY Mellon</a> for hosting the event! If you missed our "live" NYC KringleCon party, and the excellent talk from our Guest Speaker, <a href="https://www.linkedin.com/in/ACoAABp5jdkBqY5ZrIzRjtem-6TYkwuwy9u6Z2Q/">Vitali Kremez</a>, the video is now posted: <a href="https://lnkd.in/ez_DwSp">https://lnkd.in/ez_DwSp</a></span></b>Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com0tag:blogger.com,1999:blog-8265730198332990441.post-64766393375959779062019-12-08T16:07:00.000-05:002019-12-10T19:51:32.490-05:00Save the Date!<div class="separator" style="clear: both;">
</div>
<div style="text-align: center;">
<a href="https://1.bp.blogspot.com/-_QGC8edj6uo/Xe1kjWo2BOI/AAAAAAABA1w/66kTL764KYQX7GxxWuxS_oP2VTIAHTtjQCLcBGAsYHQ/s1600/KringleConSANS_2019.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="900" data-original-width="1600" height="225" src="https://1.bp.blogspot.com/-_QGC8edj6uo/Xe1kjWo2BOI/AAAAAAABA1w/66kTL764KYQX7GxxWuxS_oP2VTIAHTtjQCLcBGAsYHQ/s400/KringleConSANS_2019.jpg" width="400" /></a></div>
<br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: medium;"><b>I AM FREAKING OUT!! SAVE THE DATE!! <a href="https://holidayhack.eventbrite.com/" target="_blank">If you are in NYC, I am planning an EPIC event the night of 12/17!!!</a></b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: medium;"><b><br /></b></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: medium;"><b><a href="https://bit.ly/KringleCon2019" target="_blank">Download v1.0 of my #KringleCon CheatSheet</a> NOW! Enjoy!</b></span>Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com0tag:blogger.com,1999:blog-8265730198332990441.post-7723715343199473182019-08-17T21:11:00.000-04:002019-12-08T16:32:52.917-05:00Holiday Hack Sneak Peek 2019<div style="text-align: center;">
<a href="http://1.bp.blogspot.com/--xpVr__LRQU/XVikG44rXWI/AAAAAAAA91g/ZqjBRxXgV8M_RWWSSsX4eqw8M5FwD7MLACK4BGAYYCw/s1600/IMG_2410.jpeg" imageanchor="1"><img border="0" height="320" src="https://1.bp.blogspot.com/--xpVr__LRQU/XVikG44rXWI/AAAAAAAA91g/ZqjBRxXgV8M_RWWSSsX4eqw8M5FwD7MLACK4BGAYYCw/s320/IMG_2410.jpeg" width="305" /></a></div>
<br />
<b><span style="font-size: large;">It seems the SANS Annual Holiday Hack Challenge buzz begins earlier and earlier every year. This year is no exception. My first <a href="http://bit.ly/KringleCon2019" target="_blank">Holiday Hack CheatSheet of the season</a> is here! HUGE shout-out to our RedTeam mole, <a href="https://twitter.com/ssampana_tr" target="_blank">@ssampana_tr</a> for infiltrating the <a href="https://twitter.com/edskoudis" target="_blank">@edskoudis</a> party in Vegas during BlackHat USA DEF CON week and reporting back clues. <a href="http://bit.ly/KringleCon2019" target="_blank">Download v1.0 of my #KringleCon CheatSheet</a> NOW! Enjoy!</span></b>Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com0tag:blogger.com,1999:blog-8265730198332990441.post-64928124698098059042019-03-20T00:21:00.005-04:002019-03-20T00:32:13.027-04:00About DFIR - Moar!<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-LNXNxs7vwMU/XJG7QysyDiI/AAAAAAAA4cE/GnLkSzhXdL4yvJE8-XqaP4MbVosB7p0YACEwYBhgL/s1600/AboutDFIR_March192019.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="384" data-original-width="1259" height="195" src="https://3.bp.blogspot.com/-LNXNxs7vwMU/XJG7QysyDiI/AAAAAAAA4cE/GnLkSzhXdL4yvJE8-XqaP4MbVosB7p0YACEwYBhgL/s640/AboutDFIR_March192019.PNG" width="640" /></a></div>
<br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>I’m overdue for an update, so here we go! I came across some pretty cool stuff recently. I know I’ve said this before, but it really is a fantastic time to be involved in DFIR!</b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Nick Caldwell won me over with the very first article of his I came across, and he hasn’t disappointed me since! He’s such a solid force of wisdom: </span></b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><a href="https://hackernoon.com/the-worst-career-advice-i-ever-received-54aaf2a50c93" target="_blank">The Worst Career Advice I Ever Received</a></span></b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><a href="https://medium.com/@nickcaldwell/latest" target="_blank"><b>https://medium.com/@nickcaldwell/latest</b></a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>@NickCald </b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Unless you live in a cave, you probably already knew this, but Eric Zimmerman has a new tool out, and it looks amazing! KAPE - Kroll Artifact Parser and Extractor </span></b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><a href="https://learn.duffandphelps.com/kape" target="_blank"><b>https://learn.duffandphelps.com/kape </b></a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>@EricRZimmerman </b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">I came across this “Malware Dynamic Analysis” nugget by Veronica Kovah, one of so many great and FREE training resources available on OpenSecurityTraining.info: </span></b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><a href="http://opensecuritytraining.info/MalwareDynamicAnalysis.html" target="_blank"><b>http://opensecuritytraining.info/MalwareDynamicAnalysis.html </b></a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>@VeronicaKovah </b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Microsoft Security Intelligence puts out an annual report; I guess I knew that but forgot about it. I really enjoyed this most recent one! </span></b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><a href="https://www.microsoft.com/en-us/security/operations/security-intelligence-report" target="_blank"><b>Microsoft's Annual Security Intelligence Report</b></a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><u>Podcasts worth mentioning: </u></span></b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">CISO-SecurityVendor Relationship Podcast with David Spark and Mike Johnson: </span></b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><a href="https://cisoseries.com/podcast" target="_blank"><b>https://cisoseries.com/podcast</b></a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>@DSpark </b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>@YanceySlide </b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Defense in Depth Podcast with David Spark and Allan Alford: </span></b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><a href="https://cisoseries.com/podcast" target="_blank"><b>https://cisoseries.com/podcast</b></a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>@DSpark </b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>@AllanAlfordinTX </b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Simple Leadership Podcast: </span></b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>@cmccarrick </b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><a href="http://simpleleadership.io/category/podcast" target="_blank"><b>http://SimpleLeadership.io/category/podcast </b></a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">World Class Investigator Podcast: </span></b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>@HuntedJulie </b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><a href="https://itunes.apple.com/ca/podcast/world-class-investigator/id1330196085" target="_blank"><b>https://itunes.apple.com/ca/podcast/world-class-investigator/id1330196085 </b></a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Human Factor Security Podcast: </span></b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>@Jenny_Radcliffe </b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><a href="https://humanfactorsecurity.co.uk/podcast-2" target="_blank"><b>https://humanfactorsecurity.co.uk/podcast-2</b></a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">The OSINT Podcast: </span></b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>@JakeCreps </b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><a href="http://osintpodcast.com/" target="_blank"><b>http://osintpodcast.com</b></a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Hackable Podcast by McAfee: </span></b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><a href="https://hackablepodcast.com/" target="_blank"><b>https://HackablePodcast.com</b></a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Inside Intercom Podcasts: </span></b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>https://radiopublic.com/inside-intercom-podcast-GmMPaG </b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">ATM Malware Tracker: <span style="color: red;">(Caution Malware!)</span></span></b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>@cybercrimewhq </b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><a href="http://atm.cybercrime-tracker.net/" target="_blank"><b>http://atm.cybercrime-tracker.net</b></a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">13 Cubed DFIR Learning Series: </span></b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>@DavisRichardG </b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><a href="https://www.youtube.com/user/davisrichardg" target="_blank"><b>https://www.youtube.com/user/davisrichardg</b></a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Fixed: https://aboutdfir.com/articles </span></b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>http://mc.fhstp.ac.at/sites/default/files/Anubis.pdf BAD URL, NEW URL: </b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><a href="https://www.hybrid-analysis.com/sample/504ba97ba44ab7890d71997832a5e2535c71972aebb12d996e7c15a35db9a910?environmentId=120" target="_blank"><b>Now you can grab it here</b></a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><br />
Updated BelkaSoft, Carnegie Mellon, and eForensics training listings.</b></span>Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com0tag:blogger.com,1999:blog-8265730198332990441.post-54473016823976068242019-01-27T12:30:00.000-05:002019-03-20T00:30:02.685-04:00About DFIR - Catching Up<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">I took some time this weekend to catch-up a bit with <a href="https://aboutdfir.com/catching-up" target="_blank">AboutDFIR</a> and add some of the content I've been too busy to share. I've got tons more, so that will be coming as time allows. I know Devon has stated it, but I'll reiterate, the links that we add often have context and so I've decided to take a few minutes to add some backstory around the new additions I've made this weekend.</span></b><br />
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span></b>
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">First, under "Certifications and Trainings", I've added the free class The Cuckoo's Egg Decompiled that Chris Sanders gives (yes free, and yep, "the" Chris Sanders!). Not sure how that wasn't already on here, but hey, now it is, so don't miss that one! Next, under CTF's (one of my favorite categories), I've added two really cool links from a wonderful gentleman, Mr. John York, whom I met last month while playing the phenomenal "Holiday Hack" that Ed Skoudis and the CounterHack team puts together every year. John has not only won the annual "Holiday Hack" in the past, he's placed in other years as well. He teaches at the Shenandoah Valley Governor's School, and has put a unique spin on "Holiday Hack", using it to teach his students about cyber security: KringleCon Lessonized and Holiday Hack 2017 Lessonized.</span></b><br />
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span></b>
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">Then, also through playing "Holiday Hack", I met Mr. Jim Kirn who told me he really likes a tool called OSquery, so I added that under "Intelligence Portals". And, one more friend I met through "Holiday Hack" (you really need to play that CTF because you make so many wonderful friends) is Mr. Mike Felch. I actually met Mr. Felch through playing "Holiday Hack" last year, but we reconnected again this year and I realized he is part of the CoinSec PodCast, so check that out.</span></b><br />
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span></b>
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">For all the OSCP fans out there, I came across a real gem that's really gonna help you "Try harder", and he's from my hometown! I can't wait to buy him a soda next time I'm in Lancaster, PA! Shout-out to Mr. Michael LaSalvia and his Youtube Channel: Path to OSCP - he's got other really great videos on there as well. He's totally passionate and such a great teacher!</span></b><br />
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span></b>
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">Then, there's the Google Phishing Quiz that was all over Twitter this past week, so I stuck that under the "Malware Analysis" section. I also learned about yet another ISAC, the Health-ISAC, so I added that one along-side all the others we have listed.</span></b><br />
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span></b>
<b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">Lastly, I had the great privilege of sitting down to lunch with Evan Gaustad who used to work for Target and has now branched out on his own. Evan is no stranger to the stages of large conferences and it's not every day that I get to chew the fat with someone of his ilk, so that was a really great treat. Evan told me how much he really likes using LogicHub and so I added that tool under "Intelligence Portals".</span></b>Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com0tag:blogger.com,1999:blog-8265730198332990441.post-57118767071288188752018-12-15T08:15:00.001-05:002019-08-17T21:22:16.896-04:00HolidayHack 2018 CheatSheet<span style="font-size: large;"><b>SANS HolidayHack 2018 is going to drop any hour now. I've compiled a list of tips that I've come across to help get you started. Enjoy!</b></span><br />
<br />
<b><span style="font-size: large;"><a href="https://drive.google.com/open?id=1KFoDRTOJ_lPh_SktsWl6sa9UcqcoXbzn" target="_blank">HolidayHackCheatSheet 2018</a></span></b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://bit.ly/HolidayHackCheatSheet" target="_blank"><img border="0" data-original-height="670" data-original-width="1238" height="215" src="https://3.bp.blogspot.com/-dzG0RxAlNZQ/XBT7sT23Q3I/AAAAAAAA0sQ/WvTLR2n7N6kTDVb1wzLAzUSmt7jZ7nd0QCLcBGAs/s400/KringleConLinkedIn.PNG" width="400" /></a></div>
Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com0tag:blogger.com,1999:blog-8265730198332990441.post-64326018914617002442018-09-26T08:34:00.002-04:002018-09-26T08:34:59.393-04:00DFIR Field Manual?<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-MDsFIltjg64/W6r7cAQksiI/AAAAAAAAxOg/YcysCVYQua4rN8co4sTsDG9nibMCxmOngCLcBGAs/s1600/HarlanCarveyBook.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><img border="0" data-original-height="1600" data-original-width="1092" height="320" src="https://3.bp.blogspot.com/-MDsFIltjg64/W6r7cAQksiI/AAAAAAAAxOg/YcysCVYQua4rN8co4sTsDG9nibMCxmOngCLcBGAs/s320/HarlanCarveyBook.jpg" width="217" /></span></b></a></div>
<span style="font-size: large;"><br /></span>
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><a href="https://www.amazon.com/Investigating-Windows-Systems-Harlan-Carvey/dp/0128114150" target="_blank">“Investigating Windows Systems”</a> by <a href="http://windowsir.blogspot.com/" target="_blank">Harlan Carvey</a> was a great read on so many different levels for me. After binge-reading it over a weekend, I was so excited about it that the following Monday morning I found myself almost shouting at warp-speed to a co-worker about why it was such an important read. Our chat reminded me of something I had thought about while still making my way through the book. How could a book so compact, contain that much valuable information?! I actually believe this book could have been titled, “DFIR Field Manual”, or “DFIRFM.”</span></b><br />
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span></b>
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">For one thing, the book was easily digestible. At times, I found myself “playing along”, almost like a CTF. That’s because the book takes you (step-by-step) on an analyst’s journey through several investigations, and invites you to follow-along by downloading all the free images and open source tools the author is using to walk you through. You get to learn alongside a seasoned veteran, almost in real-time, and observe, even as critical case decisions are being made along the way.</span></b><br />
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span></b>
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">The book felt really timely to me. I’d recently been following some thought-provoking discourse around the pronounced differences between the “DF” and “IR” of “DFIR” - Digital Forensics and Incident Response, and have even myself gotten into some rather animated discussions during time-sensitive incidents asking, “Where’s our DirListing?!” or, “May I please just have a DirListing!”</span></b><br />
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span></b>
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">The book had a recurring theme for me, and that was, the steps you take regardless of the type of investigation, are often consistent. Why? Low hanging fruit! My take-away was that Harlan almost always makes a visual inspection of the data before he does anything else. That is not just to verify that he has an image that isn’t damaged, but it’s also so that he can identify outliers rather quickly, such as a batch file sitting in the root of C:\ - might be nothing, but could be something. Things that make you go, “hmmm”.</span></b><br />
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span></b>
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">Another important concept I learned was the art of discernment and how critical that can be to your end-goal (which an analyst must keep in mind is often guided by a paying client, not your own curiosity). So, should you choose to dive down a rabbit-hole, (and we all do), a concise analysis plan will help keep you on track, and he shows you how.</span></b><br />
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span></b>
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">As our digital landscape continues to grow, and the average size of hard drives (and memory) gets larger and larger, sometimes it can seem like we’re trying to “boil the ocean”. To combat that, Harlan teaches us the art of timelining and how that process can help you streamline your analysis by distilling down the data and filtering out the noise. Additionally, we learn that we have tiered options in our approach, so that we don’t lose meaningful data by doing so; mini, micro, and even nano timelines.</span></b><br />
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span></b>
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">I also learned how to “fail fast”. Trust me, when you have a client or upper management breathing down your neck for answers, you’ll be glad you grasped that concept. Regardless of how long you’ve been in the field, you will be astounded at the knowledge you acquire from this book. New folks might learn not to assume that malware or “hacking tools” simply sitting on a system, are bad. On the contrary, they’ll become proficient in how to prove whether or not those tools were launched, and how they might have been used. Or, what local accounts on a system with no profile might mean, and how FTP being run from a browser might be overlooked as it leaves fewer artifacts and in “unusual” places. Even TimeStomping is covered, as well as using the “Conversations” filter in WireShark to “Follow Stream”. It’s all there!</span></b><br />
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span></b>
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">The book also tackles another topic I’ve been seeing articles around recently – Sufficiency. How much data is enough data for us to come to our analysis goals? Lately that’s been on a lot of people’s minds. Well, perhaps that answer depends. For example, have we answered the questions the (paying) principal has asked of us? It also pivots on another very important case concept – have we, as the investigator, helped our client ask the right questions, because they don’t always know themselves what questions they need to be asking. If so, and we’ve come to a solid conclusion, then yes, we can confidently state that “our work here is done!” Even more so, if the principal cannot articulate those questions, and in fact leaves you with almost no information to begin your quest, how do you still make magic happen? Those answers are all in the book, and the reader is steadily guided through every scenario.</span></b><br />
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span></b>
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">You’ll learn what persistence can look like, and how to spot it. You’ll grasp what the artifacts of “staging” resemble, whether it’s being done by an advanced adversary, or an insider who’s ready to bolt. You will also learn how not to allow your own analysis to create a red herring in your case, in other words, if you detonate a piece of malware from the Desktop of your VM, you need to understand that you might be building artifacts that would not be present had it been introduced via its native vector (email, URL, USB), and what those are so you don’t include them in your findings. You might even find a new trick for using Calc.exe.</span></b><br />
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span></b>
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">I also learned a new thought process around triaging malware that I hadn’t read before and found it to be quite clever. Execute the sample, let it run for a bit, then shut the box down and grab an image. Then you can perform analysis to examine the complete file system after the malware runs. Perhaps not all incidents have time for that, but I thought it was a brilliant methodology. I typically use RegShot or other tools to snapshot the Registry state before (and after) I run a sample, but now I no longer need to chance missing anything that the malware might have changed.</span></b><br />
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span></b>
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">In conclusion, it truly is fascinating how much ground the book covers in such a concise manner, which I believe can only be attributed to the author being both an accomplished writer, and a seasoned investigator. Whether you’re running-to-ground File System Tunneling, WindowsXP, Windows10, a Web Server running iis or Apache, it’s all covered in the book, and with log locations and examples. You. Will. NOT. Be. Disappointed!</span></b>Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com0tag:blogger.com,1999:blog-8265730198332990441.post-80483179612133208052018-06-19T13:43:00.000-04:002018-06-19T13:43:54.743-04:00CLOUD EXPOSURE, DLP & IR, A-Z<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-9ENXKezENv8/WyhpTrk-suI/AAAAAAAAsY0/vIzeAsbO8WYy5A255NXURYu9OE3AVJ52gCLcBGAs/s1600/Mug_Edited.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="322" data-original-width="368" height="280" src="https://3.bp.blogspot.com/-9ENXKezENv8/WyhpTrk-suI/AAAAAAAAsY0/vIzeAsbO8WYy5A255NXURYu9OE3AVJ52gCLcBGAs/s320/Mug_Edited.png" width="320" /></a></div>
<div style="text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: xx-small;">Photo Credit: My co-worker’s mug, taken with permission for use.</span></div>
<div style="text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: xx-small;"><br /></span></div>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><b><a href="http://bit.ly/Cloud_DLP_IR_A-Z" target="_blank">Today I'm releasing my guide on data leakage and IR in the cloud.</a> I was incredibly inspired by Ed Skoudis’ portion of the 2018 SANS RSA Keynote entitled, <a href="https://www.sans.org/five" target="_blank">“The Five Most Dangerous New Attack Techniques.”</a> In his keynote, Ed talked about our increasing collaboration with cloud based tools and repositories. Some examples were Amazon AWS/S3, Docker Hub, GitHub, Google Cloud and Microsoft Azure. Ed reminded us that we’ve seen some pretty serious “oopsies” from several high profile entities over the past year (Time Warner, Uber, U.S. Army, Verizon), and that data exposure can happen from something as mindless as a misconfiguration of a private repository marked as public or even a public repo mistakenly containing sensitive data. The talk was so popular, there’s since been a SANS follow-up webinar (also posted at the aforementioned link). <a href="http://bit.ly/Cloud_DLP_IR_A-Z" target="_blank">Grab my new paper here, hope you enjoy it!</a></b></span>Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com0tag:blogger.com,1999:blog-8265730198332990441.post-58200486351788887092017-08-25T01:09:00.002-04:002017-08-27T14:55:52.372-04:00Homegrown Hunt: You Can Do This! (or How to Think Like a RAT!)<div style="text-align: center;">
<a href="https://1.bp.blogspot.com/-iIeJ33jbtT4/WZ-aT7no0VI/AAAAAAAAfBQ/nu8KNf_ZjtoZ1y2-He7D_sInKXsxFTYIQCLcBGAs/s1600/ElmerFudd.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><img border="0" data-original-height="200" data-original-width="200" src="https://1.bp.blogspot.com/-iIeJ33jbtT4/WZ-aT7no0VI/AAAAAAAAfBQ/nu8KNf_ZjtoZ1y2-He7D_sInKXsxFTYIQCLcBGAs/s1600/ElmerFudd.png" /></span></a></div>
<div style="text-align: center;">
<div style="text-align: center;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: xx-small;"><a href="https://en.wikipedia.org/wiki/File:Elmer_in_Rabbit_Fire_(1951).png" target="_blank">Image from Wikipedia Fair Use</a></span></div>
</div>
<b><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">Preamble and Assumptions:</span></b><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">1.<span style="white-space: pre;"> </span>Before we begin, this post won’t by any means try to define Hunt. There are already hundreds of articles arguing about what that term means, this isn’t one of them. I use the word sprinkled throughout quite loosely and you are free to take poetic license of your own while reading.</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">2.<span style="white-space: pre;"> </span>This is by no means an exhaustive guide to hunt; hunt never ends, it evolves daily, sometimes hourly. The following is meant to simply get you started thinking about some easy, low-hanging fruit, so that maybe you’ll want to take it further. </span>There’s so much more that I could have included, but as someone I respect and look up to recently taught me, “MaryEllen, don’t let perfect be the enemy of good!” In other words, at some point you just have to cut bait and drop it, hook, line and sinker, or you’ll never publish it!</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">3.<span style="white-space: pre;"> </span>Regardless of the maturity level of your enterprise, work with what you have. At the end of the day, if you read the following and it affords you the opportunity to increase the security posture of your organization even a little, everybody wins!</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">4.<span style="white-space: pre;"> </span></span></span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">Some of the concepts mentioned below are from brainstorming sessions with someone far smarter than me, my long-time friend and colleague, <a href="https://twitter.com/juddlawr" target="_blank">Lawrence Judd</a></span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">. Thank you Lawrence. I strive to be at your level every single day, and it’s a privilege to call you friend. Lawrence is wicked smart, and sometimes when I’m chatting with him, I find myself harkening back to one of my first conversations with a NYC building Superintendent. He would tell me, “MaryEllen, if you want to catch a rat, you have to think like a rat, behave like a rat, and sometimes even pretend you ARE a rat!”</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">5.<span style="white-space: pre;"> </span>I’m finally digging through all the stuff I learned at BlackHat and DEF CON, and you may see some of that referenced below. Enjoy!</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b>Let’s Dive In!</b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span><span style="color: magenta; font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><b>Bytes In vs. Bytes Out (Producer-Consumer Ratio, or PCR) from <a href="http://www.robertmlee.org/blog" target="_blank">Robert M. Lee </a>and <a href="http://detect-respond.blogspot.com/" target="_blank">David J. Bianco’s</a><span id="goog_184137915"></span><a href="https://www.blogger.com/"></a><span id="goog_184137916"></span> BlackHat presentation:</b></span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></span><br />
<ul>
<li><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><a href="https://speakerdeck.com/davidjbianco/go-to-hunt-then-sleep" target="_blank">See slide #12.</a> One way to implement that might be to run a daily script that calculates the bytes-in vs. bytes-out per endpoint (PCR). When you do that over time, you can begin to compare the data and look for blips which could indicate someone was staging, i.e., planning to leave in a couple of weeks and siphoning a bunch of stuff out. I've worked in companies where they had very, very expensive tools that could track all of those types of behaviors, but if the security posture (or budget) within your organization is still maturing, get down in the weeds and write your own, you can do this!</span></span></li>
</ul>
<ul>
<li><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: large;">There are a couple of other slides in David and Robert's deck that I would like to try to turn into use cases as well. </span></span></span></li>
</ul>
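Here is what that daily PCR script can look like, as an added example (my own code, not from the original post or from David and Robert's deck). It uses the standard definition PCR = (bytes out - bytes in) / (bytes out + bytes in), which runs from -1.0 (a pure consumer, like a workstation browsing) to +1.0 (a pure producer). The flow records and the (day, host, bytes_out, bytes_in) layout are constructed sample data, not any tool's output format.<br />

```python
"""Daily producer-consumer ratio (PCR) per endpoint, with a baseline
comparison that surfaces 'blips': days on which a host suddenly sends
far more than it receives relative to its own history.

Added example, not code from the original post or from the BlackHat deck.
PCR = (bytes_out - bytes_in) / (bytes_out + bytes_in), from -1.0 (pure
consumer) to +1.0 (pure producer). The flow records are constructed sample
data; the (day, host, bytes_out, bytes_in) layout is an assumption.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data. 10.1.1.5 is a normal consumer for four days,
# then on 08-18 pushes out three times as much as it pulls in.
# 10.1.1.9 is steady throughout.
FLOWS = [
    ("2017-08-14", "10.1.1.5", 1_000_000, 9_000_000),
    ("2017-08-14", "10.1.1.5", 500_000, 4_500_000),   # second record, same day
    ("2017-08-15", "10.1.1.5", 1_200_000, 10_800_000),
    ("2017-08-16", "10.1.1.5", 900_000, 8_100_000),
    ("2017-08-17", "10.1.1.5", 1_000_000, 9_000_000),
    ("2017-08-18", "10.1.1.5", 30_000_000, 10_000_000),
    ("2017-08-14", "10.1.1.9", 2_000_000, 8_000_000),
    ("2017-08-15", "10.1.1.9", 2_000_000, 8_000_000),
    ("2017-08-16", "10.1.1.9", 2_000_000, 8_000_000),
    ("2017-08-17", "10.1.1.9", 2_000_000, 8_000_000),
    ("2017-08-18", "10.1.1.9", 2_000_000, 8_000_000),
]


def pcr(bytes_out, bytes_in):
    """Producer-consumer ratio; 0.0 for a host with no traffic at all."""
    total = bytes_out + bytes_in
    if total == 0:
        return 0.0
    return (bytes_out - bytes_in) / total


def daily_pcr(flows):
    """Sum bytes per (host, day) first, then compute one PCR per day.

    Summing before dividing matters: averaging per-flow ratios would let
    thousands of tiny flows drown out one large transfer."""
    totals = defaultdict(lambda: [0, 0])  # (host, day) -> [out, in]
    for day, host, out_b, in_b in flows:
        totals[(host, day)][0] += out_b
        totals[(host, day)][1] += in_b
    per_host = defaultdict(dict)
    for (host, day), (out_b, in_b) in totals.items():
        per_host[host][day] = pcr(out_b, in_b)
    return per_host


def find_blips(per_host, min_history=3, min_delta=0.4, sigmas=3.0):
    """Flag days whose PCR jumps toward 'producer' relative to that host's
    own earlier days. The jump must exceed both an absolute floor
    (min_delta) and sigmas * the baseline's spread, so a host that is
    always noisy does not alert on ordinary variation."""
    blips = []
    for host, by_day in per_host.items():
        days = sorted(by_day)
        for i in range(min_history, len(days)):
            history = [by_day[d] for d in days[:i]]
            baseline = mean(history)
            spread = pstdev(history)
            today = by_day[days[i]]
            if today - baseline > max(min_delta, sigmas * spread):
                blips.append({"host": host, "day": days[i],
                              "pcr": today, "baseline": baseline})
    return blips


if __name__ == "__main__":
    for b in find_blips(daily_pcr(FLOWS)):
        print(f"{b['day']} {b['host']}: PCR {b['pcr']:+.2f} "
              f"(baseline {b['baseline']:+.2f})")
```

Run it as a scheduled job that appends each day's per-host totals to a history file; the baseline is the host's own past, so a build server that always produces does not alert, while a workstation that flips from consumer to producer does. Make sure bytes are oriented consistently from the endpoint's point of view (flow collectors report direction differently), or every host will look like a producer.<br />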
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: large;"><b><span style="color: magenta;">Moving on - Ground Speed; badging/access logs, including but not limited to:</span></b></span><br />
<span style="font-size: large;"><br /></span><span style="font-size: large;">⇨If I physically badge into an office in North America but then log into the network later that day from the APAC region, whassup?</span><br />
<span style="font-size: large;"><br /></span><span style="font-size: large;">⇨If I log into the network from the APAC region, but then later that same day I physically badge into an office in North America, whassup?</span><br />
<span style="font-size: large;"><br /></span><span style="font-size: large;">⇨If I log into a system in North America and then later that day I also log in from the APAC region, whassup?</span><br />
<span style="font-size: large;"><br /></span><span style="color: magenta; font-size: large;"><b>Login time behaviors oddities:</b></span><br />
<span style="font-size: large;"><br /></span><span style="font-size: large;">⇨For example, let’s say someone almost always works 8am-4pm but now all of a sudden they are logged in at 2am, whassup?</span><br />
<span style="font-size: large;"><br /></span><span style="font-size: large;"><span style="color: magenta;"><b>Don’t just monitor your logs for unsuccessful logins</b>, </span>also track successful logins, but with correlation, for example, did any of those unsuccessful login attempts just log in, or was there a successful login from an account we have no record of? Just today, <a href="https://www.fsisac.com/" target="_blank">FS-ISAC </a>warned that credential stuffing/ATO attacks are at an elevated level and there is a huge uptick in brute force attacks attempting to leverage stolen credentials. They suggested a possible defense around that would be to monitor your Call Center for increases in account lock-outs.</span><br />
<span style="font-size: large;"><br /></span><span style="color: magenta; font-size: large;"><b>If you have Splunk, take a look at Shannon Entropy via the following </b></span></span></span><span style="color: magenta; font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><b>(if you don’t have Splunk, try to see how you can improvise using other tools):</b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">⇨<a href="https://www.splunk.com/blog/2015/10/01/random-words-on-entropy-and-dns.html" target="_blank">https://www.splunk.com/blog/2015/10/01/random-words-on-entropy-and-dns.html</a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">⇨<a href="https://www.splunk.com/blog/2016/04/21/when-entropy-meets-shannon.html" rel="nofollow">https://www.splunk.com/blog/2016/04/21/when-entropy-meets-shannon.html</a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span><span style="color: magenta; font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>Also with Splunk, take a look at the following </b></span><span style="color: magenta; font-size: large;"><b>(again, if you don’t have Splunk, try to see how you can improvise using other tools):</b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">⇨<a href="https://www.splunk.com/blog/2016/03/22/splunking-1-million-urls.html" target="_blank">https://www.splunk.com/blog/2016/03/22/splunking-1-million-urls.html</a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">⇨<a href="https://www.splunk.com/blog/2016/04/01/hunting-that-evil-typosquatter.html" target="_blank">https://www.splunk.com/blog/2016/04/01/hunting-that-evil-typosquatter.html</a></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><span style="color: magenta;">Huge shout-out to Google Chrome’s</span></b> <a href="https://twitter.com/arw?lang=en" target="_blank">Andrew R. Whalley</a> who I had the great fortune of meeting at BlackHat. I was invited to a small group where Mr. Whalley was discussing browser security and some interesting trickery such as Unicode characters and xn--, <a href="http://fortune.com/2017/04/18/google-chrome-phishing-scam" target="_blank">some of which are outlined here</a>, <a href="https://bugs.chromium.org/p/chromium/issues/list?can=1&q=Type%3DBug-Security+unicode+spoofing+label%3Aallpublic&colspec=ID+Pri+M+Stars+ReleaseBlock+Component+Status+Owner+Summary+OS+Modified&x=m&y=releaseblock&cells=ids" target="_blank">and here</a>. There are nuggets in both URL's to begin building alerts for.</span><br />
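For readers without Splunk, the Shannon entropy hunt from the linked posts and the xn-- (punycode) homograph point above, as an added example in Python that is not code from the original post or from the Splunk articles; the 3.5-bit threshold, the sample hostnames and the "label left of the TLD" rule are assumptions.

```python
"""Two domain-name hunts: Shannon entropy of the registered label (DGA-style
names score high) and punycode (xn--) labels that decode to mixed scripts."""
import math
import unicodedata
from collections import Counter

# Constructed sample of hostnames from DNS/proxy logs (not from the post).
SAMPLE_HOSTS = [
    "www.google.com",
    "mail.example.org",
    "q7x2kfzp9d3vw.net",            # DGA-looking label
    "xn--pple-43d.com",             # "apple" whose first letter is Cyrillic
    "xn--jxalpdlp.com",             # Greek-only label, not mixed script
    "cdn.static-assets.example.com",
]


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for one repeated char)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def registered_label(host):
    """Label left of the TLD; assumption: the last dot-separated part is the TLD."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def high_entropy_hosts(hosts, threshold=3.5):
    """(host, entropy) for hosts whose registered label scores above `threshold`.
    3.5 bits is an assumed starting point; tune it on your own data. Entropy
    grows with label length, so long benign names also need a look."""
    scored = [(h, round(shannon_entropy(registered_label(h)), 3)) for h in hosts]
    return [(h, e) for h, e in scored if e > threshold]


def scripts_in(label):
    """Set of Unicode script names (LATIN, CYRILLIC, ...) among the letters."""
    names = set()
    for ch in label:
        if ch.isalpha():
            names.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return names


def punycode_hosts(hosts):
    """Decode every xn-- label and report (host, decoded label, scripts,
    mixed_script). A label mixing scripts is the classic homograph pattern."""
    findings = []
    for host in hosts:
        for label in host.lower().split("."):
            if not label.startswith("xn--"):
                continue
            try:
                decoded = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                decoded = "<undecodable>"
            scripts = scripts_in(decoded)
            findings.append((host, decoded, sorted(scripts), len(scripts) > 1))
    return findings


if __name__ == "__main__":
    for host, entropy in high_entropy_hosts(SAMPLE_HOSTS):
        print(f"high entropy: {host} ({entropy} bits)")
    for host, decoded, scripts, mixed in punycode_hosts(SAMPLE_HOSTS):
        print(f"punycode: {host} -> {decoded} scripts={scripts} mixed={mixed}")
```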
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><span style="color: magenta;">Office products (Word, Excel, PowerPoint, etc.) probably shouldn’t be spawning</span></b> .exe, cmd.exe, PowerShell, and a host of other items, for example.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><span style="color: magenta;">You can hunt down private domain registrations</span></b> so as to properly investigate, triage and submit for takedown. I attended a Lunch and Learn in June at the <a href="https://digital-forensics.sans.org/community/summits" target="_blank">SANS Austin Summit </a>by <a href="http://www.domaintools.com/" target="_blank">DomainTools</a> that specifically talked about just that, it was fascinating. Lunch and Learns aren't recorded and don't always release a slide deck afterward, but <a href="https://info.domaintools.com/True_Stories_from_the_Threat_Hunting_Files_WebinarVideoPage.html" target="_blank">I found a free video on the DomainTools Web site which is similar to the talk they gave in Austin.</a> If you advance the video to exactly 15 minutes in, at the "Hunt Case Study" section, they discuss work-arounds/pivots for private registrations. It's not in the video link, but at the Lunch and Learn they were even showing how you could pivot off of Google Analytics code to see if anyone else had used it. I wish I had taken better notes, but I was pretty fried at that point from the malware 610 class I was taking...<a href="https://info.domaintools.com/True_Stories_from_the_Threat_Hunting_Files_WebinarVideoPage.html" target="_blank">the video link</a> is close to what was in their talk, just start at exactly 15 minutes in, at "Hunt Case Study."</span></span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: magenta; font-size: large;"><b>Track anomalies in CarbonBlack, NetWitness, Splunk, Tanium or a million other tools, including but not limited to</b>:</span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">o<span style="white-space: pre;"> </span>Large outbound files.</span><br />
<span style="font-size: large;">o<span style="white-space: pre;"> </span>Outbound .rar and .tar files.</span><br />
<span style="font-size: large;">o<span style="white-space: pre;"> </span>Traffic to high risk geo locations such as .cn, .nk, .ru, .su, .tr, etc.</span><br />
<span style="font-size: large;">o<span style="white-space: pre;"> </span>Traffic from any of the top 20 in your APL reaching out to high risk locations such as .cn, .nk, .ru, .su, .tr, etc.</span><br />
<span style="font-size: large;">o<span style="white-space: pre;"> </span>Traffic to odd TLD’s such as .xyz, .sex, .sexy, .xxx, etc.</span><br />
<span style="font-size: large;"><br /></span><span style="color: magenta; font-size: large;"><b>Applications running which have a hash that’s different than all known good application hashes in the enterprise.</b></span><br />
<span style="font-size: large;"><br /></span><span style="color: magenta; font-size: large;"><b><a href="https://securityriskadvisors.com/blog/post/detecting-in-memory-mimikatz" target="_blank">Detecting MimiKatz running in memory:</a></b></span></span></span><br />
<ul><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">
<li>If I understood the author correctly, regardless of what process MimiKatz is injected into, it needs both of these to run: vaultcli.dll and wlanapi.dll.</li>
</span></span></ul>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">
<span style="font-size: large;"><br /></span><span style="color: magenta; font-size: large;"><b>Known Web Server apps being launched from non-standard locales:</b></span><br />
<span style="font-size: large;"><br /></span>
<span style="font-size: medium;">o<span style="white-space: pre;"> </span>apache.exe where path is NOT: c:\oracle\program files\apache</span><br />
<span style="font-size: medium;">o<span style="white-space: pre;"> </span>tomcat.exe where path is NOT: c:\program files\tomcat</span><br />
<span style="font-size: large;"><br /></span><span style="font-size: large;"><span style="color: magenta;"><b>Track exe’s that could be associated with evil</b> </span>(impersonating the legitimate versions), for example, if any of the following have a running path that is NOT c:\windows OR c:\winnt (not an exhaustive list):</span><br /><span style="font-size: large;"><br /></span>
<span style="font-size: x-small;">o<span style="white-space: pre;"> </span>aspnet_compiler.exe<br />
o<span style="white-space: pre;"> </span>at.exe<br />
o<span style="white-space: pre;"> </span>bcdedit.exe<br />
o<span style="white-space: pre;"> </span>bitsadmin.exe<br />
o<span style="white-space: pre;"> </span>cmd.exe<br />
o<span style="white-space: pre;"> </span>conhost.exe<br />
o<span style="white-space: pre;"> </span>csc.exe<br />
o<span style="white-space: pre;"> </span>cscript.exe<br />
o<span style="white-space: pre;"> </span>csrss.exe<br />
o<span style="white-space: pre;"> </span>dfsvc.exe<br />
o<span style="white-space: pre;"> </span>excel.exe<br />
o<span style="white-space: pre;"> </span>explorer.exe<br />
o<span style="white-space: pre;"> </span>hh.exe<br />
o<span style="white-space: pre;"> </span>hkcmd.exe<br />
o<span style="white-space: pre;"> </span>IEExec.exe<br />
o<span style="white-space: pre;"> </span>iexplore.exe<br />
o<span style="white-space: pre;"> </span>iexpress.exe<br />
o<span style="white-space: pre;"> </span>igfxpers.exe<br />
o<span style="white-space: pre;"> </span>igfxsrvc.exe<br />
o<span style="white-space: pre;"> </span>ilasm.exe<br />
o<span style="white-space: pre;"> </span>InstallUtil.exe<br />
o<span style="white-space: pre;"> </span>journal.exe<br />
o<span style="white-space: pre;"> </span>jsc.exe<br />
o<span style="white-space: pre;"> </span>lsass.exe<br />
o<span style="white-space: pre;"> </span>lsm.exe<br />
o<span style="white-space: pre;"> </span>MSBuild.exe<br />
o<span style="white-space: pre;"> </span>msdt.exe<br />
o<span style="white-space: pre;"> </span>mshta.exe<br />
o<span style="white-space: pre;"> </span>msiexec.exe<br />
o<span style="white-space: pre;"> </span>mstsc.exe<br />
o<span style="white-space: pre;"> </span>Net.exe<br />
o<span style="white-space: pre;"> </span>Net1.exe<br />
o<span style="white-space: pre;"> </span>ping.exe<br />
o<span style="white-space: pre;"> </span>PowerShell.exe<br />
o<span style="white-space: pre;"> </span>PowerShell_ise.exe<br />
o<span style="white-space: pre;"> </span>PresentationHost.exe<br />
o<span style="white-space: pre;"> </span>reg.exe<br />
o<span style="white-space: pre;"> </span>RegSvcs.exe<br />
o<span style="white-space: pre;"> </span>RegSvr32.exe<br />
o<span style="white-space: pre;"> </span>rundll32.exe<br />
o<span style="white-space: pre;"> </span>sc.exe<br />
o<span style="white-space: pre;"> </span>script.exe<br />
o<span style="white-space: pre;"> </span>SearchFilterHost.exe<br />
o<span style="white-space: pre;"> </span>SearchProtocolHost.exe<br />
o<span style="white-space: pre;"> </span>services.exe<br />
o<span style="white-space: pre;"> </span>set.exe<br />
o<span style="white-space: pre;"> </span>setx.exe<br />
o<span style="white-space: pre;"> </span>spoolsv.exe<br />
o<span style="white-space: pre;"> </span>svchost.exe<br />
o<span style="white-space: pre;"> </span>systemreset.exe<br />
o<span style="white-space: pre;"> </span>taskhost.exe<br />
o<span style="white-space: pre;"> </span>taskmgr.exe<br />
o<span style="white-space: pre;"> </span>vbc.exe<br />
o<span style="white-space: pre;"> </span>vssadmin.exe<br />
o<span style="white-space: pre;"> </span>w3wp.exe<br />
o<span style="white-space: pre;"> </span>winlogon.exe<br />
o<span style="white-space: pre;"> </span>winword.exe<br />
o<span style="white-space: pre;"> </span>wmic.exe<br />
o<span style="white-space: pre;"> </span>Wscript.exe<br />
o<span style="white-space: pre;"> </span>wuauclt.exe</span>
<span style="font-size: large;"><span style="color: magenta;"><b><br /></b></span></span></span></span><br />
<div>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><span style="color: magenta;"><b>Detect single character file name executables</b>,</span> including but not limited to: 0-9.exe and A-Z.exe as well as other characters like ..exe, _.exe, $.exe, etc.</span><br />
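The process-based hunts above (Office products spawning shells, web server binaries outside their install path, system executables running outside c:\windows or c:\winnt, and single-character executable names), as one added example run over constructed process-creation events; this is not code from the original post, and the parent/child name sets and the subset of the post's binary list are assumptions to extend.

```python
"""Process-creation hunts over endpoint telemetry: Office parents spawning
shells, system binaries outside the Windows directory, web server binaries
in non-standard paths, and single-character executable names."""
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (not from the post): (parent, image).
EVENTS = [
    (r"C:\Program Files\Microsoft Office\WINWORD.EXE", r"C:\Windows\System32\cmd.exe"),
    (r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Users\Public\svchost.exe"),
    (r"C:\Windows\System32\services.exe", r"C:\Windows\System32\svchost.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Users\bob\AppData\Local\Temp\a.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Users\bob\Downloads\$.exe"),
    (r"C:\oracle\program files\apache\apache.exe", r"C:\Users\bob\Downloads\tomcat.exe"),
    (r"C:\Windows\System32\services.exe", r"C:\oracle\program files\apache\apache.exe"),
    (r"C:\Windows\explorer.exe", r"C:\Program Files\Git\git.exe"),
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "powershell_ise.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe"}
SYSTEM_ROOTS = (r"c:\windows", r"c:\winnt")
# Subset of the post's list of binaries that should live under the Windows dir.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "cmd.exe",
                   "powershell.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
                   "wmic.exe", "winlogon.exe", "services.exe"}
# Expected install paths for web server binaries, as given in the post.
WEB_SERVER_HOMES = {"apache.exe": r"c:\oracle\program files\apache",
                    "tomcat.exe": r"c:\program files\tomcat"}
# Any single character (digit, letter, '.', '_', '$', ...) followed by .exe.
SINGLE_CHAR_NAME = re.compile(r"^.\.exe$", re.IGNORECASE)


def name_of(path):
    return PureWindowsPath(path).name.lower()


def dir_of(path):
    return str(PureWindowsPath(path).parent).lower()


def under(path, root):
    d = dir_of(path)
    return d == root or d.startswith(root + "\\")


def hunt(events):
    """Return (rule, parent, image) for every event matching a hunt rule."""
    hits = []
    for parent, image in events:
        pname, iname = name_of(parent), name_of(image)
        if pname in OFFICE_PARENTS and iname in SHELL_CHILDREN:
            hits.append(("office-spawns-shell", parent, image))
        if iname in SYSTEM_BINARIES and not any(under(image, r) for r in SYSTEM_ROOTS):
            hits.append(("system-binary-outside-windows", parent, image))
        home = WEB_SERVER_HOMES.get(iname)
        if home is not None and dir_of(image) != home:
            hits.append(("web-server-nonstandard-path", parent, image))
        if SINGLE_CHAR_NAME.match(iname):
            hits.append(("single-char-exe-name", parent, image))
    return hits


if __name__ == "__main__":
    for rule, parent, image in hunt(EVENTS):
        print(f"{rule}: {parent} -> {image}")
```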
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><span style="color: magenta;">Monitor email for certain file-types</span></b> within zip, such as .js or scr.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span><span style="color: magenta; font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>Monitor for encrypted zips</b>.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span><span style="color: magenta; font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>Check email for .iso, .scr, etc. attachments</b>.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span><span style="color: magenta; font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>Detect zero-byte files.</b></span><br />
<span style="font-size: large;">o<span style="white-space: pre;"> </span>There are several concerns with zero-byte files, some I am sure I am not even aware of, but think of log deletion...files that should contain content but all of a sudden do NOT. Also, think of destructive malware, which can zero-out files: https://forums.malwarebytes.com/topic/87855-zero-byte-data-files - there are probably a lot of other things, so if anyone wants to pile on, please do!</span></span></span><br />
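The mail-attachment hunts above (risky types such as .js or .scr inside a zip, encrypted zips, .iso/.scr attachments, zero-byte files), as an added example that is not code from the original post; it builds a constructed in-memory archive, and the risky-extension sets are assumptions.

```python
"""Mail-attachment hunts: risky member types inside a zip, password-protected
(encrypted) zip members, zero-byte members, and risky outer attachment
extensions such as .iso or .scr."""
import io
import zipfile
from pathlib import PurePosixPath

# Assumed extension sets; extend to taste.
RISKY_INNER = {".js", ".jse", ".scr", ".vbs", ".wsf", ".hta", ".exe", ".lnk"}
RISKY_OUTER = {".iso", ".img", ".scr", ".exe", ".vhd"}


def build_sample_zip():
    """Constructed in-memory archive (not a real sample): a script with an
    invoice-style name, a zero-byte document, and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_2017.js", "// constructed placeholder, not a payload\n")
        zf.writestr("report.docx", b"")
        zf.writestr("readme.txt", "plain text\n")
    return buf.getvalue()


def classify_member(info):
    """Reasons a zip member deserves a look (empty list means none).
    `info` needs filename, flag_bits, file_size and is_dir(), as ZipInfo has."""
    reasons = []
    suffix = PurePosixPath(info.filename).suffix.lower()
    if suffix in RISKY_INNER:
        reasons.append(f"risky type {suffix}")
    if info.flag_bits & 0x1:          # general purpose bit 0 = encrypted entry
        reasons.append("encrypted")
    if info.file_size == 0 and not info.is_dir():
        reasons.append("zero-byte")
    return reasons


def inspect_zip(data):
    """Return (member name, reasons) for every flagged member in zip bytes.
    Only the central directory is read, so encrypted members are listed
    without needing the password."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            reasons = classify_member(info)
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def triage_attachment(filename, data=None):
    """Flag an outer attachment by extension and, for zips, by its members."""
    suffix = PurePosixPath(filename).suffix.lower()
    findings = []
    if suffix in RISKY_OUTER:
        findings.append((filename, [f"risky attachment type {suffix}"]))
    if suffix == ".zip" and data is not None:
        findings.extend(inspect_zip(data))
    return findings


if __name__ == "__main__":
    for name, reasons in triage_attachment("docs.zip", build_sample_zip()):
        print(f"{name}: {', '.join(reasons)}")
    for name, reasons in triage_attachment("setup.iso"):
        print(f"{name}: {', '.join(reasons)}")
```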
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: large;"><br /></span><span style="color: magenta;"><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><a href="https://www.sans.org/security-resources/posters/dfir-find-evil/35/download" target="_blank">Take a look at the SANS “Finding Evil” poster</a>. </span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"> </span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">Note which processes should never spawn certain other processes, etc. and create rule-sets or dashboards to look for those types of anomalies. Additionally, this may help you begin</span><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"> tracking known malware injects.</span></b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span><span style="color: magenta; font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>Check the “Behavior Rule-sets” and “Digital Signatures” <a href="https://www.sans.org/security-resources/posters/windows-forensics-evidence-of/75/download" target="_blank">as outlined in this famous SANS poster</a>.</b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span><span style="color: magenta; font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>Monitor what’s being downloaded across the organization.</b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span><span style="color: magenta; font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>Correlate hosts that generate greater than one a/v alert within the span of up to one week.</b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span><span style="color: magenta; font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>Track a/v hits where the action was “Allowed”, “Deferred”, “Left Alone”, etc. Create rule-sets for correlation.</b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span><span style="color: magenta; font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b>Track a/v hits where the action was “Blocked”, “Deleted”, “Quarantined”, etc. Create rule-sets for correlation.</b></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span><span style="color: magenta; font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><b><a href="https://www.bit9.com/cbfeeds/advancedthreat_feed.xhtml" target="_blank">CarbonBlack offers the following threat indicators:</a></b></span><br /><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: x-small;">o<span style="white-space: pre;"> </span>Execution from Recycle Bin<br />
o<span style="white-space: pre;"> </span>Suspicious process name<br />
o<span style="white-space: pre;"> </span>Processes with obfuscated extensions<br />
o<span style="white-space: pre;"> </span>Known malware file name<br />
o<span style="white-space: pre;"> </span>Execution from System Volume Information folder<br />
o<span style="white-space: pre;"> </span>Possible BlackPOS malware registry artifact<br />
o<span style="white-space: pre;"> </span>Possible APT backdoor installation<br />
o<span style="white-space: pre;"> </span>Possible Ransomware file artifact<br />
o<span style="white-space: pre;"> </span>Possible Point-of-Sale malware file artifact<br />
o<span style="white-space: pre;"> </span>Execution from APT staging area<br />
o<span style="white-space: pre;"> </span>Possible credential theft or misuse<br />
o<span style="white-space: pre;"> </span>Possible ZeroAccess activity<br />
o<span style="white-space: pre;"> </span>Possible Tibet.c backdoor installation<br />
o<span style="white-space: pre;"> </span>Possible wirelurker infection<br />
o<span style="white-space: pre;"> </span>ntvdm.exe spawned by office application<br />
o<span style="white-space: pre;"> </span>Siesta campaign indicators<br />
o<span style="white-space: pre;"> </span>PlugX campaign indicators<br />
o<span style="white-space: pre;"> </span>Modification of launchd.conf<br />
o<span style="white-space: pre;"> </span>Suspicious OSX persistence mechanism<br />
o<span style="white-space: pre;"> </span>Modification of /etc/rc.common<br />
o<span style="white-space: pre;"> </span>Possible Olyx/Lasyr activity<br />
o<span style="white-space: pre;"> </span>Possible wirenet and/or netweird activity<br />
o<span style="white-space: pre;"> </span>Possible Flashback infection<br />
o<span style="white-space: pre;"> </span>Possible iWorm infection<br />
o<span style="white-space: pre;"> </span>Possible NetWeirdRC infection<br />
o<span style="white-space: pre;"> </span>Suspicious local password change<br />
o<span style="white-space: pre;"> </span>Attempted osx password hash collection<br />
o<span style="white-space: pre;"> </span>Execution from trash bin<br />
o<span style="white-space: pre;"> </span>Suspicious process execution<br />
o<span style="white-space: pre;"> </span>Suspicious shell activity<br />
o<span style="white-space: pre;"> </span>Powershell executed with encoded instructions<br />
o<span style="white-space: pre;"> </span>Modification of powershell execution policy<br />
o<span style="white-space: pre;"> </span>Possible malicious powershell activity<br />
o<span style="white-space: pre;"> </span>Possible WMI Persistence<br />
o<span style="white-space: pre;"> </span>Possible WMI command invocation<br />
o<span style="white-space: pre;"> </span>WinRM command activity</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br /><span style="color: magenta;">Begin looking at all the remote access software being utilized in your environment and start to baseline the activity around it. I'm not just talking about Windows built-in RDP, but also tools like GoToMyPC, LogMeIn, TeamViewer, and even Web-Based products such as Join.me (to name a few). These can all be valuable tools but if a SysAdmin has one sitting on his/her server that they didn't install themselves...ummm...gulp.</span></span></span></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: magenta; font-size: large;"><br /></span></span></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="color: magenta;"><span style="font-size: large;">Lastly, it’s too much to retype it all, but there is a wealth of additional information along the topic of hunt at the following links:</span></span></span></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: large;"><br /></span></span></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: large;">I met <a href="https://whitehatcheryl.wordpress.com/" target="_blank">Cheryl Biswas</a> at DEF CON a few weeks ago when her laptop malfunctioned as she was taking the stage for her talk. She asked if anyone in the audience had a spare laptop, and guess what, I did...and I gained a wonderful new friendship as well! <a href="https://cdn.shopify.com/s/files/1/0177/9886/files/phv2017-cbiswas.pdf" target="_blank">Not only is Cheryl incredibly smart, this woman knows her stuff when it comes to Threat Intel and Hunt! Take a read!</a></span></span></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: medium;"><span style="font-size: large;"><br /></span></span></span></span>
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: medium;"><span style="font-size: large;">⇨</span><span style="color: orange;"><a href="http://aboutdfir.com/articles" target="_blank">Contains 87 references to Hunt, just search the page for “Hunt”</a></span></span></span></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">
<span style="font-size: large;"><br /></span><span style="font-size: medium;"><span style="font-size: large;">⇨</span><span style="color: orange;"><a href="http://aboutdfir.com/blogs" target="_blank">Contains 21 references to Hunt, just search the page for “Hunt”</a></span></span></span></span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;">
<span style="font-size: large;"><br /></span><span style="font-size: medium;"><span style="font-size: large;">⇨</span><a href="http://www.threathunting.net/reading-list" target="_blank">http://www.threathunting.net/reading-list</a></span><br />
<span style="font-size: large;"><br /></span><span style="font-size: large;">⇨</span><a href="http://www.hexacorn.com/blog/2016/10/15/threat-hunting-a-tale-of-wishful-thinking-and-willful-ignorance" style="font-size: small;" target="_blank">http://www.hexacorn.com/blog/2016/10/15/threat-hunting-a-tale-of-wishful-thinking-and-willful-ignorance</a><br />
<span style="font-size: large;"><br /></span><span style="font-size: medium;"><span style="font-size: large;">⇨</span><a href="http://www.hexacorn.com/blog/page/26" target="_blank">http://www.hexacorn.com/blog/page/26</a></span><br />
</span><br />
</span></div>
Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com0tag:blogger.com,1999:blog-8265730198332990441.post-33161431139848530992017-07-07T13:39:00.000-04:002017-07-29T12:52:59.779-04:00How to Lose Like a Champion<div class="separator" style="clear: both; text-align: left;">
<a href="https://4.bp.blogspot.com/-j3YdXBPKgRY/WV_Ev4UUHaI/AAAAAAAAdW8/N7vwy5s6Ycwv4SOLNFj9zL1P2UkkZqFugCLcBGAs/s1600/20170209_103504%2B-%2BCopy.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="1084" data-original-width="1445" height="240" src="https://4.bp.blogspot.com/-j3YdXBPKgRY/WV_Ev4UUHaI/AAAAAAAAdW8/N7vwy5s6Ycwv4SOLNFj9zL1P2UkkZqFugCLcBGAs/s320/20170209_103504%2B-%2BCopy.jpg" width="320" /></a></div>
<br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;">Some of you may remember that just recently a little side project, <a href="https://aboutdfir.com/" target="_blank">AboutDFIR.com</a>, which I am a part of with <a href="https://www.linkedin.com/in/devonackerman" target="_blank">Devon Ackerman</a>, had been nominated for a very prestigious award in our field of Digital Forensics and Incident Response called the <a href="https://forensic4cast.com/forensic-4cast-awards" target="_blank">Forensic 4:cast award</a>. Perhaps some of you reading this even voted for us; thank you for that. We didn't walk away with the award and I know this sounds trite, but it truly was an honor just to be nominated. I mean that. It hurt to lose, I don't know how else to phrase it, it really did, but when we lose in life, there can be real value in that, and that's what I'd like to focus on.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br />The first thing I thought when we didn't win was, what am I going to tell my little girls back home. Of course the truth, but how could I hide my sadness from them and not look like a poor loser! I texted home and an answer shot right back..."We have to show them real life!" That was great advice, and honestly, it was the kick in the [you know what] that I needed!</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br />The reality is, there was a ton of good in our loss. Let's count all of the blessings first. I had finally gotten a chance to meet my partner <a href="https://www.linkedin.com/in/devonackerman" target="_blank">Devon Ackerman</a> in person, what a joy! I also had the pleasure of meeting more than one person who came up to us to tell us how much value they have gotten out of our project <a href="https://aboutdfir.com/" target="_blank">AboutDFIR.com</a>.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br />One of the persons who approached us was <a href="https://www.linkedin.com/in/hydejessica" target="_blank">Jessica Hyde</a>. Jessica was one of the first persons I met at the conference. She made a point to march right over to us and introduce herself and tell us how much she enjoyed our project. Turns out, she was born a few miles from my home and the next time she visits her parents, she's coming to dinner! But there's one more thing you need to know about Jessica (besides the fact that she is a wicked h@cker and <a href="https://www.sans.org/summit-archives/dfir" target="_blank">gave one of the most awesome talks at the con</a>). Jessica works for Magnet Forensics, the company that won the award in our category. Yup, that's right folks. Here we were competing against her company, but she had taken it upon herself to come over to us and compliment us on how much she enjoyed our project. Wow! None of us knew at that point who had won the award or who had lost, but I can assure you that when her team won the award and we didn't, she was one of the first persons I reached out to to congratulate.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br />I had put some thought into what I might write in a blog post in the off-chance that we won, and I think those ideas still hold some value so I'll share some of them below.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br />I believe that one of the things that makes our DFIR community great, is that we share, but what's ironic (and complicated) about that is, when you look at some of the folks in our space who have shared, and their incredible tools, blog posts, code, etc., it can be rather intimidating, at least to someone like me who sometimes wonders if I'd be more comfortable in a cave.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br />The other thing about sharing is that when you put yourself out there, you give up some control of your work, which can be scary on different levels. For one, control is a hot-button topic among many security practitioners. We love our controls, but I bet we've all worked for someone who's taken it a bit too far and either (a) not shared enough and kept too many keys to the kingdom to themselves and then the business suffered a single point of failure, or (b) locked-down users to the point they had trouble getting actual work done.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br />Also, in some respects, sharing can make you vulnerable to criticism (good or bad) - here's an example - if you're a singer-songwriter like myself, you might publish a song and then have someone get a totally different meaning from it, or someone else might hear a lyric incorrectly and have that song take on a whole other meaning. I remember my agent having to explain to me how I shouldn't get so bent out of shape by that. She called it, "poetic license" and went on to point out how it can be a beautiful thing. Afterward, I thought about all the times I had sung the wrong words to popular songs and was guilty of the same myself!</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br />So when I returned home from the conference, my daughters were so excited for me! My oldest asked me, "Mom, what prize did you win for second place?!" And I took such great pleasure in sharing my wonderful life lesson with them, that for a fleeting second, I was almost glad we'd lost.</span><br />
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif; font-size: large;"><br />In closing, I suppose some of the above can be reasons not to publish or post, but our community is built on sharing, and it only gets better if everyone contributes. Don't be afraid! There's a little song I used to sing when I was a child called, "This Little Light of Mine" - I bet some of you know it! Everyone has an inner light, find yours and let it shine! Even if all you think you have is a bunch of annotated URLs in a NotePad file floating around somewhere (like yours truly), you can still turn that into something useful for others - and if one person benefits, isn't that winning? Isn't that your real prize?</span>Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com0tag:blogger.com,1999:blog-8265730198332990441.post-25457051271892135182017-04-05T21:51:00.001-04:002017-04-05T21:51:33.059-04:00The Little Engine That Could?<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://3.bp.blogspot.com/-n-dBAxQj9F0/WOWT0SFG4HI/AAAAAAAAXeo/qH_WJl1E5LM2NdApsGMDxIvffXLiL4mjgCLcB/s1600/LittleEngineThatCould.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="281" src="https://3.bp.blogspot.com/-n-dBAxQj9F0/WOWT0SFG4HI/AAAAAAAAXeo/qH_WJl1E5LM2NdApsGMDxIvffXLiL4mjgCLcB/s320/LittleEngineThatCould.jpeg" width="320" /></a></div>
<br />
<span style="font-size: large;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-weight: normal;"><a href="https://en.wikipedia.org/wiki/The_Little_Engine_That_Could" target="_blank">T</a><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><a href="https://en.wikipedia.org/wiki/The_Little_Engine_That_Could" target="_blank">he Lit</a><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><a href="https://en.wikipedia.org/wiki/The_Little_Engine_That_Could" target="_blank">tle Engine </a><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><a href="https://en.wikipedia.org/wiki/The_Little_Engine_That_Could" target="_blank">That Could</a> by Watty Piper is one of my favorite books to read to my <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">little ones</span>. It's chock-full of lessons <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">such as</span> <a href="https://en.wikipedia.org/wiki/Golden_Rule" target="_blank">The Golden </a><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><a href="https://en.wikipedia.org/wiki/Golden_Rule" target="_blank">Rule</a> and <a href="https://en.wikipedia.org/wiki/The_Power_of_Positive_Thinking" target="_blank">The Power</a><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><a href="https://en.wikipedia.org/wiki/The_Power_of_Positive_Thinking" target="_blank"> of Positive Thin</a><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><a href="https://en.wikipedia.org/wiki/The_Power_of_Positive_Thinking" target="_blank">king</a>, to name <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">just</span> a couple.<span style="font-family: 
"helvetica neue" , "arial" , "helvetica" , sans-serif;"> Funny thing is, as an adult, it applies to me these day<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">s too. You see,<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"> my partner <a href="https://www.linkedin.com/in/devonackerman" target="_blank">Devon Ackerman</a> and I have <a href="http://bit.ly/Forensic4castVote" target="_blank">just been nomin</a><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><a href="http://bit.ly/Forensic4castVote" target="_blank">a</a><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><a href="http://bit.ly/Forensic4castVote" target="_blank">ted for an industry award called the Forensic :4</a><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><a href="http://bit.ly/Forensic4castVote" target="_blank">cast Awar</a><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><a href="http://bit.ly/Forensic4castVote" target="_blank">d</a><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"> which is ar<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">guabl<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">y <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">one of the biggest awards <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">in <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">our industry. 
We run <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">a little site called <a href="https://aboutdfir.com/" target="_blank">AboutDFIR.com</a> and we were nomin<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">ated as "Di<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">gital Forensic <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Organization of the <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Year".</span></span></span></span> </span> We're up against <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">some industry giants, but with your <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">vo<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">te, we <i>could</i> (<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">did you get</span> th<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">at</span> reference?) win<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">.</span> It's a long shot, so here's where <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">I</span> humbly and res<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">pectfully</span> <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">request your vote, if you <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">feel</span> we<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">'ve earned</span> it<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">. 
<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">Devon and I are<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"> both</span></span> passionate about DFIR (and malware)<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">, and we <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">each</span> have<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"> full-time jobs and small children as well, so we<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"> do the best we can with the little bit of free time that we have, but we do it with <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">a great love for our industry and <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">the belief that if we think we can, we <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">*will* leave our profession "better than we found it," which is<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"> advi<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">ce</span></span> I often<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"> impart upon</span> my children<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">.</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span><br />
<span style="font-size: large;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-weight: normal;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , 
"arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><br /></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>
<span style="font-size: large;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-weight: normal;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , 
"arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">T<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">HANK YOU SO MUCH to everyone who nominated us and <a href="http://bit.ly/Forensic4castVote" target="_blank">we</a><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><a href="http://bit.ly/Forensic4castVote" target="_blank">'d be honored if you voted for us</a>. <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">As for our competition<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">, </span>Magnet Forensics and Cellebrite<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"> (</span>and who doesn’t LOVE those two <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">industry luminaries</span>?!) <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">m</span>y thinking is, you can still vote for them in other categories and then <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">choose</span> us for <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">your</span> "Organization of the Year" vote. Just my personal elevator pitch, but maybe it makes sense?! Regardless, it’s simply splendid and an honor to be nominated! 
Thank you everyone!!!</span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span></span>Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com0tag:blogger.com,1999:blog-8265730198332990441.post-87764587005249616592017-01-22T17:43:00.000-05:002017-01-23T07:39:19.163-05:00AboutDFIR.com Partnership<span style="font-size: large;"><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-weight: normal;">Today I have the great pleasure of announcing a partnership that has formed between Devon Ackerman and myself. Devon had been sharing a DFIR resource that was similar to my Threat Intel list but we have now merged those two projects into one bigger and better repository that we host at <a href="http://aboutdfir.com/" target="_blank">AboutDFIR.com</a>!<br /><br />Our merger is still a work in progress so if you don't see a familiar data set, it's probably because we haven't quite ported everythin</span></span></b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-weight: normal;">g over yet. One of our goals is to offer continuous, timely and meaningful resources, in a very easy to use format and in one central repository.<br /> </span></span></span><br />
<span style="font-size: large;"><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-weight: normal;">I'd like to thank a few people who have been silent cheerleaders during this transition period, offering their support, wisdom, and in some cases their own resources. <a href="http://www.hecfblog.com/" target="_blank">David Cowen</a>, who took a big chunk of his very valuable time to answer several questions and offer guidance. <a href="https://twitter.com/scsinusy" target="_blank">Josh Sutfin</a>, who offered valuable data which we will look forward to adding as time allows. <a href="https://medium.com/@mbromileyDFIR" target="_blank">Matt Bromiley</a>, <a href="http://windowsir.blogspot.com/" target="_blank">Harlan Carvey</a>, <a href="https://thisweekin4n6.com/" target="_blank">Phill Moore</a>, and <a href="https://threatintel.eu/" target="_blank">Andreas Sfakianakis</a>, each industry rockstars in their own right, have been so kind to mention my research.<br /><br />Last but certainly not least, I'd like to thank <a href="https://twitter.com/aei4n6" target="_blank">Devon</a>. Devon quickly became a friend, and when I would get really stressed about the added pressure of a project of this magnitude on top of a full-time job and raising two children (which is another FT job LOL!), he would simply remind me that this was a hobby, and something that we chose to do because it was fun, so no angina allowed!</span></span></b></span><br />
<span style="font-size: large;"><b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-weight: normal;"><br /></span></span></b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><span style="font-weight: normal;">One more thing, if you're reading this and you are new to the field of <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">DFIR, Threat Intelligence, Malware Analysis/Research</span> or perhaps deciding whether or not to pursue a career in Information Security, I hope you will find our new shared resource <a href="http://aboutdfir.com/" target="_blank">DFIR - The Definitive Compendium Project</a> helpfu<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">l</span>. There is real community<span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"> in Security</span>, and one of <span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">our</span> goals is to shine a light on that. Enjoy!</span></span><b><br /></b></span>Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com1tag:blogger.com,1999:blog-8265730198332990441.post-62872821778987101612016-12-04T20:52:00.000-05:002017-09-02T18:06:17.021-04:00Threat Intelligence<span style="color: red;"><span style="font-size: large;"><span style="font-family: "arial" , "helvetica" , sans-serif;">UPDATE: <a href="https://1drv.ms/x/s!AilmDQY9_Q5NhDPqcC8lr2Kpl36y" target="_blank">Just added a new tab for CTF, <span style="font-family: "arial" , "helvetica" , sans-serif;">Challenges and Sample Image <span style="font-family: "arial" , "helvetica" , sans-serif;">Files, check it out!</span></span></a></span></span></span><br />
<span style="font-size: large;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-family: "arial" , "helvetica" , sans-serif;"> </span></span> </span></span><br />
<span style="font-size: large;"><span style="font-family: "arial" , "helvetica" , sans-serif;">I am really looking forward to sharing a new post with the community! </span></span><br />
<br />
<span style="font-size: large;"><span style="font-family: "arial" , "helvetica" , sans-serif;">I revamped my older "Links I Follow" spreadsheet and added a repository of
<a href="https://1drv.ms/x/s!AilmDQY9_Q5NhDPqcC8lr2Kpl36y" target="_blank">Threat Intelligence <span style="font-family: "arial" , "helvetica" , sans-serif;">p</span>ortals, Hunt tactics and more malware links</a>. The new
spreadsheet has tabs, so don't miss all three tabs. The "Research" tab <span style="font-family: "arial" , "helvetica" , sans-serif;">has</span> my old "Links I Follow<span style="font-family: "arial" , "helvetica" , sans-serif;">"</span> spreadsheet, with anything new in bold. A good portion of the entries are free<span style="font-family: "arial" , "helvetica" , sans-serif;"> or</span> open source, but if you like something you see and the author asks for a small donation, remember it's nice to give back if you are able.</span></span><br />
<span style="font-size: large;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><br /></span></span>
<span style="font-size: large;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Some time ago my <a href="http://bit.ly/IR_A2Z" target="_blank">"IR A-Z"</a> paper was warmly welcomed, as was my <a href="http://bit.ly/1KQ4IuL" target="_blank">list of tools</a> that I shared. I've since found a whole bunch more tools, but my new list doesn't have very many tools in it, instead I decided to focus my energy on answering a question I received from a former co-worker as well as from some of the listserv's I follow. A few weeks back a good friend texted me, "Do you happen to have a list of blog intel stuff, API feeds, or anything that reports on current malware or phishing?" Well, turns out I did, but it seems now that I follow Twitter, I come across so much incredible
intel every day, that all I have time to do is copy the URL and move on! I'd had links and links and links that I had saved but not taken the time to add to my spreadsheet! But I knew, that in order to help my friend, I needed to sit down and take some time to cull through my pile of information and organize some of it. There's tons more, but it's an infinite process, which at some point I just have to cut my losses and say, here's all I have time to record.</span></span><br />
<br />
<span style="font-size: large;"><span style="font-family: "arial" , "helvetica" , sans-serif;">So that's what this post is about. It's not meant to be an exhaustive directory by any means, and trust me, I've labored over how to categorize things, where to place them in the list, and eventually just ran out of time. So you might find some malware research under Threat Intelligence or some Hunt stuff under Tools, etc. I did the best I could with the little bit of free time that I had, so please know that the list is far from perfect, but hopefully it will be helpful to the community.</span></span>Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com4tag:blogger.com,1999:blog-8265730198332990441.post-83100097661591910282016-11-18T19:16:00.000-05:002016-11-18T19:19:05.223-05:00Unofficial Holiday Hack Countdown<span style="font-size: large;"><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;">I am so eager for this year's <a href="https://holidayhackchallenge.com/" target="_blank">SANS Holiday Hack Challenge </a>that I created a fun counter for myself! Thank you to the wonderful Katie Knowles for letting me use her pic!
</span></span><br />
<br />
<embed frameborder="0" height="200" src="http://www.arewethere.yt/Unofficial-Holiday-Hack-Countdown-/56027.htm?type=embed" width="350"></embed>Mary Ellenhttp://www.blogger.com/profile/05132981467812838271noreply@blogger.com0