Intelligence Concepts — The Intelligence Cycle

I can’t talk about important intelligence concepts for security without talking about the granddaddy, the original: the Intelligence Cycle. This should be great discussion fodder for anyone who has to talk to someone who claims they’re selling some form of Threat Intelligence product, given in most cases they seem to be using the phrase in place of the word smart. Intelligence vs smart couldn’t be farther from the truth....

December 16, 2015 · 8 min · Scott J Roberts

Crisis Communications for IR (The Preso!)

In September I wrote about Crisis Communications in Incident Response and after some great feedback I expanded it and built a presentation. I gave this presentation in June at FIRST and today (July 8th) at SANS DFIR Summit. Both were great events and I highly recommend them. My Slides I’m going to actually do a post soon (I hope) on building security presentations. In case you’re curious I built this deck using Deckset....

July 8, 2015 · 1 min · Scott J Roberts

FIRST 2015

I’m lucky enough to get to go to FIRST 2015 in Berlin. I’ll be speaking on Tuesday afternoon, but one of the best things about conferences like this is being able to attend other sessions. I’ve never been to FIRST before, and this year looks jam-packed. Here are the talks I’m most excited about and you’ll be likely to find me in. Monday June 15: 11:00 — Building instantly exploitable protection for yourself and your partners against targeted cyber threats using MISP by Mr....

June 11, 2015 · 6 min · Scott J Roberts

How I Atom

Update - April 2019: To be honest I don’t Atom anymore. I switched to Visual Studio Code in the middle of 2017 while writing TypeScript and Golang and haven’t looked back. During the time I’ve been at GitHub one of the coolest projects to come out has been Atom, GitHub’s own text editor. I’ve been using it since the day it got released internally at GitHub and I can say Atom is one of my 3 top used applications and an essential part of my workflow....

June 6, 2015 · 5 min · Scott J Roberts

Intelligence Concepts — The SANS Incident Response Process

Getting away from the abstract to something a bit more distinctly DFIR we get to the (in)famous SANS Incident Response Process. The basis of SANS 504: Incident Response & Hacker Techniques, this process attempts to codify the typical incident process into key steps. This is an essential process that helps form a cogent understanding of the incident process, but its limitations need to be just as well understood. SANS Incident Response Process Preparation: Getting ready for incident response, creating documentation, building tools, etc....

May 18, 2015 · 4 min · Scott J Roberts

pbcopy and pbpaste

pbpaste & pbcopy give you direct access to the OSX clipboard from a shell and make it easy to tie together data from GUI-based apps with command line apps. pbpaste So say you use ⌘+c to copy something from a browser that you want to then feed through a command line tool like ./jq: $ pbpaste | jq '.' pbpaste feeds the text from the clipboard to jq through standard in, which then allows jq to manipulate it as you see fit....

May 15, 2015 · 2 min · Scott J Roberts

Imposter Syndrome in DFIR

Impostor syndrome can be defined as a collection of feelings of inadequacy that persist even in face of information that indicates that the opposite is true. It is experienced internally as chronic self-doubt, and feelings of intellectual fraudulence. Imposter Syndrome ~ The CalTech Counseling Center There isn’t an easy way to start a post like this and there doesn’t need to be. Imposter Syndrome is something most people don’t know a lot about (I’d never heard the idea until I started working at GitHub) but it’s something everyone is intimately familiar with....

May 2, 2015 · 7 min · Scott J Roberts

Incident Response Hunting Tools

Great, you’ve decided to move beyond reactive incident response and start hunting. While hunting is primarily a way of thinking about incident response it does rely on your technical capabilities, so what tools should you use? The focus for me is always on open source tools with wide-ranging applications. Here are my favorites: Endpoint Alerting Tools: Facebook osquery osquery is a tool from Facebook that describes itself as:...

April 21, 2015 · 5 min · Scott J Roberts

Incident Response is Dead… Long Live Incident Response

Talk to anyone in the DFIR Illuminati and one of the topics that always comes up is Hunting. Much like threat intelligence & string theory, people talk a lot about this, but nearly no one knows what it actually means. Proactive vs. Reactive At its core, Hunting is about taking a proactive vs a reactive approach to identifying incidents. In Reactive organizations, an incident starts when notification comes in; whether that’s a vendor IDS or AV alert, or worse a phone call from the FBI or getting Krebs-ed....

April 13, 2015 · 6 min · Scott J Roberts

Intelligence Concepts — F3EAD

One of the most talked-about intelligence concepts in information security today is F3EAD. Standing for Find, Fix, Finish, Exploit, Analyze, and Disseminate, this is a methodology for combining operations (in this case we’re talking about kinetic ops) and the intelligence process. While the Intelligence Cycle & SANS IR cycle are both useful, they are ultimately academic. If the goal is Intelligence-Driven Incident Response, we need to combine intelligence with ops, and that’s where F3EAD shines....

March 24, 2015 · 4 min · Scott J Roberts