Chris Sanders 🔎 🧠

@chrissanders88

Followers
31,915
Following
505
Media
1,590
Statuses
14,263

Ed.D. | Founder @networkdefense @RuralTechFund | Former @Mandiant , DoD | Author: Intrusion Detection Honeypots, Practical Packet Analysis, Applied NSM

Mayfield KY ➡️ Gainesville GA
Joined July 2008
Pinned Tweet
@chrissanders88
Chris Sanders 🔎 🧠
1 year
Hi, Y'all! I tweet about the intersection of cyber security investigation doctrine, cognitive psychology, and education. Also BBQ. 👨🏻‍🏫 Online Courses I Teach: 📚 Books I've Written: 🌎 Blog & More Links:
5
20
90
@chrissanders88
Chris Sanders 🔎 🧠
4 years
Look at this slice of awesome. The new Wireshark version in dev (3.3.0) has a packet diagram view. A fantastic teaching and learning tool! When released, I'll be making pretty extensive use of this in my classes! Great job @geraldcombs and @WiresharkNews team.
93
3K
7K
@chrissanders88
Chris Sanders 🔎 🧠
3 years
Student: *asks question about thing* Me: *looks up thing in book I wrote* Student: "Wait, you have to look up something from your own book?" Me: "Well yea, why do you think I took the time to write it all down?" Student: *twitches*
38
335
3K
@chrissanders88
Chris Sanders 🔎 🧠
3 years
Doctoral Dissertation… Defended. I did it.
Tweet media one
210
32
2K
@chrissanders88
Chris Sanders 🔎 🧠
7 years
You’re confident about your bug fix, but are you “hot patch the Apollo 14 lander or the mission is scrapped” confident?
Tweet media one
31
1K
2K
@chrissanders88
Chris Sanders 🔎 🧠
2 years
Anytime the word "Novel" is capitalized, I initially read it as "Novell" and am taken back to a very dark and different place.
Tweet media one
202
70
1K
@chrissanders88
Chris Sanders 🔎 🧠
2 years
This isn't easy news to share, but my family could use your thoughts and prayers if you have them to spare.
Tweet media one
311
48
1K
@chrissanders88
Chris Sanders 🔎 🧠
3 years
I don't know who needs to hear this today but cyber security work is really hard. Even at the entry level, it's difficult work. People around you too easily forget that because of the curse of knowledge -- we can't remember what it was like to not know something we know.
26
212
1K
@chrissanders88
Chris Sanders 🔎 🧠
2 years
I know a lot of teachers right now are getting their classrooms ready for the new year. You're loved and appreciated. If you've got a classroom wishlist... Reply to this tweet with your wish list link AND Follow me or open your DMs so I can message you #clearthelist 📚🎁😄
1K
273
866
@chrissanders88
Chris Sanders 🔎 🧠
2 years
Big news! After a long wait, I'm excited to publicly release my doctoral dissertation, "The Analyst Mindset: A Cognitive Skills Assessment of Digital Forensic Analysts". You can download it here: .
Tweet media one
28
205
819
@chrissanders88
Chris Sanders 🔎 🧠
11 months
I held Ellen's hand as she passed away peacefully last night after an 18 month battle with brain cancer. She was the best person I've ever known and was so incredibly loved.
Tweet media one
Tweet media two
Tweet media three
Tweet media four
285
15
759
@chrissanders88
Chris Sanders 🔎 🧠
6 years
I got a text message today from someone asking for help increasing their mailbox size. She owns a small business in Kentucky and got my number from a business card taped to a server I installed FIFTEEN YEARS AGO. It’s still there, running the entire business.
25
68
738
@chrissanders88
Chris Sanders 🔎 🧠
10 months
I know a lot of teachers right now are getting their classrooms ready for the new year. You're loved and appreciated. If you've got a classroom wishlist... Reply to this tweet with your wish list link AND Follow me or open your DMs so I can message you #clearthelist 📚🎁😄
1K
278
728
@chrissanders88
Chris Sanders 🔎 🧠
10 months
I’m excited to launch our latest online course, YARA for Security Analysts. We built this course for people who want to learn to write YARA rules for detection engineering, system triage, incident response, and threat intel research. #Yara #DetectionEngineering #DFIR #Malware
Tweet media one
6
174
655
@chrissanders88
Chris Sanders 🔎 🧠
4 years
My newest book, Intrusion Detection Honeypots: Detection through Deception, is out today. 🍯 You can read about it here: You can buy it here: #idhbook
Tweet media one
42
172
595
@chrissanders88
Chris Sanders 🔎 🧠
4 years
I've got a few SIGNED copies of my Intrusion Detection Honeypots to give away. 🍯 To enter, retweet this tweet. I'll pick a few folks at random to win on Friday. You must have a US shipping address to win. Learn about the book here:
Tweet media one
44
908
514
@chrissanders88
Chris Sanders 🔎 🧠
6 years
My entire #cuckoosegg Intro to Infosec course is now available as a free download here: This includes recordings, lecture notes, and slides.
Tweet media one
9
287
507
@chrissanders88
Chris Sanders 🔎 🧠
4 years
After many months of design, planning, and building... I finally finished this massive set of built-in bookshelves today. #woodworking #shelfie
Tweet media one
Tweet media two
43
7
463
@chrissanders88
Chris Sanders 🔎 🧠
4 years
I'm excited to share the cover for my next book: 🍯🍯🍯🍯🍯🍯🍯🍯🍯🍯🍯 Intrusion Detection Honeypots: Detection through Deception. 🍯🍯🍯🍯🍯🍯🍯🍯🍯🍯🍯 Available this summer where books are sold.
Tweet media one
25
72
464
@chrissanders88
Chris Sanders 🔎 🧠
1 year
Investigation Scenario 🔎 HR suspects that a former employee may have taken sensitive data when they quit. What do you look for to investigate this event? Assume you have access to any evidence source you want, but no commercial DLP tools. #InvestigationPath #DFIR #SOCAnalyst
72
81
462
@chrissanders88
Chris Sanders 🔎 🧠
3 years
One of the more helpful things new analysts can do is to read about different sorts of attacks and understand the timeline of events that occurred in them. This enables something called forecasting, which is an essential skill. Let's talk about that. 1/
8
131
449
@chrissanders88
Chris Sanders 🔎 🧠
5 years
Little guy decided he wanted to get here a few weeks early, so we had a baby today. Elijah Carter Sanders — “Eli”. Everyone’s happy and healthy.
Tweet media one
86
0
434
@chrissanders88
Chris Sanders 🔎 🧠
6 years
Today I’m releasing the first in a series of blog posts dedicated to analysis techniques you can use to deal with large overwhelming PCAP files. First up I’m colorizing packets by conversation in Wireshark.
11
216
422
@chrissanders88
Chris Sanders 🔎 🧠
3 years
I'm beyond excited to announce the newest @NetworkDefense online course: CyberChef for Security Analysts. 👨‍🍳👩‍🍳 You can learn more and sign up for it here: .
Tweet media one
7
129
413
@chrissanders88
Chris Sanders 🔎 🧠
2 years
Today is my official graduation day. I needed to be elsewhere so I couldn’t attend as planned, but I did manage to take a picture in my doctoral regalia a couple of days ago for posterity.
Tweet media one
37
6
410
@chrissanders88
Chris Sanders 🔎 🧠
5 years
It looks like my next woodworking project is going to be a crib. It's gotta be ready for him by May.
Tweet media one
88
0
401
@chrissanders88
Chris Sanders 🔎 🧠
4 years
A new doormat, inspired by the Intrusion Detection Honeypots book.
Tweet media one
9
52
394
@chrissanders88
Chris Sanders 🔎 🧠
4 years
I don't know who needs to hear this, but if you traveled regularly for work and haven't in a while because of the pandemic, go check your travel bag and make sure you didn't leave any snacks in there... ...
21
61
392
@chrissanders88
Chris Sanders 🔎 🧠
4 years
I don't know who needs to hear this, but don't abbreviate "analysis" as "anal".
54
38
344
@chrissanders88
Chris Sanders 🔎 🧠
5 years
A lot of SOC jobs are seen as temporary stepping stones and places where burnout is a certainty. I think that's less about the job and more about many environments failing to adequately support the job.
15
91
346
@chrissanders88
Chris Sanders 🔎 🧠
2 years
Sending some goodies out in the mail today.
Tweet media one
13
18
336
@chrissanders88
Chris Sanders 🔎 🧠
4 years
I've also got a free signed copy for whoever replies to *this* tweet with their favorite recipe that includes honey as an ingredient.
@chrissanders88
Chris Sanders 🔎 🧠
4 years
I've got a few SIGNED copies of my Intrusion Detection Honeypots to give away. 🍯 To enter, retweet this tweet. I'll pick a few folks at random to win on Friday. You must have a US shipping address to win. Learn about the book here:
Tweet media one
44
908
514
299
129
325
@chrissanders88
Chris Sanders 🔎 🧠
6 years
Let’s play a game. Assume you’ve been hired as the CISO of a 1000 employee org that has literally no security infrastructure. What types of product-based security solutions are REQUIRED purchases to build an effective sec program within 3 years?
94
82
319
@chrissanders88
Chris Sanders 🔎 🧠
2 years
When an attacker gains initial access to a system on a network, common actions are: 1. Scanning the network for pivot targets 2. Pillaging the system for valuable files 3. Stealing credentials from the system Each provides an opportunity for honeypot-based detection 🧵 1/
4
64
313
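The three post-access actions named in the thread above each have a deception counterpart: a host that answers nothing legitimate, a document nobody should open, and an account nobody should use. The following is an added example, not Chris Sanders' code and not from the Intrusion Detection Honeypots book, showing what that detection logic looks like run over a handful of constructed, normalised log events. The honeypot address, decoy file path, decoy account name and event field names are all assumptions.

```python
"""Honeypot-based detections for the three post-access actions: scanning for
pivot targets, pillaging files, and stealing/using credentials.

Added example only. The event dicts are a constructed, minimal log format;
the honeypot host, decoy file and decoy account are placeholder values.
"""
from collections import defaultdict
from dataclasses import dataclass

# Deception assets. No legitimate process or person should ever touch these,
# so any contact is a high-confidence signal (assumed values).
HONEYPOT_HOST = "10.0.5.50"
HONEY_FILES = {r"\\fileserver\finance\payroll_2023_backup.xlsx"}
HONEY_ACCOUNTS = {"svc_backup_admin"}


@dataclass(frozen=True)
class Alert:
    kind: str
    src: str
    detail: str


def detect_scanning(events, port_threshold=3):
    """1. Scanning: any connection to the honeypot host alerts; several
    distinct ports from one source is upgraded to a pivot scan."""
    touched = defaultdict(set)
    for e in events:
        if e["event"] == "netconn" and e["dst"] == HONEYPOT_HOST:
            touched[e["src"]].add(e["dst_port"])
    alerts = []
    for src, ports in sorted(touched.items()):
        kind = "pivot_scan" if len(ports) >= port_threshold else "honeypot_contact"
        alerts.append(Alert(kind, src, f"honeypot ports touched: {sorted(ports)}"))
    return alerts


def detect_pillaging(events):
    """2. Pillaging: a read of a decoy document (file-access audit event)."""
    return [Alert("honey_file_access", e["src"], f"{e['user']} read {e['path']}")
            for e in events
            if e["event"] == "file_read" and e["path"].lower() in HONEY_FILES]


def detect_credential_theft(events):
    """3. Credential theft: any logon with a decoy account. Failure and success
    both alert: failure shows the username was harvested, success shows the
    secret was harvested too."""
    return [Alert("honey_credential_use", e["src"], f"{e['user']} -> {e['dst']} ({e['status']})")
            for e in events
            if e["event"] == "logon" and e["user"].lower() in HONEY_ACCOUNTS]


def run_all(events):
    return detect_scanning(events) + detect_pillaging(events) + detect_credential_theft(events)


def correlate(alerts):
    """Group alert kinds by source host. A source tripping more than one
    deception type matches the whole post-access sequence."""
    by_src = defaultdict(set)
    for a in alerts:
        by_src[a.src].add(a.kind)
    return {src: sorted(kinds) for src, kinds in by_src.items()}


# Constructed sample events: 10.0.1.23 behaves like a compromised host, 10.0.1.40 is normal.
SAMPLE_EVENTS = [
    {"event": "netconn", "src": "10.0.1.23", "dst": "10.0.5.50", "dst_port": 22},
    {"event": "netconn", "src": "10.0.1.23", "dst": "10.0.5.50", "dst_port": 445},
    {"event": "netconn", "src": "10.0.1.23", "dst": "10.0.5.50", "dst_port": 3389},
    {"event": "netconn", "src": "10.0.1.40", "dst": "10.0.9.9", "dst_port": 443},
    {"event": "file_read", "src": "10.0.1.23", "user": "jsmith",
     "path": r"\\fileserver\finance\payroll_2023_backup.xlsx"},
    {"event": "file_read", "src": "10.0.1.40", "user": "alee",
     "path": r"\\fileserver\finance\q3_report.xlsx"},
    {"event": "logon", "src": "10.0.1.23", "user": "svc_backup_admin", "dst": "dc01", "status": "failure"},
    {"event": "logon", "src": "10.0.1.40", "user": "alee", "dst": "dc01", "status": "success"},
]

if __name__ == "__main__":
    for alert in run_all(SAMPLE_EVENTS):
        print(alert)
    print(correlate(run_all(SAMPLE_EVENTS)))
```

The design point is that none of the three detectors needs a threshold tuned against normal traffic: the decoy itself defines "never legitimate", which is why the same logic scales down to a small network as well as up.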
@chrissanders88
Chris Sanders 🔎 🧠
3 years
A lot of teachers are starting back to school today or around now. We love you and we're thinking about you. PS - If you're seeing this and you're one of those teachers, DM me your classroom Amazon wishlist if you have one 😉
175
80
308
@chrissanders88
Chris Sanders 🔎 🧠
10 months
We had the funeral service for Ellen this past weekend. It was a beautiful celebration of her life with hundreds of people who loved her in attendance. I'm trying to figure out what life looks like now, and honestly, I'm struggling, but I've got help and I'll be okay eventually.
19
4
308
@chrissanders88
Chris Sanders 🔎 🧠
2 years
The most common action an analyst will take is performing a search. Usually in a tool like Security Onion, Splunk, Kibana, and so on. The second most common action an analyst will take is pivoting. That term gets used a lot, but what exactly does it mean? 1/
6
106
305
@chrissanders88
Chris Sanders 🔎 🧠
2 years
Intrusion Detection Honeypots are the most valuable, yet underutilized detection technologies available, and these techniques often scale down as well as they scale up. 🍯
9
52
305
@chrissanders88
Chris Sanders 🔎 🧠
3 years
For threat hunting, a non-trivial amount of the work is referencing, creating, and updating system and network inventory. This doesn't get talked about enough as a skill set that someone develops. 1/
20
93
303
@chrissanders88
Chris Sanders 🔎 🧠
6 years
What is your Mt. Rushmore of infosec books? Mine is TCP/IP Illustrated, Practical Malware Analysis, The Cuckoo’s Egg, and Kingpin.
34
50
294
@chrissanders88
Chris Sanders 🔎 🧠
2 years
Teacher twitter is, honestly, the best twitter.
18
25
292
@chrissanders88
Chris Sanders 🔎 🧠
5 years
If you're learning a new task, use familiar tools. If you're learning new tools, use a familiar task.
3
101
293
@chrissanders88
Chris Sanders 🔎 🧠
2 years
I've been getting a lot of new RTF gear lately. It's good timing because I'm down 60 pounds now and all my old stuff is too big. A good problem to have! It's been a long road but I'm feeling the best I have physically since college.
Tweet media one
26
6
294
@chrissanders88
Chris Sanders 🔎 🧠
4 years
Here's the deal. Today's my birthday and all I want from you is the same thing I ask for every year -- reply to this tweet and share with me some *unconventional* wisdom you've learned over the course of your life. It can be about anything.
253
34
289
@chrissanders88
Chris Sanders 🔎 🧠
6 years
Hi New Followers! I tweet about infosec, psychology, packets, education, and investigations. Favorite blog posts: Free Cuckoo’s Egg training: Online training courses:
7
62
284
@chrissanders88
Chris Sanders 🔎 🧠
3 years
As always, a special thanks to SOC analysts and incident responders who are working today. Be sure and send some love to them!
0
48
284
@chrissanders88
Chris Sanders 🔎 🧠
6 years
I’ve been working with @da_667 to turn his Building Virtual Labs book into a “Choose Your Own Adventure” online course for @NetworkDefense . I think it turned out really well, and it’ll be open on Thursday. You can read about it here:
14
80
281
@chrissanders88
Chris Sanders 🔎 🧠
2 years
Investigation Scenario 🔎 A user workstation made a DNS query for a domain that was reported to be associated with malvertising activity. What do you look for to start investigating this event? Assume you have access to any evidence source you want.
57
54
277
@chrissanders88
Chris Sanders 🔎 🧠
2 years
One of the bigger initial barriers for newer analysts to break through is understanding exactly where investigative work happens. Much of it happens in the web browser and search engine rather than the SIEM or command line. 1/
9
71
268
@chrissanders88
Chris Sanders 🔎 🧠
3 years
We put together a @sigma_hq cheat sheet while building our Detection Engineering with Sigma online course. Even if you don't take the course, you can grab the cheat sheet for free here: Course Details:
Tweet media one
Tweet media two
2
114
268
@chrissanders88
Chris Sanders 🔎 🧠
4 years
Shout out to all the SOC analysts on shift or IR folks working cases today, and their families. We appreciate ya. If you're able, drop by and bring them something tasty or give 'em a shout to let them know you're thinking about them.
5
64
266
@chrissanders88
Chris Sanders 🔎 🧠
4 years
By the way, when I say great tools don't just help people do a job, they teach them how to do it...this is an example. Sometimes it's nudging people toward decisions. Here, it's simplifying complexity using visual reference models.
@chrissanders88
Chris Sanders 🔎 🧠
4 years
Look at this slice of awesome. The new Wireshark version in dev (3.3.0) has a packet diagram view. A fantastic teaching and learning tool! When released, I'll be making pretty extensive use of this in my classes! Great job @geraldcombs and @WiresharkNews team.
93
3K
7K
3
53
247
@chrissanders88
Chris Sanders 🔎 🧠
1 year
I’m excited to launch our latest course, Splunk for Security Analysts. ⛏️ You can read more about the online, on-demand Splunk for Security Analysts course and register now at .
Tweet media one
4
61
248
@chrissanders88
Chris Sanders 🔎 🧠
3 years
If we were putting all my courses on sale this year, I'd probably announce it here on Friday morning.
9
36
246
@chrissanders88
Chris Sanders 🔎 🧠
9 months
Ten years ago today -- what a great day that was.
Tweet media one
18
1
246
@chrissanders88
Chris Sanders 🔎 🧠
3 years
I'm really excited to share that our newest online class, Detection Engineering with Sigma, is open this morning. You can learn more and register at . The course is discounted for launch until next Friday.
Tweet media one
10
84
243
@chrissanders88
Chris Sanders 🔎 🧠
1 year
Investigation Scenario 🔎 While hunting through O365 logs, you discovered the depicted entry related to one of your user’s mailboxes. The user is on vacation for a week and unreachable. What do you look for to investigate whether an incident occurred? #InvestigationPath #DFIR
Tweet media one
40
47
238
@chrissanders88
Chris Sanders 🔎 🧠
5 years
Well folks, we raised $11,000 for the @RuralTechFund at @DerbyCon . That’ll change a lot of lives. Thank you to everyone who came by and bought a shirt or raffle ticket.
7
44
242
@chrissanders88
Chris Sanders 🔎 🧠
3 years
For you IR folks or many-hat-wearing IT folks who got a lot busier this week... make sure you're taking breaks, eating all your meals, and getting enough sleep. Your brain (and the rest of your body) will work a lot better.
9
34
235
@chrissanders88
Chris Sanders 🔎 🧠
3 years
Shout out to @CISAKrebs and others like him in government service who lose their jobs doing what’s right. I’ve been there too. You’re on the right side of history and we see you.
1
21
238
@chrissanders88
Chris Sanders 🔎 🧠
5 years
I did a bit of log analysis this morning. Aggregated by type, sorted by most frequent occurrence.
Tweet media one
17
45
235
@chrissanders88
Chris Sanders 🔎 🧠
2 years
When I retire, I think I'm just gonna hook the smoker up to the truck and drive around to all my favorite SOCs and cook BBQ for everybody. Traveling infosec tailgate.
11
4
235
@chrissanders88
Chris Sanders 🔎 🧠
6 years
I just published the third article in my series dedicated to analyzing large PCAPs. This one focuses on distilling PCAPs down to key events with Suricata, Bro, PRADS, and more. I also mention the @securityonion so-import-pcap script.
Tweet media one
3
112
232
@chrissanders88
Chris Sanders 🔎 🧠
1 year
Investigation Scenario 🔎 A JR analyst is concerned that Cobalt Strike is running on a Windows host. They proposed steps to investigate the event. What feedback would you give them on their proposed investigation path? What would you prioritize, deprioritize, add, or change?
Tweet media one
31
38
231
@chrissanders88
Chris Sanders 🔎 🧠
4 years
In these confusing times, it's helpful to have a quick reference guide. #knowyoursanders
Tweet media one
15
24
230
@chrissanders88
Chris Sanders 🔎 🧠
11 months
It's been a while since I've updated on Ellen's condition. Unfortunately, her cancer has progressed significantly in the past couple of months. We recently decided to forgo further treatment and pursue hospice care as she enters her final weeks.
@chrissanders88
Chris Sanders 🔎 🧠
1 year
A year ago today, my wife Ellen had a seizure. In March, I shared that she eventually received a diagnosis of Glioblastoma, a rare form of incurable brain cancer. She's been doing well, considering what she's dealing with. Here's an update...
19
3
143
88
3
228
@chrissanders88
Chris Sanders 🔎 🧠
2 years
Couldn’t have this list without this book.
@RuralTechFund
Rural Tech Fund
2 years
“The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage” by Clifford Stoll is a nonfiction masterpiece. The story is a first-person account of searching for a hacker while Stoll was working at the Lawrence Berkeley National Laboratory. After noticing a 75-cent 1/
Tweet media one
10
50
261
21
16
223
@chrissanders88
Chris Sanders 🔎 🧠
6 years
Host OS logs are forensically valuable and you should take time to learn and experiment with common sequences. Here’s a few steps to help you… FIRST, setup a Windows system using these logging recs: And this sysmon config: . 1/
5
91
225
@chrissanders88
Chris Sanders 🔎 🧠
3 years
From recent research... Upon notification of potential malware infection, SOC analysts tend to spend more time trying to confirm the malware infection, whereas IR/DF analysts tend to assume infection and move toward understanding impact.
11
51
221
@chrissanders88
Chris Sanders 🔎 🧠
3 years
Wife: “The 3D printer has been running for a long time. Are you making something weird?” Me: “Nope” Also me:
Tweet media one
12
7
214
@chrissanders88
Chris Sanders 🔎 🧠
2 years
Investigation Scenario 🔎 TeamViewer_Desktop.exe executed on a system in your network. What do you look for to start investigating this event? Assume you have access to any evidence source you want.
45
40
214
@chrissanders88
Chris Sanders 🔎 🧠
2 years
One of the more unfortunate artifacts from how defensive security evolved is how fractured the SOC, IR, and DF communities are. They all rely on the same cognitive toolset, but often operate as separate professional communities much of the time. 1/
9
52
214
@chrissanders88
Chris Sanders 🔎 🧠
4 years
For those who asked about my classes, here's the packet analysis / Wireshark class. It's available on-demand: And here's my book on packet analysis: .
6
33
208
@chrissanders88
Chris Sanders 🔎 🧠
1 year
Investigation Scenario 🔎 A system mounted a file named TXRTN_8291834.iso. What do you look for to determine if this system is infected and identify the potential malware? The file is no longer available but you can use any other evidence source you like. #InvestigationPath
Tweet media one
14
37
207
@chrissanders88
Chris Sanders 🔎 🧠
2 years
The surgery was yesterday and went well 🙌 Thanks again to everyone who sent kind replies, DMs, and emails. It really helped lift both of our spirits.
19
0
202
@chrissanders88
Chris Sanders 🔎 🧠
2 years
We're celebrating good news today, as Ellen finished her six weeks of radiation and chemo every day. She got through with only very minimal side effects and feels pretty good!
16
1
203
@chrissanders88
Chris Sanders 🔎 🧠
6 years
In the 1980s the CIA caught a contractor stealing information because a secretary noticed the last login time for her terminal was not what it should be. Last Login Time may be one of the best bang for your buck security controls you can implement, but so few people do.
6
76
193
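The control in the tweet above is cheap because the user does the anomaly detection: the system only has to remember the previous successful logon (and any failures since) and show it at the next one. The following is an added example, not Chris Sanders' code, of that bookkeeping plus the comparison the secretary did by eye; the in-memory store, the user names and the timeline are constructed assumptions.

```python
"""Last Login Time as a security control: show each user when and from where
their previous successful logon happened, plus failed attempts since then, so
the user can spot a session they did not start.

Added example; the in-memory store and the sample timeline are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class LoginRecord:
    when: datetime
    source: str


class LastLoginRegistry:
    def __init__(self):
        self._last = {}           # user -> LoginRecord of the most recent success
        self._failed_since = {}   # user -> failed attempts since that success

    def record_failure(self, user):
        self._failed_since[user] = self._failed_since.get(user, 0) + 1

    def record_success(self, user, when, source):
        """Store the new logon and return (previous record, failures since it)."""
        previous = self._last.get(user)
        failures = self._failed_since.pop(user, 0)
        self._last[user] = LoginRecord(when, source)
        return previous, failures

    @staticmethod
    def banner(previous, failures):
        lines = ["First recorded login for this account." if previous is None
                 else f"Last login: {previous.when:%a %Y-%m-%d %H:%M} from {previous.source}"]
        if failures:
            lines.append(f"{failures} failed login attempt(s) since the last successful login.")
        return "\n".join(lines)


def unexpected_last_login(previous, own_sessions):
    """The check the secretary in the story did by eye: the displayed last
    login is not one of the sessions the user actually started."""
    return previous is not None and previous not in own_sessions


def demo():
    """Constructed timeline: alice logs in Monday morning, someone else uses her
    account Monday night and fumbles the password twice more overnight, and
    alice logs in Tuesday to a banner describing a session she never started."""
    reg = LastLoginRegistry()
    alice_sessions = {LoginRecord(datetime(2023, 5, 1, 9, 0), "ws-alice")}
    reg.record_success("alice", datetime(2023, 5, 1, 9, 0), "ws-alice")
    reg.record_success("alice", datetime(2023, 5, 1, 22, 14), "10.0.3.7")   # not alice
    reg.record_failure("alice")
    reg.record_failure("alice")
    previous, failures = reg.record_success("alice", datetime(2023, 5, 2, 9, 2), "ws-alice")
    return previous, failures, reg.banner(previous, failures), unexpected_last_login(previous, alice_sessions)


if __name__ == "__main__":
    _, _, text, flagged = demo()
    print(text)
    print("user should report this:", flagged)
```

In practice the last line of defence is the user reading the banner, so it has to be shown on an interactive logon path the user actually sees (a shell MOTD, a web app's "last signed in" line) and must record the source, not only the time.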
@chrissanders88
Chris Sanders 🔎 🧠
10 months
All the things we say about people at funerals should be said at birthdays and anniversaries and brunches and Tuesdays and so many other times as well.
7
22
194
@chrissanders88
Chris Sanders 🔎 🧠
7 years
If that wasn’t enough, during descent they had to manually reboot their radar. Brings new meaning to “just reboot it"
Tweet media one
6
81
188
@chrissanders88
Chris Sanders 🔎 🧠
6 years
Very excited to share that we raised over $8000 for @RuralTechFund at @Derbycon . This shatters last year's total. 100% of that will go to classrooms in rural areas, helping us introduce thousands of students to technical education. I’m grateful for everyone who contributed!
Tweet media one
6
48
192
@chrissanders88
Chris Sanders 🔎 🧠
4 years
I'm pretty impressed with Brim. It's a really quick way to break down a PCAP into Zeek logs, do some quick analysis, and even pivot back into smaller PCAPs. #SOC Repo: Download: Demo:
3
84
193
@chrissanders88
Chris Sanders 🔎 🧠
2 years
Most analysts deal with decision fatigue -- a phenomenon that causes their decision making to get worse as they make a greater number of decisions. I bet you've experienced this too...🧵 1/
5
48
193
@chrissanders88
Chris Sanders 🔎 🧠
2 years
I spent a good chunk of the past week talking with teachers and helping them stock their classrooms for the upcoming school year. I want to talk a bit about some issues teachers are facing right now. 1/ 🧵
29
33
191
@chrissanders88
Chris Sanders 🔎 🧠
1 year
Y’all enjoying these weekly investigation scenarios?
30
3
186
@chrissanders88
Chris Sanders 🔎 🧠
6 years
Someone rapped about Network Time Protocol on Jeopardy tonight. What a time to be alive.
7
59
179
@chrissanders88
Chris Sanders 🔎 🧠
10 months
I've purchased about $5K worth of items off of teacher wishlists so far. I'll be doing some more tomorrow and through the weekend. #clearthelist 🚀
123
20
183
@chrissanders88
Chris Sanders 🔎 🧠
5 years
I'm really honored to have won the SANS Difference Makers Award for my work with the RTF. This was quite a shock, and I appreciate SANS recognizing the cause of helping expose more rural kids to technology education.
@SANSInstitute
SANS Institute
5 years
Congratulations to the winners of the 2018 Difference Makers Award! The Difference Makers Awards were created to honor the unsung heroes in #cybersecurity whose innovation, skill, and hard work have resulted in real successes in information security.
1
11
22
17
18
183
@chrissanders88
Chris Sanders 🔎 🧠
2 years
An Investigation Theory student asked me a good question last week -- Do you need to understand how a specific malware strain works to investigate a system where you suspect it might be present? Let's talk about it. 1/
1
42
178
@chrissanders88
Chris Sanders 🔎 🧠
4 years
@mattifestation Another way I've heard this said is "There comes a time when you have to stop admiring the problem."
2
40
179
@chrissanders88
Chris Sanders 🔎 🧠
1 year
Investigation Scenario 🔎 A user reported their mouse moving around on the screen by itself for a few minutes. The cursor appeared to open and close a few documents on the desktop. What do you look for to investigate whether an incident has occurred? #InvestigationPath #DFIR
42
35
178
@chrissanders88
Chris Sanders 🔎 🧠
4 years
Let's talk about the differences between novices and experts. But, instead of cyber security, we'll use airport baggage screeners as an example. These are the folks who use the scanner screens to find forbidden items in luggage 1/
6
58
174
@chrissanders88
Chris Sanders 🔎 🧠
2 years
Some of the work I'm most proud of from my time at Mandiant was pioneering the building of investigative actions *into detection signatures* as they were written. This had profound impact across the detection and product teams, and made the tool so much more accessible.
@jhencinski
Jon Hencinski
2 years
A good alert includes: - Detection context - Investigation/response context - Orchestration actions - Prevalence info - Environmental context (e.g, src IP is scanner) - Pivots/visual to understand what else happened - Able to answer, "Is host already under investigation?"
12
246
923
4
36
179
@chrissanders88
Chris Sanders 🔎 🧠
3 years
Since I spend so much time talking to and researching SOCs and SOC analysts, I often get asked, "What's the biggest difference between high and low growth SOCs?" The answer? Expectations. 1/
6
39
177
@chrissanders88
Chris Sanders 🔎 🧠
4 years
I'm doing research for my next book and I'd love to talk to you if: - You've used honeypots/tokens to successfully catch bad guys - You've been caught by honeypots/tokens as a pen tester - You've used a non-typical type of deception tech to do cool things RTs appreciated
29
194
177
@chrissanders88
Chris Sanders 🔎 🧠
4 years
Shout out to all the SOC analysts just trying to get through their alert queues this month while being bombarded with questions about CVEs, breaches, and the constant distractions that come with it all.
4
21
175
@chrissanders88
Chris Sanders 🔎 🧠
7 years
Good analysts ask questions to uncover evidence. Bad analysts jump to conclusions without evidence. Be a good analyst — ask questions.
7
67
172
@chrissanders88
Chris Sanders 🔎 🧠
1 year
I'm keynoting the SANS Threat Intel Summit two weeks from today. This'll be my first public, in-person talk since 2020 and I'll be discussing my research on how analysts think and work through investigations. You can attend in person or virtually:
Tweet media one
3
25
174
@chrissanders88
Chris Sanders 🔎 🧠
6 years
Getting people interested in infosec isn’t hard. Keeping them is. How we lose people (unordered): 1) Reliance on tacit knowledge 2) A knowledge-based social economy 3) Exclusivity 4) Unclear traditional academic paths to success 5) Lack of leadership accountability
17
41
170
@chrissanders88
Chris Sanders 🔎 🧠
4 years
One of the most common questions analysts ask me -- what do I do when I get stuck in an investigation? This happens to everyone, especially when you're inexperienced. Let's talk about that... 1/
3
64
172
@chrissanders88
Chris Sanders 🔎 🧠
3 years
There's often interesting public discussion about vendor detection tools and what they detect vs expectations. There's some interesting decision making that happens behind the scenes at these vendors when it comes to how they manage detection signatures. A thread... 1/
12
57
173
@chrissanders88
Chris Sanders 🔎 🧠
10 days
Investigation Scenario 🔎 You’ve discovered regsvr32.exe running from the C:\Users\Username\Appdata\Roaming directory on a Windows system. What do you look for to investigate whether an incident occurred? #InvestigationPath #DFIR #SOC
16
26
174