Chris Sanders 🔎 🧠
Ed.D. | Founder @networkdefense @RuralTechFund | Former @Mandiant, DoD | Author: Intrusion Detection Honeypots, Practical Packet Analysis, Applied NSM
Jul 19, 2023 9 tweets 2 min read
I’m excited to launch our latest online course, YARA for Security Analysts.

We built this course for people who want to learn to write YARA rules for detection engineering, system triage, incident response, and threat intel research.

#Yara #DetectionEngineering #DFIR #Malware

In the course, you’ll learn how to use YARA to detect malware, triage compromised systems, and collect threat intelligence. No prior YARA experience is required.

You can learn all about the course and register here: networkdefense.co/courses/yara/. It's discounted right now for launch.
Mar 10, 2023 8 tweets 3 min read
There are many paths you could take with this scenario. At a high level, the big question you want answered is whether the user or an attacker set up the forwarding rule. But, you've got to ask other, more specific questions to figure that out. #InvestigationPath

A lot of great responses this week so I won't rehash every path, but there's an opportunity to explore the disposition and prevalence of the client IP, the timing of the rule creation versus AD auth, potential outgoing spam activity,
Nov 29, 2022 7 tweets 2 min read
This scenario was much broader than most, and notice how that invited many more responses and a great diversity in paths to pursue. Sometimes the most challenging part of an investigation is knowing which initial #InvestigationPath to take.

Something we know from research is that the initial path (“opening move”) matters.

I shared some of this research in this blog post: chrissanders.org/2016/09/effect….

That effect is a product of the path itself and the evidence being examined.
Nov 8, 2022 6 tweets 2 min read
Investigation Scenario 🔎

A workstation attempted authentication to every other Windows system on the local network.

What do you look for to start investigating this event?

Assume you have access to any evidence source you want, but no commercial EDR tools.

#InvestigationPath

Response of the week goes to @DanielOfService.

When available, knowing the expected system role is helpful and sets the context for the next things you'll look for (like the process responsible for the activity). It's also easy to answer.

Nov 2, 2022 9 tweets 3 min read
When an attacker gains initial access to a system on a network, common actions are:

1. Scanning the network for pivot targets
2. Pillaging the system for valuable files
3. Stealing credentials from the system

Each provides an opportunity for honeypot-based detection 🧵

1/
When an attacker is scanning the network for pivot targets, a listening honey service on a common port that is placed on that network segment is likely to receive a probe. That probe generates an alert indicating the compromised source host.

2/
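As an added illustration of the first item in the thread (this is example code written for this page, not code from the author or the thread), here is a minimal TCP honey service in Python. It listens on a port, never answers, and turns every connection into an alert whose key field is the source host, which is the host to triage next. The alert field names, the "honey-tcp" sensor label, and the SMB-looking bytes sent by the demo scanner are assumptions made for the example; in production you would bind it to a port the neighbouring hosts genuinely expose (445, 3389, 22) rather than loopback.

```python
import socket
import threading
from collections import Counter
from datetime import datetime, timezone


class HoneyService:
    """Minimal TCP honey service: accepts any connection, answers nothing,
    and records who touched it. The demo binds loopback on an ephemeral
    port; on a real segment you bind a port real neighbours expose."""

    def __init__(self, host="127.0.0.1", port=0, banner_wait=0.5):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.sock.settimeout(0.2)            # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.banner_wait = banner_wait       # how long to wait for a scanner's first bytes
        self.alerts = []
        self._cv = threading.Condition()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def wait_for(self, count, timeout=3.0):
        """Block until `count` alerts exist (or timeout) and return a copy of them."""
        with self._cv:
            self._cv.wait_for(lambda: len(self.alerts) >= count, timeout=timeout)
            return list(self.alerts)

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(self.banner_wait)
                try:
                    head = conn.recv(64)     # many scanners send nothing; still a hit
                except OSError:              # timeout or reset: record the touch anyway
                    head = b""
            alert = self._alert(peer, head)
            with self._cv:
                self.alerts.append(alert)
                self._cv.notify_all()

    def _alert(self, peer, head):
        # No legitimate host has a reason to connect here, so one connection is
        # an alert. The field that matters is src_ip: that is the likely
        # compromised host, and the next question is which process on it
        # opened the connection. (Field names are assumptions for this example.)
        return {
            "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "sensor": "honey-tcp",
            "dst_port": self.port,
            "src_ip": peer[0],
            "src_port": peer[1],
            "first_bytes": head.hex(),
            "severity": "high",
        }


def probe(host, port, payload=b""):
    """Stand-in for an attacker's scanner: connect, optionally send bytes, disconnect."""
    with socket.create_connection((host, port), timeout=2) as s:
        if payload:
            s.sendall(payload)


def suspected_sources(alerts):
    """Collapse alerts to the hosts worth triaging, most active first."""
    return Counter(a["src_ip"] for a in alerts).most_common()


def demo():
    """Run the honey service on loopback, hit it with two probes, return the alerts."""
    svc = HoneyService().start()
    try:
        probe("127.0.0.1", svc.port)                               # bare TCP connect scan
        probe("127.0.0.1", svc.port, b"\x00\x00\x00\x45\xffSMB")   # constructed SMB-looking hello
        return svc.wait_for(2)
    finally:
        svc.stop()


if __name__ == "__main__":
    alerts = demo()
    for a in alerts:
        print(a)
    print("hosts to triage:", suspected_sources(alerts))
```

The service deliberately sends no banner: a scanner that completes the TCP handshake has already given away its source address, and staying silent avoids advertising the listener as a decoy. The value of the alert is not the payload but the source host, which is why `suspected_sources` reduces the alert stream to a ranked list of hosts to pull process and network evidence from.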
Oct 31, 2022 5 tweets 2 min read
One of the underappreciated benefits of the increased acceptance of remote work — it makes more jobs accessible to folks with disabilities. Since April 2020, the number of disabled folks participating in the workforce has increased 5%. bloomberg.com/news/articles/…

Even when a workplace is accessible to someone with a disability (and despite the ADA, many are not), the commute there may not be. Eliminating that commute opens up a lot of possibilities.
Sep 14, 2022 15 tweets 2 min read
I was speaking to a security team earlier this week and we spent some time talking about creating a culture of curiosity. A few things I shared... 1/ 🧵

Curiosity is the desire to know something, and it's one of the most important traits security practitioners can possess. 2/
Sep 4, 2022 20 tweets 3 min read
Some definitions I operate from...

The digital forensic investigation is the systematic inquiry and examination of evidence to gain an accurate perception of whether a compromise has occurred, and to what extent. Digital forensics is... the preservation, collection, validation, identification, analysis, interpretation, documentation, and presentation of digital evidence derived from digital sources to facilitate or further... (cont.)
Aug 22, 2022 10 tweets 2 min read
An Investigation Theory student asked me a good question last week -- Do you need to understand how a specific malware strain works to investigate a system where you suspect it might be present? Let's talk about it. 1/

Any time you suspect specific malware is on a system, it probably means you have some existing evidence indicating the presence of that malware. Perhaps, an IDS alert. 2/
Aug 3, 2022 17 tweets 3 min read
Sometimes I dream about investigation techniques (perfectly normal). I had a dream a couple of nights ago that I was forced to use parallel construction to resolve a case.

Are you familiar with the concept of parallel construction?
🧵 1/

Parallel construction is a process an investigator uses to build a case toward a conclusion using an alternate evidentiary basis. The practice mostly comes from law enforcement. 2/
Jun 2, 2022 20 tweets 3 min read
Most analysts deal with decision fatigue -- a phenomenon that causes their decision making to get worse as they make a greater number of decisions. I bet you've experienced this too...🧵 1/

I don't think most analysts realize just how many decisions they make in a day. A lot of us recognize the decision of assigning a disposition to an alert or event, but that's not even the bulk of it. 2/
May 31, 2022 8 tweets 5 min read
We've got a week full of exciting things happening at @RuralTechFund, and it starts today with the launch of our new website: ruraltechfund.org. One of our goals was to make our impact even clearer and more visible on our home page and a dedicated page: ruraltechfund.org/impact/.

You'll see the types of projects we've funded and where they are located. You might even find your hometown on our impact map.
May 27, 2022 12 tweets 2 min read
An essential part of performing forensic investigations is the practice of forecasting. When you forecast, you interpret meaning from the evidence you have available and use it to predict other possible events.

You ask, "What related activity could have happened?" 1/

Breaking that down further, you're asking:

"What actions could have led to the events I've seen?"

and

"What actions could follow the events I've seen?"

In both cases, you may seek to identify malicious or benign events. 2/
May 26, 2022 7 tweets 2 min read
I bet you appreciate the value of outlining before you write, but you might not realize the value of keeping your outline around WHILE you write. ✍️

Keeping your outline visible helps you:
- Remember your audience
- Focus on your purpose
- Better transition in/out of sections
- Recognize macro structure adjustments that you need to make
May 20, 2022 16 tweets 3 min read
All analysts want to gain experience to get better at their jobs. One way we gain experience is by assimilating enough information that we can generalize about it, creating rules of thumb (often called heuristics) to guide future analysis. 1/

We create heuristics through a process of inductive reasoning. We recognize patterns of relationships and generalize about their characteristics for later application in similar situations. 2/
May 10, 2022 13 tweets 2 min read
One of the bigger initial barriers for newer analysts to break through is understanding exactly where investigative work happens. Much of it happens in the web browser and search engine rather than the SIEM or command line. 1/

Analysts frequently identify novelty cues -- things that indicate the presence of an unknown threat, capability, or technology that the analyst doesn't understand well. These things all require research. 2/
May 4, 2022 15 tweets 3 min read
One of the more unfortunate artifacts from how defensive security evolved is how fractured the SOC, IR, and DF communities are. They all rely on the same cognitive toolset, but often operate as separate professional communities much of the time. 1/

The investigative skillset within digital forensics (encompassing DF/IR/SOC) is fairly universal – I showed that in my research (chrissanders.org/2021/12/disser…). They rely mostly on the same cognitive processes and mental models for sensemaking in investigations. 2/
Mar 30, 2022 10 tweets 3 min read
Let's talk about the power of self-explanation for analysts. One thing most folks know is that if you explain something to yourself, you're more likely to understand it better. There are a few places where this matters for analysts performing investigations. 1/

First, self-explanation helps analysts better sequence events. By trying to explain a sequence to yourself, you more easily spot gaps or misalignments (such as in the attack timeline). Most analysis is discrete, but good analysts take time for holistic review. 2/
Mar 28, 2022 13 tweets 3 min read
Investigations include lots of decision points. We interpret evidence to reveal cues that compel us to ask investigative questions, leading us to more evidence. The questions and evidence we pursue are the product of decisions, either made intuitively or deliberately. 1/

My research in security analysis has shown how decisions reached from deliberate thought are typically higher quality than those reached intuitively, even by experts. But, why do we often rely on intuition so much? 2/
Jan 26, 2022 18 tweets 4 min read
I spent some time with this Oxford paper about SOC analyst perspectives on IDS and false positives. The key takeaway was that false positives are prevalent and frustrating, but the paper captures some useful nuance on the topic.

usenix.org/conference/use…
1/

I think almost all perspectives are useful, but few conclusions are. I like qualitative studies that include the voice of participants because you get more of that perspective, and there's a lot of it to be found here. 2/
Jan 25, 2022 18 tweets 3 min read
I've been thinking a lot about peer review lately (primarily in conference CFPs and journals) and realized my opinions on review blindness weren't well-formed enough, so I've been soliciting input from many sources. I'm curious about your thoughts. 1/

The most common peer review types are:
Single Blind - Reviewers know authors, but authors don't know reviewers.
Double Blind - Reviewers and authors don't know each other. Editors know both.
Triple Blind - Nobody knows anybody.
Open - Everybody knows everybody.
2/