DFIR Skillz
Brett Shavers posted another great article in which he discussed a much-needed skill in DFIR, albeit one that isn't taught in any courses: communicating with others. If you really think about it, this is incredibly, critically, vitally important. What good is a good, great, or even the best threat intel or DFIR analyst if they are unable to communicate with others and share their findings? And I'm not talking about just the end results, but also being able to clearly articulate what led to those findings. What is it that you're seeing, for example, that indicates there's an adversary active in the environment, rather than a bunch of persistence mechanisms kicking off when systems are booted? Can you articulate your reasoning, and can you articulate where the gaps are, as well?
Something to keep in mind...there is a distinct difference between not being able to clearly delineate or share findings, and simply being unwilling to do so.
DFIR Skillz - Tech Skillz
A great way to develop technical DFIR analysis skills is to practice them. There are a number of DFIR challenge images posted online and available for download that you can use to do exactly that.
The CFReDS data leakage case provides a great opportunity to work with different types of data from a Windows 7 system, as well as from external devices.
The LoneWolf scenario at the DigitalCorpora site is pretty fascinating, as it allows you to practice using a number of tools, such as hindsight, Volatility, bulk_extractor, etc. The scenario includes an image of a Windows 10 laptop with a user profile that includes browser (Chrome, IE) history, as well as a hibernation file, a memory dump, a page file, a swap file, etc. This scenario and the accompanying data were produced by Thomas Moore as his final project for one of Simson Garfinkel's courses at GMU. The challenge in this scenario will be learning from the image without having taken the course.
Ali Hadi, PhD, makes a number of datasets available for download. I especially like challenge #1, as it's a great opportunity to try your hand at various analysis tasks, such as using Yara to detect webshells. There are also a couple of other really cool things you can do with the available data; many thanks to @binaryz0ne for providing the scenarios and the datasets.
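As an added illustration of the webshell-hunting task mentioned above (this is not part of the original post or of the challenge materials), here is the kind of starting-point YARA rule set one might write and then run against a mounted copy of a recovered web root. The rule names, string lists and size threshold are my own assumptions, chosen to catch the common PHP webshell shapes; they are a template to tune, not a validated signature set.

```yara
// Added example, not from the original post or the challenge data.
// Two rules for triaging PHP files recovered from a web root.

rule PHP_Webshell_UserInput_To_Exec
{
    meta:
        description = "PHP file where request-controlled input and a code/command execution sink appear together"
        note        = "Starting point only: tune against the site's known-good code before trusting hits"
    strings:
        $php   = "<?php" ascii nocase
        // sources: anything the remote client controls
        $in1   = "$_REQUEST[" ascii
        $in2   = "$_POST[" ascii
        $in3   = "$_GET[" ascii
        $in4   = "$_COOKIE[" ascii
        $in5   = "$_SERVER[\"HTTP_" ascii      // attacker-supplied request headers
        $in6   = "php://input" ascii           // raw request body
        // sinks: code or command execution
        $exec1 = "eval(" ascii nocase
        $exec2 = "assert(" ascii nocase
        $exec3 = "system(" ascii nocase
        $exec4 = "shell_exec(" ascii nocase
        $exec5 = "passthru(" ascii nocase
        $exec6 = "popen(" ascii nocase
        $exec7 = "proc_open(" ascii nocase
    condition:
        // webshells are small; the size cap keeps bundled libraries from matching
        filesize < 512KB and $php and 1 of ($in*) and 1 of ($exec*)
}

rule PHP_Webshell_Obfuscated_Eval
{
    meta:
        description = "eval/assert fed directly by a decoder, the classic one-liner shape"
    strings:
        $php  = "<?php" ascii nocase
        // e.g. eval(base64_decode("...")) or assert(gzinflate(base64_decode(...)))
        $wrap = /(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(/ nocase
    condition:
        filesize < 512KB and $php and $wrap
}
```

Run it over the mounted image with something like `yara -r -s webshells.yar /mnt/evidence/var/www` (file and mount paths assumed); `-s` prints the strings that matched, so you can see which source and sink fired in each hit. Expect false positives from legitimate admin tooling and frameworks that reference `$_POST` and `system(` in the same file, so diff hits against a clean copy of the application, and for anything that survives, pivot to the file's timestamps and to web server log requests for that path. If the server-side language in the scenario isn't PHP, swap the sources and sinks for that language's equivalents; the structure of the rule stays the same.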
These are just a few examples of what's available; perhaps the best way to really get the most from these scenarios is to work with a mentor. I can see that many enthusiasts will download the images, maybe start down the road a bit, but not really get anywhere meaningful due to roadblocks of some kind. Having someone you can bounce ideas off of ("how does this analysis plan look?"), seek guidance from, etc., would be a great way to move beyond where you are now and really expand your skill set.
Blogging
DFIRDudes (Hadar and Martin) have kicked off (here's the tweet announcing it) a new blog with an inaugural post on StartupInfo files. This is a great idea, because as Brett had mentioned previously, there's a lot of great info peppered onto Twitter that really needs a much more permanent home, one that's a bit roomier (and more persistent) than 280 characters. The first sentence of the first post really sets the tone, and gives the blog a good push away from the dock.
If you're on the fence about starting a blog, check out Phill's post, because his answer is a resounding "yes".
Retail Breaches
HelpNetSecurity had a fascinating article recently that discusses a surge in retail breaches. While this data is based on a survey, I still find it fascinating that in 2018, more organizations haven't pursued the instrumentation and visibility into their infrastructures that would provide for early detection and response. And yes, I do understand that the focus of the survey (and as a result, the data) is retailers, organizations that wouldn't necessarily have the budget for such things.
Perhaps the most telling part of the article is that, "Security spending is up but not aligning with risk."
RegRipper updates
I've received some great contributions to the repository over the past month or so; many, many thanks to those who've contributed plugins!
"..distinct difference between being not able to clearly delineate or share findings, and simply being unwilling to do so."
When someone is unwilling to communicate to a client/employer/court, then assumptions are created as to the 'why' no communication is happening, and none of the assumptions will be positive for the analyst.