Comments on Windows Incident Response: Tips for DFIR Analysts, pt IV

(Blogger comments feed, 3 comments, last updated 2024-03-19)


EDRBypass, 2021-11-10 01:00

Hi, great blog post and totally agree with the need for "context". A lot of EDRs out there create tons of alerts, creating a smoke screen rather than helping out the blue teamers. Context clubbed with multiple other factors like baseline and frequency will help to lessen the burden on the SOC teams and the burn rate.


H. Carvey, 2021-11-04 07:27

Andreas,

Thanks for the comment! I'm glad to see validation with respect to what's seen, as well as what's thought about what's seen...thanks!


Andreas (https://github.com/Karneades), 2021-11-04 05:05

Thanks for your post and sharing your thoughts, Harlan.

Context is king, so true, as always; better to have multiple artifacts (artifact constellation, as you said in previous posts) than just one source. It's like looking for a word in a text and taking only the word out of the text for analysis. It would be clear to everybody that this doesn't help. Context around that word is essential. Sometimes in detection engineering or forensic analysis we work only with extracted context-less information, like a process execution, but with no context at all. With the use of living-off-the-land techniques the situation gets more difficult. The first question is always: what's the context? What's the sentence around the word?

You write about it in the context of forensics and analysis, but that applies perfectly to detection engineering and monitoring, and also to threat hunting. Every detection will be more robust having more than one source, criticality can be increased by having multiple alerts at once for the same asset, and for threat hunting, the larger picture having context helps a lot.

Furthermore, understanding the context of an attack pattern gives a lot more indicators than only looking at a single source. Looking at various sources results in better intel, better detections and better monitoring.

The difficult part is having multiple sources and context in the first place and having ways to correlate them. Here automation helps to collect various sources.

"Not all things are what we think they are...this is why we need to validate what we think are "findings", but are really assumptions."

Totally agree.

"How often do we see these assumptions, when the real reason for a dearth of Windows Event Logs covering a specific time frame is simply the passage of time?"

So true! :) Or changes on the disk because of our security tools, or other default OS behavior, ...