The Targeted Forensics Series: Examination of Command Line RAR and 7-ZIP Prefetch Files (Part 2)

As an Advisory Consultant for RSA’s Advanced Cyber Defense practice, one of my objectives is to show our clients how to focus on incident investigation and not just resolution. This is a holistic solution made of many components, one of which I always recommend: performing live response/targeted forensics. This series is focused on establishing procedures…

The Targeted Forensics Series: Examination of Command Line RAR and 7-ZIP Prefetch Files (Part 1)

As an Advisory Consultant for RSA’s Advanced Cyber Defense practice, one of my objectives is to show our clients how to focus on incident investigation and not just resolution. This is a holistic approach made of many components, one of which I always recommend: performing live response/targeted forensics. This series is focused on establishing…

The Targeted Forensics Series: Confirming Remote Desktop Connections (Part 2)

As an Advisory Consultant for RSA’s Advanced Cyber Defense practice, one of my goals is to get our clients to focus on incident investigation and not just resolution. Of course this is easier said than done and of course there are many different ways to do so, but one component I always recommend is performing…

The Targeted Forensics Series: Confirming Execution of Net Use (Part 1)

As an Advisory Consultant for RSA’s Advanced Cyber Defense practice, one of my goals is to get our clients to focus on incident investigation and not just resolution. Of course this is easier said than done and of course there are many different ways to do so, but one component I always recommend is performing…

The Targeted Forensics Series: Confirming Remote Desktop Connections (Part 2 of 2)

As an ACD consultant at RSA, one of my goals is to get our clients to focus on incident investigation and not just resolution. Of course this is easier said than done, and of course there are many different ways to do so, but one component I always recommend is performing Live Response/Targeted forensics. This…

The Targeted Forensics Series: Confirming Remote Desktop Connections (Part 1 of 2)

As an ACD consultant at RSA, one of my goals is to get our clients to focus on incident investigation and not just resolution. Of course this is easier said than done, and of course there are many different ways to do so, but one component I always recommend is performing Live Response/Targeted forensics. This…

Targeted Forensics: Mapping a Process to a Malicious Command and Control

Introduction To The Targeted Forensic Series

Host and network forensics are very important parts of incident response and can provide a security operations team with additional insight and indicators into cyber attacks. However, forensics can be daunting at times, and the amount of time it takes to perform full analysis of a hard drive does…

Command and Control Encryption – Part 1

Gone are the days of clear-text malware command and control communication. It wasn’t that long ago that even complex banking Trojans, such as Citigal, didn’t encrypt their Command and Control (C2) communication. With organizations’ limited monitoring capabilities and over-reliance on firewalls, additional effort by attackers to encrypt communications added little value. However, most…

How to Make Your Sandbox Smarter

Sandboxes are a great tool with two primary uses: a tool to assist malware analysts during their analysis, and a first-line security tool for Tier 1/Level 1 (T1/L1) analysts to help determine if a file exhibits malicious behavior and to rate the severity of an incident. It is the latter use that I am…

To MSSP or not to MSSP?

By Justin Grosfelt, Principal Security Consultant, RSA Advanced Cyber Defense Services

It’s an increasingly common question these days, and not an easy one at that. That is, do you build your security operations capabilities in house, or do you go with a Managed Security Service Provider (MSSP)? There are certainly advantages to both, and bottom…