Cyberwarfare

The Targeted Forensics Series: Examination of Command Line RAR and 7-ZIP Prefetch Files (Part 2)

As an Advisory Consultant for RSA’s Advanced Cyber Defense practice, one of my objectives is to show our clients how to focus on incident investigation and not just resolution. This is a holistic solution made of many components; one I always recommend is performing live response/targeted forensics. This series is focused on establishing procedures…

The Targeted Forensics Series: Examination of Command Line RAR and 7-ZIP Prefetch Files (Part 1)

As an Advisory Consultant for RSA’s Advanced Cyber Defense practice, one of my objectives is to show our clients how to focus on incident investigation and not just resolution. This is a holistic approach made of many components; one I always recommend is performing live response/targeted forensics. This series is focused on establishing…

The Targeted Forensics Series: Confirming Remote Desktop Connections (Part 2)

As an Advisory Consultant for RSA’s Advanced Cyber Defense practice, one of my goals is to get our clients to focus on incident investigation and not just resolution. Of course this is easier said than done, and of course there are many different ways to do so, but one component I always recommend is performing…

The Targeted Forensics Series: Confirming Execution of Net Use (Part 1)

As an Advisory Consultant for RSA’s Advanced Cyber Defense practice, one of my goals is to get our clients to focus on incident investigation and not just resolution. Of course this is easier said than done, and of course there are many different ways to do so, but one component I always recommend is performing…

The Targeted Forensics Series: Confirming Remote Desktop Connections (Part 2 of 2)

As an ACD consultant at RSA, one of my goals is to get our clients to focus on incident investigation and not just resolution. Of course this is easier said than done, and of course there are many different ways to do so, but one component I always recommend is performing Live Response/Targeted Forensics. This…

The Targeted Forensics Series: Confirming Remote Desktop Connections (Part 1 of 2)

As an ACD consultant at RSA, one of my goals is to get our clients to focus on incident investigation and not just resolution. Of course this is easier said than done, and of course there are many different ways to do so, but one component I always recommend is performing Live Response/Targeted Forensics. This…

Applying Security Intelligence to Your Enterprise Threat Mitigation Program – Introduction

Intelligence is no longer solely relegated to the world of the clandestine. It is no longer the exclusive domain of roguish characters featured in heart-pounding novels, nor is it the sole dominion of the prototypical ‘geek’ pounding away on a keyboard at a secret government facility (or van) near you. No. Threat Intelligence is…

Keep Calm, Analyze On: The Role of the Analyst in Detecting and Monitoring for Advanced Attacks

I was quoted recently in a piece featured in Dark Reading that discussed the idea of monitoring environments to detect persistent adversaries. It was a solid article and I stand behind my contribution, especially my comments on the importance of the analyst (not the tools they have or are using, though those…

Understanding Indicators of Compromise (IOC) Part III

Introduction

In the second installment of this blog series we built off the first installment by discussing in greater detail many key principles and concepts for the comprehension of indicators of compromise (IOC) by security analysts. We continued our conversation related to how IOCs relate to observables and how observables relate to measurable events…

Stalking the Kill Chain: Tying it All Together

By Alex Cox, Sr. Researcher, RSA FirstWatch team

The Single Event Mentality

Historically, security technologies tend to be focused in a single place, or at most two places, on the kill chain, but lack the entire context behind an event that a complete analysis system imparts. When using the phrase “stalking the kill chain”, we…