New #cyphercon talk
Great opening.
We aren’t taught to investigate. We are taught to analyze. These are not the same.
Structure is needed.
If they ask how long, tell them what you plan to do. Shows you have a plan.
Don’t just move from unknown to known. You have to move further to provable.
Scientific method.
Observe.
Question.
Hypothesize.
Test.
Conclusion.
ADAPT
Approach
Disco
Association
Profile
Timeline
Cisco guy loves acronyms
Approach
Have a plan. Ruskies don’t take dumps without a plan (even if it’s dumb).
Identify win conditions. Win conditions are different for different teams.
Ask the right questions.
Plan your documentation structure.
Build templates.
Assign a scribe. (Like this. Because I already do it).
Doc method - cloud or local, txt or word doc, etc.
Know where to look. Prioritize evidence sources.
Logs
Sec tools
Threat Intel
Forensic analysis
Triage
Acquire evidence.
Have your plan, know your sources, now go get it.
I am so glad I’ve built these plans and procedures years ago.
Now to get the team to follow it.
DISCO
Start your hunt.
You need a baseline to know normal. Otherwise what is abnormal?
Do not chase squirrels.
How do you know when you found something?
The finding is objective. The context can have a hint of subjective. Context aids decision making.
ASSOCIATIONS
Timeline things. What event directly connects to what? Is there a time gap? Capture indicators - to fuel more hunts.
Normalize.
Consistent timestamps.
Consistent terminology.
Vendor agnostic.
PROFILE
Cough attribution Cough.
Does this line up with a known adversary? More to hunt. Patterns to seek.
Template
Indicator
Indicator type
Context
Description
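Added example (mine, not from the talk or the speaker's blog) tying the ASSOCIATIONS normalization points and the indicator template together: two vendor-flavoured log formats get parsed into one vendor-agnostic schema with UTC timestamps, sorted into a timeline, checked for time gaps, and any destination seen by more than one source becomes an Indicator / Indicator type / Context / Description record. The log lines, hostnames, IPs, the EDR's fixed UTC-4 offset and the syslog year are all constructed assumptions.

```python
"""Added example: normalize vendor logs, build a timeline, flag gaps, emit indicator records."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample input: one EDR-style line (local time, "blocked") and one
# syslog firewall line (no year, "deny"), plus a later EDR event for the gap check.
SAMPLE_LOGS = [
    "2024-03-01 14:02:11 EDR host=ws01 user=alice proc=powershell.exe dst=203.0.113.10 action=blocked",
    "Mar  1 18:02:09 fw01 deny src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2024-03-01 15:30:00 EDR host=ws01 user=alice proc=cmd.exe dst=198.51.100.7 action=allowed",
]

# Assumptions, not discovered facts: the EDR writes local time at UTC-4 and the
# firewall writes UTC without a year.
EDR_TZ = timezone(timedelta(hours=-4))
SYSLOG_YEAR = 2024

# Consistent terminology: every vendor's verb maps onto one vocabulary.
ACTION_MAP = {"blocked": "block", "deny": "block", "allowed": "allow", "permit": "allow"}


@dataclass
class Event:
    ts: datetime                      # always tz-aware UTC after normalization
    source: str                       # which tool saw it (provenance only)
    action: str                       # vendor-agnostic: allow / block / unknown
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None
    user: Optional[str] = None
    process: Optional[str] = None


@dataclass
class Indicator:
    """The four-field template from the talk notes."""
    indicator: str
    indicator_type: str
    context: str
    description: str


def _kv(text):
    return dict(p.split("=", 1) for p in text.split() if "=" in p)


def parse_edr(line):
    m = re.match(r"(\S+ \S+) EDR (.*)", line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=EDR_TZ)
    kv = _kv(m.group(2))
    return Event(ts=ts.astimezone(timezone.utc), source="edr",
                 action=ACTION_MAP.get(kv.get("action"), "unknown"),
                 dst_ip=kv.get("dst"), user=kv.get("user"), process=kv.get("proc"))


def parse_fw(line):
    m = re.match(r"(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) (\w+) (.*)", line)
    if not m:
        return None
    stamp = " ".join(m.group(1).split())          # collapse syslog's padded day
    ts = datetime.strptime(f"{SYSLOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    kv = _kv(m.group(4))
    return Event(ts=ts, source="fw", action=ACTION_MAP.get(m.group(3), "unknown"),
                 src_ip=kv.get("src"), dst_ip=kv.get("dst"))


PARSERS = [parse_edr, parse_fw]


def normalize(lines):
    """Parse every line with the first parser that accepts it; return events in UTC order."""
    events = []
    for line in lines:
        for parse in PARSERS:
            ev = parse(line)
            if ev:
                events.append(ev)
                break
    return sorted(events, key=lambda e: e.ts)


def timeline_gaps(events, threshold=timedelta(minutes=5)):
    """(earlier, later, delta) for each consecutive pair farther apart than threshold."""
    return [(a, b, b.ts - a.ts) for a, b in zip(events, events[1:]) if b.ts - a.ts > threshold]


def extract_indicators(events):
    """Destinations corroborated by more than one source become template records."""
    seen = {}
    for e in events:
        if e.dst_ip:
            seen.setdefault(e.dst_ip, []).append(e)
    out = []
    for ip, evs in seen.items():
        sources = sorted({e.source for e in evs})
        if len(sources) > 1:
            first, last = evs[0].ts.isoformat(), evs[-1].ts.isoformat()
            out.append(Indicator(
                indicator=ip, indicator_type="ipv4-addr",
                context=f"seen by {', '.join(sources)}; actions={sorted({e.action for e in evs})}",
                description=f"Destination observed between {first} and {last}; pivot for further hunting"))
    return out


if __name__ == "__main__":
    evs = normalize(SAMPLE_LOGS)
    for e in evs:
        print(e.ts.isoformat(), e.source, e.action, e.dst_ip)
    for a, b, d in timeline_gaps(evs):
        print(f"gap of {d} between {a.source} and {b.source}")
    for ind in extract_indicators(evs):
        print(ind)
```

The point of the fixed-offset and year assumptions is that they are written down next to the parser: if the EDR's clock turns out to be UTC, one constant changes and the whole timeline re-sorts, instead of the ordering being silently wrong across vendors.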
Here’s his blog