Eddie.1d ago

New #cyphercon talk

Great opening.
We aren’t taught to investigate. We are taught to analyze. These are not the same.

Structure is needed.

If they ask how long, tell them what you plan to do. Shows you have a plan.

Show threadEddie.1d ago
Forensics means it’s done. IR means ongoing.
Not sure I agree, this is more philosophical.
Show threadEddie.1d ago

Don’t just move from unknown to known. You have to move further to provable.

Scientific method.
Observe.
Question.
Hypothesize.
Test.
Conclusion.

Show threadEddie.1d ago
Best use of Mitre Att&ck - common taxonomy.
Consistent vocabulary.
Show threadEddie.1d ago

ADAPT

Approach
Disco
Association
Profile
Timeline

Cisco guy loves acronyms

Show threadEddie.1d ago

Approach

Have a plan. Ruskies don’t take dumps without a plan (even if it’s dumb).

Identify win conditions. Win co dictions are different for different teams.

Ask the right questions.

Plan your documentation structure.
Build templates.

Assign a scribe. (Like this. Because I already do it).

Doc method - cloud or local, txt or word doc, etc.

Show threadEddie.1d ago

Know where to look. Prioritize evidence sources.

Logs
Sec tools
Threat Intel
Forensic analysis
Triage

Show threadEddie.1d ago
Which source answers your question the fastest?
Show threadEddie.1d ago

Acquire evidence.

Have your plan, know your sources, now go get it.

Show threadEddie.1d ago

I am so glad I’ve built these plans and procedures years ago.

Now to get the team to follow it.

Show threadEddie.1d ago

DISCO

Start your hunt.

You need a baseline to know normal. Otherwise what is abnormal?

Do not chase squirrels.

Show threadEddie.1d ago
PEAK threat hunting framework? Never heard of it, worth a look.
Show threadEddie.1d ago
Document any finding even if we don’t know if it’s useful.
Show threadEddie.1d ago
Explain the relevance of the finding in the docs. It helps for others.
Show threadEddie.
Document the gaps. That will be relevant. Good context. Especially during review.
Apr 2 at 3:57pmWeb