Chris Sanders 🔎 🧠

1.9K Followers
375 Following
1,048 Posts

Security Analyst, Author, and Instructor, Ed.D.

Studying the intersection of security investigation doctrine, cognitive psychology, and education.

Founder of Applied Network Defense and Rural Tech Fund

Books:
🍯 Intrusion Detection Honeypots
🦈 Practical Packet Analysis
🌐 Applied Network Security Monitoring

Former: Mandiant, InGuardians, Dept of Defense, Roadside Fruit Vendor.

A question well stated is a problem half-solved. #InvestigationTheory

https://chrissanders.org/links/

Blog: https://chrissanders.org/
Training Courses: http://networkdefense.co/courses/
Twitter: https://twitter.com/chrissanders88
Books: https://chrissanders.org/publications
More Links: https://chrissanders.org/links/

If you find yourself struggling to understand an attacker's next move or what to look for, grab a piece of paper and literally draw the network graph and the event relationships. Making your thinking visual can change how you process the playing field and what's happening on it.

#SOC #DFIR

Most highly effective analysts don't just read logs; they mentally map out the network and visualize the attack as physical movement. They conceptualize functional boundaries and the attack surface available at any given foothold (even if they don't realize they're doing it).

Investigation Scenario 🔎

An employee's Android phone recently made multiple connections to an IP address associated with prior malicious activity.

The /data/system/packages.xml file shows a recently installed APK named com[.]secure.update, signed with an unknown cert.

What do you look for to investigate whether an incident occurred and assess its impact?

Bonus Points: Mention which evidence sources you'd leverage to answer your questions

#InvestigationPath #DFIR #SOC

I'll be speaking about our work @RuralTechFund. Looking forward to seeing folks there.

Abstraction simplifies complex data so we can process it quickly, but it also creates blind spots. We do this with domain names, timestamps, and all sorts of other fields. If your tool automatically drops certain fields or trims logs, you might be missing the full story.

Metacognitive exercise: Next time you look at a dashboard or log output, ask yourself: What is this representation abstracted from? What assumptions am I making by looking at this instead of the raw data?

#DFIR #SOC

Good playbooks are not just mindless checklists; they are built on inductive reasoning. We observe patterns in specific attacks and generalize them to predict the right investigative questions for future incidents.

Playbooks are meant to augment human analysts and teach investigation strategies, not replace our critical thinking. The development of the playbooks is nearly as useful a process as using them.

#SOC #DFIR #InvestigationTheory

Investigation Scenario 🔎

A host on your network downloaded a file with this SHA256 hash: 9297af5f66486d11540f15b44d4b6beec6ff89dbc4dcdee898db9a7daaa76085

What do you look for to investigate whether the malware infected the host? You can only make two queries -- make them count.

#InvestigationPath #DFIR #SOC

🚀 OhMyPCAP 3.0 is here!

The ultimate FOSS web app for PCAP analysis just leveled up big time.

New in v3.0:
• Suricata automatically extracts files from traffic
• Runs YARA on every extracted file - new FILE ALERTS tab
• Drag & drop any file for instant YARA scanning

Runs in a single Docker/Podman container - perfect for quick testing or air-gapped environments.

All your favorite features are still there: rich alerts, Sankey diagrams, transcripts, stream carving, and more!

Perfect for malware analysis, incident response, threat hunting and teaching network forensics.

Who’s spinning this up? Drop a ❤️ and reply with your main use case (malware? CTFs? real incidents?)

cc @chrissanders88 @lennyzeltser @hal_pomeranz

Many of the same people who don't understand how analysts think are trying to tell AI how to do it and sell you the results. You shouldn't trust any of them.

I’m not anti-AI. It makes me a better analyst. I’m anti pretending that complex investigative reasoning can be reduced to prompts and dashboards by people who never understood the reasoning process to begin with. It's gonna continue to be a wild ride for a bit.

Investigation Scenario 🔎

You've discovered a user workstation with the Chrome Remote Desktop plugin installed. There's no business reason for the user to have this plugin, and they don't recall installing it.

What do you look for to investigate whether an incident occurred and the extent of its impact?

#InvestigationPath #DFIR #SOC