Chris Sanders πŸ”Ž 🧠

@[email protected]
1.9K Followers
375 Following
1,022 Posts

Security Analyst, Author, and Instructor, Ed.D.

Studying the intersection of security investigation doctrine, cognitive psychology, and education.

Founder of Applied Network Defense and Rural Tech Fund

Books:
🍯 Intrusion Detection Honeypots
🦈 Practical Packet Analysis
🌐 Applied Network Security Monitoring

Former: Mandiant, InGuardians, Dept of Defense, Roadside Fruit Vendor.

A question well stated is a problem half-solved. #InvestigationTheory

https://chrissanders.org/links/

Bloghttps://chrissanders.org/
Training Courseshttp://networkdefense.co/courses/
Twitterhttps://twitter.com/chrissanders88
Bookshttps://chrissanders.org/publications
More Linkshttps://chrissanders.org/links/
Chris Sanders πŸ”Ž 🧠5d ago

Investigation Scenario πŸ”Ž

You've discovered a host with multiple instances of Chrome running the --hidden option.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Chris Sanders πŸ”Ž 🧠Mar 17

Investigation Scenario πŸ”Ž

Browser history for an HR user shows repeated visits to chat.openai[.]com, followed by creation of C:\Users\chris\AppData\Local\Temp\cleanup[.]ps1. The file is not available, and the hash shows no matches in OSINT resources.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Show threadChris Sanders πŸ”Ž 🧠Mar 10
I post these scenarios every Tuesday! We're up to 135 of them so far! If you enjoy them, you'll probably like my Investigation Theory class where I work with folks directly on improving their investigative skills leverage principles from cognitive science: https://www.networkdefense.co/courses/
Courses β€” Applied Network Defense

Applied Network Defense
Chris Sanders πŸ”Ž 🧠Mar 10

Investigation Scenario πŸ”Ž

A host on your network executed the command β€œnetsh wlan show profile” for the first time.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Chris Sanders πŸ”Ž 🧠Mar 3

Investigation Scenario πŸ”Ž

Your SIEM flags an OAuth consent grant to β€œAdobe Secure Share” from a user's M365 account at 07:13 AM. The audit log shows consent to files.readwrite.all.

What do you look for to investigate whether an incident occurred?

#InvestigationPath #DFIR #SOC

Chris Sanders πŸ”Ž 🧠Feb 25
A whole unit of political science, sociology, economics, and behavioral science could be taught on this one.
Show threadChris Sanders πŸ”Ž 🧠Feb 25
Source: https://www.apa.org/pubs/journals/releases/psp-pspa0000456.pdf
Show threadChris Sanders πŸ”Ž 🧠Feb 25
...From a study that found that people with a more competitive worldview tend to see antagonistic behavior by leaders as a sign of competence and effectiveness, and are generally more tolerant of such behavior.
Show threadChris Sanders πŸ”Ž 🧠Feb 24
We fulfill them as we can. The more folks buy, the more we're able to give away. We also have a "Buy 1 + Give 1" option available on the website: http://milosmeteorite.com
Milo and the Midnight Meteorite

Are you ready to embark on a cosmic adventure? Milo and the Midnight Meteorite is a captivating children’s book that sparks curiosity about meteorites and the magnificent universe we inhabit!

Midnight Meteorites
Chris Sanders πŸ”Ž 🧠Feb 24
Big batch of FREE Milo and the Midnight Meteorite copies headed out to public schools today. Today's copies headed to schools in CA, NM, OR, MI, AL, AZ, TN, OH, KY, WI, IL, MS, and PA!