@carrier4n6.bsky.social
#DFIR Automation Series
I use 4 levels of automation ranging from none to fully automated.
I think an ideal solution is to use full automation for low risk decisions. And recommendations for higher risk.
We use recommendations in Cyber Triage by scoring each artifact. You ultimately decide.
New Forensic Resource
What to do after you find TeamViewer:
β Log files to find activity details
β Executables to find installation times
β Domains to find download source
Learn how to corroborate timelines to investigate suspicious TeamViewer.
www.cybertriage.com/blog/dfir-ne...
I'm super excited for this webinar. Sid is a super smart AI / LLM guy and it will be a good session to learn how to use AI in #DFIR and what's hype.
We'll also show Cyber Triage hooked up to an LLM so that you can query artifacts.
Automation is when the tool does the next step for you.
That doesn't mean it does the final step and concludes the investigation. Just a bunch of the needed steps in between. Automation still requires an investigator who asks the right questions and can understand context.
Digital forensics has always relied on automation and "push buttons". What's changed is how many things we automate and the technologies used.
No one ever chose to manually parse FAT12 floppy drives with a hex editor when they could have a tool list out the file names.
Adding automation to your #DFIR investigations means you have less decisions to make. Get rid of the tedious work! Focus on the fun stuff!
Here are my three thoughts on the most effective ways to add automation and which tools do them.
What are yours?
www.cybertriage.com/blog/3-ways-...
This week's Defender Fridays features @carrier4n6.bsky.social, CEO of Sleuth Kit Labs, discussing EDR, DFIR and Endpoint Triage.
Perfect for security professionals at any level looking to enhance their endpoint investigation skills.
Register here: limacharlie.io/defender-fri...
#cybersecurity
Webinar Tomorrow - Automation and AI in DFIR and the SOC.
Myself, Sentinel1, and CompassMSP will talk about pros/cons of automating DFIR and SOC tasks.
Come tell us we're wrong!
May 8. 11AM Eastern.
register.gotowebinar.com/register/672...
New Cyber Triage release with:
* New UIs to give you an overview of the endpoint
* Hyabusa integration
* Baseline
* Public key encryption on collector
* LOTS more....
Blog and Download Link: www.cybertriage.com/blog/3-14-re...
EDR Evasion 101 - Blocking
Data needs to get to the EDR server to be analyzed for attacks. Blocking techniques prevent data from getting to the server.
Example: Network filter to block packets destined to the server.
www.cybertriage.com/edr_evasion
EDR Evasion 101
Types of Evasion Tactics
1) Blinding - prevent agent from seeing
2) Blocking - prevent data from analysis
3) Hiding - prevent detections
www.cybertriage.com/blog/how-edr...
Webinar Tomorrow @ 11AM
Endpoint Triage from 4 experts (I get to moderate)
- Harlan Carvey (Huntress)
- Kai Thomsen (Dragos)
- Quinnlan Varcoe (Blueberry Security)
- Mike Wilkinson (Sleuth Kit Labs)
Each presents their top 3!
Hope to see you there: register.gotowebinar.com/register/600...
Learn from 4 IR experts on how they do Endpoint Triage.
Apr 17.
I'll MC and you'll hear from @keydet89.bsky.social (Huntress), Kai Thomsen (Dragos), @dfirmike.bsky.social (Sleuth Kit Labs) and Quinnlan Varcoe (Blueberry Security).
See you there!
register.gotowebinar.com/register/600...
EDRs miss activity! π²π±.
You should not miss webinar tmrw! π
Markus and I will talk about why EDR alerts could be days after an attack started.
We'll talk about how to do endpoint triage to see what else happened beyond the alert!
Mar 27 @ 11 Eastern
register.gotowebinar.com/register/916...
For those in the #SOC: Alert Triage vs Endpoint Triage
Blog post that is part of our Endpoint Triage series.
Alert triage focuses on validating and prioritizing the EDR/SIEM alert.
Endpoint triage focuses on prioritizing the host. How bad is it?
www.cybertriage.com/blog/alert-t...
New Autopsy release is out! π
It's been a minute, but it's out. Notable features are BitLocker support and it can run side-by-side with Cyber Triage. Plus, a bunch of library updates.
Now Cyber Triage and Autopsy can be used on the same case at the same time!
www.autopsy.com/autopsy-4-22...
I'm doing a webinar TMRW on investigation tools for endpoint triage. Basic idea is how to get quick and accurate results after an alert. EDR data plays a role in that, but it's not enough.
Endpoint Triage should be in any security team's process.
attendee.gotowebinar.com/register/281...
I put things like hash lookups to known malware, Yara, Sigma, other types of rules, AI, etc. that assess an items relevance as being automated analysis.
Do you consider that analysis?
I now can't get the image of decorated Prefetch artifacts out of my head. Some goth. Some punk. Some preppy.
3 places to automate #DFIR Endpoint Triage. Which do you do?
11.02.2025 16:00 β π 1 π 1 π¬ 1 π 0
The 3 themes we focus on for #DFIR endpoint triage. What are yours?
04.02.2025 21:47 β π 2 π 1 π¬ 0 π 0
03.02.2025 18:48 β π 2 π 1 π¬ 1 π 0
31.01.2025 14:23 β π 4 π 2 π¬ 0 π 0
Endpoint triage allows you to prioritize your response after an EDR alert.
Webinar: Tomorrow at 11 - Vendor Agnostic
register.gotowebinar.com/register/142...
Endpoint Triage: What you do after you validate the EDR alert to understand the impact.
#DFIR Webinar Thu @ 11.
register.gotowebinar.com/register/142...
Thanks! We were using categories too for a while, but I never knew what to call the things inside the categories. They werenβt artifacts in the traditional sense because we had merged Prefetch etc together. And people were frequently asking us where to find just prefetch.
27.01.2025 20:21 β π 0 π 0 π¬ 0 π 0
πNew report out today!π
Cobalt Strike and a Pair of SOCKS Lead to LockBit Ransomware
Analysis & reporting completed by @r3nzsec, @MyDFIR & @MittenSec.
Audio: Available on Spotify, Apple, YouTube and more!
thedfirreport.com/2025/01/27/c...
What term do you use? I've heard a few others at this point.
These can from:
- Data: Raw data that has little meaning on its own
- Information: Processed data that has meaning
Prefetch has meaning only after you realize it means the process ran.
We're using the term "Information Artifacts" for high-level #DFIR concepts like "Processes" and "Inbound Logins". I think they are easier to train than low-level Prefetch, UserAssist etc. (i.e. Data Artifacts). Those map to an Info Artifact (Prefetch -> Process).
www.cybertriage.com/blog/informa...
Building some #DFIR #AI agents to use TSK tools! @carrier4n6.bsky.social
13.01.2025 06:15 β π 6 π 1 π¬ 1 π 0
Cyber Triage 3.13 is the holiday gift youβve been waiting for:
Integrations that make you faster.
β MemProcFS integration
β Expanded S3 integration
β Detailed sandbox report
Complete 3.13 release notes: www.cybertriage.com/blog/release...
