WEBVTT 1 00:00:00.000 --> 00:00:02.560 Okay, let's unpack this. You ever feel like you're just 2 00:00:02.600 --> 00:00:07.719 waiting through endless cybersecurity warnings, Oh yeah, data breaches here, 3 00:00:08.279 --> 00:00:11.000 some new kind of attack there, and you're left wondering 4 00:00:11.000 --> 00:00:11.880 what it all really means. 5 00:00:11.960 --> 00:00:13.800 Right, totally, it's overwhelming. 6 00:00:13.839 --> 00:00:15.599 Maybe you're trying to wrap your head around for work, 7 00:00:15.679 --> 00:00:18.000 or maybe you just want to feel a little less 8 00:00:18.000 --> 00:00:21.239 in the dark about the digital world we live in. Huh, well, 9 00:00:21.879 --> 00:00:24.120 that's exactly what we're diving into today. 10 00:00:24.280 --> 00:00:29.679 Precisely. Think of this as your shortcut to understanding the 11 00:00:29.719 --> 00:00:33.560 core of how we tackle cyber incidents without getting lost 12 00:00:33.600 --> 00:00:35.240 in all the technical weeds. 13 00:00:34.840 --> 00:00:38.200 And today that core understanding comes from the world of 14 00:00:38.280 --> 00:00:40.479 digital forensics and incident. 15 00:00:40.119 --> 00:00:42.439 Response, right DFR. 16 00:00:42.799 --> 00:00:45.399 Now, your first thought might be that sounds like something 17 00:00:45.399 --> 00:00:47.840 for the tech giants, not me, but think of it 18 00:00:47.880 --> 00:00:53.920 this way. Understanding these principles is like understanding basic first date. 19 00:00:54.359 --> 00:00:55.439 That's great analogy. 20 00:00:55.520 --> 00:00:57.759 It might not be a doctor, but knowing what to 21 00:00:57.759 --> 00:01:00.960 do in an emergency can be crucial for anyone navigating 22 00:01:01.000 --> 00:01:01.920 our digital lives. 23 00:01:02.200 --> 00:01:04.719 That's a key point. I mean, while a major corporation 24 00:01:04.799 --> 00:01:08.000 faces threats on a different scale than say, an individual, 25 00:01:08.359 --> 00:01:12.480 the fundamental approach understanding what happened and how to respond. 26 00:01:13.400 --> 00:01:14.439 It has common. 27 00:01:14.159 --> 00:01:19.120 Threads, absolutely, and to help us navigate this fascinating but yeah, 28 00:01:19.159 --> 00:01:22.920 sometimes complex area, we've got a real treasure trove of information, 29 00:01:23.159 --> 00:01:27.120 most notably the book Digital Forensics and Incident Response, third. 30 00:01:27.040 --> 00:01:28.680 Edition, Solid resource. 31 00:01:28.799 --> 00:01:32.640 This isn't some surface level guide. It's a deep dive itself, 32 00:01:32.719 --> 00:01:37.640 covering everything from the nitty gritty of computer memory analysis 33 00:01:37.680 --> 00:01:39.680 to the strategic use of threat intelligence. 34 00:01:39.680 --> 00:01:42.560 It's definitely comprehensive. Our goal here is to pull out 35 00:01:42.560 --> 00:01:46.079 the most vital and frankly thought provoking aspects, giving you 36 00:01:46.120 --> 00:01:49.959 a clear pathway to being well informed without feeling overloaded 37 00:01:49.959 --> 00:01:51.040 by technical details. 38 00:01:51.159 --> 00:01:54.840 Yeah, aiming for that practical aha moment where things really 39 00:01:54.840 --> 00:01:57.840 click exactly. So, when something does go wrong in the 40 00:01:57.840 --> 00:02:00.959 digital realm, where do the experts even begin to sort 41 00:02:00.959 --> 00:02:01.280 it out? 42 00:02:01.519 --> 00:02:06.519 Okay, let's start with the thirty thousand foot view. Digital 43 00:02:06.560 --> 00:02:10.879 Forensics and Incident Response often shortened to DFIR. That's the 44 00:02:10.919 --> 00:02:14.919 overarching process organizations used to manage and resolve cybertax. 45 00:02:15.080 --> 00:02:17.039 DFIR the whole life cycle. 46 00:02:17.159 --> 00:02:19.280 Yeah, the entire life cycle of dealing with a digital 47 00:02:19.319 --> 00:02:20.080 security event. 48 00:02:20.120 --> 00:02:23.759 Okay, DFIR, the whole playbook for digital emergencies. What's like 49 00:02:23.879 --> 00:02:25.719 one of the first pages in that playbook. 50 00:02:25.800 --> 00:02:29.639 Well, a foundational element is the incident response or IR plan. 51 00:02:29.800 --> 00:02:33.159 The IR plan this is basically a documented roadmap. It 52 00:02:33.240 --> 00:02:37.319 outlines how an organization will prepare for, detect, contain, and 53 00:02:37.400 --> 00:02:42.120 recover from security incidents. A robust IR plan has several 54 00:02:42.639 --> 00:02:43.319 essential parts. 55 00:02:43.360 --> 00:02:45.599 Okay, lay them on us. What should a good IR 56 00:02:45.639 --> 00:02:46.439 plan include? 57 00:02:46.560 --> 00:02:50.800 Right? First and foremost preparation through training the team responsible 58 00:02:50.800 --> 00:02:55.000 for handling incidents, the Computer Security Incident Response Team or CSRT. 59 00:02:55.439 --> 00:02:56.400 They need to practice. 60 00:02:56.439 --> 00:02:58.479 Practice makes perfect, even in cyber. 61 00:02:58.280 --> 00:03:00.840 Absolutely, think of it like a sports team running drills. 62 00:03:01.000 --> 00:03:03.759 The book really highlights the value of tabletop exercises. 63 00:03:03.800 --> 00:03:06.280 Tabletop exercise like playing a game sort of. 64 00:03:06.560 --> 00:03:10.599 There's simulated incident scenarios that the entire CSART should walk 65 00:03:10.639 --> 00:03:16.800 through regularly, ideally annually. These exercises often reveal unexpected communication 66 00:03:16.919 --> 00:03:19.159 breakdowns or maybe unclear roles. 67 00:03:19.520 --> 00:03:21.800 Ah, so it's not just technical stuff, it's the human 68 00:03:21.879 --> 00:03:22.479 element too. 69 00:03:22.599 --> 00:03:26.960 Oh, definitely surprisingly effective. Communication under pressure is often a 70 00:03:27.000 --> 00:03:32.120 major stumbling block. Then there's maintenance. The digital landscape is 71 00:03:32.159 --> 00:03:37.680 constantly shifting, new technologies, evolving threats, personnel changes, you name it. 72 00:03:37.879 --> 00:03:38.919 The IR plan. 73 00:03:38.840 --> 00:03:40.400 Needs to keep up, so it can't just sit on 74 00:03:40.439 --> 00:03:41.000 a shelf. 75 00:03:41.439 --> 00:03:44.319 No way. The book recommends at least an annual review 76 00:03:44.319 --> 00:03:47.520 to ensure the plan remains relevant and effective, and lessons 77 00:03:47.599 --> 00:03:50.960 learned from exercises or you know, real incidents should be 78 00:03:51.000 --> 00:03:53.000 incorporated to make it a stronger document. 79 00:03:53.120 --> 00:03:56.439 Right, constantly updating based on experience makes sense exactly. 80 00:03:56.800 --> 00:03:59.520 And then we have playbooks. These are like specific step 81 00:03:59.520 --> 00:04:02.599 by step guides for handling common types of incidents. Think 82 00:04:02.639 --> 00:04:05.479 of it like having a checklist for different medical emergencies. 83 00:04:05.560 --> 00:04:06.120 Okay. Yeah. 84 00:04:06.120 --> 00:04:09.879 The book mentions playbooks for things like phishing attacks, malware infections, 85 00:04:10.000 --> 00:04:14.479 ransomware a big one, vulnerabilities and public systems and business 86 00:04:14.479 --> 00:04:16.759 email compromise or be EC. 87 00:04:17.120 --> 00:04:18.759 Ransomware gets its own playbook. 88 00:04:18.959 --> 00:04:22.199 It emphasizes the critical nature of ransomware and suggests a 89 00:04:22.240 --> 00:04:25.279 dedicated playbook for it. Yeah, just because of its potentially 90 00:04:25.319 --> 00:04:26.279 devastating impact. 91 00:04:26.360 --> 00:04:30.759 Okay. Playbooks the practical how to guides for when specific 92 00:04:30.839 --> 00:04:31.920 digital alarms go. 93 00:04:31.959 --> 00:04:36.000 Off precisely and within the IR plan. Clear escalation procedures 94 00:04:36.040 --> 00:04:37.000 are vital. 95 00:04:36.920 --> 00:04:39.120 Escalation, Who calls who? Basically? 96 00:04:39.199 --> 00:04:42.560 Yeah, pretty much? These define who needs to be notified 97 00:04:42.639 --> 00:04:46.439 and involved as an incident unfold from initial detection all 98 00:04:46.439 --> 00:04:49.639 the way to full blown crisis management. This helps prevent 99 00:04:49.720 --> 00:04:52.560 what the book calls see a shirt burnout burnout. 100 00:04:52.800 --> 00:04:53.720 Yeah, I can see that. 101 00:04:53.680 --> 00:04:57.199 Being a risk definitely. It ensures that the specialized skills 102 00:04:57.199 --> 00:05:01.160 of the team are deployed appropriately and important only when 103 00:05:01.240 --> 00:05:03.639 truly needed. It's like a tiered alert system. 104 00:05:03.800 --> 00:05:06.879 So when the ceesart does get engaged, what's the initial approach? 105 00:05:06.920 --> 00:05:07.839 How do they jump in? 106 00:05:08.000 --> 00:05:10.480 The book makes it pretty compelling comparison here, think of 107 00:05:10.560 --> 00:05:14.439 engaging a se sert like calling the fire department. You 108 00:05:14.519 --> 00:05:18.800 contact them, provide essential details, what's happening where, what's the 109 00:05:18.839 --> 00:05:24.399 potential impact? That info allows them to dispatch the right resources. Similarly, 110 00:05:24.839 --> 00:05:28.680 engaging a se sert follows a defined escalation path, making 111 00:05:28.680 --> 00:05:31.040 sure the right expertise is brought to bear. 112 00:05:31.160 --> 00:05:34.120 Like flagging a suspicious email that then gets escalated to 113 00:05:34.160 --> 00:05:36.480 a specialist for like a deeper. 114 00:05:36.199 --> 00:05:39.439 Look exactly, and once the seizert is on the scene, 115 00:05:39.560 --> 00:05:42.839 a primary objective in those early stages is to understand 116 00:05:42.920 --> 00:05:44.079 the scope of the incident. 117 00:05:44.279 --> 00:05:46.279 How bad is it, how far is it spread? 118 00:05:46.439 --> 00:05:48.920 Right Initially it might not be clear how far the 119 00:05:48.959 --> 00:05:52.519 compromise is spread. The CS conducts a systematic investigation to 120 00:05:52.600 --> 00:05:56.800 determine which systems data processes have been affected. They're essentially 121 00:05:56.800 --> 00:05:58.839 trying to map the boundaries of the digital fire. 122 00:05:59.040 --> 00:06:01.560 So they're like digital fire responders trying to contain the 123 00:06:01.639 --> 00:06:03.600 damage and figure out how big the problem. 124 00:06:03.279 --> 00:06:06.839 Actually is precisely, and for organizations with a more mature 125 00:06:06.879 --> 00:06:11.160 security posture, often those with a dedicated security operations center 126 00:06:11.360 --> 00:06:14.839 or SoC, or maybe a fusion center, there are technologies 127 00:06:14.879 --> 00:06:19.279 like Security Orchestration, Automation and Response or SR. 128 00:06:19.399 --> 00:06:22.040 SIR sounds like it takes a lot of the manual 129 00:06:22.079 --> 00:06:23.600 work out of incident response. 130 00:06:23.639 --> 00:06:27.759 That's the goal. Yeah. Gartner defines SOR as technologies that 131 00:06:27.800 --> 00:06:32.519 integrate incident response platforms, orchestration and automation of security tasks, 132 00:06:33.000 --> 00:06:36.639 and threat intelligence management into one unified. 133 00:06:36.160 --> 00:06:38.600 System, integrating everything right. 134 00:06:39.000 --> 00:06:43.879 It helps organizations streamline their response processes, manage incidents more efficiently, 135 00:06:44.000 --> 00:06:48.199 and even leverage automation to handle routine tasks that frees 136 00:06:48.279 --> 00:06:51.240 up human analysts for the more complex issues. 137 00:06:51.279 --> 00:06:53.639 And you can't just automate everything right point. 138 00:06:54.439 --> 00:06:57.600 A common pitfall is automating too much too soon. That 139 00:06:57.639 --> 00:07:01.160 can lead to inflexible playbooks that don't handle novel attacks effectively. 140 00:07:01.519 --> 00:07:02.959 So it's about smart automation. 141 00:07:03.160 --> 00:07:05.360 Smart automation, not yeah yeah exactly. 142 00:07:06.120 --> 00:07:09.160 So our platform typically includes an incident response platform for 143 00:07:09.199 --> 00:07:13.399 managing workflows and tracking investigations, a security orchestration and automation 144 00:07:13.519 --> 00:07:17.800 engine for automating tasks like isolating infected computers, and a 145 00:07:17.879 --> 00:07:21.480 threat intelligence platform for gathering and enriching information about threats. 146 00:07:21.839 --> 00:07:24.759 Automation insecurity. That makes a lot of sense for dealing 147 00:07:24.839 --> 00:07:27.959 with the sheer volume of alerts these days. Now, Okay, 148 00:07:28.279 --> 00:07:31.319 once you know you have an incident, a critical next 149 00:07:31.319 --> 00:07:33.759 step must be containing it, stopping the bleeding. 150 00:07:33.879 --> 00:07:37.199 Absolutely. Containment is about limiting the spread and impact of 151 00:07:37.199 --> 00:07:40.720 the attack. Think of it as building a firewall metaphorically speaking, 152 00:07:41.000 --> 00:07:42.639 around the affected areas you. 153 00:07:42.600 --> 00:07:45.040 Want to stop the digital infection from spreading further. 154 00:07:45.279 --> 00:07:50.120 The book discusses both physical and logical containment. Physical containment 155 00:07:50.199 --> 00:07:55.160 might involve actually physically disconnecting an infected machine from the network, 156 00:07:55.399 --> 00:07:58.839 unplugging the network cable or turning off Wi Fi one 157 00:07:58.879 --> 00:08:03.279 that plug. Yeah, but in large organizations, quickly locating and 158 00:08:03.399 --> 00:08:07.480 isolating multiple affected systems can be a huge logistical challenge. 159 00:08:07.519 --> 00:08:10.360 Oh yeah, imagine trying to find one compromised laptop in 160 00:08:10.399 --> 00:08:11.519 a massive office. 161 00:08:11.199 --> 00:08:15.319 Building precisely so, then you have logical containment. This involves 162 00:08:15.439 --> 00:08:20.480 using software configurations to isolate systems or network segments, for example, 163 00:08:20.680 --> 00:08:24.519 implementing new firewall rules or using network segmentation. 164 00:08:24.199 --> 00:08:25.360 Using software barriers. 165 00:08:25.680 --> 00:08:29.160 Right. This is often more scalable, but it does require 166 00:08:29.279 --> 00:08:32.399 a well designed network architecture in the first place. 167 00:08:32.360 --> 00:08:35.440 So it's often a combination of physically cutting off connections 168 00:08:35.960 --> 00:08:39.320 and using software to create those digital barriers. 169 00:08:39.320 --> 00:08:42.600 Correct and after the immediate crisis has been addressed, there's 170 00:08:42.639 --> 00:08:45.240 a vital step for learning and improvement called the after 171 00:08:45.320 --> 00:08:47.000 action review or AAR. 172 00:08:47.279 --> 00:08:49.399 The AAR, what's that involved? 173 00:08:49.480 --> 00:08:52.440 It's a structured process of looking back at the incident, 174 00:08:52.559 --> 00:08:56.000 what went well, what could have been handled better, and crucially, 175 00:08:56.039 --> 00:08:58.679 what changes need to be made to ce sart policies 176 00:08:58.679 --> 00:09:01.679 and procedures. The goal is continuous. 177 00:09:01.000 --> 00:09:03.639 Improvement, turning every incident into a learning. 178 00:09:03.399 --> 00:09:07.080 Opportunity, exactly making your security stronger over time, like a 179 00:09:07.120 --> 00:09:07.919 feedback loop. 180 00:09:08.039 --> 00:09:11.519 Got it? Okay? Now shifting focus slightly to the digital 181 00:09:11.559 --> 00:09:14.679 forensic side of dfire. You mentioned a principle. 182 00:09:15.039 --> 00:09:18.879 Ah, yes, there's a fundamental principle that underpins a lot 183 00:09:18.919 --> 00:09:21.240 of the work. Low cards exchange principle. 184 00:09:21.320 --> 00:09:23.919 Low cards exchange principle. Okay, sounds like something from a 185 00:09:23.919 --> 00:09:25.039 detective novel, It. 186 00:09:25.039 --> 00:09:27.600 Kind of is. It's a cornerstone of forensic science, stating 187 00:09:27.639 --> 00:09:29.519 that every contact leaves a trace. 188 00:09:29.759 --> 00:09:31.360 Every contact leaves a trace. 189 00:09:31.360 --> 00:09:34.559 In the digital world. This means that attackers, even if 190 00:09:34.559 --> 00:09:37.279 they try to be stealthy and cover their tracks, will 191 00:09:37.440 --> 00:09:42.679 inevitably leave digital footprints. The challenge and the skill of 192 00:09:42.720 --> 00:09:46.440 digital forensics lies in having the right tools and expertise 193 00:09:46.519 --> 00:09:49.120 to uncover these traces and connect them back to the 194 00:09:49.159 --> 00:09:50.200 malicious activity. 195 00:09:50.480 --> 00:09:53.360 So even deleting files or wiping a hard drive doesn't 196 00:09:53.399 --> 00:09:57.440 necessarily mean all evidence is gone for good not always no. 197 00:09:57.879 --> 00:10:01.320 Skilled forensic analysts can often rec covered deleted data or 198 00:10:01.399 --> 00:10:04.960 find remnants of malicious activity that might not be immediately obvious. 199 00:10:05.320 --> 00:10:07.759 It takes work, but it's often possible. 200 00:10:08.000 --> 00:10:10.600 Interesting and speaking of things that might not be obvious, 201 00:10:10.639 --> 00:10:14.080 you mentioned incident response has legal implications. 202 00:10:13.600 --> 00:10:15.440 Oh, absolutely significant one. 203 00:10:15.320 --> 00:10:17.519 John, Just dealing with the technical side, definitely. 204 00:10:17.720 --> 00:10:22.320 These can range from mandatory breach notification requirements, which depend 205 00:10:22.440 --> 00:10:25.279 heavily on the type and volume of data compromised and 206 00:10:25.399 --> 00:10:26.480 the jurisdiction right. 207 00:10:26.519 --> 00:10:28.200 Those laws seem to change all the time. 208 00:10:28.279 --> 00:10:31.519 They do, and then there are various privacy regulations, plus 209 00:10:31.600 --> 00:10:34.600 the rules of evidence if legal action is pursued. The 210 00:10:34.639 --> 00:10:38.039 book even mentions the Economic Espionage Act of nineteen ninety six, 211 00:10:38.240 --> 00:10:40.759 which criminalizes the theft of trade secrets. 212 00:10:41.279 --> 00:10:44.120 So how you handle a cyber incident and the evidence 213 00:10:44.159 --> 00:10:47.799 you collect can have really serious legal consequences down the line. 214 00:10:47.799 --> 00:10:51.879 Precisely, evidence collection and preservation must adhere to establish legal 215 00:10:51.919 --> 00:10:55.080 standards to be admissible in court. This involves maintaining a 216 00:10:55.159 --> 00:10:56.799 queer chain of custody. 217 00:10:56.480 --> 00:10:59.399 Chain of custody, proving who had the evidence. 218 00:10:59.039 --> 00:11:02.679 When exactly, ensuring the integrity of the data through techniques 219 00:11:02.720 --> 00:11:06.559 like hashing, and using forensically sound methods for acquisition. You 220 00:11:06.600 --> 00:11:07.960 can't just copy paste files. 221 00:11:08.000 --> 00:11:10.200 This is clearly a lot more involved than just, you know, 222 00:11:10.360 --> 00:11:12.440 running an anti virus scan and calling it a day. 223 00:11:12.679 --> 00:11:15.840 It certainly is. And just for a bit of historical context, 224 00:11:16.080 --> 00:11:19.120 the field of digital forensics really began to take shape 225 00:11:19.120 --> 00:11:21.879 within law enforcement back in the mid nineteen eighties as 226 00:11:21.879 --> 00:11:25.960 computers became more integral to criminal activity. The eighties, Wow, yeah, 227 00:11:26.120 --> 00:11:29.559 agencies like the FBI established specialized units such as the 228 00:11:29.559 --> 00:11:32.080 Computer Analysis and Response Team or. 229 00:11:32.080 --> 00:11:35.840 CART the FBI CART, so they were early pioneers in 230 00:11:35.879 --> 00:11:36.399 this field. 231 00:11:36.440 --> 00:11:40.279 Indeed, and the book highlights a really pivotal early case, 232 00:11:40.679 --> 00:11:44.200 the intrusion into the Lawrence Berkeley National Laboratory by a 233 00:11:44.240 --> 00:11:47.679 hacker named Marcus Hess. Okay, this activity might have gone 234 00:11:47.799 --> 00:11:50.440 unnoticed were it not for the work of Clifford's Stole. 235 00:11:51.480 --> 00:11:55.360 He devised this clever method to track the intruder his efforts, 236 00:11:55.360 --> 00:11:57.559 which he read about in his book The Cuckoo's Egg. 237 00:11:57.720 --> 00:11:59.399 The Cuckoo's Egg, I've heard of it, Yeah. 238 00:11:59.279 --> 00:12:02.159 It's a classic. It not only led to the hacker's 239 00:12:02.240 --> 00:12:06.559 prosecution for espionage, but also really underscored the critical importance 240 00:12:06.600 --> 00:12:10.559 of digital forensics expertise in our connected world even back then. 241 00:12:10.679 --> 00:12:13.320 That sounds like a fascinating story and still relevant today. 242 00:12:13.639 --> 00:12:15.840 It's amazing to see how much the feel has evolved 243 00:12:15.879 --> 00:12:17.039 since Stoles times. 244 00:12:16.840 --> 00:12:20.159 And it has evolved dramatically. Today we have highly specialized 245 00:12:20.159 --> 00:12:23.639 tools and methodologies for acquiring and analyzing digital evidence from 246 00:12:23.679 --> 00:12:27.360 a huge multitude of sources. Speaking of which, let's maybe 247 00:12:27.399 --> 00:12:30.039 delve into some of those key areas of evidence. A 248 00:12:30.080 --> 00:12:34.120 fundamental concept in digital forensics is the distinction between volatile 249 00:12:34.159 --> 00:12:35.600 and non volatile data. 250 00:12:36.120 --> 00:12:38.440 Volatile versus non volatile. Break that down for. 251 00:12:38.440 --> 00:12:42.799 Us, sure, volatile data is temporary information. It exists only 252 00:12:42.840 --> 00:12:45.360 while a system is powered on, and it's lost when 253 00:12:45.360 --> 00:12:47.879 the power is turned off. Think of the data held 254 00:12:47.919 --> 00:12:51.000 in a computer's random access memory or RAM. 255 00:12:51.240 --> 00:12:52.320 Stuff in RAM, got it. 256 00:12:52.799 --> 00:12:55.679 Non Vogal data, on the other hand, is persistent. It 257 00:12:55.720 --> 00:12:58.480 remains stored even when the system is powered down, So 258 00:12:58.559 --> 00:13:00.679 like the data on a hard drive or a solid 259 00:13:00.720 --> 00:13:02.039 state drive SSD. 260 00:13:02.279 --> 00:13:05.480 Okay. So if you're responding to a live incident, capturing 261 00:13:05.480 --> 00:13:10.440 that volatile memory the RAM quickly is crucial because it 262 00:13:10.519 --> 00:13:14.000 might contain fleeting evidence that just disappears the moment the 263 00:13:14.039 --> 00:13:16.200 machine is shut down or rebooted exactly. 264 00:13:16.240 --> 00:13:18.759 That's often priority number one. Now, let's talk about specific 265 00:13:18.879 --> 00:13:21.600 types of digital evidence, maybe starting with network evidence. 266 00:13:21.639 --> 00:13:22.440 Network evidence, ok. 267 00:13:22.559 --> 00:13:25.200 Our book emphasizes that network traffic can provide a wealth 268 00:13:25.200 --> 00:13:28.080 of information for reconstructing a security incident. 269 00:13:28.279 --> 00:13:31.480 Network traffic that sounds like an overwhelming amount of data. 270 00:13:31.519 --> 00:13:33.000 Where do you even begin to look? 271 00:13:33.159 --> 00:13:36.480 Yeah, it can be. Key starting points usually include firewall and. 272 00:13:36.480 --> 00:13:38.799 Proxy logs firewall and proxy logs. 273 00:13:39.039 --> 00:13:42.720 These logs can provide valuable insights into the initial stages 274 00:13:42.759 --> 00:13:46.919 of an attack, showing which internal systems communicated with external 275 00:13:47.039 --> 00:13:51.279 potentially malicious websites or IP addresses. They can also help 276 00:13:51.320 --> 00:13:55.200 identify command and control or C two traffic. 277 00:13:55.360 --> 00:13:58.159 C two that's a communication back to the attacker, right. 278 00:13:58.279 --> 00:14:02.440 The communication channel between an infected system and the attacker's infrastructure. 279 00:14:03.000 --> 00:14:05.639 Think of firewall and proxy logs as kind of the 280 00:14:05.679 --> 00:14:08.120 digital equivalent of border patrol logs. 281 00:14:08.200 --> 00:14:10.200 Okay, so they give you a picture of what's coming 282 00:14:10.200 --> 00:14:12.559 in and going out of your network perimeter precisely. 283 00:14:12.759 --> 00:14:16.519 Then there's NetFlow NetFlow. While firewall and proxy logs primarily 284 00:14:16.600 --> 00:14:20.759 focus on traffic crossing the network perimeter, NetFlow provides visibility 285 00:14:20.759 --> 00:14:24.320 into internal network traffic what the book calls east west. 286 00:14:24.039 --> 00:14:26.559 Traffic east west, so communication within the. 287 00:14:26.519 --> 00:14:30.200 Network exactly, Yeah, showing how systems inside the network are 288 00:14:30.200 --> 00:14:33.440 communicating with each other. This can be invaluable for detecting 289 00:14:33.480 --> 00:14:34.240 lateral movement. 290 00:14:34.440 --> 00:14:36.919 Lateral movement like an attacker who got in one place 291 00:14:37.399 --> 00:14:40.639 and is now trying to spread sideways to other machines inside. 292 00:14:40.759 --> 00:14:44.360 That's it exactly. NetFlow helps you track those internal maneuvers, 293 00:14:44.759 --> 00:14:48.240 and for a much much deeper level of analysis, there's 294 00:14:48.360 --> 00:14:49.080 packet capture. 295 00:14:49.120 --> 00:14:51.240 Packet capture grabbing the actual data. 296 00:14:51.799 --> 00:14:54.919 Tools like TCP dump on Linux and raw cap or 297 00:14:54.919 --> 00:14:57.759 wind pee cap on Windows allow you to capture the 298 00:14:57.879 --> 00:15:00.879 actual data packets being transmitted cross the network. 299 00:15:00.919 --> 00:15:01.200 Wow. 300 00:15:01.279 --> 00:15:04.159 You can even apply filters to these captures to focus 301 00:15:04.159 --> 00:15:08.000 on specific types of traffic, like communication within known malicious 302 00:15:08.039 --> 00:15:11.279 IP address or specific protocols, so you're not just drowning 303 00:15:11.279 --> 00:15:11.960 in data. 304 00:15:12.120 --> 00:15:15.039 Capturing the raw network data that's like recording every single 305 00:15:15.080 --> 00:15:18.559 digital conversation happening on your network must be huge files. 306 00:15:18.720 --> 00:15:22.159 They can be enormous, yes, and analyzing these massive amounts 307 00:15:22.159 --> 00:15:25.600 of data requires specialized tools. Wire Shark is a very 308 00:15:25.639 --> 00:15:29.639 widely used GUI based tool for both capturing and analyzing 309 00:15:29.639 --> 00:15:31.000 network traffic in detail. 310 00:15:31.039 --> 00:15:32.440 Wire Shark, Yeah, I heard of that one. 311 00:15:32.519 --> 00:15:35.440 It allows you to inspect individual packets, follow the flow 312 00:15:35.480 --> 00:15:39.039 of communication between systems, filter based on a huge range 313 00:15:39.039 --> 00:15:41.840 of criteria. The book highlights its use for both live 314 00:15:41.879 --> 00:15:44.799 capture and in depth post capture analysis, so you can. 315 00:15:44.679 --> 00:15:47.000 Watch traffic live or dig through recordings later. 316 00:15:47.399 --> 00:15:50.519 Right. For example, you can filter to see only HTTP 317 00:15:50.679 --> 00:15:54.159 traffic and then examine the specific web pages or urs 318 00:15:54.200 --> 00:15:55.120 that were accessed. 319 00:15:55.320 --> 00:15:59.159 Wire Shark sounds incredibly powerful, like a microscope for network data. 320 00:15:59.240 --> 00:16:03.600 It really is, and for analyzing very large packet captures offline, 321 00:16:03.639 --> 00:16:07.279 there are tools like arkhim arkim Yeah. The book shows 322 00:16:07.320 --> 00:16:10.159 how you can load a captured file into arkham and 323 00:16:10.159 --> 00:16:14.080 then efficiently examine things like HDVP sessions and the specific 324 00:16:14.080 --> 00:16:17.240 web addresses that were visited. Wire Shark also has handy 325 00:16:17.240 --> 00:16:20.360 features like display filters to zero in on relevant traffic 326 00:16:20.399 --> 00:16:23.720 and coloring rules to visually highlight different types of packets, 327 00:16:23.879 --> 00:16:26.399 which makes the analysis process a bit more manageable. 328 00:16:26.440 --> 00:16:29.559 S galuring rules that sounds helpful for spotting patterns it 329 00:16:29.559 --> 00:16:30.440 can be, and. 330 00:16:30.480 --> 00:16:34.159 For detecting more subtle malicious activity, like an infected system 331 00:16:34.200 --> 00:16:38.200 periodically beaconing back to a command and control server by 332 00:16:38.320 --> 00:16:41.759 quiet check In beconing right, the book introduces Rata. Rita 333 00:16:41.840 --> 00:16:45.639 uses behavioral analysis to identify these recurring patterns in network 334 00:16:45.639 --> 00:16:48.480 traffic that might otherwise get lost in the noise. Beconing 335 00:16:48.679 --> 00:16:51.879 like that regular quiet signal that an infected machine is 336 00:16:51.879 --> 00:16:55.200 still under the attacker's control. ARIDA helps you pick up 337 00:16:55.200 --> 00:16:56.320 on those faint signals. 338 00:16:57.240 --> 00:17:00.440 Very cool that's right. Okay. So now let's shift our 339 00:17:00.480 --> 00:17:04.359 focus from the network to individual computers and discuss host 340 00:17:04.440 --> 00:17:05.599 based evidence. 341 00:17:05.720 --> 00:17:07.599 Okay, evidence on the actual machines. 342 00:17:07.640 --> 00:17:10.279 As we touched on earlier, a critical first step in 343 00:17:10.359 --> 00:17:14.519 many investigations is acquiring the volatile memory, grabbing. 344 00:17:14.119 --> 00:17:16.839 That ram before the power goes off. What are the 345 00:17:16.839 --> 00:17:20.039 go to tools for that? You mentioned volatile data earlier, right. 346 00:17:20.359 --> 00:17:23.680 The book mentions win p mem as a tool specifically 347 00:17:23.720 --> 00:17:27.559 designed for acquiring a memory image from Windows systems. It 348 00:17:27.599 --> 00:17:30.480 creates a raw bit for big copy of the system's 349 00:17:30.480 --> 00:17:31.519 physical memory. 350 00:17:31.279 --> 00:17:33.240 The snapshot of the live memory. 351 00:17:32.880 --> 00:17:36.599 Exactly, which can then be analyzed offline using specialized memory 352 00:17:36.640 --> 00:17:39.599 forensics tools like volatility, which is another powerful tool. 353 00:17:39.759 --> 00:17:42.240 So you take that memory snapshot and analyze it later 354 00:17:42.319 --> 00:17:44.079 for clues that might not be present on the hard 355 00:17:44.160 --> 00:17:44.799 drive at all. 356 00:17:44.720 --> 00:17:50.119 Correct things like running processes, network connections, passwords potentially gotcha. 357 00:17:50.799 --> 00:17:54.640 What about acquiring the persistent data, the stuff stored on 358 00:17:54.640 --> 00:17:58.160 the computer's storage devices, the hard drives or SSDs. 359 00:17:58.599 --> 00:18:01.680 For acquiring non volatile evidence, there are tools like silar 360 00:18:02.000 --> 00:18:04.960 SLR is designed to efficiently collect log files and other 361 00:18:05.000 --> 00:18:06.440 protected files from a system. 362 00:18:06.720 --> 00:18:08.799 SILR for logs and protected stuff. 363 00:18:08.960 --> 00:18:12.839 Yeah, and another powerful tool is KPE. That's the Kinetic 364 00:18:12.960 --> 00:18:18.039 Artifact Parser and Extractor. KP allows for highly targeted collection 365 00:18:18.079 --> 00:18:22.119 of specific types of evidence based on predefined configurations or targets. 366 00:18:22.519 --> 00:18:25.559 This is much more efficient than just grabbing absolutely everything. 367 00:18:25.920 --> 00:18:28.759 Targeted collection focusing on the most likely sources of evidence. 368 00:18:28.759 --> 00:18:30.599 That saves a lot of time and I guess storage 369 00:18:30.599 --> 00:18:31.119 space too. 370 00:18:31.359 --> 00:18:34.720 Exactly. Then there's the crucial concept of forensic imaging. 371 00:18:34.920 --> 00:18:36.960 Imaging making a copy of the drive. 372 00:18:36.880 --> 00:18:39.680 Right, creating a complete bit for bit copy of a 373 00:18:39.720 --> 00:18:43.880 storage device. The book distinguishes between physical images, which capture 374 00:18:43.920 --> 00:18:48.000 the entire drive, including unallocated space where deleted files might linger, 375 00:18:48.319 --> 00:18:52.839 and logical images, which capture only specific partitions or files. 376 00:18:52.839 --> 00:18:55.279 Physical versus logical, which is better. 377 00:18:55.160 --> 00:18:59.119 Well for traditional hard disk drives HDDs, physical images are 378 00:18:59.119 --> 00:19:02.640 generally preferred because they preserve everything, potentially allowing for the 379 00:19:02.680 --> 00:19:06.240 recovery of deleted data. Okay, However, the book points out 380 00:19:06.319 --> 00:19:10.319 that solid state drives SSDs present unique challenges. Why is 381 00:19:10.359 --> 00:19:14.200 that because of a process called trim. Trim is designed 382 00:19:14.200 --> 00:19:18.279 to improve SSD performance, but it can securely erase deleted 383 00:19:18.319 --> 00:19:22.440 data pretty quickly, making recovery much more difficult, sometimes impossible. 384 00:19:22.640 --> 00:19:26.200 Ah So SSDs can make the job of recovering deleted 385 00:19:26.240 --> 00:19:29.599 files way more challenging for forensic investigators. 386 00:19:30.119 --> 00:19:33.000 That's often the case. Yeah. For creating these forensic images, 387 00:19:33.359 --> 00:19:36.799 tools like FTK emitter are widely used. FTK imager it 388 00:19:36.839 --> 00:19:41.319 can create forensically sound images, meaning it calculates cryptographic hashes 389 00:19:41.400 --> 00:19:44.119 like digital fingerprints of the original drive and the image 390 00:19:44.119 --> 00:19:47.000 file to ensure the integrity of the copy, proof that 391 00:19:47.039 --> 00:19:48.000 it hasn't been tampered with. 392 00:19:48.160 --> 00:19:50.680 Hashes right verifying the copy is exact, and. 393 00:19:50.640 --> 00:19:54.559 The book also emphasizes the critical importance of using right blockers. 394 00:19:54.720 --> 00:19:55.960 Right blockers these. 395 00:19:55.759 --> 00:19:59.480 Are hardware or sometimes software tools that prevent any accidental 396 00:19:59.480 --> 00:20:03.000 modific case of the original evidence drive during the imaging process. 397 00:20:03.559 --> 00:20:06.400 They ensure you don't accidentally change the evidence you're collecting. 398 00:20:06.559 --> 00:20:10.759 Right blockers absolutely essential for preserving the integrity of the 399 00:20:10.759 --> 00:20:14.279 evidence and making sure it's admissible in court. Makes sense. 400 00:20:14.720 --> 00:20:18.480 What if you can't take a system offline to create 401 00:20:18.480 --> 00:20:21.160 an image like a critical server? 402 00:20:21.279 --> 00:20:25.559 Good question. In some critical high availability environments, shutting down 403 00:20:25.559 --> 00:20:28.839 a system just isn't an option in those scenarios. For 404 00:20:28.920 --> 00:20:32.079 virtual machines, you might create a VMware snapshot. 405 00:20:32.200 --> 00:20:35.440 A snapshot, yeah, like freezing it in time exactly. 406 00:20:35.599 --> 00:20:38.480 This captures the exact state of the virtual machine at 407 00:20:38.480 --> 00:20:41.319 a specific point in time, including its memory and disk. 408 00:20:41.880 --> 00:20:44.720 This allows for analysis of the live system state without 409 00:20:44.799 --> 00:20:47.079 directly altering the original underlying data. 410 00:20:47.240 --> 00:20:47.559 Okay. 411 00:20:47.720 --> 00:20:51.440 The book also briefly mentions using bootable USB devices containing 412 00:20:51.440 --> 00:20:55.359 Linux based forensic distributions for imaging physical Linux systems, again 413 00:20:55.400 --> 00:20:57.880 trying to minimize impact on the original system. 414 00:20:58.160 --> 00:21:01.960 So different environments and can straints call for different evidence 415 00:21:02.000 --> 00:21:07.720 acquisition techniques. Very adaptable. Now, once you have that forensic image, 416 00:21:08.160 --> 00:21:10.839 that big copy of the drive, how do you actually 417 00:21:10.880 --> 00:21:13.000 go about analyzing all that store data? 418 00:21:13.079 --> 00:21:15.799 Right? This is where forensic analysis platforms come into play. 419 00:21:15.839 --> 00:21:19.480 The book introduces Autopsy, which is a very popular open 420 00:21:19.519 --> 00:21:22.759 source forensic platform built on top of another tool set 421 00:21:22.839 --> 00:21:23.640 called the sleuth kit. 422 00:21:23.880 --> 00:21:26.200 Autopsy Oh open source, that's good. 423 00:21:26.279 --> 00:21:29.480 Yeah. It provides a user friendly graphical interface for examining 424 00:21:29.519 --> 00:21:32.519 disk images and offers a wide array of powerful. 425 00:21:32.079 --> 00:21:33.880 Features like what cut of features. 426 00:21:33.599 --> 00:21:39.519 Things like timeline analysis, which displays events, file modifications, program executions, 427 00:21:39.720 --> 00:21:43.799 web visits in chronological order to help reconstruct the sequence 428 00:21:43.799 --> 00:21:44.400 of activity. 429 00:21:44.480 --> 00:21:47.319 Timeline super useful for figuring out what happened when. 430 00:21:47.440 --> 00:21:52.160 Absolutely also keyword searching to quickly find specific terms or freezes, 431 00:21:52.480 --> 00:21:55.720 and the ability to automatically parse and analyze web artifacts 432 00:21:55.759 --> 00:22:00.240 like browser history, cookies, download history, all that juicy stuf 433 00:22:00.400 --> 00:22:01.240 web artifacts. 434 00:22:01.319 --> 00:22:04.039 Yeah, that tells a story. The book even illustrates how 435 00:22:04.039 --> 00:22:06.279 to start a new case in autopsy and add evidence 436 00:22:06.319 --> 00:22:07.000 sources to it. 437 00:22:07.119 --> 00:22:09.240 Exactly. It walks you through the basics. You can drill 438 00:22:09.319 --> 00:22:12.720 down into the filesystem, examine metadata associated with files like 439 00:22:12.759 --> 00:22:17.400 creation times, modification times, identify installed software, and see a 440 00:22:17.440 --> 00:22:20.759 list of recently accessed documents which can provide valuable clues 441 00:22:20.759 --> 00:22:21.839 about user activity. 442 00:22:22.319 --> 00:22:26.160 Autopsy sounds like a central workbench for digital forensic investigations. 443 00:22:26.480 --> 00:22:29.599 What about getting even deeper into the filesystem details For a. 444 00:22:29.599 --> 00:22:33.200 Deeper understanding of filesystem activity. On Windows systems, there's the 445 00:22:33.359 --> 00:22:38.119 Master Filetable or MFT MFT Master Filetable. It's essentially the 446 00:22:38.160 --> 00:22:43.839 index of the entire NTFS filesystem. Tools like MFTSCMD can 447 00:22:43.920 --> 00:22:48.119 parse the MFT, allowing investigators to track file creation, modification, 448 00:22:48.319 --> 00:22:51.480 access and deletion times, providing a really detailed history of 449 00:22:51.480 --> 00:22:52.720 filesystem interactions. 450 00:22:52.799 --> 00:22:55.519 The MFT, like a detailed ledger of all file related 451 00:22:55.559 --> 00:22:59.200 actions on a Windows system, even deleted one sometimes precisely. 452 00:22:59.440 --> 00:23:03.279 Remnants often remain, And even if an executable file itself 453 00:23:03.279 --> 00:23:05.759 has been deleted, you might still find traces of its 454 00:23:05.799 --> 00:23:09.720 execution through prefetch files. In Windows prefisch files, what are those? 455 00:23:09.880 --> 00:23:13.319 Windows creates them to speed up application loading. Tools like 456 00:23:13.400 --> 00:23:16.920 pecmd can analyze these prefetch files to determine if a 457 00:23:16.920 --> 00:23:19.599 program has been run, when it was last run, and 458 00:23:19.680 --> 00:23:22.000 how many times, even if the program's gone. 459 00:23:22.039 --> 00:23:25.680 Wow, prefetch files a historical record of executed programs, even 460 00:23:25.680 --> 00:23:27.160 if they've been subsequently deleted. 461 00:23:27.680 --> 00:23:31.359 That's sneaky evidence. What at the Windows registry, It seems 462 00:23:31.359 --> 00:23:34.640 like that holds a vast amount of system configuration information. 463 00:23:34.799 --> 00:23:37.599 Oh, it absolutely does. It's a gold mine. Autopsy can 464 00:23:37.640 --> 00:23:40.680 parse the registry, allowing you to examine various registry keys 465 00:23:40.680 --> 00:23:41.119 and values. 466 00:23:41.160 --> 00:23:42.880 What can you find in the registry. 467 00:23:42.519 --> 00:23:46.160 Crucial information such as connected USB devices including their vendor 468 00:23:46.240 --> 00:23:48.880 and product IDs vidps AH. 469 00:23:48.559 --> 00:23:50.519 So you can see if a specific USB drive was 470 00:23:50.519 --> 00:23:51.559 plugged in exactly. 471 00:23:51.799 --> 00:23:55.880 Very helpful in tracking potential data expiltration or maybe the 472 00:23:55.920 --> 00:23:59.720 introduction of malware via external media. You can also find network, 473 00:23:59.759 --> 00:24:04.240 hit street, user account information, recently run programs, tons of stuff, 474 00:24:04.720 --> 00:24:05.680 so much information. 475 00:24:05.960 --> 00:24:08.759 The book notes that registry analysis is a deep and 476 00:24:08.839 --> 00:24:12.920 specialized area, but even a basic analysis can often uncover 477 00:24:13.079 --> 00:24:14.720 valuable investigative leads. 478 00:24:15.480 --> 00:24:18.720 Okay, So from the network, to volatile memory to persistent 479 00:24:18.759 --> 00:24:22.240 storage like hard drives and the registry, there are numerous 480 00:24:22.279 --> 00:24:25.960 layers of potential evidence to examine. And then we have 481 00:24:26.279 --> 00:24:30.119 the often overlooked but critical area of log files. Ah. 482 00:24:30.279 --> 00:24:33.519 Yes, log files often the first place investigators turn to 483 00:24:33.559 --> 00:24:36.119 understand what happened on a system or network. 484 00:24:36.200 --> 00:24:38.960 But there are so many logs there are. 485 00:24:38.960 --> 00:24:41.440 Which is why the book emphasizes the importance of a 486 00:24:41.480 --> 00:24:45.880 well defined log management policy within an organization. The c 487 00:24:46.079 --> 00:24:49.279 search should play a crucial role in specifying what types 488 00:24:49.319 --> 00:24:52.160 of events should be logged and importantly, for how long 489 00:24:52.160 --> 00:24:53.119 the log should be retained. 490 00:24:53.160 --> 00:24:55.079 You need a plan for your logs, definitely. 491 00:24:55.480 --> 00:24:59.480 NIST provides excellent guidance on establishing effective log management practices. 492 00:25:00.200 --> 00:25:02.000 We can't investigate what you don't have a record of. 493 00:25:02.279 --> 00:25:05.000 Absolutely, So what are some key considerations when it comes 494 00:25:05.000 --> 00:25:07.519 to log files and incident response? How do you manage them? 495 00:25:07.680 --> 00:25:11.480 Well? A security information in event management or SEAM system 496 00:25:11.839 --> 00:25:15.799 is an invaluable tool for log aggregation and retention, particularly 497 00:25:15.799 --> 00:25:19.240 in larger organizations that generate massive amounts of log data. 498 00:25:19.359 --> 00:25:21.839 A SEAM collects all logs in one place. 499 00:25:21.680 --> 00:25:25.000 Exactly, a SEAM collects logs from various sources across the 500 00:25:25.039 --> 00:25:30.720 infrastructure servers, firewalls, workstations into a central platform. This makes 501 00:25:30.720 --> 00:25:34.640 it much easier to search, correlate events from different systems, 502 00:25:34.880 --> 00:25:36.599 and identify suspicious. 503 00:25:36.079 --> 00:25:39.480 Patterns correlation seeing how an event on one system relates 504 00:25:39.480 --> 00:25:40.359 to another right. 505 00:25:40.680 --> 00:25:44.000 The elastic stack, with tools like elastic Search, log Stash, 506 00:25:44.079 --> 00:25:48.240 and Kibana, is another powerful option for centralized log analysis, 507 00:25:48.599 --> 00:25:51.680 offering near real time search capabilities and visualization. 508 00:25:52.200 --> 00:25:55.119 SEM and elastic stack essential for making sense of that 509 00:25:55.200 --> 00:25:58.920 overwhelming volume of log data. What about analyzing Windows event 510 00:25:58.960 --> 00:26:01.119 logs specifically on a single machine. 511 00:26:01.160 --> 00:26:04.079 Sure, the built in event viewer in Windows allows you 512 00:26:04.119 --> 00:26:06.640 to view these logs. Of course, the raw log files 513 00:26:06.680 --> 00:26:09.319 themselves are typically stored in the c Windows System thirty 514 00:26:09.359 --> 00:26:12.440 two WINEVAD logs directory, and there are several key event 515 00:26:12.519 --> 00:26:15.799 IDs that investiators often look for, specific numbers that mean 516 00:26:15.839 --> 00:26:19.440 specific things like what, For example, event ID four six 517 00:26:19.480 --> 00:26:23.160 twenty four indicates a successful account log on four six 518 00:26:23.200 --> 00:26:26.440 three four signifies an account log off. A high volume 519 00:26:26.480 --> 00:26:29.359 of event ID four six twenty five, which indicates failed 520 00:26:29.400 --> 00:26:32.160 log on attempts might suggest a brute force attack. 521 00:26:32.279 --> 00:26:36.400 Four six twenty five lots of failed logins red flag. 522 00:26:36.200 --> 00:26:38.759 Big red Flag and event ID forty one O four 523 00:26:38.880 --> 00:26:42.160 records the execution of PowerShell scripts, which are very often 524 00:26:42.279 --> 00:26:45.640 used in malicious activities these days. These specific evn IDs 525 00:26:45.640 --> 00:26:47.119 can act like digital breadcrumbs. 526 00:26:47.200 --> 00:26:50.039 Those specific event IDs sound like crucial indicators to look 527 00:26:50.079 --> 00:26:52.839 for when sifting through Windows logs, really useful. 528 00:26:52.640 --> 00:26:55.960 Nuggets precisely, and there are tools to help. Deep Blue Cli, 529 00:26:56.079 --> 00:26:58.799 which is a PowerShell script itself, can help automate the 530 00:26:58.799 --> 00:27:02.400 analysis of Windows of events by identifying known suspicious events 531 00:27:02.400 --> 00:27:05.680 and patterns based on those ideas and other heuristics automating 532 00:27:05.720 --> 00:27:10.480 the log search Yeah Event log Explorer offers more events filtering, searching, 533 00:27:10.519 --> 00:27:13.920 and reporting capabilities than the built in event viewer, and 534 00:27:14.079 --> 00:27:16.680 for situations where you need to collect logs remotely and 535 00:27:16.720 --> 00:27:19.720 correlate them with other data sources, tools like Scotti can 536 00:27:19.759 --> 00:27:20.559 be very useful. 537 00:27:20.880 --> 00:27:24.200 So a combination of built in Windows tools and specialized 538 00:27:24.279 --> 00:27:27.960 utilities can help you extract meaningful insights from those often 539 00:27:28.039 --> 00:27:31.160 verbose event logs. Okay, let's move on to a topic 540 00:27:31.160 --> 00:27:34.079 that I think many find particularly concerning malware. 541 00:27:34.279 --> 00:27:40.000 Indeed, malware malware analysis is a critical component of incident response, 542 00:27:40.039 --> 00:27:40.559 no question. 543 00:27:40.720 --> 00:27:43.279 What are the main goals when analyzing malware? 544 00:27:43.400 --> 00:27:46.680 The primary goals are first to understand how the malware 545 00:27:46.680 --> 00:27:50.000 works its behavior, Second, what are its capabilities? What can 546 00:27:50.039 --> 00:27:53.400 it do? And third to identify indicators IOCs that can 547 00:27:53.400 --> 00:27:56.319 be used to detect and eradicate it from infected systems. 548 00:27:56.480 --> 00:27:57.720 Understand it, find it, kill it. 549 00:27:57.839 --> 00:28:01.720 Pretty much. The book introduces the concept of a malware sandbox. 550 00:28:01.880 --> 00:28:03.680 Sandbox like a safe play. 551 00:28:03.440 --> 00:28:07.400 Area, exactly, a safe isolated environment. This can be either 552 00:28:07.519 --> 00:28:10.160 a local virtual machine you set up yourself or a 553 00:28:10.160 --> 00:28:13.680 cloud based service. It's where you can execute and analyze 554 00:28:13.720 --> 00:28:17.519 malware samples without risking your actual production network or data. 555 00:28:17.640 --> 00:28:22.559 A controlled laboratory for studying dangerous software makes sense precisely. 556 00:28:22.920 --> 00:28:26.279 There are two main types of analysis, static and dynamic. 557 00:28:26.599 --> 00:28:30.559 Static analysis involves examining the malware's code and structure without 558 00:28:30.599 --> 00:28:31.559 actually running. 559 00:28:31.279 --> 00:28:33.000 It, looking at the blueprint right. 560 00:28:33.279 --> 00:28:36.799 Tools like pay studio can help you analyze the files metadata, 561 00:28:37.279 --> 00:28:40.960 identify imported functions, what Windows features it uses, and look 562 00:28:41.000 --> 00:28:44.200 for suspicious strings or patterns that might indicate malicious behavior, 563 00:28:44.359 --> 00:28:47.640 things like references to known malicious URLs or command and 564 00:28:47.640 --> 00:28:48.400 control servers. 565 00:28:48.440 --> 00:28:52.240 Okay, static analysis examining it while it's inert, what's dynamic. 566 00:28:52.440 --> 00:28:55.440 Dynamic analysis, on the other hand, involves observing the malwur's 567 00:28:55.440 --> 00:28:58.000 behavior while it's running in that safe sandbox. 568 00:28:57.599 --> 00:28:59.200 Environment, watching it in action. 569 00:28:59.519 --> 00:29:03.440 YEP. Tools like Process Explorer or process monitor can be 570 00:29:03.519 --> 00:29:06.599 used to monitor its activity, like the processes it creates, 571 00:29:06.640 --> 00:29:10.759 the files it modifies, the registry keys changes, and crucially, 572 00:29:10.880 --> 00:29:13.359 the network connections it attempts to establish. 573 00:29:13.480 --> 00:29:17.559 So static analysis is like examining the blueprint, while dynamic 574 00:29:17.640 --> 00:29:20.519 analysis is like watching how it actually behaves in that 575 00:29:20.559 --> 00:29:21.559 controlled environment. 576 00:29:21.759 --> 00:29:23.880 That's a good way to put it. And there are 577 00:29:23.920 --> 00:29:28.039 online sand boxing services like in teaser analyze an you 578 00:29:28.160 --> 00:29:28.720 run Joe. 579 00:29:28.680 --> 00:29:30.240 Sandbox online sandbox. 580 00:29:30.400 --> 00:29:33.319 Yeah, these can automate much of this dynamic analysis process. 581 00:29:33.599 --> 00:29:36.200 You upload the suspicious file and they run it and 582 00:29:36.240 --> 00:29:39.039 give you back detailed reports on its actions. They can 583 00:29:39.079 --> 00:29:43.160 even identify similarities to known malware families based on code 584 00:29:43.160 --> 00:29:44.240 reused analysis. 585 00:29:44.359 --> 00:29:47.599 Very useful automation, again handling the heavy lifting exactly. 586 00:29:48.000 --> 00:29:51.640 The book also introduces yarra rules ya air rules. They're 587 00:29:51.720 --> 00:29:55.000 essentially pattern matching rules. They allow you to identify malware 588 00:29:55.039 --> 00:29:59.240 based on specific textual or binary characteristics like unique strings 589 00:29:59.279 --> 00:30:00.240 or sequences. 590 00:29:59.799 --> 00:30:02.920 Of like a custom search pattern for malware precisely. 591 00:30:03.400 --> 00:30:06.480 Tools like Loki can scan systems for files that match 592 00:30:06.559 --> 00:30:09.119 a given set of yar rules, and yargen can help 593 00:30:09.160 --> 00:30:11.240 you generate your own yar or rules based on a 594 00:30:11.279 --> 00:30:14.440 sample of malware you've found. These rules act like digital 595 00:30:14.440 --> 00:30:16.960 fingerprints for known threats or even new variants. 596 00:30:17.680 --> 00:30:21.079 YARR rules sound like a powerful way to proactively hunt 597 00:30:21.079 --> 00:30:24.240 for known malware on your systems or even variations of it. 598 00:30:24.319 --> 00:30:27.119 They are very powerful, yes, and that naturally leads us 599 00:30:27.160 --> 00:30:29.200 to the crucial area of threat intelligence. 600 00:30:29.279 --> 00:30:32.000 Right connecting the dots, What is threat intelligence exactly? 601 00:30:32.119 --> 00:30:36.799 Correct? Threat intelligence is essentially information about existing and emerging threats. 602 00:30:37.200 --> 00:30:40.200 It helps organizations better understand their adversaries, who they are, 603 00:30:40.359 --> 00:30:44.160 their motivations, and their tactics, techniques and procedures, their TTPs, 604 00:30:44.400 --> 00:30:47.839 understanding the enemy exactly. That understanding allows for a more 605 00:30:47.880 --> 00:30:52.400 proactive and informed security posture rather than just reacting. The 606 00:30:52.440 --> 00:30:56.640 book outlines different types of threat intelligence, strategic high level risks, 607 00:30:57.160 --> 00:31:03.440 tactical attacker methodologies, operational details of specific attacks, and technical 608 00:31:03.680 --> 00:31:06.759 specific indicators like ips or hashes. 609 00:31:06.599 --> 00:31:08.440 Different levels of intel for different needs. 610 00:31:08.640 --> 00:31:11.400 Right. It also introduces the pyramid of pain. 611 00:31:11.640 --> 00:31:14.000 Pyramid of pain sounds painful. 612 00:31:14.240 --> 00:31:16.759 Well, it's a really useful model. It illustrates the value 613 00:31:16.759 --> 00:31:19.039 and the difficulty for an attacker to change different types 614 00:31:19.039 --> 00:31:21.960 of indicators. At the bottom, you have things like HASH 615 00:31:22.079 --> 00:31:25.759 values and IP addresses, easy for attackers to change. At 616 00:31:25.759 --> 00:31:28.680 the top, you have TTPs, much harder for them to change. 617 00:31:28.680 --> 00:31:31.240 So focusing your defenses there causes them more pain. 618 00:31:31.480 --> 00:31:36.279 Ah okay, so focus on detecting their behavior TTPs, not 619 00:31:36.359 --> 00:31:40.359 just the specific tools hashes they use today makes sense. 620 00:31:40.640 --> 00:31:43.480 So how does an organization actually go about using threat 621 00:31:43.519 --> 00:31:44.759 intelligence effectively? 622 00:31:45.000 --> 00:31:48.799 It's a cycle, really, a continuous process that involves several stages. 623 00:31:49.079 --> 00:31:51.920 Planning what intel do we need? Collection, where do we 624 00:31:51.960 --> 00:31:58.079 get it? Processing, making sense of raw data, analysis, extracting insights, dissemination, 625 00:31:58.319 --> 00:32:00.000 getting it to the right people, and feedback. 626 00:32:00.160 --> 00:32:02.680 Did it help the thread intelligence life cycle? Where do 627 00:32:02.759 --> 00:32:03.519 you get this intel? 628 00:32:03.759 --> 00:32:06.720 Various sources. It can include internally generated data from your 629 00:32:06.759 --> 00:32:10.079 own incidence, commercial threat intelligence feeds you subscribe to, and 630 00:32:10.319 --> 00:32:11.880 open source intelligence or. 631 00:32:11.759 --> 00:32:14.680 Ocinth ocynth publicly available. 632 00:32:14.200 --> 00:32:19.039 Stuff exactly, information from reputable sources like sands, Internet Storm Center, 633 00:32:19.400 --> 00:32:24.000 user advisories, security blogs, vendor reports, and platforms like Alien 634 00:32:24.079 --> 00:32:27.000 volved OTX. There's a huge man out there if you 635 00:32:27.039 --> 00:32:27.680 know where to look. 636 00:32:27.799 --> 00:32:30.839 Okay, ocent sounds like a valuable resource. But how do 637 00:32:30.880 --> 00:32:34.240 you make sense of all that diverse information, especially the 638 00:32:34.279 --> 00:32:35.880 attack or TTPs you mentioned. 639 00:32:35.920 --> 00:32:38.799 That's where the miter att and CK framework comes in. 640 00:32:38.839 --> 00:32:40.160 It's become indispensable. 641 00:32:40.400 --> 00:32:42.799 Miter att ANDCK here they mentioned a lot. 642 00:32:42.960 --> 00:32:48.119 It's a structured and incredibly comprehensive knowledge base of adversary tactics, 643 00:32:48.200 --> 00:32:52.480 techniques and procedures TTPs observed in real world cyber attacks. 644 00:32:52.519 --> 00:32:53.480 It's all mapped. 645 00:32:53.200 --> 00:32:55.599 Out a catalog of attack methods pretty much. 646 00:32:55.640 --> 00:32:57.880 You can use the ATT and CK Navigator, which is 647 00:32:57.880 --> 00:33:00.920 a web based tool to visually explore are these TTPs 648 00:33:00.920 --> 00:33:04.200 and understand how different thread actors operate at various stages 649 00:33:04.240 --> 00:33:07.599 of an attack life cycle, from initial access to data xfiltration, 650 00:33:07.880 --> 00:33:11.240 visualizing the attack chain exactly. The book stress is the 651 00:33:11.240 --> 00:33:14.680 importance of working with indicators of compromise or IOCs. 652 00:33:14.920 --> 00:33:18.240 Biocs like file hash is, malicious ips right. 653 00:33:18.200 --> 00:33:21.519 Pieces of forensic evidence that suggests the system has been compromised, 654 00:33:21.839 --> 00:33:25.799 and also indicators of attack or ioas ioas. 655 00:33:25.960 --> 00:33:26.720 How are they different? 656 00:33:26.839 --> 00:33:29.720 Ioas focus more on the actions than attacker is taking 657 00:33:29.759 --> 00:33:33.920 the behaviors regardless of the specific tools or IOCs involved. 658 00:33:34.240 --> 00:33:38.400 Think detecting credential dumping activity versus detecting a specific known 659 00:33:38.480 --> 00:33:41.559 credential dumping tools. Hash ioas are often more. 660 00:33:41.480 --> 00:33:44.000 Robust detecting what not just the how exactly. 661 00:33:44.480 --> 00:33:46.640 The key though, is to focus on the data, whether 662 00:33:46.720 --> 00:33:50.480 IOCs or ioas, that is most relevant and actionable for 663 00:33:50.599 --> 00:33:54.839 your specific organization and environment. Don't just collect everything right. 664 00:33:55.000 --> 00:33:58.920 Focus is key. Themar E ATT and CK framework like 665 00:33:58.960 --> 00:34:02.240 a comprehensive cat log of attacker behaviors, helping you understand 666 00:34:02.240 --> 00:34:05.559 your adversaries. So, how do you actually integrate this threat 667 00:34:05.599 --> 00:34:08.159 intelligence into your incident response efforts? How does it help 668 00:34:08.159 --> 00:34:09.480 the CSR? Good question. 669 00:34:09.960 --> 00:34:13.360 Many forensic analysis tools like autopsy, which we mentioned, have 670 00:34:13.480 --> 00:34:18.199 the capability to ingest threat intelligence feeds, for instance, lists 671 00:34:18.239 --> 00:34:22.239 of known malicious file hashes or IP addresses autopsy can 672 00:34:22.280 --> 00:34:25.800 then automatically flag files or network artifacts on a compromise 673 00:34:25.880 --> 00:34:30.440 system that match those known bad indicators during an investigation. 674 00:34:29.960 --> 00:34:31.559 So the tool does the matching for you. 675 00:34:31.719 --> 00:34:34.559 Saves a lot of time. Maltago is another powerful tool, 676 00:34:34.719 --> 00:34:38.440 more for visualization. It can be used for graphically analyzing 677 00:34:38.440 --> 00:34:42.639 the relationships between different pieces of threat intelligence like IP addresses, 678 00:34:43.000 --> 00:34:46.880 domain names, malware samples, email addresses, helping to build a 679 00:34:46.880 --> 00:34:49.719 clearer picture of an attack campaign and infrastructure. 680 00:34:49.800 --> 00:34:52.239 Altago for seeing the connections exactly. 681 00:34:52.639 --> 00:34:56.159 The book even provides a practical example using IOCs associated 682 00:34:56.199 --> 00:34:58.280 with the hffn IM threat. 683 00:34:58.039 --> 00:35:01.199 Group khifn i AM Change Attackers. 684 00:35:00.719 --> 00:35:03.079 That's the one active in twenty twenty one. It shows 685 00:35:03.119 --> 00:35:06.360 sourcing IOCs from alien Vault OTX and then using a 686 00:35:06.400 --> 00:35:10.079 tool called CTI encoder to convert these iics into queries 687 00:35:10.119 --> 00:35:12.639 that can be used directly with various security tools like 688 00:35:12.719 --> 00:35:14.039 signs or eder platform. 689 00:35:14.119 --> 00:35:17.000 Inverting intel into actual search queries very practical. 690 00:35:17.119 --> 00:35:19.159 Yeah, and you can also leverage Jura and low key, 691 00:35:19.199 --> 00:35:20.559 which we discussed earlier. 692 00:35:20.239 --> 00:35:22.679 With malware right the pattern matching to. 693 00:35:22.679 --> 00:35:27.559 Scan your systems for files matching known malware signatures or 694 00:35:27.599 --> 00:35:30.599 behaviors identified through your threat intelligence feeds. 695 00:35:30.960 --> 00:35:34.440 So you're taking what you know about known attackers and 696 00:35:34.480 --> 00:35:38.480 their methods and actively looking for evidence of those activities 697 00:35:38.480 --> 00:35:41.519 within your own environment. That's a proactive use of intelligence. 698 00:35:41.599 --> 00:35:43.800 That's exactly it, and that leads us directly into the 699 00:35:43.800 --> 00:35:47.760 concept of thread hunting right using intel to hunt exactly. 700 00:35:48.159 --> 00:35:51.920 Thread hunting is a proactive security activity. It's where security 701 00:35:51.920 --> 00:35:55.320 analysts actively search for threats that might have evaded existing 702 00:35:55.360 --> 00:35:57.360 automated security controls. 703 00:35:57.119 --> 00:35:59.519 Going looking for trouble before it finds you. 704 00:35:59.800 --> 00:36:01.920 That's a good way to put it. It's about going 705 00:36:01.920 --> 00:36:05.880 beyond just reacting to alerts and actively seeking out potential 706 00:36:05.920 --> 00:36:09.599 indicators of compromise or malicious activity that might be lurking 707 00:36:09.960 --> 00:36:11.440 undetected in your environment. 708 00:36:11.719 --> 00:36:15.519 Assuming compromise, sometimes threat hunting actively going on the offensive 709 00:36:15.599 --> 00:36:18.440 to find threats before they trigger an alert. How do 710 00:36:18.480 --> 00:36:21.000 you even begin a threat hunt? It sounds like looking 711 00:36:21.039 --> 00:36:22.239 for a needle in a haystack. 712 00:36:22.400 --> 00:36:25.719 It can be. The book emphasizes the crucial role of 713 00:36:25.760 --> 00:36:27.079 forming a hypothesis. 714 00:36:27.159 --> 00:36:31.320 First hypothesis like a specific guess about what might be. 715 00:36:31.280 --> 00:36:36.800 Wrong exactly based on initiating events, maybe unusual network traffic patterns, 716 00:36:37.239 --> 00:36:41.280 suspicious log entries you notice, and also leveraging threat intelligence 717 00:36:41.320 --> 00:36:46.079 about known adversary PTPs relevant to your industry or technology stack. 718 00:36:46.360 --> 00:36:48.360 You don't just randomly start searching. 719 00:36:48.079 --> 00:36:49.320 Okay, start with a theory. 720 00:36:49.480 --> 00:36:51.519 You need a specific idea of what you're looking for, 721 00:36:51.719 --> 00:36:55.880 informed by potential threats and observed anomalies. Then you plan 722 00:36:55.960 --> 00:37:00.119 your hunt, decide which systems, logs, network traffic you'll examine. 723 00:37:00.559 --> 00:37:04.159 You'll often use digital forensic techniques and tools, plus maybe 724 00:37:04.280 --> 00:37:08.440 endpoint detection and response or EDR tools for broader. 725 00:37:08.079 --> 00:37:10.599 Searching, using forensic skills proactively right. 726 00:37:10.840 --> 00:37:13.360 The outcome of a thread hunt can range from confirming 727 00:37:13.440 --> 00:37:17.039 a previously unknown compromise, which means the HUT was successful 728 00:37:17.079 --> 00:37:20.280 even if it's bad news finding something bad, to validating 729 00:37:20.280 --> 00:37:24.079 the effectiveness of your existing security controls finding nothing which 730 00:37:24.079 --> 00:37:27.400 is good, or maybe identifying blind spots in your detection 731 00:37:27.480 --> 00:37:29.760 capabilities where you should have seen something that didn't. 732 00:37:30.079 --> 00:37:34.639 So it's a continuous cycle of learning, hypothesizing, searching, and 733 00:37:34.719 --> 00:37:38.119 refining your security posture based on what you find or 734 00:37:38.159 --> 00:37:38.760 don't find. 735 00:37:38.880 --> 00:37:40.480 Precisely, it's an ongoing effort. 736 00:37:40.599 --> 00:37:42.639 Now, let's try to tie a lot of this together 737 00:37:42.960 --> 00:37:46.079 with a real world example that unfortunately we hear about 738 00:37:46.119 --> 00:37:48.000 all too often. Ransomware. 739 00:37:48.320 --> 00:37:51.639 Uh, ransomware, Yes, it has become such a pervasive and 740 00:37:51.679 --> 00:37:55.280 costly threat. The book uses the Kanti ransomware group as 741 00:37:55.320 --> 00:37:56.599 a detailed case study. 742 00:37:56.840 --> 00:37:59.360 Kanti they were huge for a while, weren't they. There' 743 00:37:59.360 --> 00:38:00.480 stuff leaks on line too? 744 00:38:00.599 --> 00:38:04.840 They were, and yes, those leaks provided a lot of insight. Kanti, 745 00:38:05.199 --> 00:38:08.039 often associated with the Wizard Spider and trick Bot thread 746 00:38:08.079 --> 00:38:12.119 actors operated on a ransomware as a service or RIOS. 747 00:38:11.760 --> 00:38:13.880 Model rios, meaning they rented out their. 748 00:38:13.840 --> 00:38:17.159 Ransomware essentially, yes, making it accessible to a wider range 749 00:38:17.199 --> 00:38:20.000 of cyber criminals, not just the core developers. The book 750 00:38:20.000 --> 00:38:21.519 outlines their common tactics. 751 00:38:21.559 --> 00:38:23.199 What kind of tactics did Kanti use? 752 00:38:23.360 --> 00:38:26.519 Things like using tools like proc dump to bump credentials 753 00:38:26.559 --> 00:38:31.000 like passwords from compromise system's memory, leveraging standard Windows protocols 754 00:38:31.039 --> 00:38:34.400 like SMB and RDP for lateral movement across the network. 755 00:38:34.199 --> 00:38:35.920 Moving sideways using normal. 756 00:38:35.639 --> 00:38:40.400 Tools exactly, utilizing frameworks like Cobalt strike for command and control, 757 00:38:41.039 --> 00:38:47.079 and crucially exfiltrating sensitive data via SFTP or HTTPS before 758 00:38:47.199 --> 00:38:49.800 encrypting local files. The double extortion. 759 00:38:49.480 --> 00:38:53.000 Tactic steal the data, then encrypt it nasty gary. 760 00:38:53.280 --> 00:38:57.400 Understanding these specific tactics is crucial for both prevention and response. 761 00:38:57.840 --> 00:39:01.559 Kanty's a stark reminder of the sophistication and potential damage 762 00:39:01.559 --> 00:39:05.559 of modern ransomware operations. What are some key steps organizations 763 00:39:05.599 --> 00:39:08.519 can take to prepare for and respond to such an attack? 764 00:39:08.719 --> 00:39:10.280 Based on this kind of intel. 765 00:39:10.280 --> 00:39:13.039 The book highlights the importance of a layered security approach, 766 00:39:13.119 --> 00:39:17.199 focusing on both network and endpoint resilience defence in depth right. 767 00:39:17.400 --> 00:39:21.320 This includes deploying robust eder solutions for endpoint monitoring and 768 00:39:21.360 --> 00:39:26.000 threat detection. Disabling unnecessary administrative shares on network systems, common 769 00:39:26.079 --> 00:39:30.079 lateral movement paths, Implementing network segmentation using vlands to limit 770 00:39:30.079 --> 00:39:32.559 the blast radius if one part gets hit, segmenting the 771 00:39:32.599 --> 00:39:38.039 network oh containing the fire exactly. Utilizing Microsoft's Local Administrator 772 00:39:38.079 --> 00:39:42.639 Password Solution or LAPS to manage local admin passwords securely 773 00:39:42.760 --> 00:39:46.360 so they're not all the same. Disabling credential caching where 774 00:39:46.440 --> 00:39:50.039 possible to prevent attackers from easily stealing credentials left in memory. 775 00:39:50.239 --> 00:39:52.440 Lots of practical hardening steps. 776 00:39:52.159 --> 00:39:57.039 Yes, and CSRT preparedness is also paramount Having well defined 777 00:39:57.079 --> 00:40:01.440 procedures for rapidly isolating infected systems to prevent further spread. 778 00:40:01.360 --> 00:40:02.719 Is key quick isolation. 779 00:40:02.960 --> 00:40:06.280 The book also touches on analyzing initial access methods like 780 00:40:06.400 --> 00:40:10.119 malicious macros and documents, using tools like ola dump, dot 781 00:40:10.159 --> 00:40:14.119 PIY and cyber chef to deconstruct them, and investigating lateral 782 00:40:14.159 --> 00:40:17.719 movement by examining Windows security event logs for specific indicators 783 00:40:18.079 --> 00:40:20.280 like that event ID four six x two four type 784 00:40:20.320 --> 00:40:23.000 three log on we mentioned, which can indicate network based 785 00:40:23.079 --> 00:40:24.400 logins between machines. 786 00:40:24.519 --> 00:40:27.559 So a combination of proactive security measures, good hygiene, and 787 00:40:27.599 --> 00:40:30.800 a well drilled incident response team are essential for minimizing 788 00:40:30.880 --> 00:40:32.400 the impact of ransomware. 789 00:40:31.920 --> 00:40:33.760 Attach Absolutely, preparation is key. 790 00:40:33.920 --> 00:40:37.239 Finally, after an incident has been contained and eradicated, oh lovely, 791 00:40:37.639 --> 00:40:41.039 how do you properly document everything that happened? Reporting seems crucial? 792 00:40:41.280 --> 00:40:45.119 It is thorough. Incident reporting is a critical final step 793 00:40:45.199 --> 00:40:48.440 in the incident response life cycle. You're not done until 794 00:40:48.440 --> 00:40:51.840 the report is done. The book emphasizes the importance of 795 00:40:51.920 --> 00:40:56.320 creating documentation tailored to different audiences within the organization. 796 00:40:56.159 --> 00:40:57.599 Different reports for different people. 797 00:40:57.679 --> 00:41:01.800 Yes, an executive summary provides a high level overview for leadership, 798 00:41:01.880 --> 00:41:05.599 c suite board members. It covers the root cause, the impact, 799 00:41:05.760 --> 00:41:09.840 and key recommendations for preventing future occurrences, all in business terms. 800 00:41:09.960 --> 00:41:12.039 The quick version for the bosses pretty much. 801 00:41:12.559 --> 00:41:16.719 Then, the investigation details section provides a more comprehensive narrative 802 00:41:16.840 --> 00:41:22.400 of the incident, timeline, the detailed findings identified indicators of compromise. 803 00:41:23.039 --> 00:41:26.480 This is for both leadership and technical personnel. More detail, 804 00:41:26.639 --> 00:41:30.320 and finally, a detailed forensic report provides the real technical 805 00:41:30.360 --> 00:41:33.880 specifics of the evidence analysis tools used, step by step 806 00:41:33.920 --> 00:41:37.840 findings data analysis. This is for the technical teams, maybe 807 00:41:37.920 --> 00:41:38.599 legal counsel. 808 00:41:38.800 --> 00:41:41.760 Different reports for different levels of understanding and different needs. 809 00:41:42.199 --> 00:41:44.679 What are some key elements that should be included across 810 00:41:44.719 --> 00:41:45.360 these reports? 811 00:41:45.599 --> 00:41:48.639 The book stresses the importance of a clear and accurate 812 00:41:48.679 --> 00:41:53.039 timeline of events. Detailing when different activities occurred during the 813 00:41:53.079 --> 00:41:55.679 incident is fundamental to understanding the narrative. 814 00:41:55.840 --> 00:41:57.039 The timeline is critical. 815 00:41:57.159 --> 00:42:01.360 Absolutely, detailed note taking throughout the investmentation is also crucial. 816 00:42:01.400 --> 00:42:04.280 You can't rely on memory weeks later. The book even 817 00:42:04.320 --> 00:42:07.559 suggests tools like monolith notes for effective note taking and 818 00:42:07.760 --> 00:42:09.719 organization during a chaotic response. 819 00:42:10.199 --> 00:42:11.599 Kee good notes, Yes. 820 00:42:11.639 --> 00:42:14.400 And the language use in the reports should be appropriate 821 00:42:14.440 --> 00:42:19.480 for the intended audience. Executive summaries need that business oriented narrative, 822 00:42:19.840 --> 00:42:23.559 while forensic reports will be highly technical and detail oriented. 823 00:42:23.599 --> 00:42:27.880 Tailor the language makes sense. Comprehensive documentation is vital not 824 00:42:27.920 --> 00:42:30.920 only for internal learning and improvement, but also for any 825 00:42:31.159 --> 00:42:33.440 potential legal or regulatory requirements. 826 00:42:33.519 --> 00:42:37.239 Right absolutely, it serves as the official record of what transpired, 827 00:42:37.559 --> 00:42:40.320 how it was handled, and the lessons learned. It can 828 00:42:40.360 --> 00:42:44.079 be invaluable for demonstrating due diligence and for strengthening future 829 00:42:44.119 --> 00:42:45.039 security efforts. 830 00:42:45.280 --> 00:42:48.719 Wow, okay, we've covered an incredible amount of ground in 831 00:42:48.719 --> 00:42:52.159 this deep dive, huh, from the fundamental principles of DFIR 832 00:42:52.599 --> 00:42:57.519 to the intricate details of evidence acquisition analysis, the strategic 833 00:42:57.719 --> 00:43:01.239 use of threat intelligence, all in formed by the comprehensive 834 00:43:01.239 --> 00:43:04.639 insights of digital forensics and incident response. 835 00:43:04.960 --> 00:43:08.239 Indeed, it's a huge field. We hope that you, our listener, 836 00:43:08.599 --> 00:43:12.599 now have a much clearer understanding of the processes, the tools, 837 00:43:12.639 --> 00:43:17.119 and frankly, the thinking involved in responding to and investigating 838 00:43:17.239 --> 00:43:18.159 cyber incidents. 839 00:43:18.519 --> 00:43:21.559 Yeah, you should now be able to approach discussions about cybersecurity, 840 00:43:21.880 --> 00:43:25.199 or even just the news headlines with a more informed perspective, 841 00:43:25.519 --> 00:43:29.639 recognizing the underlying methodologies and technologies that security professionals rely 842 00:43:29.719 --> 00:43:30.719 on every single day. 843 00:43:31.079 --> 00:43:33.559 So maybe a question for you to ponder considering the 844 00:43:33.599 --> 00:43:37.400 sophisticated techniques employed in ransomware attacks like CONTI, what are 845 00:43:37.440 --> 00:43:40.199 some specific immediate steps that come to mind for enhancing 846 00:43:40.239 --> 00:43:42.960 your own digital security practices, whether that's at home or 847 00:43:43.000 --> 00:43:44.280 in your workplace. 848 00:43:44.079 --> 00:43:46.840 That's a good one. Or thinking about the other side, 849 00:43:47.119 --> 00:43:51.039 given the ever increasing complexity and sophistication of the threat landscape, 850 00:43:51.480 --> 00:43:54.960 how critical do you now perceive proactive threat hunting to 851 00:43:55.000 --> 00:43:58.639 be for organizations striving to stay ahead of potential attacks? 852 00:43:59.320 --> 00:44:00.719 Is reacting enough anymore? 853 00:44:01.039 --> 00:44:04.000 Yeah? Great questions. We really encourage you to delve deeper 854 00:44:04.039 --> 00:44:07.039 into any of the specific topics that particularly sparked your 855 00:44:07.079 --> 00:44:10.599 interest today. Perhaps explore some of the powerful tools we mentioned, 856 00:44:10.840 --> 00:44:14.480 like volatility for advanced memory analysis, or maybe delve further 857 00:44:14.559 --> 00:44:19.000 into the wealth of knowledge contained within the ITTNCK framework. 858 00:44:18.519 --> 00:44:22.320 Online, because in the dynamic and ever evolving field of cybersecurity, 859 00:44:22.760 --> 00:44:26.199 continuous learning and just plain curiosity are probably your most 860 00:44:26.280 --> 00:44:27.199 valuable assets. 861 00:44:27.360 --> 00:44:31.480 Well said, until our next deep dive, stay curious, stay informed, 862 00:44:31.599 --> 00:44:32.440 and stay secure.