 |
| One team. |
Earlier this week I had referred a friend to my own work about understanding how timestamps in packets work and various command line options for working with them. I had also admired the length, ingenuity, and clarity of a recent post by my friend Carrie about cracking passwords with special characters. Those moments were inspiring enough that I knew it was finally time to share something more than a tweet's length about what I'd been up to for the last months. So in tribute to my no frills blog title "Computer Forensics blog - Searching to find what's really going on...," here is "what's been going on." The goal is just to briefly shout-out some projects I've been working on, and introduce several upcoming diaries that I've drafted over this past year and will share soon.
I'm focusing professionally at the moment on the relationship between "advanced defense" strategies (the first couple that come to mind would be threat-hunting and deception tactics) and live detection and response. How far should we take defense-in-depth at the expense of having overlapping signatures? How can we decrease detection times? In an up-coming post later this week, you'll see that when Peter Kim (innovative red-teamer and author of The Hacker Playbook series of books) came live onto our Brakeing Down Security [sic] Book Club call for an interview and discussion, he said that an ideal maximum detection time for blue-teamers would be somewhere around 4 minutes for an initial access or specific action of an adversary. Beyond that a skilled technician would be long gone, pivoted on to the next box, or gone forever, tracks-covered and all.
Speaking of threat-hunting, I had the opportunity to volunteer a few weeks ago at the Sans Threat-Hunting and Incidence Response Summit in New Orleans, which was a really intense experience. I worked at the summit, made a lot of new friends, and as well helped-out with Matt Bromiley's FOR508 class, which I had never attended before; and as well there my team won the FOR508 Challenge Coin, which was a very powerful experience because of the huge amount of competition in the room. We found a lot of forensic data early on in the event, but kept working hard and fast until the very last minute of the challenge. A lot of our success was due to the experienced forensicators on our team, but none of us would have won alone. So much more could be said about team-work, diligence, and humility! Although there was no hidden message to decrypt though on the coin, like on my SEC503 coin. You should expect to read a few reports from me eventually about things I've learned at the summit.
I relocated my whole family in the past year, all the way from Berlin (you may have noticed the "Molecule Man" sculpture staring cameo in some of my past posts) back to the USA, because of an amazing work opportunity. As you can imagine this has brought also a lot of excitement to our lives, so the past year was heavily focused on family as well.
I do still have interest in OSX (and unix in general), as well as the (gentoo-based) ChromeOS platform, which with the beta "Linux mode" is arguably the first affordable, ready-to-go Linux laptop anyone around the world can grab for even less than $100. The up-coming post I mentioned above with Peter Kim will launch the publication of a co-author/guest-series of blogs which I've worked on over the past year, but never published. There will be another post co-authored by a special guest, about using Linux on ChromeOS. There have also been a couple of other topics I've researched, for example the evolution of the packet filtering on OSX, which I found so much public information readily available on, that I don't need to blog about, but I'd love to share some of my favorite other-folks'-work on it soon. I've been also generally supporting the efforts of Mental Health Hackers. Hudson Harris gave a great, related talk at Sp4rkCon By the Bay last week--including a section about procrastination and anxiety--which was targeted at security professionals.
I started up a Lean-In Circle at work, called the InfoSec Book Club. It's open to everyone, but the mission is to help fight anything that remains of gender-bias in InfoSec. This is based on the BrakeSec Book club, which I co-lead with David Cybuck. We're about to finish up Attacking Network Protocols there (we also just finished also an awesome "Summer Reading Series" led my David, including some author interviews, it was amazing to get to know Mastermind author Evan Ratliff as well). I've enjoyed contributing to the Atomic Red Team Project with several friends, thanks again to Carrie Roberts to introducing me to this project. It's been cool to also meet a few members of the Red Canary team, such great folks. I continue to remain active in the DShield/Internet Storm Center community and manage some honeypots. My goal this year for this blog is actually to migrate slowly out of these guest posts and catch-ups, and over the next year or so release more diaries about threat-hunting and other forensic investigations, getting back to the roots of why I started blogging. Additionally I've recently been trying to spread the word about Roberto and Jose Rodriguez's new efforts on building a community around their awesome open-source tools: many of which are now collected in a single place, The Hunters' Forge; I met them at the summit a few weeks ago, and I'm excited to see where that goes.
I'm gearing-up to take the GCFA and another test over the next weeks, so that is my very short-term focus, and of course, adjusting to the season and the holidays with my family. Contact me on Twitter or leave a comment below if any of this has given you an idea or inspiration in any way, or if you're working on any of the same topics. I look forward to learning with you, as well.
No comments:
Post a Comment