Waiting vs Passivity in DFIR

From the New York Times: “Review: ‘Hamilton,’ Young Rebels Changing History and Theater” Give it a second, I’ll explain the Hamilton reference to DFIR, but for now let me share one of my favorite songs. Aaron Burr thinks Alexander Hamilton is a brash aggressive brute and believes Hamilton thinks him slow and unwilling to make a decision. Burr then sings this song to explain his true goals: Wait for It by the cast of Hamilton....

December 10, 2016 · 3 min · Scott J Roberts

Python for CND

One thing I constantly harp on while talking to people beginning in the security community is the importance of learning to code. I think it is awful that we have so many security professionals cannot write a line of code. It’s useful for automating common tasks, gathering & manipulating data, almost anything you can imagine. I think everyone should learn some coding and Python is the best place to start....

November 30, 2016 · 6 min · Scott J Roberts

Intelligence Collection Priorities

One of the hardest things when starting a threat intelligence program is deciding where to start collection. This begins with an initial set of requirements and evolves from there. Everyone will give you a different opinion and insist on a different approach probably biased by their favorite collection sources. As for me I think the best approach is to start with the small things, the easy things, and build up from there....

November 23, 2016 · 5 min · Scott J Roberts

Golang for DFIR

One of my goals for this year was getting comfortable with a new programming language. I’ve been a Python devotee for a long time and it’s almost always gets the job done, but I wanted a little bit more. There are times Python works against you: Dependency Nightmares: While virtualenv and a requirements.txt file work ok for developers it can often make use by non-developers or some deployment stories quite complicated....

July 18, 2016 · 8 min · Scott J Roberts

CTI SquadGoals — Setting Requirements

Requirements. The first part of the intelligence cycle and the most neglected. According to the appendix of Joint Publication 2–0: Joint Intelligence intelligence requirement. 1. Any subject, general or specific, upon which there is a need for the collection of information, or the production of intelligence. 2. A requirement for intelligence to fill a gap in the command’s knowledge or understanding of the operational environment or threat forces. Intelligence requirements (or just requirements) are key questions (as @cyint_dude calls them) that stakeholders (the CERT, leadership, etc) want the intelligence team to answer....

March 30, 2016 · 6 min · Scott J Roberts