Crisis Communication for Incident Response

One part of intrusion response that rarely gets enough attention in DFIR circles is the communications victim companies make to their own customers. This is almost always the only real information the public (and even the security community) sees about an intrusion, and communicating what happened effectively is crucial to minimizing damage, both to customers and to your organization’s reputation.

The 5 Keys to Incident Response Communication

It’s difficult to investigate many intrusions. It’s often even more difficult to explain them, especially to less technical individuals, but it remains crucial that the communication about what happened be straightforward, ideally limited to a 5th grade reading level. Without this understanding victims will remain confused and critics will remain skeptical. This clarity has to go beyond one message by making sure messaging stays consistent across multiple messages and mediums. ...

September 22, 2014 · 7 min · Scott J Roberts

Minimal Packing for Maximum Travel

I started writing this at the end of March right after two trips in a row. I’ve since done another type of packing, moved, and now I’m finally catching up, so forgive some out-of-date thoughts. I’ve basically traveled non-stop for the last two weeks, home only for last weekend. Back-to-back travel of fairly similar lengths makes it easy to compare, experiment, and plan a bit better. ...

May 25, 2014 · 6 min · Scott J Roberts

Using Robots to Fight Bad Guys

At the end of last year I was invited to a few places (CentralPA Open Source, BSidesDFW, & BayThreat) and gave a talk about some of the work I’ve done to adapt Hubot, GitHub’s friendly-ish chatbot, and GitHub’s ChatOps workflow for DFIR. While it was great to get the ideas out, there’s a lot to deploying, using, and customizing VTR. So this is my extended breakdown of ChatOps, Hubot, Hubot-VTR, and building modules in CoffeeScript.

My Presentation

Building Your Own DFIR Sidekick ...

May 14, 2014 · 6 min · Scott J Roberts

A Basic Guide to Advanced Incident Response

On 5/5 I was lucky enough to be invited to speak at an education technical conference, the Tech Talk Live Cyber Security Symposium. I wanted to do something new, something different. I’ve long been an advocate of intelligence-driven incident response, but had never seen a sufficiently useful presentation to introduce this complex but powerful workflow to others. So I tried to make one.

Presentation

Overall I was pleased with how the talk was received. Schools face a myriad of cyber threats from the mundane to the sophisticated, but lack resources in terms of money, people, and time. I don’t know if central PA schools are going to see booming intel-driven IR programs, but I hope there were some interesting ideas for them that may be useful. ...

May 7, 2014 · 2 min · Scott J Roberts

Open Source Blogging

Update: Yeah… Jekyll was great and I had a lot of fun with it, but I’ve since moved off it to Medium. There’s lots of cool stuff you can do with Jekyll, but in the end the need to develop posts with a text editor and a Ruby environment lost out to a convenient iOS app. So it’s been more days than I’d like since my last blog post, sadly, since I’ve been dealing with some discomfort in my arms along the lines of an RSI, something I plan on discussing more. That said, I’m on the mend, and wanted at least a small post so I don’t feel like such a slacker. ...

February 12, 2014 · 3 min · Scott J Roberts

Online CTFs

I’ve been lucky enough to play in a number of computer attack & defend (sometimes only one or the other) Capture The Flags. They’ve been some of the best learning experiences I’ve ever had and a ton of fun. It really compresses all of cyber security, minus that boring policy stuff, into a smaller time frame. Even with all the benefits there is one tough part: you can’t always spend a weekend in a friend’s basement with a pallet of Redbull or on the floor at DefCon CTF. Until CTF season rolls around this spring there are two new all-online CTFs from big name companies: ...

January 23, 2014 · 1 min · Scott J Roberts

Command-line Spell Checking with Aspell

In an effort to improve my “Unix” skills I’m trying to do more and more on the command line, such as writing this blog. This has worked out for me in a lot of ways, making much of my work faster, less environment-dependent, and easier to reproduce/script. I’ve learned lots of tricks to help with this, but recently came across one of the best ones: Aspell. First a confession: people get into the computer industry for lots of reasons. My reasons were kind of different: I couldn’t spell and have terrible handwriting. In 4th grade, being told this magic box would make my ideas legible and spelled correctly was game-changing for me. But I digress. ...

January 20, 2014 · 3 min · Scott J Roberts

My Favorite Open Source Security Tools

So working at GitHub it is no surprise I believe in and use a lot of open source software. I think especially for security this makes sense, for a number of reasons:

We need tools we can trust, so transparency is key
We need tools we can modify, since we often need things that don’t exist
We need tools that are cross-platform

And the list goes on. I try to support these projects, with code, with feedback, with use, and sometimes, with praise. So, in sort of a weird security “Oprah-like” favorite things list, here are a few of my favorite open source security tools: ...

January 18, 2014 · 3 min · Scott J Roberts

The Importance of Mentoring

I’m a big believer in mentoring. Classes are great, self-learning is hugely important, but there are few things that help someone grow as much as having someone a little bit farther down the road to give a little bit of guidance. I’ve been lucky enough throughout my life to have had many mentors in a number of aspects of my career and life. These people have been invaluable. I’m not the only one. A few months ago Coby Chapple, one of GitHub’s amazing designers, did a talk at a company event about the importance of mentoring, based on the Distributed Mentoring movement. Coby even put his code where his mouth is, adding a page to his personal site stating his support of mentoring and offering to mentor those who put themselves out there and email him. Going a step further, he even made it easy for others to follow his lead by forking his mentoring repo and creating a mentoring page of your own. ...

January 15, 2014 · 2 min · Scott J Roberts

Pretty JSON is Pretty (Useful)

So as initially suggested I haven’t been good about blogging yet. I’ve been quite busy with work. But I did want to pass along one small tip I’ve picked up. A lot of the work I’ve been doing has been a combination of Ruby/Python and command line data parsing. In much of this shell work I’m working through JSON documents on the command line, often using commands like:

$ cat foo.txt | grep "foo" | sort | uniq

I’ve learned a lot about composing commands and the beauty of the Unix philosophy; it’s been great. But I hit a lot of issues with some tools that initially spit out “ugly”, overly terse JSON: ...

January 14, 2014 · 2 min · Scott J Roberts