Golang for DFIR

One of my goals for this year was getting comfortable with a new programming language. I’ve been a Python devotee for a long time and it almost always gets the job done, but I wanted a little bit more. There are times Python works against you: Dependency Nightmares: While virtualenv and a requirements.txt file work ok for developers, it can often make use by non-developers or some deployment stories quite complicated. Speed & Scale: This is a funny one. 99% of the time Python is more than fast enough and scales widely enough. Except when it doesn’t. Chewing through a few hundred megabytes of logs? No big deal. Gigabytes or terabytes? Not so much. Hundreds of network connections? Sure. Hundreds of thousands or millions? You might need something more. Discipline: Python is easy. Almost too easy sometimes. It lets you cut corners, it takes care of a lot in the background. It’s a great language for getting things done but sometimes I want to learn/control/understand more. Beyond that sometimes I want software that’s more than functional, I want it to be engineered. More structure, more safety, etc. Working for a company made up largely of developers there’s always talk about new development tools and languages. Rust and Golang have been hotly discussed in these circles (along with Erlang/Elixir/Node). I was considering both until I had a discussion at ArchCon with Liam Randall who effused about how great Golang had been for his organization. Good enough for Liam is good enough for me, so I dove in. ...

July 18, 2016 · 8 min · Scott J Roberts

CTI SquadGoals — Setting Requirements

Requirements. The first part of the intelligence cycle and the most neglected. According to the appendix of Joint Publication 2–0: Joint Intelligence: intelligence requirement. 1. Any subject, general or specific, upon which there is a need for the collection of information, or the production of intelligence. 2. A requirement for intelligence to fill a gap in the command’s knowledge or understanding of the operational environment or threat forces. Intelligence requirements (or just requirements) are key questions (as @cyint_dude calls them) that stakeholders (the CERT, leadership, etc.) want the intelligence team to answer. Requirements set the entire priority of your intelligence cycle: what sources you collect from, what types of processing you need to do, and what methods of dissemination will meet the need. Where your team is focusing, aka Squad Goals. Let’s get started… ...

March 30, 2016 · 6 min · Scott J Roberts

osquery 101 — Getting Started

I admit it… I’m a fanboy. A straight up osquery fanboy. Oh… what is osquery you ask? Good question there sport. osquery allows you to easily ask questions about your Linux and OSX infrastructure. Whether your goal is intrusion detection, infrastructure reliability, or compliance, osquery gives you the ability to empower and inform a broad set of organizations within your company. That’s how Facebook describes it. I’d say osquery is the most effective way available to monitor an OSX or Linux host for security. But that’s just me. Still not bad no matter which definition you prefer. ...

January 26, 2016 · 4 min · Scott J Roberts

Travel OpSec

Last year I was lucky enough to go to the FIRST2015 conference in Berlin. It was a great conference, good talks (including yours truly), and an even better hallway track. I’d never been to Berlin, or Germany in general, and I enjoyed seeing this amazing city a little bit as well. Traveling to a new country as a security-minded person is always a bit jarring. Even a country as friendly as Germany bears consideration when it comes to laptops, tablets, phones, etc. A conference like FIRST has people coming from all over the place, including people from countries at odds (US, China, Iran, Germany, etc.). As a result those IT security concerns are even more heightened. As a result we ended up having some academic conversations about operational security while traveling internationally (or traveling generally). ...

January 20, 2016 · 9 min · Scott J Roberts

Introduction to DFIR

One of my favorite things is talking to students and people new to the security field. It feels like yesterday I was wandering around the first Shmoocon as a student in awe of the people I met and the work they were doing. Now I’m 10 years into my career and have a whole different perspective (though still in awe with those folks). Starting a career in infosec isn’t easy and while there are better general introductions I wanted to add my perspective on getting started in Digital Forensics and Incident Response (DFIR). ...

January 11, 2016 · 15 min · Scott J Roberts

Intelligence Concepts — The Intelligence Cycle

I can’t talk about important intelligence concepts for security without talking about the granddaddy, the original: the Intelligence Cycle. This should be great discussion fodder for anyone who has to talk to someone who claims they’re selling some form of Threat Intelligence product, given in most cases they seem to be using the phrase in place of the word smart. Intelligence vs smart couldn’t be farther from the truth. ...

December 16, 2015 · 8 min · Scott J Roberts

Crisis Communications for IR (The Preso!)

In September I wrote about Crisis Communications in Incident Response and after some great feedback I expanded it and built a presentation. I gave this presentation in June at FIRST and today (July 8th) at SANS DFIR Summit. Both were great events and I highly recommend them.

My Slides

Check them out on SpeakerDeck: Crisis Communications for Incident Response

I’m going to actually do a post soon (I hope) on building security presentations. In case you’re curious I built this deck using Deckset. Here’s the Gist of my presentation markdown (with speaker notes). ...

July 8, 2015 · 1 min · Scott J Roberts

FIRST 2015

I’m lucky enough to get to go to FIRST 2015 in Berlin. I’ll be speaking on Tuesday afternoon, but one of the best things about conferences like this is being able to attend other sessions. I’ve never been to FIRST before, and this year looks jam packed. Here are the talks I’m most excited about and you’ll be likely to find me in.

Monday June 15:

Time | Presentation | Presenter | Notes
11:00 | Building instantly exploitable protection for yourself and your partners against targeted cyber threats using MISP | Mr. Andras IKLODY (CIRCL) | MISP is one of the bigger open source threat intelligence platforms (along with CRITs). I’m pretty familiar with CRITs, but I’m curious to see what mature MISP can do.
13:00 | 3J4E — JIGSAW, JUMPSTART, JUNCTURE: Three Ways to Enhance Cyber-Exercise-Experience | Mr. Stefan RITTER (National IT-Situation Centre and CERT-Bund, German Federal Office for Information Security BSI) | I’m really interested in writing better table top exercises. This seems like a dramatically different approach.
14:00 | So You Want a Threat Intelligence* Function (*But Were Afraid to Ask) | Mr. Gavin REID (Lancope) | So this sounds along the lines of a talk that Kyle Maxwell and I put together for BlackHat USA (but unfortunately didn’t get accepted). I’ve thought a lot about how to build useful directed Threat Intelligence, so this is super curious.
16:00 | Incident Response Programming with R | Mr. Eric ZIELINSKI (Nationwide) | I don’t write R, not sure I ever would, but better data analysis is super important for better incident response. Also Nationwide is from my current hometown, so I’m happy to support the local guy.

This is going to be a full day, which is a great thing for me. Lots of great talks, a wide variety of topics. Should be fun. ...

June 11, 2015 · 6 min · Scott J Roberts

How I Atom

Update - April 2019: To be honest I don’t Atom anymore. I switched to Visual Studio Code in the middle of 2017 while writing TypeScript and Golang and haven’t looked back. During the time I’ve been at GitHub one of the coolest projects to come out has been Atom, GitHub’s own text editor. I’ve been using it since the day it got released internally at GitHub and I can say Atom is one of my 3 top used applications and an essential part of my workflow. ...

June 6, 2015 · 5 min · Scott J Roberts

Intelligence Concepts - The SANS Incident Response Process

Getting away from the abstract to something a bit more distinctly DFIR we get to the (in)famous SANS Incident Response Process. The basis of SANS 504: Incident Response & Hacker Techniques, this process attempts to codify the typical incident process into key steps. This is an essential process that helps form a cogent understanding of the incident process, but its limitations need to be just as well understood. SANS Incident Response Process ...

May 18, 2015 · 4 min · Scott J Roberts