Incident Response Hunting Tools

Great, you’ve decided to move beyond reactive incident response and start hunting. While hunting is primarily a way of thinking about incident response it does rely on your technical capabilities, so what tools should you use? The focus for me is always on open source tools with tools with wide ranging applications. Here are my favorites: Endpoint Alerting Tools: Facebook osquery osquery is a tool from Facebook that describes itself as:...

April 21, 2015 · 5 min · Scott J Roberts

APT is a Who not a What… And Why it doesn’t Matter

A small number of topics get intelligence driven incident responders incredibly frustrated: Using intelligence to mean smart (I’ll share more about that later this week) Bad attribution based on incomplete information and bad assumptions Misuse of the term APT (in most cases by marketing departments) Advanced Persistent Threat remains the buzzword of choice for vendors, but it’s used incorrectly, and lots of people know that and don’t say anything. As a result I want to go on the record and correct a couple key misnomers....

February 16, 2015 · 5 min · Scott J Roberts

The Perils of (Mis)Attribution

It’s impossible to be involved in the information security community right now and to avoid the incident going on at Sony. All of the details of the attack by “The Guardians of Peace” may never be publicly known, but it is safe to say that this has become one of the defining computer security events from a public perspective. Plenty of people are addressing this from a variety of angles so I just want to speak to one, somewhat tertiary but none the less key issue, the “attribution” debate....

January 4, 2015 · 10 min · Scott J Roberts

Crisis Communication for Incident Response

One part of intrusion response that rarely gets enough attention in DFIR circles is the communications victim companies make to their own customers. This is almost always the only real information the public (and even security community) see about an intrusion and communicating what happened effectively is crucial to minimizing damage, both to customers and to your organization’s reputation. The 5 Keys to Incident Response Communication It’s difficult to investigate many intrusions....

September 22, 2014 · 7 min · Scott J Roberts

Using Robots to Fight Bad Guys

At the end of last year I was invited few places (CentralPA Open Source, BSidesDFW, & BayThreat) and gave a talk about some of the work I’ve done to adapt Hubot, GitHub’s friendly-ish chatbot, and GitHub’s Chat Ops workflow for DFIR. While it was great to get the ideas out there’s a lot to deploying, using, and customizing VTR. So this is my extended breakdown of ChatOps, Hubot, Hubot-VTR, and building modules in CoffeeScript....

May 14, 2014 · 5 min · Scott J Roberts