Book: Incident Response & Computer Forensics 3rd edition

As part of the training I took this year, GCFA ( https://www.sans.org/course/advanced-incident-response-threat-hunting-training) I was given this book together with the course. Thumbs up for the people at SANS again. I came across this book, a lot before I attended my GCFA training however I never bought it, I believe I did not see benefits in it…

The top 10 windows logs event’s used to catch hackers

Very interesting presentation by Michael Gough from SecureWorks. It goes through some malware attack examples and the importance of the windows event id’s for their detection. Another must read. The top 10 windows logs event id's used v1.0 from Michael Gough

Intrusion Detection with Windows Event ID’s

This paper is the best I have ever read on how to build IOC’s with Windows Event ID’s. I highly recommend you to read it, it contains very useful information and some very interesting behavioural examples of attacker activity. If you are looking to enhance your detection in your core network this is the document! http://tinyurl.com/zpggnfq

Hunting down Threat Infrastructure (1)

In this two article series, I am going to explain how to spot anomalous activity in proxies and DNS queries coming out of your network. Additionally, I am also explaining how to recognize suspicious threat infrastructure, what elements you need to pay attention to, how this infrastructure behaves, what are the challenges for the defender and…

The evil side of DNS

Detection on this phase of the kill chain is not extremely complex, however from a business perspective it is critical for the organization to find this activity. An attacker who has progressed his attack to the C&C phase may be a dangerous and impactful threat for the business. Whether your organization is part of botnet…

Threat hunting quick fix

Are you currently threat hunting and not finding much? I do not support this threat hunting modality however it is true that I use it when I do not have the time to go on a hunting trip and keep focused. This is not a silver bullet but it is true that it can help…

Cyber Threat Hunting (3): Hunting in the perimeter

In this third post we are going to see what we need to look at when hunting and detecting adversaries in the perimeter. We are also going to look at some of the firewall technologies and their log formats in order to detect anomalies in the inbound and outbound traffic in your network.    …

Security Monitoring and attack detection planning guide

Today, I had some time to read the “The security Monitoring and Attack Detection Planning Guide” by Microsoft. I have read different documents in the last couple of months aimed at security monitoring in the Microsoft endpoint however this document it is completely up to date and can help organizations to understand the requirements they…

Cyber Threat Hunting (2): Getting Ready

In my previous post I went through the basics of hunting and its benefits for the organization and for analysts. To continue the journey, today I am going to cover the preparations you need to do before you go out there and hunt. We are covering preparations and locations to hunt. As you need some…

Cyber Threat Hunting (1): Intro

After some long months debating whether to write a white paper, and what potential topics I could write about – I just decided that I do not have enough time to go through the process of writing a research paper for the next 6 to 12 months. Instead, I am taking some of my research and current…