BigSnarf blog

Infosec FTW

Monthly Archives: November 2014

Incident Response -> Digital Forensics

First IR book I got my hands on above. My first computer conference was It’s no wonder I’m a Blue Team kinda person. Here is my common process IR braindump.

  • Test your process? What automation is gonna help IR -> DF?
  • Finding the trail …
  • What kind of system are you looking at?
  • Do you have remote access? Root access?
  • What evidence do you wish to collect from the system?
  • Remote acquisition of HDD, Ram or interactive query?
  • VM? Cloud? Local? Remote Office? Laptop? OS?
  • Custom tools? Audit scripts? Forensics Automation?
  • pslist, malfind, filescan, sockets, connscan, and connections with Volatility Framework?
  • Who’s talking to
  • Did you check your DNS logs?
  • Did you check your Firewall logs?
  • Did you check the outbound proxy?
  • Whose internal address is on
  • What is that computer?
  • Who logged into that computer?
  • Did you check the DHCP logs?
  • Is that a static assignment?
  • OMG that’s a Windows XP box?
  • When was that last patched? Was it phished?
  • Is it exploited?
  • What did anti-virus or host based IDS say?
  • Facebook OSQuery installed on box?
  • GRR installed? MIG?
  • Can I remote image the HDD? Can I remote image the Mem?
  • What’s the baseline on the box?
  • Any Sysinternals tools on the box for process monitoring baselines?
  • Files changed? Local logs?
  • Did the Windows XP box at communicate with anyone?
  • Did this box do anything? Scans? Talk to any systems locally? Exfil?
  • Did you check the proxies?
  • Did you check the mapped drives?
  • Did you check the SIEM? NTOP? Logs?
  • What are the IOCs? C&C communications?
  • Suricata? Bro? Snort? Security Onion? MIDAS?
  • Are there PCAPs? Network packet logging?
  • Moloch? Packet Pig? DNS Pig? PCAP-RPC? MHN?
  • Is it time for forensics? Do you need to contain? Observe?
  • Remote or local acquisition? Mem or HDD?
  • Process extraction? File extraction? PySSDeep?
  • What tools you gonna use? Volatility? Bulk extractor? Cuckoo? YARA? DNS Graph? Communications graph?
  • Correlate to threat intelligence? Situational awareness? Vulns? Activate other processes? Protect data?
  • What box do I got to get to next? Follow the white rabbit?
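Several of the questions above (who had that internal address, is it a static assignment, what did it resolve via DNS) come down to joining a DHCP lease log against a DNS query log by IP and time window. The snippet below is an added example, not the blog author's code; the lease records, DNS lines and the static-assignment table are constructed, and the point it makes is that the same IP maps to different hosts depending on when you look.

```python
"""Correlate DHCP leases with DNS queries for one internal IP (added example, constructed data)."""
from datetime import datetime, timedelta

# Constructed DHCP lease log: (lease start, lease end, ip, mac, hostname). Not real data.
DHCP_LEASES = [
    ("2014-11-03 08:00:00", "2014-11-03 20:00:00", "10.1.2.50", "00:11:22:33:44:55", "WS-XP-FINANCE"),
    ("2014-11-03 20:05:00", "2014-11-04 08:05:00", "10.1.2.50", "66:77:88:99:aa:bb", "LAPTOP-SALES"),
]
# Constructed DNS query log: (timestamp, client ip, queried name).
DNS_LOG = [
    ("2014-11-03 09:15:10", "10.1.2.50", "update.example-vendor.test"),
    ("2014-11-03 09:15:12", "10.1.2.50", "cdn.example-vendor.test"),
    ("2014-11-03 21:00:00", "10.1.2.50", "intranet.corp.test"),
    ("2014-11-03 09:16:00", "10.1.2.77", "mail.corp.test"),
]
# Constructed static reservations: an IP that never appears in DHCP leases.
STATIC_ASSIGNMENTS = {"10.1.2.10": "PRINTER-01"}

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def who_had_ip(ip, at):
    """Return (hostname, mac, 'dhcp' | 'static' | None) for `ip` at time `at`."""
    t = parse(at)
    for start, end, lease_ip, mac, host in DHCP_LEASES:
        if lease_ip == ip and parse(start) <= t <= parse(end):
            return host, mac, "dhcp"
    if ip in STATIC_ASSIGNMENTS:          # no lease: check for a static assignment
        return STATIC_ASSIGNMENTS[ip], None, "static"
    return None, None, None               # unknown: neither leased nor reserved

def dns_names_for(ip, at, window_minutes=60):
    """Names the client at `ip` resolved within +/- window_minutes of `at`, deduplicated, in log order."""
    t = parse(at)
    lo, hi = t - timedelta(minutes=window_minutes), t + timedelta(minutes=window_minutes)
    seen = []
    for ts, client, name in DNS_LOG:
        if client == ip and lo <= parse(ts) <= hi and name not in seen:
            seen.append(name)
    return seen

if __name__ == "__main__":
    ip, at = "10.1.2.50", "2014-11-03 09:15:00"
    print(who_had_ip(ip, at), dns_names_for(ip, at))
```

Note that the 21:00 query from the same IP belongs to a different lease (and a different machine), which is why the time window matters before attributing activity to a host.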

Top 25 Programming-Code Links that get clicked every day on this blog

Misc Algebird

Use cases for probabilistic data structures in Infosec metrics

Use Cases for monitoring counts on anything and for network monitoring

  • Network Login counts
  • Failed attempts per user
  • Failed attempts per groups
  • Failed attempts per role
  • Success counts for above
  • Passwords reset volumes per day, month, year
  • Counts for credentials per person
  • Password age
  • Password change day counts
  • Password lengths
  • User accounts counts for overall issued
  • Time elapsed for provision
  • Time elapsed for decommission
  • Time elapsed for authorization for changes
  • Number of privilege accounts per person
  • Infection counts per user
  • Infection counts per machine
  • Infection counts per IP
  • New account provisioning counts per hour, day, week, month, year
  • Success and failed for each IP per user counts
  • Counts of login devices
  • Counts of login unique destinations
  • Packet Counts
  • Port Counts
  • DNS request counts per host
  • DNS over all
  • DNS request to internal devices
  • DNS request for each device
  • Per device aggregation of all types of traffic
  • Comparing the increase of the number of DNS requests per second with respect to the average number of DNS requests per second
  • DHCP request counts
  • Segment DHCP counts for lease requests
  • Availability
  • Packet Delay
  • Packet Reordering
  • Packet Loss
  • Packet Inter-arrival Jitter
  • Types of packets counters for each host
  • Bandwidth Measurements (Capacity, Achievable Throughputs)
  • Counts for twitter per user
  • Counts of tweets from user to user
  • Counts of uses of words in tweets
  • Counts of uses of hashtag in tweets
  • Counts of uses of any word or hashtag from specific locations
  • Device counts
  • Software counts
  • Application patch level counts
  • Active user counts
  • Inactive user counts
  • Remote login per country counts
  • Remote login per IP address counts
  • Website visit counts per user
  • Email counts
  • Email attachment counts
  • SPAM counts
  • Statistics for developers
  • Stats on access per application, IP address, service, user
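Most of the items above are "count occurrences of a key in a stream", which is exactly where a Count-Min sketch earns its fixed memory footprint. The block below is an added example in plain Python, not Algebird's implementation, covering two entries from the list: DNS request counts per host, and the comparison of the per-second DNS request count against the average per-second count. The DNS events are constructed, with one host bursting in a single second.

```python
"""Count-Min sketch over DNS query events plus a per-second rate vs. average check (added example)."""
import hashlib
from collections import defaultdict

class CountMinSketch:
    """Approximate counter: estimates never under-count; collisions can only over-count."""
    def __init__(self, width=1024, depth=4):
        self.width, self.depth = width, depth
        self.table = [[0] * width for _ in range(depth)]

    def _idx(self, key, row):
        # One independent-looking hash per row by salting the key with the row number.
        h = hashlib.sha256(f"{row}:{key}".encode()).digest()
        return int.from_bytes(h[:8], "big") % self.width

    def add(self, key, n=1):
        for row in range(self.depth):
            self.table[row][self._idx(key, row)] += n

    def estimate(self, key):
        return min(self.table[row][self._idx(key, row)] for row in range(self.depth))

# Constructed DNS log: (epoch second, querying host). Three hosts query once per second
# for 30 seconds; host "ws-17" fires 40 queries within the single second 1415000005.
DNS_EVENTS = [(1415000000 + s, "ws-%02d" % (s % 3)) for s in range(30)]
DNS_EVENTS += [(1415000005, "ws-17")] * 40

def per_host_counts(events):
    """Sketch of DNS request counts per host (the 'DNS request counts per host' metric)."""
    cms = CountMinSketch()
    for _, host in events:
        cms.add(host)
    return cms

def rate_spikes(events, threshold=3.0):
    """Seconds whose DNS query count exceeds threshold x the average per-second count."""
    per_second = defaultdict(int)
    for sec, _ in events:
        per_second[sec] += 1
    avg = sum(per_second.values()) / len(per_second)
    return sorted(sec for sec, n in per_second.items() if n > threshold * avg)

if __name__ == "__main__":
    cms = per_host_counts(DNS_EVENTS)
    print({h: cms.estimate(h) for h in ("ws-00", "ws-01", "ws-02", "ws-17")}, rate_spikes(DNS_EVENTS))
```

The sketch uses width x depth integers regardless of how many distinct hosts appear, which is the trade: exact counts per host are replaced by an upper-bound estimate that is exact unless a key collides in every row.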

Reading – Probabilistic Programming & Bayesian Methods for Hackers

Statistical Analysis

Data collection: We will use data from a large national survey that was designed explicitly with the goal of generating statistically valid inferences about the U.S. population.

Descriptive statistics: We will generate statistics that summarize the data concisely, and evaluate different ways to visualize data.

Exploratory data analysis: We will look for patterns, differences, and other features that address the questions we are interested in. At the same time we will check for inconsistencies and identify limitations.

Hypothesis testing: Where we see apparent effects, like a difference between two groups, we will evaluate whether the effect is real, or whether it might have happened by chance.

Estimation: We will use data from a sample to estimate characteristics of the general population.



Infosec Big Data Stack Developer

Nice explanation of Adaptive Machine Learning in a Streaming environment

Automated Security Testing

  1. Nikto
  2. Nmap
  3. Openvas
  4. Spiderfoot
  5. Sslscan
  6. Sqlmap
  7. Xsser
  8. Dns_Malware
  9. Geoip
  10. Punkspider
  11. Shodan
  12. Plecost
  13. Default Error Page
  14. Directory Listing
  15. Exploit-DB
  16. Fingerprint Web
  17. Brute Directories
  18. Brute Dns
  19. Brute Extensions
  20. Brute Permutations
  21. Brute Predictables
  22. Brute Prefixes
  23. Brute Suffixes

Still interesting work