BigSnarf blog

Infosec FTW

Category Archives: Thoughts

Happy Pancake Stack

Brute Force D3.js Visualization

Running Apache Spark EMR and EC2 scripts on AWS with read write S3

Rsyslog Remotes sending to ElasticSearch and Kibana

Apache Spark 1.0.0 EMR via command line

Facebook Security At Scale 2014 videos


Incident Response -> Digital Forensics

The first IR book I got my hands on is pictured above. My first computer conference was FIRST (http://www.first.org/). It’s no wonder I’m a Blue Team kind of person. Here is my braindump of a common IR process.

  • Test your process. What automation is going to help IR -> DF?
  • Finding the trail …
  • What kind of system are you looking at?
  • Do you have remote access? Root access?
  • What evidence do you wish to collect from the system?
  • Remote acquisition of HDD, RAM, or interactive query?
  • VM? Cloud? Local? Remote office? Laptop? OS?
  • Custom tools? Audit scripts? Forensics automation?
  • pslist, malfind, filescan, sockets, connscan, and connections with the Volatility Framework?
  • Who’s talking to badguy.com?
  • Did you check your DNS logs?
  • Did you check your firewall logs?
  • Did you check the outbound proxy?
  • Whose internal address is 10.187.10.112?
  • What is that computer?
  • Who logged into that computer?
  • Did you check the DHCP logs?
  • Is that a static assignment?
  • OMG, that’s a Windows XP box?
  • When was that last patched? Was it phished?
  • Is it exploited?
  • What did anti-virus or host-based IDS say?
  • Facebook osquery installed on the box?
  • GRR installed? MIG?
  • Can I remotely image the HDD? Can I remotely image the memory?
  • What’s the baseline on the box?
  • Any Sysinternals tools on the box for process-monitoring baselines?
  • Files changed? Local logs?
  • Did the Windows XP box at 10.187.10.112 communicate with anyone?
  • Did this box do anything? Scans? Talk to any systems locally? Exfil?
  • Did you check the proxies?
  • Did you check the mapped drives?
  • Did you check the SIEM? NTOP? Logs?
  • What are the IOCs? C&C communications?
  • Suricata? Bro? Snort? Security Onion? MIDAS?
  • Are there PCAPs? Network packet logging?
  • Moloch? Packet Pig? DNS Pig? PCAP-RPC? MHN?
  • Is it time for forensics? Do you need to contain? Observe?
  • Remote or local acquisition? Memory or HDD?
  • Process extraction? File extraction? PySSDeep?
  • What tools are you going to use? Volatility? Bulk Extractor? Cuckoo? YARA? DNS graph? Communications graph?
  • Correlate to threat intelligence? Situational awareness? Vulns? Activate other processes? Protect data?
  • What box do I have to get to next? Follow the white rabbit?
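The "who talked to badguy.com, whose address was that, and was it the same machine all day" pivot from the list above, as an added example that is not part of the original post. It correlates a DNS resolver log with DHCP lease acknowledgements so that a client IP is attributed to the MAC and hostname that held the lease at the moment of the lookup, not to whoever holds it now. The log formats, hostnames, addresses and the domain badguy.com are constructed for illustration and are not from any real system; the lease length is assumed to be the last field of the DHCP line.

```python
"""
Added example (not from the original post): attribute DNS lookups of a
suspicious domain to the DHCP lease holder at the time of each lookup.
Log formats and sample data are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log: timestamp, client IP, "query", name, record type
DNS_LOG = """\
2014-06-10 09:12:01 10.187.10.112 query www.example.com A
2014-06-10 09:14:22 10.187.10.112 query badguy.com A
2014-06-10 09:14:23 10.187.10.112 query badguy.com A
2014-06-10 09:20:05 10.187.10.55 query updates.example.org A
2014-06-10 11:02:40 10.187.10.112 query intranet.corp.local A
2014-06-10 11:05:10 10.187.10.112 query c2.badguy.com A
"""

# Constructed DHCP server log: timestamp, ACK, IP, MAC, hostname, lease seconds.
# Note the same IP is re-leased to a different machine at 10:30 while the
# first lease is still nominally valid, which is exactly the trap a
# time-unaware "who has 10.187.10.112" lookup falls into.
DHCP_LOG = """\
2014-06-10 08:00:00 ACK 10.187.10.112 00:11:22:33:44:55 LAPTOP-ALICE 14400
2014-06-10 08:05:00 ACK 10.187.10.55 66:77:88:99:aa:bb WKS-BOB 14400
2014-06-10 10:30:00 ACK 10.187.10.112 aa:bb:cc:dd:ee:ff WINXP-KIOSK 14400
"""

DNS_RE = re.compile(r"^(\S+ \S+) (\S+) query (\S+) (\S+)$")
DHCP_RE = re.compile(r"^(\S+ \S+) ACK (\S+) (\S+) (\S+) (\d+)$")
TS = "%Y-%m-%d %H:%M:%S"


def parse_dns(text):
    """Yield (timestamp, client_ip, queried_name) for well-formed lines."""
    events = []
    for line in text.splitlines():
        m = DNS_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), TS), m.group(2), m.group(3).lower()))
    return events


def parse_dhcp(text):
    """Turn each ACK into a lease with an explicit validity window."""
    leases = []
    for line in text.splitlines():
        m = DHCP_RE.match(line)
        if m:
            start = datetime.strptime(m.group(1), TS)
            leases.append({"start": start, "end": start + timedelta(seconds=int(m.group(5))),
                           "ip": m.group(2), "mac": m.group(3), "host": m.group(4)})
    return leases


def clients_querying(dns_events, domain):
    """Map client IP -> lookup times for the domain or any of its subdomains."""
    hits = defaultdict(list)
    for ts, client, name in dns_events:
        if name == domain or name.endswith("." + domain):
            hits[client].append(ts)
    return dict(hits)


def lease_holder(leases, ip, at):
    """Lease covering `ip` at time `at`; the most recent ACK wins on overlap."""
    covering = [l for l in leases if l["ip"] == ip and l["start"] <= at < l["end"]]
    return max(covering, key=lambda l: l["start"]) if covering else None


def attribute_lookups(dns_text, dhcp_text, domain):
    """For every lookup of `domain`, say which MAC/hostname held the client IP then."""
    leases = parse_dhcp(dhcp_text)
    results = []
    for client, times in clients_querying(parse_dns(dns_text), domain).items():
        for ts in times:
            lease = lease_holder(leases, client, ts)
            results.append({"time": ts, "ip": client,
                            "mac": lease["mac"] if lease else None,
                            "host": lease["host"] if lease else None})
    return sorted(results, key=lambda r: r["time"])


if __name__ == "__main__":
    for r in attribute_lookups(DNS_LOG, DHCP_LOG, "badguy.com"):
        print(r["time"], r["ip"], "->", r["mac"], r["host"])
```

Run as-is it reports the two morning lookups against LAPTOP-ALICE and the 11:05 lookup of c2.badguy.com against WINXP-KIOSK, even though both came from 10.187.10.112. A lookup that lands outside every lease window comes back with no MAC or hostname, which is the cue to check for a static assignment rather than to blame the current lease holder.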

Top 25 Programming-Code Links that get clicked every day on this blog

Misc Algebird

Use cases for probabilistic data structures in Infosec metrics

Use Cases for monitoring counts on anything and for network monitoring

  • Network login counts
  • Failed attempts per user
  • Failed attempts per group
  • Failed attempts per role
  • Success counts for the above
  • Password reset volumes per day, month, year
  • Counts of credentials per person
  • Password age
  • Password change day counts
  • Password lengths
  • Counts of user accounts issued overall
  • Time elapsed for provisioning
  • Time elapsed for decommissioning
  • Time elapsed for authorization of changes
  • Number of privileged accounts per person
  • Infection counts per user
  • Infection counts per machine
  • Infection counts per IP
  • New account provisioning counts per hour, day, week, month, year
  • Success and failure counts for each IP per user
  • Counts of login devices
  • Counts of unique login destinations
  • Packet counts
  • Port counts
  • DNS request counts per host
  • DNS requests overall
  • DNS requests to internal devices
  • DNS requests for each device
  • Per-device aggregation of all types of traffic
  • Comparing the increase in DNS requests per second against the average number of DNS requests per second
  • DHCP request counts
  • DHCP lease request counts per segment
  • Availability
  • Packet delay
  • Packet reordering
  • Packet loss
  • Packet inter-arrival jitter
  • Packet type counters for each host
  • Bandwidth measurements (capacity, achievable throughput)
  • Tweet counts per user
  • Counts of tweets from user to user
  • Counts of word uses in tweets
  • Counts of hashtag uses in tweets
  • Counts of uses of any word or hashtag from specific locations
  • Device counts
  • Software counts
  • Application patch level counts
  • Active user counts
  • Inactive user counts
  • Remote login counts per country
  • Remote login counts per IP address
  • Website visit counts per user
  • Email counts
  • Email attachment counts
  • Spam counts
  • Statistics per developer
  • Stats on access per application, IP address, service, user
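One of the probabilistic structures the list is about, applied to "failed attempts per user" and "per IP", as an added example that is not the post's own code and not Algebird (which implements these sketches in Scala): a standalone Python Count-Min Sketch. The sshd-style auth log lines are constructed for illustration. The point it shows that the list alone does not: the sketch uses fixed memory regardless of how many users or IPs appear, it never undercounts, and two sketches of the same shape merge cell-wise, so per-collector sketches can be combined centrally without re-reading the logs.

```python
"""
Added example (not from the original post, not Algebird): a Count-Min
Sketch for failed-login counts per user and per source IP.
Log lines below are constructed for illustration.
"""
import hashlib
import re

# Constructed sshd-style auth log (not from a real host)
AUTH_LOG = """\
Jun 10 09:01:02 bastion sshd[1001]: Failed password for alice from 10.187.10.112 port 51022 ssh2
Jun 10 09:01:05 bastion sshd[1001]: Failed password for alice from 10.187.10.112 port 51023 ssh2
Jun 10 09:01:09 bastion sshd[1002]: Accepted password for alice from 10.187.10.112 port 51024 ssh2
Jun 10 09:02:11 bastion sshd[1003]: Failed password for root from 203.0.113.7 port 40001 ssh2
Jun 10 09:02:12 bastion sshd[1003]: Failed password for root from 203.0.113.7 port 40002 ssh2
Jun 10 09:02:13 bastion sshd[1003]: Failed password for admin from 203.0.113.7 port 40003 ssh2
Jun 10 09:02:14 bastion sshd[1003]: Failed password for root from 203.0.113.7 port 40004 ssh2
Jun 10 09:05:00 bastion sshd[1004]: Failed password for bob from 10.187.10.55 port 50100 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")


class CountMinSketch:
    """Fixed-memory approximate counter: estimates never undercount, may overcount."""

    def __init__(self, width=1024, depth=4):
        self.width, self.depth = width, depth
        self.table = [[0] * width for _ in range(depth)]
        self.total = 0

    def _index(self, key, row):
        # One independent hash per row; SHA-256 keeps it deterministic across runs.
        h = hashlib.sha256(f"{row}:{key}".encode()).digest()
        return int.from_bytes(h[:8], "big") % self.width

    def add(self, key, count=1):
        self.total += count
        for row in range(self.depth):
            self.table[row][self._index(key, row)] += count

    def estimate(self, key):
        # The minimum over rows is the least-collided cell, hence the tightest bound.
        return min(self.table[row][self._index(key, row)] for row in range(self.depth))

    def merge(self, other):
        """Sketches of identical shape add cell-wise (the monoid Algebird relies on)."""
        assert (self.width, self.depth) == (other.width, other.depth)
        out = CountMinSketch(self.width, self.depth)
        out.total = self.total + other.total
        for r in range(self.depth):
            out.table[r] = [a + b for a, b in zip(self.table[r], other.table[r])]
        return out


def sketch_failures(log_text, width=1024, depth=4):
    """Return (per-user sketch, per-IP sketch, set of (user, ip) pairs seen)."""
    users, ips = CountMinSketch(width, depth), CountMinSketch(width, depth)
    seen = set()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            users.add(m.group(1))
            ips.add(m.group(2))
            seen.add((m.group(1), m.group(2)))
    return users, ips, seen


def heavy_hitters(sketch, candidates, threshold):
    """Candidates whose estimated count meets the threshold, sorted for stable output."""
    return sorted(k for k in candidates if sketch.estimate(k) >= threshold)


if __name__ == "__main__":
    users, ips, seen = sketch_failures(AUTH_LOG)
    print("failed per user:", {u: users.estimate(u) for u, _ in seen})
    print("failed per ip:  ", {i: ips.estimate(i) for _, i in seen})
    print("ips with >= 3 failures:", heavy_hitters(ips, {i for _, i in seen}, 3))
```

A Count-Min Sketch answers point queries but cannot enumerate its keys, so reporting heavy hitters needs a candidate set tracked alongside it (here the small set of keys seen; at scale, a separate top-k structure). The overcount is bounded by the total inserted divided by the width, so size the width from the volume you expect, not from the number of distinct keys.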

https://bigsnarf.wordpress.com/2013/02/08/probabilistic-data-structures-for-data-analytics/
