Last weekend my wife and I had a chance to head to BSides in New Orleans. There was a mixture of presentations, but the ones I liked most were around hunting and what to look for on endpoints. Devon Kerr presented artifacts mapped to Mandiant's attack lifecycle, while Wesley Riley from RSA presented on what artifacts to collect if your budget is slim. Michael Gough's presentation was also along these lines but focused on Windows audit logging and which event IDs are of value, plus a new tool called Log+MD, which helps to audit systems by comparing the audit policy to the recommended settings found on Michael's website malwarearcheology.com.
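To make the idea of "comparing the audit policy to recommended settings" concrete, here is an added PowerShell example of my own; it is not Log+MD, not code from Michael's site, and the baseline hashtable in it is a placeholder I made up, not his recommended settings. It assumes it is run from an elevated prompt on an English-locale Windows host, where `auditpol /get /category:* /r` prints the current policy as CSV.

```powershell
# Added example (not Log+MD): diff the live Windows audit policy against a baseline.
# The subcategory names and expected values below are an ASSUMED placeholder
# baseline; substitute the settings your organization actually adopts.
$Baseline = @{
    'Process Creation'          = 'Success'
    'Logon'                     = 'Success and Failure'
    'Logoff'                    = 'Success'
    'Security Group Management' = 'Success'
    'Audit Policy Change'       = 'Success and Failure'
}

# /r makes auditpol emit CSV with the columns:
# Machine Name, Policy Target, Subcategory, Subcategory GUID, Inclusion Setting, Exclusion Setting
$Current = auditpol /get /category:* /r | ConvertFrom-Csv

# Build one row per baseline subcategory showing expected vs. actual.
$Report = foreach ($sub in $Baseline.Keys) {
    $row    = $Current | Where-Object { $_.Subcategory -eq $sub }
    $actual = if ($row) { $row.'Inclusion Setting' } else { 'Not found' }
    [pscustomobject]@{
        Subcategory = $sub
        Expected    = $Baseline[$sub]
        Actual      = $actual
        Match       = ($actual -eq $Baseline[$sub])
    }
}

# Show every subcategory, then call out only the gaps so they are easy to act on.
$Report | Sort-Object Subcategory | Format-Table -AutoSize
$Gaps = $Report | Where-Object { -not $_.Match }
if ($Gaps) {
    Write-Warning ("{0} subcategories differ from the baseline" -f $Gaps.Count)
} else {
    Write-Host 'Audit policy matches the baseline'
}
```

The point of the script is the same as the point of the talk: the analyst decides which settings matter and encodes that decision as the baseline; the tool only reports the drift.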
What really struck a chord with me is the artifacts that were mentioned, for example:

- Auto start entry points

Among others... these are artifacts that most in the DFIR field recognize. Why are they mentioned repeatedly?
Because THEY WORK. They are useful if you are trying to find suspicious or malicious behavior on an endpoint. But for these artifacts to be relevant, it is not about running a tool, whether commercial or open source, analyzing its output and trusting the tool's logic to flag maliciousness. No, it is the analyst's responsibility to understand the artifacts. Through this understanding the analyst will choose the artifact sources relevant to the investigation they are performing.
As Wesley mentioned in his presentation, the best tool in a cyber security organization is a highly motivated analyst. That is why, if you are starting out in this field, it is important to read and reread the material that is available on these artifacts and on DFIR in general. Tool-specific training will only get you so far.
I will be posting learning materials in a separate page that I have found useful for DFIR work.
Keep on the good fight! Until next time...