Author Archives: user

There’s a flawed logic that exists within many tech and cyber teams. High-performing individual contributors are offered leadership opportunities, because there’s an assumption their technical expertise translates to leadership expertise. The truth is: being a great leader requires a specialized skill set. Below is a list of books every leader needs to read, digest, and […]

Building an Insider Threat Program: Essential Resources Insider threats are often downplayed, but they pose a significant risk to organizations, as employees, contractors, and business partners often have access to sensitive systems and data. Unlike external cyber threats, insider threats originate from individuals with legitimate credentials, making them harder to detect and mitigate. These threats […]

As I reflect on my early days learning about digital forensics and incident response, I recall a particularly challenging experience that had an impact on my approach to threat hunting. It was during a SANS FOR500 course where we were presented with a case involving a missing person’s laptop hard drive. The capstone task was: […]

Hypothesis chaining is a method that enables threat hunters to narrow down search results during a hunt by appending or branching off of their original hypothesis. This technique helps threat hunters take an overwhelming output from a hunt and continue their investigation without being hindered by a large volume of results. For example, a threat […]

Running a “ipport:53” process search in Carbon Black has helped to locate hosts and/or processes performing an abnormal number of DNS queries, however recently I wanted to hunt processes generating punycode IDN DNS queries on a client network. Alerts were triggered by their SIEM, which was ingesting Microsoft Server DNS logs. The Sumo Logic alert […]

Before starting, big shout out to Eric Zimmerman (https://github.com/EricZimmerman/) for creating so many great free DFIR tools. KAPE can be downloaded here: https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape KAPE is a standalone program that does not need to be installed. Decompress the zip file to a directory of your choosing and you are ready to go. KAPE requires administrator rights […]

I often get asked which books are worth reading for an aspiring InfoSec pro. While there are many great books out there, each serving a unique purpose, here are my general recommendations. The Basics: Wireshark 101: Essential Skills for Network Analysis – Second Edition: Wireshark Solution Series Practical Packet Analysis, 3E: Using Wireshark to Solve […]