Books Every Cybersecurity Leader Needs to Read

There’s a flawed logic that exists within many tech and cyber teams. High-performing individual contributors are offered leadership opportunities, because there’s an assumption their technical expertise translates to leadership expertise. The truth is: being a great leader requires a specialized skill set. Below is a list of books every leader needs to read, digest, and […]

Insider Threat Training & Program Development

Building an Insider Threat Program: Essential Resources Insider threats are often downplayed, but they pose a significant risk to organizations, as employees, contractors, and business partners often have access to sensitive systems and data. Unlike external cyber threats, insider threats originate from individuals with legitimate credentials, making them harder to detect and mitigate. These threats […]

Insider Threat Hunting PRECEED Framework

As I reflect on my early days learning about digital forensics and incident response, I recall a particularly challenging experience that had an impact on my approach to threat hunting. It was during a SANS FOR500 course where we were presented with a case involving a missing person’s laptop hard drive. The capstone task was: […]

Threat Hunting: Hypothesis Chaining

Hypothesis chaining is a method that enables threat hunters to narrow down search results during a hunt by appending or branching off of their original hypothesis. This technique helps threat hunters take an overwhelming output from a hunt and continue their investigation without being hindered by a large volume of results. For example, a threat […]

Hunting Punycode IDNs Using Carbon Black EDR

Running an “ipport:53” process search in Carbon Black has helped to locate hosts and/or processes performing an abnormal number of DNS queries; however, recently I wanted to hunt for processes generating punycode IDN DNS queries on a client network. Alerts were triggered by their SIEM, which was ingesting Microsoft Server DNS logs. The Sumo Logic alert […]

Acquiring a Triage Image Using KAPE and Carbon Black Go Live

Before starting, a big shout-out to Eric Zimmerman (https://github.com/EricZimmerman/) for creating so many great free DFIR tools. KAPE can be downloaded here: https://www.kroll.com/en/insights/publications/cyber/kroll-artifact-parser-extractor-kape. KAPE is a standalone program that does not need to be installed. Decompress the zip file to a directory of your choosing and you are ready to go. KAPE requires administrator rights […]