Blog
How to Orient During the Incident Response Process: OODA for DFIR 2020
In this post, you’ll learn how to approach the “Orient” phase of OODA during your incident response process. This post continues the one from 2 weeks ago on the “Observe” ...
Learn moreHow to Observe During the Incident Response Process: OODA for DFIR 2020
The holidays are over, we’ve caught up on our work, and it's time to reload the concept of the endpoint triage OODA loop back into our brains. In this post, ...
Learn moreVersion 2.11 Features: Investigation History, Timeline Filtering, and More!
Cyber Triage has two sets of users and we do our best to make them both happy (even though they want different features). The most recent 2.11 release focused on ...
Learn moreHow to Use OODA Loop in Your Incident Response Process in 2020
In this post, we'll cover a unique approach to applying the principles of OODA loop to your incident response process. In the Intro to DFIR series, we talked about specific technical ...
Learn moreCyber Triage 2.10 Features: Visualization, Exporting, and More
Cyber Triage 2.10 came out last month right before our workshop at OSDFCon, and we wanted to highlight a few user-requested features (recommendation engine visualization, flagging unseen files, and CSV ...
Learn moreHow to Detect System Configuration Changes – Intro to Incident Response Triage (Part 9) in 2019
This post outlines how you can identify system configuration changes that were made by an intruder during an incident response investigation. We were on a roll with this Intro to Incident ...
Learn moreHow to Detect Malware Remnants – Intro to Incident Response Triage (Part 8) in 2019
In this post, we are going to review how to detect malware remnants during an incident response investigation. A fundamental step in any DFIR triage scenario is to determine if there ...
Learn moreHow to Detect Running Malware – Intro to Incident Response Triage (Part 7)
Finding evidence of running malware is critical in DFIR, and this 7th post in my “Intro to Incident Response” series focuses on that. We’re going to cover how malicious code gets ...
Learn moreIncident Response Recommendation Engine: “You may like this process based on your interest in this file”
We’ve gotten used to websites suggesting products based on our past purchases and browsing habits. Now, your DFIR tool can do the same (well, it will recommend artifacts and not ...
Learn moreIntro to Incident Response Triage (Part 6) in 2019: Malware Persistence
This post tackles how to investigate malware persistence during incident response. We’re on a roll on this Intro to Incident Response series after its 2-year vacation. We’re up to posting #6, ...
Learn moreIntro to Incident Response Triage (Part 5) in 2019: User Activity
In this 5th article on our Intro to Incident Response series, we dive into investigating user activity. It’s the last that focuses on users, helping investigators understand if an account ...
Learn moreHow to Investigate User Logins – Intro to Incident Response Triage (Part 4) in 2019
In this post in our Intro to Incident Response series, we’re going to focus on investigating user logins to find suspicious user activity. This helps to identify user accounts that ...
Learn moreCollect Arbitrary Files Any Time During Incident Response
As we’ve talked about many times before on this blog, speed is of the essence during incident response and endpoint triage. To get quick answers, digital forensics and incident response ...
Learn moreIntro to Incident Response Triage (Part 3) in 2019: User Enumeration
Two years ago, I started to write a series of blog posts introducing incident response triage that evolved out of DFIR talks I was giving at conferences. I got two ...
Learn moreHow to Speed Up Incident Response in 2019: Faster Scoping
In our final post in our series on increasing incident response speed, we’re talking about scoping. As a reminder, we’ve reviewed these digital forensics and incident response (DFIR) phases: Start ...
Learn moreQueue Incident Response Collections to Triage and Prioritize
When DFIR consultants or law enforcement get to a customer site, it can be hard to know where to start a digital investigation, or how to prioritize incident response collections. ...
Learn moreHow to Speed Up Incident Response in 2019: Faster Analysis (Part 2)
In the last post, we talked about the types of DFIR analysis techniques. Now, we’re going to focus on incident response analysis tools and their role in speeding up investigations. The ...
Learn moreFinding Intrusion Evidence in the Same Folder
Finding digital evidence during DFIR is hard and often involves identifying something suspicious and investigating. One technique is to look in the same folder as a suspicious item to see ...
Learn moreHow to Speed Up Incident Response in 2019: Analyze Faster (Part 1)
This post (and the next) will focus on the best strategies to reduce the time it takes to analyze data during incident response. If you’re wondering why we focus on ...
Learn moreHow to Speed Up Incident Response in 2019: Faster Artifact Collection
This post will focus on the best strategies to accelerate data collection during incident response (IR). But, before we lay any strategies on the table, let’s discuss why speed during collection ...
Learn moreHow to Speed Up Incident Response in 2019: Start the Investigation Faster
To improve overall speed in digital forensics and incident response (DFIR), the time it takes to execute each step in the process shown below has to be reduced: Start the ...
Learn moreIncident Response KPIs: SPEED Is Critical. Here Are Five Reasons Why.
In the world of digital forensics and incident response (DFIR), speed is everything. While costs of slow performance can be hard to assess in other professions, the consequences of poor incident ...
Learn moreCollect Faster by Collecting Less
With its agentless approach, the latest Cyber Triage release gives users more control over what endpoint forensic artifacts are collected. This enables: Faster data collection Faster decision making. The 2.6 release ...
Learn moreReversingLabs Integration Improves Malware Scanning
With the latest 2.5.0 release of Cyber Triage, users get access to enterprise-grade malware scanning from ReversingLabs. This service provides more accurate scan results and is not typically available to incident ...
Learn moreDemisto Integration Provides Faster Responses for Cyber Triage Users
Cyber Triage users now have another option when looking for Security Orchestration and Automation Response (SOAR) solutions because Demisto can now launch a Cyber Triage investigation. Orchestration solutions allow companies ...
Learn moreUse of PsExec That Doesn’t Reveal Password Hashes
Cyber Triage is an agentless incident response system and one of the methods that we use to get data from a compromised endpoint is to send our collection tool out ...
Learn moreIt’s About Time(lines)!
https://www.youtube.com/embed/9G7mwfck2KQ Using timestamps to determine what happened before or after an event is vital when investigating your endpoints. Timestamps allow you to see what programs were run or websites visited that ...
Learn moreVolatility integration in Cyber Triage to Analyze Memory
Sometimes the only evidence on an intrusion is in memory and not on disk. In these cases, memory forensics provides crucial evidence to your investigation. Cyber Triage now integrates with ...
Learn moreSearch For Advanced Malware In Cyber Triage Using Yara Rules
You can now use Yara signatures in Cyber Triage to search endpoints for new or advanced malware during incident response. Yara allows malware researchers to define binary patterns that can ...
Learn moreIntegrate with Splunk for Faster Alert Triage
With the 2.1.10 Cyber Triage release, you can now integrate with Splunk. This allows you to remotely start collections about suspicious endpoints and bring the results back to Splunk for ...
Learn morePhantom Integration Allows for Faster Responses
The Cyber Triage team likes to build stuff around themes and one of our current themes is about integrations. It has been a growing feature request. This blog post talks ...
Learn moreMore Changes To Make Your Response Faster
Time is critical during incident response. Every minute you have an attacker roaming around your network can compromise valuable information and do irreparable damage to your systems. The latest Cyber ...
Learn moreAnalytics Make User Account Investigations Easier
When investigating an endpoint you need to look at user activity in addition to malware and system change indicators. Cyber Triage now provides analytics about user login behavior and activity. ...
Learn moreIntro to IR Triage (Part 2): Analysis Categories
In the 2nd post in our Intro to IR Triage series, we’re going to take a big picture view. I want to give you the roadmap of how we are ...
Learn moreIntro to IR Triage (Part 1): Buyer’s Guide
.two-col tr td:first-child {width: 25%; background-color: #f1f2f5; font-weight: bold;} Part 1: Host Triage Tool Buyer’s Guide I often encounter companies who are starting to think more formally about incident response and how to properly ...
Learn moreGet Free Incident Response Software
Organizations need to be able to respond to alerts and investigate their computers, but not every organization has an incident response budget or dedicated personnel. The newly released Cyber Triage ...
Learn moreCyber Triage Has a New Look
Cyber Triage 2.0 has been released with a new user interface and can be used for free (with a reduced feature set). The new UI allows you to make better ...
Learn moreExposing More Data to Save Time
The new Cyber Triage release allows you to better understand the impact of a threat. Now, you can automatically see what registry keys reference a file with malware, what ...
Learn moreFinding Suspicious Program Activity
The 1.6.1 release of Cyber Triage added a new automated analysis technique to make the life of an incident responder easier and more efficient. The new technique focuses on the ...
Learn moreDig Deeper: Find More IOCs and Fast Flux Domains
Find more evidence on an endpoint with the latest Cyber Triage release. Last week’s 1.6.0 release expands on Cyber Triage’s thoroughness and ease of use. We’ll talk about two new ...
Learn moreAutomating Incident Response: Setting the Stage
Overview Many companies want to improve their incident response capabilities and make them more effecient. Automation is often touted as way to improve the response times, but what does automation (or orchestration) mean ...
Learn moreMaturing towards Team-Based Incident Response
In our last blog post, we talked about how, as an organization’s security posture matures (often along with the organization itself), its strategy starts to move beyond prevention to focus ...
Learn moreMake Better Use of IDS Alerts for Incident Response
If your organization’s security posture is maturing beyond prevention and beginning to focus on detection, you may find yourself evaluating a host of new security technologies. Among the most attractive for ...
Learn moreCan DIY Incident Response Scale?
If you’ve ever purchased a house or vehicle, you may also, as many people do, have gone to the local hardware store to buy a starter kit of tools. You ...
Learn moreTailoring the Triage Process for Better Results
An incident first response is only as good as the time a responder can save. While automation can help scale the prioritization of many endpoints, as we wrote in our ...
Learn morePrioritizing Endpoints Helps to Focus Incident Response
As part of a responding flyaway team, it’s probably common for you to arrive at your client’s offices, only to be pointed to a set of boxes to start analyzing. ...
Learn moreUnderstanding Your Client’s “Normal”
Detecting an incident means one of two things. You have to see either a known problem -- such as high-risk malware infecting one or more client endpoints -- or something ...
Learn moreCan Security Infrastructure Work for Fly-Away Incident Responders?
Third-party incident response consultants face unique challenges when helping a company respond to an incident. Unlike internal incident responders, you’re unlikely to have full visibility into all of the client’s ...
Learn moreReducing Response Time with Whitelisting
When triaging a host during incident response, it is critical to be able to quickly focus on the suspicious data. Whitelisting gives you the ability to ignore known safe files, ...
Learn moreMaximizing Your Non-Persistent Agent’s Effectiveness
As we noted in our previous blog post about persistent agents, endpoint security and investigation can be a sticking point for many organizations. Particularly for those whose security posture is ...
Learn moreDo You Need Persistent Agents to Fight Persistent Threats?
When you think about how your organization can deal with network intrusions and Advanced Persistent Threats (APT), you’ll eventually start to think about your incident response procedures and capabilities. Many ...
Learn moreWhat is in your CSIRT First Responder’s Jump Kit?
Like other services, effective Computer Security Incident Response Teams (CSIRTs) are tiered. The First Responder on a CSIRT is much like the EMT who assess the situation and either deals ...
Learn moreCyber Triage: Act Faster!
If you are responsible for protecting digital information, then you will need to respond to a security incident at some point. However, many challenges arise during a response: Unfocused tools ...
Learn more