Blog
How to Get Your Data & Services Back Online: Ransomware Recovery 2021
In this post, we are going to show you what role the DFIR team can play to get data and services back online after a ransomware attack. This is the ...
How to Beat Ransomware in 2021: Key Questions that Make or Break Your Response
Ransomware is everywhere these days, and we want to help DFIR investigators take a methodical approach to responding to an attack. In this post, we’re going to talk about briefly ...

Cyber Triage 2.14: Upload Your DFIR Artifacts to S3
The major theme of the Cyber Triage 2.14 release was making it easier to get artifacts from remote systems. To that end, the collection tool can now: Directly upload the ...

Cyber Triage 2.13.1: Feedback-Driven Upgrades (See, We Listen!)
It’s been quite a summer! On top of managing the COVID world, our engineering team has been both satisfying customer requests & ripping the internals of Cyber Triage to make version ...

Cyber Triage 2.13: Offline Malware Scanning Now Available
We love customer feedback and the Cyber Triage 2.13 release is all about solving challenges brought to us by our users. The first challenge is how to interface with malware ...

How to Execute During Incident Response: OODA for DFIR 2020
We’re at the final post in our OODA and endpoint triage series where we’ve been talking about using the OODA loop during the investigative process. It’s time to execute (or ...

Cyber Triage 2.12: Online File Reputation Service is Released
We are happy to introduce the new Cyber Triage Online File Reputation Service that reduces the configuration overhead for our users and gives them more information about collected files. This service ...

How to Make Data-Based Decisions During Incident Response: OODA for DFIR 2020
We’re on post #4 of our OODA and endpoint triage series, and it's time to talk about how to make data-based decisions during incident response. I was reminded by the series ...

How to Orient During the Incident Response Process: OODA for DFIR 2020
In this post, you’ll learn how to approach the “Orient” phase of OODA during your incident response process. This post continues the one from 2 weeks ago on the “Observe” ...

How to Observe During the Incident Response Process: OODA for DFIR 2020
The holidays are over, we’ve caught up on our work, and it's time to reload the concept of the endpoint triage OODA loop back into our brains. In this post, ...

Version 2.11 Features: Investigation History, Timeline Filtering, and More!
Cyber Triage has two sets of users and we do our best to make them both happy (even though they want different features). The most recent 2.11 release focused on ...

How to Use OODA Loop in Your Incident Response Process in 2020
In this post, we'll cover a unique approach to applying the principles of OODA loop to your incident response process. In the Intro to DFIR series, we talked about specific technical ...

Cyber Triage 2.10 Features: Visualization, Exporting, and More
Cyber Triage 2.10 came out last month right before our workshop at OSDFCon, and we wanted to highlight a few user-requested features (recommendation engine visualization, flagging unseen files, and CSV ...

How to Detect System Configuration Changes – Intro to Incident Response Triage (Part 9) in 2019
This post outlines how you can identify system configuration changes that were made by an intruder during an incident response investigation. We were on a roll with this Intro to Incident ...

How to Detect Malware Remnants – Intro to Incident Response Triage (Part 8) in 2019
In this post, we are going to review how to detect malware remnants during an incident response investigation. A fundamental step in any DFIR triage scenario is to determine if there ...

How to Detect Running Malware – Intro to Incident Response Triage (Part 7)
Finding evidence of running malware is critical in DFIR, and this 7th post in my “Intro to Incident Response” series focuses on that. We’re going to cover how malicious code gets ...

Incident Response Recommendation Engine: “You may like this process based on your interest in this file”
We’ve gotten used to websites suggesting products based on our past purchases and browsing habits. Now, your DFIR tool can do the same (well, it will recommend artifacts and not ...

Intro to Incident Response Triage (Part 6) in 2019: Malware Persistence
This post tackles how to investigate malware persistence during incident response. We’re on a roll on this Intro to Incident Response series after its 2-year vacation. We’re up to posting #6, ...

Intro to Incident Response Triage (Part 5) in 2019: User Activity
In this 5th article on our Intro to Incident Response series, we dive into investigating user activity. It’s the last that focuses on users, helping investigators understand if an account ...

How to Investigate User Logins – Intro to Incident Response Triage (Part 4) in 2019
In this post in our Intro to Incident Response series, we’re going to focus on investigating user logins to find suspicious user activity. This helps to identify user accounts that ...

Collect Arbitrary Files Any Time During Incident Response
As we’ve talked about many times before on this blog, speed is of the essence during incident response and endpoint triage. To get quick answers, digital forensics and incident response ...

Intro to Incident Response Triage (Part 3) in 2019: User Enumeration
Two years ago, I started to write a series of blog posts introducing incident response triage that evolved out of DFIR talks I was giving at conferences. I got two ...

How to Speed Up Incident Response in 2019: Faster Scoping
In our final post in our series on increasing incident response speed, we’re talking about scoping. As a reminder, we’ve reviewed these digital forensics and incident response (DFIR) phases: Start ...

Queue Incident Response Collections to Triage and Prioritize
When DFIR consultants or law enforcement get to a customer site, it can be hard to know where to start a digital investigation, or how to prioritize incident response collections. ...

How to Speed Up Incident Response in 2019: Faster Analysis (Part 2)
In the last post, we talked about the types of DFIR analysis techniques. Now, we’re going to focus on incident response analysis tools and their role in speeding up investigations. The ...

Finding Intrusion Evidence in the Same Folder
Finding digital evidence during DFIR is hard and often involves identifying something suspicious and investigating. One technique is to look in the same folder as a suspicious item to see ...

How to Speed Up Incident Response in 2019: Analyze Faster (Part 1)
This post (and the next) will focus on the best strategies to reduce the time it takes to analyze data during incident response. If you’re wondering why we focus on ...

How to Speed Up Incident Response in 2019: Faster Artifact Collection
This post will focus on the best strategies to accelerate data collection during incident response (IR). But, before we lay any strategies on the table, let’s discuss why speed during collection ...

How to Speed Up Incident Response in 2019: Start the Investigation Faster
To improve overall speed in digital forensics and incident response (DFIR), the time it takes to execute each step in the process shown below has to be reduced: Start the ...

Incident Response KPIs: SPEED Is Critical. Here Are Five Reasons Why.
In the world of digital forensics and incident response (DFIR), speed is everything. While costs of slow performance can be hard to assess in other professions, the consequences of poor incident ...

Collect Faster by Collecting Less
With its agentless approach, the latest Cyber Triage release gives users more control over what endpoint forensic artifacts are collected. This enables faster data collection and faster decision making. The 2.6 release ...

ReversingLabs Integration Improves Malware Scanning
With the latest 2.5.0 release of Cyber Triage, users get access to enterprise-grade malware scanning from ReversingLabs. This service provides more accurate scan results and is not typically available to incident ...

Demisto Integration Provides Faster Responses for Cyber Triage Users
Cyber Triage users now have another option when looking for Security Orchestration and Automation Response (SOAR) solutions because Demisto can now launch a Cyber Triage investigation. Orchestration solutions allow companies ...

Use of PsExec That Doesn’t Reveal Password Hashes
Cyber Triage is an agentless incident response system and one of the methods that we use to get data from a compromised endpoint is to send our collection tool out ...

It’s About Time(lines)!
Using timestamps to determine what happened before or after an event is vital when investigating your endpoints. Timestamps allow you to see what programs were run or websites visited that ...

Volatility integration in Cyber Triage to Analyze Memory
Sometimes the only evidence of an intrusion is in memory and not on disk. In these cases, memory forensics provides crucial evidence to your investigation. Cyber Triage now integrates with ...

Search For Advanced Malware In Cyber Triage Using Yara Rules
You can now use Yara signatures in Cyber Triage to search endpoints for new or advanced malware during incident response. Yara allows malware researchers to define binary patterns that can ...

Integrate with Splunk for Faster Alert Triage
With the 2.1.10 Cyber Triage release, you can now integrate with Splunk. This allows you to remotely start collections about suspicious endpoints and bring the results back to Splunk for ...

Phantom Integration Allows for Faster Responses
The Cyber Triage team likes to build stuff around themes and one of our current themes is about integrations. It has been a growing feature request. This blog post talks ...

More Changes To Make Your Response Faster
Time is critical during incident response. Every minute you have an attacker roaming around your network can compromise valuable information and do irreparable damage to your systems. The latest Cyber ...

Analytics Make User Account Investigations Easier
When investigating an endpoint you need to look at user activity in addition to malware and system change indicators. Cyber Triage now provides analytics about user login behavior and activity. ...

Intro to IR Triage (Part 2): Analysis Categories
In the 2nd post in our Intro to IR Triage series, we’re going to take a big picture view. I want to give you the roadmap of how we are ...

Intro to IR Triage (Part 1): Buyer’s Guide
Part 1: Host Triage Tool Buyer’s Guide. I often encounter companies who are starting to think more formally about incident response and how to properly ...

Get Free Incident Response Software
Organizations need to be able to respond to alerts and investigate their computers, but not every organization has an incident response budget or dedicated personnel. The newly released Cyber Triage ...

Cyber Triage Has a New Look
Cyber Triage 2.0 has been released with a new user interface and can be used for free (with a reduced feature set). The new UI allows you to make better ...

Exposing More Data to Save Time
The new Cyber Triage release allows you to better understand the impact of a threat. Now, you can automatically see what registry keys reference a file with malware, what ...

Finding Suspicious Program Activity
The 1.6.1 release of Cyber Triage added a new automated analysis technique to make the life of an incident responder easier and more efficient. The new technique focuses on the ...

Dig Deeper: Find More IOCs and Fast Flux Domains
Find more evidence on an endpoint with the latest Cyber Triage release. Last week’s 1.6.0 release expands on Cyber Triage’s thoroughness and ease of use. We’ll talk about two new ...

Automating Incident Response: Setting the Stage
Many companies want to improve their incident response capabilities and make them more efficient. Automation is often touted as a way to improve response times, but what does automation (or orchestration) mean ...

Maturing towards Team-Based Incident Response
In our last blog post, we talked about how, as an organization’s security posture matures (often along with the organization itself), its strategy starts to move beyond prevention to focus ...

Make Better Use of IDS Alerts for Incident Response
If your organization’s security posture is maturing beyond prevention and beginning to focus on detection, you may find yourself evaluating a host of new security technologies. Among the most attractive for ...

Can DIY Incident Response Scale?
If you’ve ever purchased a house or vehicle, you may also, as many people do, have gone to the local hardware store to buy a starter kit of tools. You ...

Tailoring the Triage Process for Better Results
An incident first response is only as good as the time a responder can save. While automation can help scale the prioritization of many endpoints, as we wrote in our ...

Prioritizing Endpoints Helps to Focus Incident Response
As part of a responding flyaway team, it’s probably common for you to arrive at your client’s offices, only to be pointed to a set of boxes to start analyzing. ...

Understanding Your Client’s “Normal”
Detecting an incident means one of two things. You have to see either a known problem -- such as high-risk malware infecting one or more client endpoints -- or something ...

Can Security Infrastructure Work for Fly-Away Incident Responders?
Third-party incident response consultants face unique challenges when helping a company respond to an incident. Unlike internal incident responders, you’re unlikely to have full visibility into all of the client’s ...

Reducing Response Time with Whitelisting
When triaging a host during incident response, it is critical to be able to quickly focus on the suspicious data. Whitelisting gives you the ability to ignore known safe files, ...

Maximizing Your Non-Persistent Agent’s Effectiveness
As we noted in our previous blog post about persistent agents, endpoint security and investigation can be a sticking point for many organizations. Particularly for those whose security posture is ...

Do You Need Persistent Agents to Fight Persistent Threats?
When you think about how your organization can deal with network intrusions and Advanced Persistent Threats (APT), you’ll eventually start to think about your incident response procedures and capabilities. Many ...

What is in your CSIRT First Responder’s Jump Kit?
Like other services, effective Computer Security Incident Response Teams (CSIRTs) are tiered. The First Responder on a CSIRT is much like the EMT who assesses the situation and either deals ...

Cyber Triage: Act Faster!
If you are responsible for protecting digital information, then you will need to respond to a security incident at some point. However, many challenges arise during a response: Unfocused tools ...