Webinars

The wire fraud cost the company millions.

They had to know what happened.

Called in to investigate, Quinnlan Varcoe started with the EDR data — only to discover it had no evidence. 

Her next move? 

Find out how Quinnlan and her team found a way in this webinar. 

Speakers: 

• Brian Carrier, Cyber Triage (host)
• Quinnlan Varcoe, Blueberry Security
• Greg Kutzbach, Exhibit A Cyber

Get Recording

After alert validation comes the endpoint investigation

Now, one thing determines the fate of the investigation: 

The ability of the investigator to find and interpret digital clues. 

In this webinar, DFIR experts Brian Carrier and Brett Shavers will explain what digital clues are and how to find them. Too often, investigators will get buried in the hundreds (or thousands) of data points from collection tools or historical EDR data.

But if you have a system, you can succeed.

Get Recording

Data sprawl, evolving threats, and an expanding attack surface are asking SOCs new questions. The generic answer: 

AI and automation.

But where can and should you apply this stuff?

Join DFIR experts from SentinelOne, CompassMSP, and Cyber Triage as they debate AI, automation, and the future of the SOC.

You’ll learn:

• Good: Where SOCs are winning 
• Bad: Where SOCs are (mostly) failing
• Ugly: Where SOCs are wasting their time

Speakers: 

• Brian Carrier, Cyber Triage
• Mike McGrail, SentinelOne
• Ryan Benson, CompassMSP

Get Recording

Attackers are essentially always active before an alert. 

70% of SOC managers often or always worry about persistent threats after analyst review.

Why? 

SOC teams often struggle with the step after alert triage: 

Endpoint Triage.  

In this webinar hosted by Brian Carrier, you’ll learn Endpoint Triage strategies from: 

• Dragos: Kai Thomsen, Director of Global IR Services
• Huntress: Harlan Carvey, Staff Threat Intel Analyst
• Sleuth Kit Labs: Mike Wilkinson, Director of Training
• Blueberry Security: Quinnlan Varcoe, Founder

Each expert will present the top 3 things they focus on to assess how compromised an endpoint is. You’ll hear the latest strategies and get your chance to ask hard questions.

Maybe even join a heated discussion over the value of time stamps, memory, and IOCs!

Get Recording

Attackers are essentially always active before an alert. 

According to Mandiant, they usually have 10 days of free reign. 

That’s 240 hours of activity you won’t know about from EDR alerts alone. In this webinar, Brian Carrier and Markus Schober explain how SOCs can investigate the attack before the alert.

We cover: 

• The attack life cycle.
• EDR evasion tactics.
• How attacks are detected.
• How to find pre-alert activity.

Get Recording

EDRs are like a house alarm system: They alert you to suspicious activity. And just like you sweep a house after an alarm goes off, you must sweep endpoints after alerts. You must check for intruders.

But EDRs aren’t built for sweeping. 

In this webinar, Brian Carrier explains why you need to combine EDRs with DFIR tools to ensure you quickly collect and analyze data after an EDR alert is generated. 

We cover: 

• Endpoint Triage recap.
• EDR limitations for DFIR.
• The EDR + DFIR process.

Get Recording

Everyone in corporate security should understand endpoint triage. Triage investigations are how you understand what happened and how to prioritize the response. In this webinar, DFIR expert Brian Carrier will teach you the basics of endpoint triage, especially for SOCs.

What we’ll cover:

• When to triage an endpoint.
• How to triage an endpoint.
• What is needed to triage.

Who it’s for:

• SOC Analysts will learn how to endpoint triage.
• SOC Managers will learn how to adopt it in their process.
• MSSP customers will learn how to use it when given an alert.

No matter who you are, this vendor-agnostic webinar will help you better respond to threats.

Get Recording

Rclone is a favorite of ransomware operators.

The “Swiss Army Knife of cloud storage,” Rclone is perfect for exfiltrating data. And every DFIR investigator should know how to spot it by the telltale artifacts it can leave behind — including credentials you can use to access the attacker’s toolbox.

Learn how in this CT University mini-class.

Agenda:

• Cyber Triage investigation fundamentals (10 min).
• Rclone data exfil investigation with Cyber Triage (5 min).
• Office hours/AMA with Professor Mike (15 min).

Get Recording

It is relatively trivial for an attacker to make unique malware executables for each victim host or organization. This can be a challenge for an incident responder who is scoping an incident or trying to identify if a unique file is malicious.

In this webinar, we will talk about the various ways of making “fuzzy matches” between executables. We’ll cover techniques that are better for searching for similar files versus techniques that are better at comparing two files. We’ll look at ImpHash, ssdeep, TLSH, and others. Some detection and hunting systems employ these techniques while others are exact match only.

This webinar is intended for both incident responders and SOC managers who want an understanding of what is possible and what to expect in terms of finding malware variations.

Get Recording

EDR is a critical part of a robust cyber security system, but attackers often find ways of avoiding or delaying detection. These evasion techniques mean the EDR doesn’t have all of the information you’ll need to conduct alert validation or a forensic investigation.

In this webinar, we’ll look at how EDR evasion works and its implications for investigating alerts. Namely, that an attacker could have been evading the EDR for several days before triggering an alert and the EDR does not have visibility about what happened.

Collecting additional digital forensics and incident response (DFIR) artifacts for your investigation is critical. We will talk about types of DFIR collection tools that you can use and how to integrate them with your EDR.

Get Recording