In July, Eric & Whitney gave a talk titled "Breaches Be Crazy" at the SANS DFIR Summit outlining Recon’s unique approach at scaling enterprise forensic timelining.

The Center for Threat-Informed Defense at MITRE recently released their Adversary Emulation Plans Library on Github.

We've been big fans of the Thinkst platform for a while now. We may have mentioned them a time or two :) Like many others, we get a lot of mileage out of their Canaries and Canary Tokens.

As part of the #OpenSOC event Recon InfoSec recently conducted, we wanted to visualize where all of our participants were coming from. We had several data points to work from, and there are plenty of open tools available, so it is just a matter of cobbling those items together to create a sweet, sweet map.

Staying on-top of the latest adversarial methodologies means quickly adjusting to new TTPs and requires a thorough and constant understanding of your own detection capabilities. Given a rapidly changing, dynamic environment, this level of attention can't be a manual process, it requires the magic of automation.

If you couldn't tell by now, we love Graylog. We may have mentioned them a time or two :)

Part of our job at Recon relies on fine tuning our threat signatures that make up the bulk of our pipeline rules in our Graylog environment.

When I joined the OpenSOC team at the beginning of this year, everything resided on 3 Intel Skull Canyon NUC's, a couple other systems for scenarios or applications with hardware requirements, a Ubiquiti WAP, a Synology NAS, and various other things.

Often times during incident response activities, the responder is overwhelmed with data. The need for tools to automate the analysis and enhancement of this data is crucial.

Running a Security Operations Center requires fighting a constant battle to increase analyst efficiency, speed and accuracy. Fast and effective communication coupled with automation is the only answer. So why not have both in the same platform?