In July, Eric & Whitney gave a talk titled "Breaches Be Crazy" at the SANS DFIR Summit outlining Recon’s unique approach at scaling enterprise forensic timelining.
Scaling Enterprise Forensic Timelining
Oct 6, 2021 2:29:00 PM / by Eric Capuano posted in Automation, DFIR, Velociraptor, Incident Response, Forensics, Operations, SecOps, Security, SOC, Open Source
Mapping Adversary Emulation Plans
Sep 18, 2020 11:17:00 AM / by Brian Greunke posted in Automation, Threat Hunting, NDR, Defense, MITRE ATT&CK
The Center for Threat-Informed Defense at MITRE recently released their Adversary Emulation Plans Library on Github.
Integrating Thinkst Canaries with TheHive
Sep 16, 2020 11:33:00 AM / by Whitney Champion posted in Automation, DFIR, Incident Response, Forensics, SecOps, Canaries, InfoSec, Thinkst, Training, Python, TheHive, Cortex
We've been big fans of the Thinkst platform for a while now. We may have mentioned them a time or two :) Like many others, we get a lot of mileage out of their Canaries and Canary Tokens.
Visualizing Geo IP Information using Python
Apr 17, 2020 1:11:00 PM / by Brian Greunke posted in Automation, Python, BlackHat
As part of the #OpenSOC event Recon InfoSec recently conducted, we wanted to visualize where all of our participants were coming from. We had several data points to work from, and there are plenty of open tools available, so it is just a matter of cobbling those items together to create a sweet, sweet map.
Automating Detection Coverage Analysis with ATT&CK Navigator
Feb 13, 2020 1:52:00 PM / by Brian Greunke posted in Automation, DFIR, SecOps, Security, Threat Hunting, Defense, Graylog, Continuous Integration, MITRE ATT&CK
Staying on-top of the latest adversarial methodologies means quickly adjusting to new TTPs and requires a thorough and constant understanding of your own detection capabilities. Given a rapidly changing, dynamic environment, this level of attention can't be a manual process, it requires the magic of automation.
Integrating Graylog With TheHive
Jan 31, 2020 2:11:00 PM / by Whitney Champion posted in Automation, DFIR, Incident Response, SecOps, Security, Defense, Python, Graylog, DevOps, TheHive, Cortex, API
If you couldn't tell by now, we love Graylog. We may have mentioned them a time or two :)
Automating Graylog Pipelines
Jun 18, 2019 3:02:00 PM / by Whitney Champion posted in Automation, DFIR, SecOps, Security, Python, Graylog, Continuous Integration, DevOps, Ansible
Part of our job at Recon relies on fine tuning our threat signatures that make up the bulk of our pipeline rules in our Graylog environment.
The Infrastructure
Aug 27, 2018 3:57:00 PM / by Whitney Champion posted in Automation, SecOps, OpenSOC, DEFCON, DevOps, Infrastructure
When I joined the OpenSOC team at the beginning of this year, everything resided on 3 Intel Skull Canyon NUC's, a couple other systems for scenarios or applications with hardware requirements, a Ubiquiti WAP, a Synology NAS, and various other things.
Auditing G Suite Login Activity
Sep 3, 2017 4:36:00 PM / by Eric Capuano posted in Automation, DFIR, Forensics, Google
Often times during incident response activities, the responder is overwhelmed with data. The need for tools to automate the analysis and enhancement of this data is crucial.
Slacking at Security Operations
Oct 24, 2016 4:58:00 PM / by Eric Capuano posted in Automation, Operations, Defense, Intel Sharing, Slack
Running a Security Operations Center requires fighting a constant battle to increase analyst efficiency, speed and accuracy. Fast and effective communication coupled with automation is the only answer. So why not have both in the same platform?