Audit Active Directory Attack Paths with Bloodhound

Apr 18, 2023 5:15:25 PM / by Eric Capuano posted in SecOps, Security, Open Source, InfoSec, Defense

In our experience working with SMB and enterprise IT teams, it is often unknown just how far and wide their Active Directory (AD) environment truly is and how many possible attack paths exist for a would-be threat actor. This is true because it's a non-trivial activity to sit down and map these environments out in a way that makes it possible to begin hardening and mitigating attack paths. 

Read More

Every Organization Needs Centralized Logging

Oct 18, 2022 6:03:30 PM / by Eric Capuano posted in DFIR, Incident Response, Open Source, Defense, Monitoring, Graylog, Logging, Compliance

Logs are on the systems, why do I need this?

Because Digital Forensics & Incident Response is expensive -- likely the highest billable rate among most IT/security practices.

Why? Because it is a very skilled, but meticulous and time-consuming activity and my team has done our fair share of it. Most often, the bulk of the time is spent collecting often volatile evidence from countless systems in hopes that enough of the attacker activity is still traceable. The best evidence sources are often the ones least available at the time of the investigation -- logs. Why? Because they roll over, or get deleted, etc.

If I walked into an organization that had centralized logging, I could probably cut the IR effort in half because a huge amount of the data I need is there ready to be queried. This allows me to perform deeper forensic analysis only on systems that exhibited noteworthy activity.
 
Read More

Scaling Enterprise Forensic Timelining

Oct 6, 2021 2:29:00 PM / by Eric Capuano posted in Automation, DFIR, Velociraptor, Incident Response, Forensics, Operations, SecOps, Security, SOC, Open Source

In July, Eric & Whitney gave a talk titled "Breaches Be Crazy" at the SANS DFIR Summit outlining Recon’s unique approach at scaling enterprise forensic timelining.

Read More
View RSS Feed