Monday, June 24, 2013

Daily Blog #1 More about 'Offensive Forensics' aka For 668

Hello Reader, it's Day 1 of the Zelster challenge.

I like to always start my blogs with a small hello because I want to make sure you get a feeling of direct and informal communication when you read this. I really enjoy talking to the wide range of people who make up the DFIR industry (especially those looking to enter it); the different perspectives are fascinating and, for their situations, correct (which is hard to understand at first). The more perspectives you can learn, the easier it is to understand what's important to people. The majority of my work since 1999 has been acting as an expert in civil litigation, and for years that was my only perspective. I really didn't understand the wide depth that DFIR was taking on; in fact, I really only knew about DF and not IR. I'd like to think that in the last couple of years I've become more aware of how wide the space has become and have appreciated all the knowledge, tools and work that has come out of those approaching the same artifacts and problems from different angles.

With all that said, let's talk about 'Offensive Forensics'. I said in the prior post that I'm writing a course with Alissa Torres and Jake Williams, two people who have a very wide range of experience not only in forensics but in fighting advanced threats, network security and reverse engineering malware. I would like to think that what I'm bringing to the table is my perspective on traditional digital forensics and the research we've built over the years, especially the Triforce.

The idea behind the course is different from anything else I've seen out there. Many people are taking penetration testing courses that teach you how to break into a system. Lots of people are taking incident response classes that teach you how to deal with the effects after the break-in: triage and remediate. Others are taking classic digital forensics classes, learning how to investigate the artifacts and do 'deep dive analysis'. What is missing from all of those is the time between the break-in and the response. It is this period of access, exfiltration and persistence that we will be focusing on in Offensive Forensics.

Each module of the class will reveal an advanced adversary technique that Alissa and Jake have seen in the wild. You will learn how to perform the same type of technique the attacker does, using the same tools. You'll then clean up your tracks like an attacker and see what tools exist that allow for what appears to be a clean getaway. Lastly, using our research and entirely new techniques we will be developing for this class (very excited about this!), you will learn how to defeat and/or detect the technique just shown, so that the attacker's attempts at stealth end up shining a light on their motives, activities and methods.

It's a 6 day class with 5 days of hands-on instruction (we have so many labs planned), ending with a challenge day with a Netwars-style competition to see who can solve the puzzle with the techniques taught. We are in the process of writing it now, so I hope to keep you apprised of our progress as we move it forward. I don't want to go much deeper than this, since the course is still being developed and things will change, but that is the overall goal we are planning to achieve, and we have a heck of an outline to do it with.

If you have questions, feel free to comment below and I'll answer them if I can!

So Day 1 down, 364 more days to go. Talk to you tomorrow!

(This entry is part of the Daily Blog series! Click Here for the next entry.)