Over 80% of all breach victims learn of a compromise from third-party notifications, not from internal security teams. In most cases, adversaries have been rummaging through your network undetected for months or even years.
Incident response tactics and procedures have evolved rapidly over the past several years. Data breaches and intrusions are growing more complex. Adversaries are no longer compromising one or two systems in your enterprise; they are compromising hundreds. Your team can no longer afford antiquated incident response techniques that fail to properly identify compromised systems, provide ineffective containment of the breach, and ultimately fail to rapidly remediate the incident.
A thorough understanding of many detailed areas is required for success, including a mastery of the following fundamental skills covered by the SANS Digital Forensics and Incident Response (DFIR) RU-vid Channel.
Is there a way you can see when logs were deleted? I noticed about a week or two ago. When I went to event viewer in security logs I saw my laptop turn on when I was not even using it! Tonight, I went on to check logs and it didn't even go past the previous day. I turned it off and back on, now I can see past today. Whats going on, can anyone help?
Interesting perspective on threat intelligence! Could you elaborate on why you believe it might be a fallacy? What alternative approaches do you suggest?
Still trying to figure out how the streetlight effect joke was politically incorrect at all. Seems like people just say that without thinking about it. Like I once had a girlfriend claim it was “so P.C.” that a coffee shop put “Caution: Hot” on their coffee cups 😂 wtf Great talk otherwise though 10/10
14,4KB IS 16KB OK I GOT IT FINALY...Im just in the middle of moving 3 games that is 62gb but also the size on disc size 93gb so a huge difference on the size(oooh yes a big difference ( But i now understand this finaly after about 2 years w thoughts about this SIZE thing n why there is 2 kinds of NR..... But 60 vs 90gb is alot of difference in size(so alot of unused space "Kind of"!) Thanks 4 this great video-finaly explained this for me so i understand why the difference can be so huge!!
It's actually very simple. Pull the drive of the affected machine, and plug into known good machine as a non booting drive, point your scanners at the affected drive, probably labeled e: or f: remove the ransomware once detected by your scanner. Alternatively you can boot a malware removal disc like Dr web, and point it at scanning the drive.
doesn't matter, you're not booting the drive. there are tools you can run to remove the infection, i have removed ransomware and free av and many scareware this way. The encrypted files are not removed.
Thank you for sharing your passion. I'm in my late 40s and I'm just starting the climb to DF. Feels overwhelming but you and others, who genuinely are passionate about this field keep me in the fight.
Wow the presented data is quite a few years out of date. All major CDNs block host and SNI mismatches. So while you can still theoretically put a C2 server behind a CDN, you can no longer use domain fronting to obfuscate it. Also, RITA has supported bimodal analysis for a number of years now. Its specifically designed to detect the use case described (beacon timing at idle is different than timing when active).
While there are some good nuggets. She generally starts a point then allows to hang unfinished. She says to ignore trends yet relies on causality. The nuance of these ideas is lost. Great topic, poor presentation.
