How to Investigate Rclone Data Exfil with Cyber Triage
Wednesday, November 13 – Register Below
A Webinar with Professor Mike Wilkinson
Rclone is a favorite of ransomware operators.
The “Swiss Army Knife of cloud storage,” Rclone is perfect for exfiltrating data. And every DFIR investigator should know how to spot it by the telltale artifacts it can leave behind — including credentials you can use to access the attacker’s toolbox.
Learn how in this CT University mini-class.
Agenda:
- Cyber Triage investigation fundamentals (10 min)
- Rclone data exfil investigation with Cyber Triage (5 min)
- Office hours/AMA with Professor Mike (15 min)
Fuzzy Malware Matching Methods for DFIR – How to Scope Incidents
Tuesday, July 23 – Recording Available
A Webinar with Brian Carrier and Chris Ray
It is relatively trivial for an attacker to build unique malware executables for each victim host or organization. This is a challenge for an incident responder who is scoping an incident or trying to determine whether a unique file is malicious.
In this webinar, we will talk about the various ways of making “fuzzy matches” between executables. We’ll cover techniques that are better for searching for similar files versus techniques that are better at comparing two files. We’ll look at ImpHash, ssdeep, TLSH, and others. Some detection and hunting systems employ these techniques, while others support exact matches only.
This webinar is intended for both incident responders and SOC managers who want an understanding of what is possible and what to expect in terms of finding malware variations.
EDR Evasion and Incident Response
Thursday, May 30 – Recording Available
A Webinar with Brian Carrier and Mike Wilkinson
EDR is a critical part of a robust cyber security system, but attackers often find ways of avoiding or delaying detection. These evasion techniques mean the EDR doesn’t have all of the information you’ll need to conduct alert validation or a forensic investigation.
In this webinar, we’ll look at how EDR evasion works and its implications for investigating alerts. In particular, an attacker could have been evading the EDR for several days before triggering an alert, so the EDR has no visibility into what happened during that time.
Collecting additional digital forensics and incident response (DFIR) artifacts for your investigation is critical. We will talk about types of DFIR collection tools that you can use and how to integrate them with your EDR.