Advances in Digital Forensics through Artificial Intelligence - Call for papers
digicat
@malwr
Elsevier
Advances in Digital Forensics through Artificial Intelligence - Call for papers - Computers & Security - Journal - Elsevier
Computers & Security is one of the most respected journals in IT security, being recognized worldwide as THE primary source of reference for IT security resea…
Infrastructure Resilience Planning Framework (IRPF) - v1.1 - November 2022 - from CISA
digicat
@malwr
Cybersecurity and Infrastructure Security Agency CISA
Infrastructure Resilience Planning Framework (IRPF) | CISA
This planning framework provides processes and a series of tools and resources for incorporating critical infrastructure resilience considerations into planning activities.
Department of Defense Releases Zero Trust Strategy and Roadmap > U.S. Department of Defense > Release
digicat
@malwr
U.S. Department of Defense
Department of Defense Releases Zero Trust Strategy and Roadmap
The Department of Defense released its Zero Trust Strategy and Roadmap and intends to implement distinct capabilities and activities as outlined in the strategy by FY27.
Places to find a mentor?
Does anyone have any resources or places to possibly find a mentor for the IR space? I'm an early professional, and started on an IR team a few months ago and am looking for a mentor to guide me on more of the technical aspects of DFIR.
Thanks!
hoolahoop222
If you have a job and it is a big company, they tend to host mentorships.
If you are in college, they tend to host mentorship programs. At least back in the day they used to have FBI and government employees stop by and help with mentoring and shadowing.
It seems, though, with everyone being a university student and graduating but asking the same question here, I don't know if universities do this stuff anymore.
MDCDF
?? Don't you usually find mentors through networking or at your place of employment?
ucfmsdf
Take a look at CFCE from IACIS. You will learn a lot and will be assigned a coach to help you.
lithium630
@malwr
RtlQueueWorkItemLoadLibrary: Loads a DLL by queuing a work item (RtlQueueWorkItem) with the address of LoadLibraryW and a pointer to the buffer on Windows
digicat
@malwr
GitHub
misc/RtlQueueWorkItemLoadLibrary.c at main · rad9800/misc
miscellaneous scripts and programs. Contribute to rad9800/misc development by creating an account on GitHub.
Using yara rules in a large scale enterprise
I've always wondered how yara rules could be used in a large scale enterprise to detect malware.
I understand the premise of yara rules and how they work, and understand how individual files can be scanned using a number of yara rules each designed to detect a specific piece of malware, or how an individual yara rule can be run against a large number of files - but I do not understand how this can be used at scale in a large, segmented network.
I've read that sigma rules can be integrated into azure sentinel and threat hunts performed where logs are aggregated there but does anyone know if similar functionality exists for yara rules? Or whether there are other industry best practices that should be used?
JoeBeOneKenobi
Velociraptor can do yara scans on the hosts en masse. Other tools that let you interrogate endpoints may have this capability as well.
Kansa might, or you could probably build a module that will allow you to do it.
jumpinjelly789
I've seen YARA pitched as a detection capability (implying enterprise-wide) but rarely see orgs using it that way. Here are a couple of notes/resources I've been compiling around this.
If your org uses an internal sandbox, you could run the YARA rules there for malware classification and maybe provide leads for further hunting.
One way to "use" YARA without actually deploying rules at scale is to take advantage of feeds of IOCs derived from large-scale YARA scanning (e.g. over VT) and use those IOCs for further correlation/detection/blocking in your own org. See for example the long list of hashes here, and this is just for one of many rules: https://valhalla.nextron-systems.com/info/rule/SUSP_RAR_With_File_MacroEnabled_MsOffice_Content_Jun22
Then there are a bunch of apparent ways to scale up YARA deployment, but I can't say I've really seen orgs using many/any of these with success (besides maybe the first couple that rely on commercial capabilities). I'm always reminded of pieces like this that highlight the performance issues of YARA deployment at scale.
I recall seeing a few EDRs that can apparently run their own or in some cases user-submitted YARA at scale (Tanium, CB, Cybereason), even SOAR (XSOAR). Sorry, I don't have links handy.
Executing yara with powershell on domain computers
[Loki](https://www.nextron-systems.com/loki/) - Python-based open-sourced IOC scanner from the publisher of a large library of yara rules
"YARA as Endpoint" using Go
[YARA-based scanning with osquery](https://osquery.readthedocs.io/en/stable/deployment/yara/)
How to integrate YARA with Wazuh
[Using YARA rules in ClamAV](https://www.clamav.net/documents/using-yara-rules-in-clamav)
A large repository of other tools
Trop_Chaud
Stream files extracted from Zeek to something that will process them through YARA, and then put the results in a SIEM
toop4
@malwr
Reddit
From the blueteamsec community on Reddit
From Coercion to Invasion: The Theory and Execution of China's Cyber Activity in Cross-Strait Relations
digicat
@malwr
Recordedfuture
From Coercion to Invasion: The Theory and Execution of China's Cyber Activity in Cross-Strait Relations | Recorded Future
With Taiwan in focus, Insikt Group® analyzes China's weishe coercion theory and assesses China's strategies, preparations, and capabilities in cyber warfare.
The Windows Subsystem for Linux in the Microsoft Store is now generally available on Windows 10 and 11
plawwell
Microsoft might just be the coolest Linux company in 2022.
plawwell
I'm staying on the LSL
oscarbeebs2010
So what have I been using for the past couple of years?!
Drate_Otin
@malwr
Microsoft News
The Windows Subsystem for Linux in the Microsoft Store is now generally available on Windows 10 and 11
Today the Windows Subsystem for Linux (WSL) in the Microsoft Store is dropping its "Preview" label and becomes generally available with our latest release! We are also making the Store version of WSL the default for new users who run wsl --install and easily…