Examining DFIR Techniques to Optimize Incident Response

Presented by

Nick Cavalancia, Zach Paul, Eric Van Tyne

About this talk

It’s one thing to realize you have become the victim of a vulnerability-based attack. It’s entirely another thing to know this in a timely manner where you have insightful context empowering you to do something about it to both remediate the current threat actions and mitigate any further actions from taking place. Being able to quickly piece together digital artifacts left on file systems, within the Registry, in memory, or within system logs is an imperative part of any digital forensics and incident response (DFIR) effort. Attacks like the recent PrintNightmare vulnerability – which included both remote code execution and elevation of privileges – involved not one, but three CVEs and related patches and affected millions of Windows desktop and server operating systems worldwide. Attacks using this vulnerability had the potential to provide threat actors with unfettered access to compromised systems, with tools like Cobalt Strike used for remote access and engaging in further threat actions.So, how can you use DFIR techniques to use digital artifacts to identify attacks early and stop them from continuing? In this real-training-for-free session, Microsoft MVP and cybersecurity expert Nick Cavalancia will cover: 1) common digital forensics capabilities, artifacts, and processes, 2) How DFIR fits into your security strategy, 3) A brief primer on PrintNightmare and Cobalt Strike. IR Consultants from Rapid7, who will showcase the free open source DFIR solution, Velociraptor, demonstrating common DFIR techniques that will improve the efficiency and effectiveness of your forensics and response efforts. Zach will first cover Velociraptor and walk through a PrintNightmare use case, identifying impacted systems using collected digital artifacts. Then Eric will use Velociraptor and walk through an attack involving Cobalt Strike. The goal is to demonstrate how you can use open source tools to successfully investigate and address attacks.

Related topics:

More from this channel

Upcoming talks (10)
On-demand talks (290)
Subscribers (25706)
Rapid7 is advancing security with visibility, analytics, and automation delivered through our Insight platform. Our solutions simplify the complex, allowing security teams to work more effectively with IT and development to reduce vulnerabilities, monitor for malicious behavior, investigate and shut down attacks, and automate routine tasks. Over 9,300 customers rely on Rapid7 technology, services, and research to improve security outcomes and securely advance their organizations. For more information, visit our website rapid7.com.