Mehmet Ergene · Feb 1, 2022 · 6:35 PM UTC

Mehmet Ergene

Mehmet Ergene

@Cyb3rMonk

1 Feb 2022

Why do many #DFIR reports lack about network forensics? I don't think finding the C2 address is enough. Why don't you create a timeline using the network data? Like 👇 "C2 comm started with 5min sleep, then was changed to 10sec and data transfer was observed during this period...

106

coffee.exe · Feb 2, 2022 · 1:43 AM UTC

coffee.exe @highonc0ffee

2 Feb 2022

Because 9 times out of 10 this data doesn’t exist in the clients environment. Lucky to get Windows event logs that haven’t rolled…

Hal Pomeranz · Feb 2, 2022 · 2:06 AM UTC

Hal Pomeranz @hal_pomeranz

2 Feb 2022

A-fucking-men!

Jake Williams · Feb 2, 2022 · 2:10 AM UTC

Jake Williams @MalwareJake

2 Feb 2022

Seconded (not that you need it, nobody who does IR in real life should be arguing with you)

Hal Pomeranz · Feb 2, 2022 · 2:17 AM UTC

Hal Pomeranz · Feb 2, 2022 · 2:17 AM UTC

Hal Pomeranz @hal_pomeranz

2 Feb 2022

Replying to @MalwareJake @highonc0ffee @Cyb3rMonk

Our perspective is colored by being third-party IR teams. Orgs that have good network telemetry are generally mature enough to have working IR capability in-house and so would never call us.

Feb 2, 2022 · 2:17 AM UTC

Mehmet Ergene · Feb 2, 2022 · 8:29 AM UTC

Mehmet Ergene

@Cyb3rMonk

2 Feb 2022

Replying to @hal_pomeranz @MalwareJake @highonc0ffee

And they don't publish their findings probably. Why don't we have regulations for this? At least for some specific industries :/