@ImposeCost But, it's specifically written as an "also" statement to, by design/definition, imply no priority.
Still trying to figure out the animosity here... hard to imagine we're not actually on the same page, given our shared tenure in the industry.
@ImposeCost Saying that posting anything on X is a priority in my life would certainly make a lot of people laugh ๐
But, to answer your question, likely for the same reason(s) you posted yours? Just guessing, though.
I apologize, I can't tell if this is hostile/rhetorical or genuine.
Today I have decided that I am the best developer in the world.
Nothing you say can prevent me from thinking this.
Thank you for your attention to this matter.
Interestingly enough, this is one big reason I went out on my own. So many people need the tenured expertise, but think it's too much $$$$. Ironically, it ends up being very similar in cost. Charge 4x a junior, but do it in .25x of the time = same cost, BUT deliver 10x value.
Why are consultants young. Iโd rather consult a white haired wizard thatโs lived a thousand years and only appears in the ghastly Tower when lightning hits it on a full moon (youโll have to solve three riddles to enter). Instead I get a hungover 23 yo from coalfire.
@DirectoryRanger This looks eerily like a paraphrased and copy/pasted version of one of my blog posts from way back in 2018 (with some typos - 1179 is not the correct Event ID). ๐ง
Full version below (or just Google "Windows RDP Investigation" - it's the first result):
https://t.co/McSEaxtsQz
@georgemporter If it's the second time and it remains a largely impactful issue, I'd definitely recommend researching and implementing the variety of relatively easy mechanisms that exist to both prevent and reactively detect such situations with your account(s). Pay now or pay later (again).
#DFIR public speakers/presenters:
Is it acceptable to you, as a speaker, to receive no travel or accommodation assistance for a paid attendance speaking event?
If yes/no, please share your thoughts/experiences.
@OpenAI relies on models (vast amounts of SME) for #AI and @MsftSecIntel (i.e., Security CoPilot) relies on models (again, SME skills/experience).
Common denominator is deep/wide SME knowledge.
Where are we getting this with our current dearth of #DFIR talent/expertise? ๐ค
@hashishrajan@CloudSecPod Important clarification here.
CloudTrail Event History maintains 90 days of management events ONLY. You will NOT have any data events like you will if you create a dedicated Trail.
This is incredibly important to understand if you decide against creating a Trail.
My customized more granular IR lifecycle didn't make it in, but many other things did. ๐
This is the result of a lot of work from smart folks passionate about creating more prescriptive and informative #DFIR guidance for folks operating in #AWS.
Feedback always welcome!
๐ชWe've updated the #AWS Security Incident Response Guide to more clearly explain what you should do before, during, and after a security event.
Below are highlights of a some of the changes and instructions on how to use the updated guide ๐ #cybersecurity#incidentresponse
@jhencinski Man, I wonder how this works out in practice.
Wondering if an effective "detection + immediate notification + response requirement" mechanism is a better balance of flexibility with security.
Just thinking out loud.
Any insights from your experience?
@cyb3rops Perhaps the most clear and overarching highlight here is that the USN Journal $J is a great mechanism for identifying system/file activity, especially for non-resident files (paired with $Secure for identifying ownership/permissions), so long as it's still in the buffer.
@binaryz0ne@professorbike@bettersafetynet If you only care about the memory (for testing), then the methodology you are using should be just fine.
Just FYI, based on your needs and what you're looking to do.
Good luck in your research/testing!
@binaryz0ne@professorbike@bettersafetynet Keep in mind by adding a drive and attaching it to the system, you are introducing modification/alteration of system artifacts, which is something we try to avoid as a best practice for response. Snapshot is the easiest mechanism to mitigate that and capture both memory and disk.
@hal_pomeranz@WWHackinFest I'll answer one ๐
(With filesystem mounted at "/mnt/X/")
$ zdump /mnt/X/etc/timezone
$ zdump /mnt/X/etc/localtime
$ cat /mnt/X/etc/timezone
$ ls -l /mnt/X/etc/localtime
$ readlink /mnt/X/etc/localtime
Did I miss any?