TLP - The Digital Forensics Podcast

Get involved in the exciting world of Digital Forensics and Incident Response with: Traffic Light Protocol. The Digital Forensics Podcast.

In each episode, we sit down with seasoned DFIR professionals, the blue teamers who work around the clock to investigate cyber intrusions. From data breaches to cyberattacks, they share firsthand accounts of some of the most intense investigations they've ever tackled, how they deal with burnout, and the added pressure of cat and mouse while they learn about new attack chains.

Episode 15 - Windows event log analysis with Hayabusa, the Sigma-based log analysis tool

Key Takeaways:
Introduction to Hayabusa: Hayabusa is an open-source Windows Event Log Analysis Tool used for processing EVTX logs to detect suspicious activities in Windows environments.
Critical Alerts Detection: The tool is capable of detecting a variety of suspicious activities, including WannaCry ransomware and unauthorized Active Directory replication.
Efficient Incident Response: Hayabusa is ideal for incident response workflows, enabling teams to quickly triage and analyze W...

10-15
23:20

Episode 14 - AI and the future of log analysis, bug detection, forensics and AI ethical considerations with Jonathan Thompson

In this episode of Traffic Light Protocol, Clint Marsden is joined by Jonathan Thompson, a developer and AI enthusiast currently studying at Macquarie University. Together, they dive into how artificial intelligence (AI) is transforming the cybersecurity landscape and discuss Jon's insights into AI's potential applications in digital forensics, incident response, and everyday IT operations. The conversation touches on ethical considerations, potential job impacts, and how AI can...

09-22
01:08:33

Episode 13 - ELK EDR and Sandboxing, Home grown CTF environments, DFIR Automation & Forensics in the cloud, with Jacob Wilson

Episode 13 is another giant episode with a focus on what it's like to be in the mud working on real-life forensic investigations. Jacob and Clint talk about ELK EDR, using Sysmon.
Sandbox Environments: Jacob discusses the creation of a sandbox environment using an ELK stack combined with Sysmon, enabling in-depth malware analysis by capturing and analyzing detailed system activity.
Automation in Investigations: Jacob emphasizes the importance of automating repetitive tasks, such as bu...

08-20
54:55

Episode 12 - You're forced to decide: Cyber Generalist or Cyber Specialist?

Quotes:
"In the fast-paced world of DFIR, you are a mission critical system. Your job isn't just to uncover what happened during an incident, but to do so in a way that gets results fast."
"Specialists bring expertise that pushes the entire industry forward, while generalists offer versatility and adaptability in the ever-changing landscape of cybersecurity."
"The choice between specializing and generalizing doesn't always need to be a conscious decision. Often, you just fall into ...

08-13
17:47

Episode 11 - Velociraptor, Containerisation and Infrastructure Deployed as Code with Myles Agnew

In this episode of Traffic Light Protocol, we sit down with Myles, a cybersecurity veteran with over 15 years of cyber experience and a background as a Combat Engineer in the Army. Myles brings his unique perspective on integrating automation and cloud technologies into cybersecurity infrastructure deployment (used specifically when deploying Velociraptor, an advanced open-source endpoint monitoring, digital forensic and cyber response platform). We delve into his journey fro...

07-29
52:46

Episode 10 - Detecting and Preventing Phishing Attacks

Quotes:
"Phishing targets the human element, the 'wetware,' often the weakest link in any security chain." - Clint Marsden
"Phishing isn't just about poorly spelled emails anymore; it's about sophisticated campaigns that even cyber-aware individuals can fall victim to." - Clint Marsden
"Effective defense against phishing involves not just technology but ongoing education and a culture of security awareness." - Clint Marsden
Key Takeaways: Phishing attacks continue to evolve and...

07-17
19:04

Episode 9 - Unmasking APT40 (Leviathan): Tactics, Challenges, and Defense Strategies

Episode Title: "Unmasking APT40: Tactics, Challenges, and Defense Strategies"
Key Takeaways:
APT40 is a sophisticated Chinese state-sponsored cyber espionage group active since 2009.
They target various sectors including academia, aerospace, defense, healthcare, and maritime industries.
APT40 uses advanced tactics such as spear phishing, watering hole attacks, and living off the land binaries (LOLBINS).
Digital forensics faces challenges in detecting APT40 due to their use of legitim...

07-12
21:48

Episode 8 - Hidden digital forensic logging for Cybersecurity on Any Budget: Practical Strategies for Enhanced Detection and Prevention Using Sysmon, Blocking Data Exfil with group policy and printer forensics

In this episode, Clint Marsden goes straight into 4 practical strategies that enable better forensics and stop data exfiltration, no matter the size of your budget. Clint covers deploying Sysmon for enhanced monitoring, and using Group Policy to tighten print and USB security.
Event log cleared: Event ID 1102
ACSC Sysmon: https://github.com/AustralianCyberSecurityCentre/windows_event_logging
Swift on Security Sysmon: https://github.com/SwiftOnSecurity/sysmon-config
Printer fore...

07-07
19:57

Episode 7 - Defending Against Scattered Spider: Understanding Their Tactics, Techniques, and Procedures

In today's episode of TLP - Traffic Light Protocol, Clint Marsden talks about Defending Against Scattered Spider: Understanding Their Tactics, Techniques, and Procedures.
Key Takeaways
Understanding Scattered Spider: Scattered Spider, also known as Roasted Octopus or Octo Tempest, utilizes various legitimate tools for malicious purposes.
Common Tools and Techniques: They employ tools for reconnaissance (PingCastle, ADRecon), credential dumping (Mimikatz, Lazagne), Remote...

06-25
17:07

Episode 6 - Responding to ransomware - is your VPN a target? Plus ransomware risk mitigation with Phil Ngo

In this episode, we speak with Phil Ngo, a Primary Investigator in Accenture's global cyber response team. As a primary investigator, he is responsible for helping clients recover from major incidents as well as delivering proactive cyber services, such as threat hunting and tabletop exercises. Philip started his career as a high school teacher, before moving into IT support and eventually into cyber security six years ago. Philip has worked across multiple industri...

06-20
26:11

Episode 5 - NIST SP 800-61 Computer Security Incident Handling Guide (Post-Incident Activity)

This is the biggest episode from a content perspective so far. I'm excited to share it with you.
Episode Highlights:
How to run post-incident debriefs and post-mortems.
Involving external teams.
Using lessons learned to form actionable insights.
Key questions to address in incident analysis.
Effective report writing strategies, including timelines and executive summaries.
Evaluating and improving incident response procedures and tools preparation.
Engaging broader teams in the debr...

06-12
33:06

Episode 4 - NIST SP 800-61 Computer Security Incident Handling Guide (Containment, Eradication and Recovery)

Show Notes: Episode on Containment, Eradication, and Recovery
In this episode of Traffic Light Protocol, Clint Marsden explores the containment, eradication, and recovery phases of the NIST SP 800-61 framework for computer security incident handling.
Key Topics Covered:
Containment Strategies: Choosing appropriate containment methods based on the incident type, potential damage, service availability, and evidence preservation. Examples include power disconnection ...

06-07
22:10

Episode 3 - (Part 2) NIST SP 800-61 Computer Security Incident Handling Guide (Detection)

In this conclusion of the Detection phase, Clint wraps up Incident Prioritisation. This includes the functional impact of the incident, the information impact of the incident, and the recoverability of the incident. Not all of these are needed or relevant when tracking your incident, and Clint explains when to categorise incidents using these factors. To finish off, Clint discusses incident notification: who are the stakeholders that need to be informed and included in your incident resp...

05-31
11:41

Episode 3 - NIST SP 800-61 Computer Security Incident Handling Guide (Detection)

In this 45 minute episode Clint covers a lot of ground based on the Detection phase of NIST 800-61.
Attack vectors for digital security incidents, including insider threats and weaponized USBs.
Cybersecurity incident response and detection, including NIST guidelines and Sysmon logging augmentation.
The importance of following temporal linearity in Forensic Investigations, expanding analysis to 5-10 minutes prior to and after events, particularly in Internet History and Memory ...

05-28
46:52

Episode 2 - NIST SP 800-61 Computer Security Incident Handling Guide (Preparation)

In this episode Clint Marsden talks about the first phase of Computer Security Incident Handling according to NIST. Listen to real world examples of how to get prepared before a Cyber Security Incident arrives.
Show notes:
Link to NIST SP 800-61 PDF: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Bro has been renamed to Zeek. https://zeek.org/
Rita is Real Intelligence Threat Analytics. Created by Active Countermeasures - Available from https://github....

05-17
27:17

Episode 1 - Digital forensics trends and preparations, learning from real life case studies & DFIR training for getting started

In this first episode we kick off with Clint Marsden, the host of Traffic Light Protocol (TLP), where he talks about what it's like to work in DFIR, how to get started with cyber training, what to expect in future episodes, and of course a light touch on AI Forensics! Join us for the first episode. The next episodes coming up talk about NIST SP 800-61, where we break down Preparation, Detection, Eradication and Recovery.
Highlights:
Current trends and best practices in digital for...

05-16
23:27
