Incident Response. The most common Lessons Learned and how to get them right.
Security incidents, as unwanted as they are, can be turned into a great opportunity for improvement. Listen to my speech at the Forensik Conference, where I go through what I consider the most common lessons learned after IR.
The ‘Motive – Opportunity – Impunity’ cycle has shaped the cybersecurity threat landscape for years
Motive – Opportunity – Impunity: without breaking this cycle through global cooperation between the private and public sectors, there will be no end to cybercrime or to politically motivated hacks. Motive: Money. That’s what’s directly behind the majority of cyber attacks today. Another, much less frequent but very dangerous, motive is politics, with state actors seeking influence…
Super timeline initial triage with Jupyter and Pandas
While Pandas may not care much about time, incident responders should. Timeline creation and analysis are the core activities of many deep-dive digital forensics investigations. Run log2timeline/plaso on logs and other common evidence data and you’ll get a nice CSV file with parsed events together with their associated times. This allows you to correlate…
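The triage steps described above (load the plaso CSV, put every event on one time axis, find the densest cluster, then pivot and expand around it), as an added example that is not code from the original post. It uses only the Python standard library so it runs without pandas; each function has a direct pandas equivalent (read_csv, to_datetime, groupby/resample). The rows in SAMPLE_L2TCSV are constructed for illustration, the prefetch file name and the URL are made up, and the parser assumes the timeline was exported in UTC.

```python
"""Initial triage of a log2timeline/plaso super timeline in l2tcsv format.

Added example, not code from the original post. Standard library only;
every step maps onto pandas (read_csv, to_datetime, groupby/resample).
The sample rows are constructed for illustration, not real evidence.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample shaped like psort's l2tcsv output: date as MM/DD/YYYY,
# time as HH:MM:SS, a timezone column, then the remaining standard columns.
# Descriptions avoid commas to keep the CSV simple.
SAMPLE_L2TCSV = """\
date,time,timezone,MACB,source,sourcetype,type,user,host,short,desc,version,filename,inode,notes,format,extra
03/13/2023,22:10:00,UTC,MACB,FILE,NTFS $MFT,Creation Time,-,WS01,C:/Windows/SoftwareDistribution/patch.cab,Windows update payload,2,patch.cab,-,-,filestat,-
03/14/2023,08:55:12,UTC,M...,EVT,WinEVTX,Content Modification Time,-,WS01,Security 4624,Logon type 2 for alice,2,Security.evtx,-,-,winevtx,-
03/14/2023,09:02:41,UTC,MACB,WEBHIST,Firefox History,Last Visited Time,alice,WS01,http://invoices-example.test/,Downloaded invoice.pdf.exe,2,places.sqlite,-,-,firefox_downloads,-
03/14/2023,09:03:05,UTC,MACB,FILE,NTFS $MFT,Creation Time,-,WS01,C:/Users/alice/Downloads/invoice.pdf.exe,New executable in Downloads,2,invoice.pdf.exe,-,-,filestat,-
03/14/2023,09:03:07,UTC,M...,LOG,Prefetch,Last Time Executed,-,WS01,INVOICE.PDF.EXE,Prefetch shows first execution,2,INVOICE.PDF.EXE-00000000.pf,-,-,prefetch,-
03/14/2023,09:03:20,UTC,M...,REG,Registry Key: Run,Content Modification Time,-,WS01,HKCU/Software/Microsoft/Windows/CurrentVersion/Run,Run key value Updater added,2,NTUSER.DAT,-,-,winreg,-
03/14/2023,09:04:02,UTC,M...,EVT,WinEVTX,Content Modification Time,-,WS01,Security 4688,powershell.exe -enc spawned by invoice.pdf.exe,2,Security.evtx,-,-,winevtx,-
03/14/2023,11:40:33,UTC,M...,EVT,WinEVTX,Content Modification Time,-,WS01,Security 4634,Logoff for alice,2,Security.evtx,-,-,winevtx,-
"""


def parse_l2tcsv(text):
    """Parse l2tcsv text into event dicts carrying an aware UTC 'ts' field."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["timezone"] != "UTC":
            # Assumption: the timeline was exported in UTC. Mixed zones put
            # events from different hosts on different axes, so normalize first.
            raise ValueError(f"unexpected timezone column: {row['timezone']!r}")
        ts = datetime.strptime(f"{row['date']} {row['time']}", "%m/%d/%Y %H:%M:%S")
        row["ts"] = ts.replace(tzinfo=timezone.utc)
        events.append(row)
    return sorted(events, key=lambda e: e["ts"])


def bucket_start(ts, bucket):
    """Floor an aware datetime to the start of its fixed-size bucket."""
    size = int(bucket.total_seconds())
    floored = int(ts.timestamp()) // size * size
    return datetime.fromtimestamp(floored, tz=timezone.utc)


def busiest_buckets(events, bucket=timedelta(minutes=5), top=3):
    """Rank time buckets by event count; a dense burst is a good first pivot."""
    counts = Counter(bucket_start(e["ts"], bucket) for e in events)
    return counts.most_common(top)


def events_around(events, pivot, before=timedelta(minutes=2), after=timedelta(minutes=2)):
    """Every event in [pivot - before, pivot + after]: the pivot-and-expand step."""
    return [e for e in events if pivot - before <= e["ts"] <= pivot + after]


def source_breakdown(events):
    """Count artefact sources (EVT, FILE, REG, ...). A window corroborated by
    several independent sources is far more interesting than one that is all EVT."""
    return Counter(e["source"] for e in events)


if __name__ == "__main__":
    evs = parse_l2tcsv(SAMPLE_L2TCSV)
    for start, n in busiest_buckets(evs):
        print(f"{start:%Y-%m-%d %H:%M} UTC  {n} events")
    start, _ = busiest_buckets(evs, top=1)[0]
    window = events_around(evs, start, before=timedelta(0), after=timedelta(minutes=5))
    print(dict(source_breakdown(window)))
    for e in window:
        print(f"{e['ts']:%H:%M:%S}  {e['source']:8} {e['sourcetype']:18} {e['desc']}")
```

On a real timeline the busiest five-minute bucket is usually an installer or a Windows update, not the intrusion; filter those sources out first, or rank buckets by the number of distinct sources rather than raw event count, before trusting the pivot.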
Analyzing binaries in place with Velociraptor and CAPA
Velociraptor aims to provide the “last step” in the process of digital forensic investigations, security monitoring and threat hunting. CAPA detects capabilities in executable files: you run it against a PE file or shellcode and it tells you what it thinks the program can do. For example, it might suggest that the file is a…
Threat hunting with Microsoft Defender – Valid Accounts
In the previous post I explained how to hunt for the exact same scenario using CrowdStrike. I thought it would be fun to see how it would look with Microsoft Defender for Endpoint, using its Advanced Hunting module and the Kusto query language.
Threat hunting with CrowdStrike – Valid Accounts
Techniques of interest:
https://attack.mitre.org/techniques/T1078/
https://attack.mitre.org/techniques/T1021/
|_ Remote Services: Remote Desktop Protocol
|_ Remote Services: SMB/Windows Admin Shares
Hypothesis: If a threat actor (TA) successfully employed the above-mentioned sub-techniques of T1021, then in a Windows Active Directory environment it should show up as Windows logon events of type 3 (network logon, which is what SMB/admin share access produces) and type 10 (RemoteInteractive, which is what RDP produces) being generated on the target machines. If we were able to identify any single user…
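The hypothesis above turned into detection logic, as an added example that is not the CrowdStrike or Defender query from the post. It runs over a constructed set of Security event 4624 records reduced to the fields the hunt needs (hosts, accounts and addresses are made up), keeps only logon types 3 and 10, drops the two noise classes that otherwise dominate such a query (computer accounts and ANONYMOUS LOGON), and flags any account that reached several distinct targets within a sliding time window. The threshold and window are illustrative knobs, not values from the post.

```python
"""Hunt for Valid Accounts (T1078) used via Remote Services (T1021).

Added example, not the original post's query. SAMPLE_4624 holds
constructed Windows Security 4624 records with made-up hosts, users and
addresses. Only logon types 3 (Network, e.g. SMB/admin shares) and
10 (RemoteInteractive, e.g. RDP) are considered, per the hypothesis.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LATERAL_LOGON_TYPES = {3, 10}

# Constructed sample: (UTC time, target host, account, logon type, source IP).
SAMPLE_4624 = [
    ("2023-03-14T08:55:12", "WS01", "alice", 2, "-"),                  # console logon, out of scope
    ("2023-03-14T09:10:03", "FS01", "alice", 3, "10.0.1.21"),          # one file-share access
    ("2023-03-14T09:12:00", "DC01", "WS01$", 3, "10.0.1.21"),          # machine-account chatter
    ("2023-03-14T09:12:05", "DC02", "WS01$", 3, "10.0.1.21"),
    ("2023-03-14T09:13:40", "FS01", "WS01$", 3, "10.0.1.21"),
    ("2023-03-14T13:01:11", "WS02", "bob", 3, "10.0.1.37"),            # bob fans out from one source
    ("2023-03-14T13:03:52", "WS03", "bob", 3, "10.0.1.37"),
    ("2023-03-14T13:05:19", "WS04", "bob", 3, "10.0.1.37"),
    ("2023-03-14T13:18:44", "SRV01", "bob", 10, "10.0.1.37"),          # then RDP to a server
    ("2023-03-14T13:30:00", "FS01", "ANONYMOUS LOGON", 3, "10.0.2.9"),  # null session noise
    ("2023-03-14T15:00:00", "SRV01", "carol", 10, "10.0.9.5"),         # single admin RDP session
]


def load_events(rows=SAMPLE_4624):
    """Turn the tuples into dicts with a real datetime, sorted by time."""
    events = [
        {"time": datetime.fromisoformat(t), "host": h, "user": u,
         "logon_type": lt, "src": s}
        for t, h, u, lt, s in rows
    ]
    return sorted(events, key=lambda e: e["time"])


def is_candidate(ev):
    """Keep only logons that fit the hypothesis and drop the usual noise."""
    if ev["logon_type"] not in LATERAL_LOGON_TYPES:
        return False
    user = ev["user"]
    if user.endswith("$"):                 # computer accounts authenticate constantly
        return False
    if user.upper() == "ANONYMOUS LOGON":  # null sessions are not a valid account in use
        return False
    return True


def hunt_fan_out(events, min_hosts=3, window=timedelta(hours=1)):
    """Find accounts that reached >= min_hosts distinct targets inside any window.

    Returns {user: {"hosts", "logon_types", "sources", "first", "last"}} for
    each account whose densest window meets the threshold.
    """
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if is_candidate(ev):
            by_user[ev["user"]].append(ev)

    findings = {}
    for user, evs in by_user.items():
        best = None
        for i, anchor in enumerate(evs):
            # evs is time-ordered, so this is the window that starts at anchor.
            run = [e for e in evs[i:] if e["time"] - anchor["time"] <= window]
            hosts = {e["host"] for e in run}
            if best is None or len(hosts) > len(best["hosts"]):
                best = {
                    "hosts": sorted(hosts),
                    "logon_types": sorted({e["logon_type"] for e in run}),
                    "sources": sorted({e["src"] for e in run}),
                    "first": run[0]["time"],
                    "last": run[-1]["time"],
                }
        if best and len(best["hosts"]) >= min_hosts:
            findings[user] = best
    return findings


if __name__ == "__main__":
    for user, f in hunt_fan_out(load_events()).items():
        print(f"{user}: {len(f['hosts'])} hosts {f['hosts']} via logon types "
              f"{f['logon_types']} from {f['sources']} between "
              f"{f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
```

The window matters as much as the threshold: a backup or monitoring service account also touches many hosts, but it does so on a schedule and from a fixed source, so in practice you baseline those accounts separately rather than lowering the threshold. Collapsing on the source address (all of bob's logons come from 10.0.1.37) is the next pivot, since a single workstation fanning out under one user is the classic shape of credential reuse after an initial compromise.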
How to make smart investments in cybersecurity
Developing and prioritizing investment needs is not an easy task for most CISOs. Most of them face strong budget constraints and need to justify every penny they request in detail. Some will only get significant spending approved after their organization has experienced a significant breach. This article aims to provide a non-exhaustive list…
Subjective list of the 5 most important things you should be doing to improve cybersecurity in your organization
Have a response team. No matter how good your organization is at risk management and at implementing security measures, it is certain that sooner or later it will experience a severe security incident or a breach. When this happens, the only thing that can effectively minimize the impact and quickly recover from the incident is the…
Proactive Threat Hunting – no longer a whim
Originally posted in 2018. We are undoubtedly in the era of severe security alert fatigue, caused by the vast number of false-positive alerts generated every day by the countless security products that organizations put in place to improve their defences. Because of this, it’s hard to justify resources who would essentially focus…
What can we learn from the GAO report on the US Weapon Systems Cybersecurity
Posted on: October 23, 2018. At the beginning of this month the United States Government Accountability Office released a public report titled “Weapon Systems Cybersecurity: DOD Just Beginning to Grapple with Scale of Vulnerabilities”. The assessment was performed as the US Department of Defense “(…) plans to spend about $1.66 trillion to develop its current portfolio of…
Let’s start with the basics. Windows security events monitoring.
Originally published in 2015. Security log collection and analysis is crucial for security incident detection and response. There are many tools that can help with this activity, but they can only be as good as the data that is sent to them. This guide concentrates on providing recommendations and ideas to consider when planning log…
Let me mine some coin with your browser, Alice!
Originally published in 2017. Recently, while I was reviewing AV logs in a large organization, one of the things that caught my attention was a large number of hits categorized as JavaScript with the word ‘Miner’ in the threat’s signature name. I looked up some of the files’ hashes on VirusTotal and downloaded some samples.…
Finding newly registered domains for hunting and blocking.
Originally published in 2015. Email addresses in freshly registered, short-lived domains are increasingly used to send spam and malware. They are also used in spear-phishing campaigns, often combined with bitsquatting/typosquatting techniques to fool users into trusting the message content. The same applies to websites serving malicious content that are linked from the phishing…

About Me
I’ve been working in the cybersecurity field since 2️⃣0️⃣0️⃣8️⃣ and somehow I still love this job. Mostly because it’s completely different now than it was when I started.
Lukasz Olszewski 🇪🇺 🚵🏼
Cybersecurity is a race between awareness and a breach.
Network location does not imply trust.
NIST SP 800-207
It’s okay to spend a lot of time arguing about which route to take to San Francisco when everyone wants to end up there, but a lot of time gets wasted in such arguments if one person wants to go to San Francisco and another secretly wants to go to San Diego.
S. Jobs