Beyond ‘Check The Box’ - Powering Intrusion Investigations
Offered By: Black Hat via YouTube
Course Description
Overview
Explore a comprehensive conference talk that delves into advanced techniques for conducting intrusion investigations. Learn how to move beyond basic "check the box" approaches and leverage powerful capabilities to uncover critical insights. Discover various use cases, understand the context of investigations, and explore high-level questions that drive effective inquiries. Examine essential data points, including DHCP logging, Kerberos service tickets, and authentication events. Gain insights into the intrusion life cycle, possible explanations for suspicious activities, and the differences between Windows 2003 and 2008 logging. Master the art of tracking DNS resolutions, identifying indicators of compromise, and recognizing network-based signs of intrusion. Enhance your cybersecurity skills with practical examples, commercial simulation insights, and expert guidance on logging best practices.
Syllabus
Introduction
Capabilities
Use Cases
Who I am
Context on investigations
Self-identified
Questions
Example
High Level Questions
Data Points
DHCP Logging
Systems
Bottom Line
Life Cycle
Possible explanations
Kerberos service tickets
Commercial Sim example
Windows 2003 vs Windows 2008
Logging Authentication Events
Events to Log
Net Float
Tracking DNS Resolutions
The Simple Case
Logging DNS
Identifying indicators of compromise
Network indicators of compromise
Summary
Q&A
Taught by
Black Hat
Related Courses
Computer Security - Stanford University via Coursera
Cryptography II - Stanford University via Coursera
Malicious Software and its Underground Economy: Two Sides to Every Story - University of London International Programmes via Coursera
Building an Information Risk Management Toolkit - University of Washington via Coursera
Introduction to Cybersecurity - National Cybersecurity Institute at Excelsior College via Canvas Network