
All news with #dfir tag

21 articles

Seven Practical Tips to Speed Cyber Incident Recovery

🔁 Enterprises must assume cyber incidents are inevitable and prioritize fast, coordinated recovery to limit costs, disruption, and re-compromise. Experts recommend sharpening response-team skills, emphasizing early scoping and containment, establishing situational awareness, engaging external DFIR partners, and prioritizing restorations by business criticality. Disciplined execution using frameworks like NIST 800-61 and clear RACI roles helps preserve integrity and reduce downtime.

Framework for Secure Forensic Artifact Collection to S3

🗃️ This post outlines a secure, automated framework for collecting forensic artifacts into Amazon S3, emphasizing least privilege, time-limited AWS STS credentials, and compatibility with existing forensic tools. It recommends S3 hardening—encryption in transit, CMK-based server-side encryption, CloudTrail data events, object versioning and Object Lock—to preserve chain of custody. The post demonstrates vending scoped temporary credentials and an AWS CDK reference implementation that automates collection using SQS, Lambda, Step Functions, and Systems Manager.

Bangladesh Bank Cyberheist: Ten-Year Resilience Lessons

🔒 Ten years after the February 2016 operation that attempted to steal $951 million via fraudulent SWIFT messages, the Bangladesh Bank heist remains a defining case for cyber resiliency. Attackers attributed to the Lazarus Group used spear-phishing, backdoors, keyloggers and printer sabotage to capture credentials and erase audit trails, enabling 35 fraudulent transfer attempts. The incident exposed basic control failures—lack of network segregation, exposed SWIFT systems, and limited endpoint monitoring—and helped drive mandatory measures such as the SWIFT Customer Security Program.

Muddled Libra Rogue VM Playbook and Operational Tactics

🔐 Unit 42 recovered a rogue VM created by Muddled Libra (aka Scattered Spider, UNC3944) during a September 2025 incident, revealing an operational playbook of reconnaissance, credential theft, lateral movement and data access. The actors abused legitimate tools and stolen certificates, persisted via an SSH tunnel (Chisel), and copied NTDS.dit and SYSTEM hives. Unit 42 recommends strengthening identity controls and adopting Advanced WildFire and Cortex defenses.

The First 90 Seconds: Early Choices That Shape Investigations

🕒 The opening moments after detection — often referred to as the first 90 seconds — determine whether an incident becomes manageable or spirals out of control. Responders must quickly decide what to preserve, what to examine first, and whether a single affected host reflects broader compromise. Prioritize evidence of execution and retain backward telemetry rather than immediately restoring services. Consistent discipline, environment knowledge, and repeatable procedures are what let teams scale investigations with confidence.

Responding to Ransomware: Forensics, Triage, and Policy

🛡️ Stay calm and avoid rash moves when ransomware hits: shutting down systems can cause 'forensic suicide' by destroying volatile evidence such as RAM. Joanna Lang-Recht recommends isolating affected hosts from networks rather than powering them off, preserving forensic images, and engaging specialized incident response teams. Prioritize containment, secure offline backups, and clear crisis roles. Treat negotiation as an economic decision and rely on trained negotiators rather than emotional engagement.

INC ransomware OPSEC lapse allowed recovery for 12 US orgs

🔍 Cyber Centaurs conducted a forensic investigation after a client reported ransomware activity and found a RainINC variant executed from the PerfLogs directory. Analysts discovered artifacts tied to Restic — renamed binaries, PowerShell scripts (notably new.ps1 with Base64-encoded commands) and hardcoded S3 credentials — indicating long-lived attacker-controlled backup repositories. Using a controlled, non-destructive enumeration they recovered encrypted backups for 12 unrelated U.S. organizations across healthcare, manufacturing, technology, and services, preserved copies, and notified law enforcement. The team published findings, a list of tools observed in INC infrastructure, and YARA/Sigma rules to help defenders detect suspicious Restic usage and renamed binaries.

Focus Investigations: Move Beyond Detection and Response

🔍 Organizations often overemphasize detection and response at the expense of thorough investigation. While IDS, firewalls, and response teams are essential to stop immediate damage, investigation provides the root-cause insights—examining exploited vulnerabilities, attacker entry paths, and post-compromise activity—that prevent recurrence. Investing in deep packet inspection and forensic analysis turns incidents into learning opportunities and strengthens long-term resilience.

Effective Post-Incident Security Reviews: Key Practices

🔍 Post-incident reviews are a structured means to understand security incidents and improve future defenses. Conducted promptly, they preserve fresh details and enable accurate timelines that reveal where delays or failures occurred. Reviews must include root-cause analysis, evaluation of detection and response performance, and assessment of business impact. Involving legal, governance, finance, HR, and board stakeholders helps connect technical findings to policy and risk decisions, while avoiding blame and assigning concrete, timebound follow-up is essential.

AWS Security Incident Response Expands to 10 Regions

🔒 AWS Security Incident Response is now available in ten additional opt-in AWS Regions across Africa, Asia Pacific, Europe, and the Middle East. The service streamlines the incident response lifecycle through automated security finding monitoring and triage, AI-powered investigation, and containment capabilities. Customers also receive 24/7 direct access to a dedicated AWS security team that responds within minutes, helping scale operations, accelerate recovery, and reduce operational overhead.

Hidden Forensic Evidence in Windows ETL: Diagtrack File

🔍 FortiGuard IR analysts discovered that an obscure ETL file, AutoLogger-Diagtrack-Listener.etl, can retain historical process execution data useful for post-incident forensics. Parsing ETW payloads exposed ProcessStarted events including ImageName, ProcessID, ParentProcessID and sometimes CommandLine entries that revealed deleted tools. Controlled testing showed creating the autologger and setting AllowTelemetry=3 often produced an empty file, indicating the DiagTrack service may populate the file only under undocumented conditions. Further research is needed to understand when and how this telemetry is written.

Serious Cyber Incidents Hit Multiple London Councils

⚠️ Multiple London local authorities, including the Royal Borough of Kensington and Chelsea (RBKC) and Westminster City Council, are responding to a serious cybersecurity incident identified on Monday. Both councils have informed the ICO and are working with the NCSC while invoking business continuity and emergency plans to protect critical services. A number of systems, including phone lines and shared IT services, are affected across boroughs. RBKC reports successful mitigations are in place and recovery work is continuing.

Qilin Ransomware Investigation: Huntress Forensics Analysis

🔍 Huntress Labs detailed a Qilin ransomware investigation in which visibility was constrained because their agent was installed after the compromise and only on a single endpoint. Analysts correlated managed antivirus alerts, Windows Event Logs, AmCache, PCA logs, and VirusTotal to reconstruct a timeline showing a rogue ScreenConnect RMM deployment, attempts to run infostealer binaries, tampering with Windows Defender, and likely ransomware execution from another host. The report stresses validating artifacts across multiple sources to avoid false assumptions and inform accurate remediation.

Viasat KA-SAT Attack and Satellite Cybersecurity Lessons

🛰️ Cisco Talos revisits the Feb. 24, 2022 KA‑SAT incident where attackers abused a VPN appliance vulnerability to access management systems and deploy the AcidRain wiper. The malware erased modem and router firmware and configs, disrupting satellite communications for many Ukrainian users and unexpectedly severing remote monitoring for ~5,800 German Enercon wind turbines. The piece highlights forensic gaps, links to VPNFilter-era tooling, and the operational choices defenders face when repair or replacement are on the table.

Time Travel Debugging for .NET Process Hollowing Analysis

🕒 This post introduces Time Travel Debugging (TTD) via WinDbg as a high-value tool for accelerating analysis of obfuscated, multi-stage .NET droppers that perform process hollowing. The authors demonstrate recording a TTD trace, querying the Debugger Data Model with LINQ to find CreateProcess and WriteProcessMemory calls, and extracting a hidden AgentTesla payload. It highlights practical tips, tooling (TTD.exe, FLARE-VM), and limitations such as user-mode scope and proprietary trace formats.

Dynamic Binary Instrumentation with DynamoRIO on Windows

🛠️ This post introduces dynamic binary instrumentation (DBI) and provides a hands-on guide to building DBI tooling using DynamoRIO on Windows 11. It explains the difference between static and dynamic instrumentation and highlights practical uses such as malware analysis, anti-anti-analysis techniques, runtime de-obfuscation, and automated unpacking. The tutorial includes example clients, build instructions, and a GitHub repository with sample code to help researchers get started.

Volvo Third-Party Breach Highlights Forensic Readiness Gaps

🔒 In August 2025 Volvo Group North America disclosed a breach that originated in its third‑party HR provider, Miljödata, and a slow timeline of detection and notification has raised questions about forensic readiness. Reported exposed records included Social Security numbers and sensitive employee identifiers, and Volvo offered 18 months of identity‑protection services. The author provides five practical recommendations to preserve evidentiary integrity: embed forensics from day zero, align IR and forensic priorities, automate collection and triage, contractually manage vendor response, and coordinate legal messaging to reduce litigation and regulatory risk.

Mandiant Academy Basic Static and Dynamic Analysis

🛡️ Mandiant Academy’s new Basic Static and Dynamic Analysis course teaches foundational techniques for safely examining and triaging Windows binaries. The hands-on curriculum combines PE file inspection, metadata and strings extraction, and controlled execution in a provided virtual machine to observe behavior, network activity, and memory artifacts. No advanced programming prerequisites are required, though familiarity with command-line basics, hexadecimal data, and operating system concepts is recommended.

12 Digital Forensics Certifications to Advance Your Career

🔎 Digital forensics professionals investigate breaches to determine access methods, affected systems, and attacker actions, with the goal of preventing future incidents. This article reviews a curated list of a dozen certifications that span vendor-neutral and vendor-specific tracks, including mobile, cloud, network, memory, and Windows forensics. Each entry summarizes scope, target audience, exam format, validity period, renewal or CPE requirements, and typical training and exam fees to help practitioners choose the most appropriate credential.

CISA Releases Thorium: Scalable Malware Analysis Platform

🛡️ CISA, in partnership with Sandia National Laboratories, released Thorium, an automated, scalable malware and forensic analysis platform that consolidates commercial, custom, and open-source tools into unified, automated workflows. Thorium is configured to ingest over 10 million files per hour per permission group and schedule more than 1,700 jobs per second, enabling rapid, large-scale binary and artifact analysis while maintaining fast query performance. It scales on Kubernetes with ScyllaDB, supports Dockerized tools and VM/bare-metal integrations, and enforces strict group-based access controls along with tag and full-text filtering for results.