“We are what we repeatedly do. Excellence, then, is not an act, but a habit.”
- Will Durant
LOLBAS. The Living Off the Land Binaries and Scripts (LOLBAS) Project is a GitHub repository that was introduced to me by a co-worker of mine. He uses the repo to identify different techniques he can utilize as a threat emulator. I have found that resources Red Team members rely on are also great for Blue Team members. The LOLBAS-Project does an amazing job of detailing the various ways attackers live off the land. I find it a valuable resource, as attackers are utilizing these techniques more and more.
MITRE ATT&CK. MITRE ATT&CK needs little introduction. I was first introduced to the ATT&CK framework in 2016 when I took SANS FOR500. The framework is a collection of adversary Tactics, Techniques, and Procedures (TTPs). The knowledge base organizes the TTPs into the ATT&CK Matrix so a user can pivot from a Tactic, such as Persistence, into a technique like Registry Run Keys/Startup Folder. The descriptions provided for each technique have allowed me to create specific Threat Profiles and Hypotheses that are beneficial to threat hunting activities.
Palantir ADS Framework. The SpecterOps team introduced me to the Palantir Alerting and Detection Strategy (ADS) Framework. This resource is something I wish I had known about when I first began. For the previous four years, my team has been attempting to find a strategy to document the reasons behind the signatures we build for multiple tools. We found that the people involved could easily understand the quick notes in the operator logs, but individuals coming in later did not have a clue what had happened. The ADS Framework outlines the Goal, Categorization, Strategy Abstract, Technical Context, Blind Spots and Assumptions, False Positives, Validation, Priority, and Response. New team members have responded well to being able to read an ADS for a specific activity and are more engaged in testing the ADS.
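As an added example (not Palantir's or SpecterOps' code), a small checker that a detection team could run over its ADS documents to catch the gaps new team members trip over: missing sections, sections left empty, and sections out of the framework's order. It assumes each ADS is a markdown file with the nine sections as `##` headings; the sample ADS below is constructed for the demo.

```python
import re

# The nine ADS sections the framework prescribes, in the order the post lists them.
ADS_SECTIONS = [
    "Goal", "Categorization", "Strategy Abstract", "Technical Context",
    "Blind Spots and Assumptions", "False Positives", "Validation",
    "Priority", "Response",
]

# Constructed sample ADS (markdown). "Validation" is left empty and "Priority"
# is omitted on purpose so the checker has something to report.
SAMPLE_ADS = """\
# ADS: Registry Run Key persistence
## Goal
Detect new values written under the Run keys by non-installer processes.
## Categorization
ATT&CK: Persistence / Registry Run Keys / Startup Folder
## Strategy Abstract
Alert on registry value creation under the Run keys.
## Technical Context
Run keys are evaluated at user logon.
## Blind Spots and Assumptions
Assumes registry auditing is enabled on endpoints.
## False Positives
Software installers and update agents.
## Validation
## Response
Triage the writing process and the value it wrote.
"""

HEADING = re.compile(r"^##\s+(.+?)\s*$", re.MULTILINE)

def parse_sections(markdown: str) -> dict:
    """Map each '## Heading' to the stripped body text beneath it."""
    matches = list(HEADING.finditer(markdown))
    sections = {}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(markdown)
        sections[m.group(1)] = markdown[m.end():end].strip()
    return sections

def check_ads(markdown: str) -> dict:
    """Report missing sections, empty sections, and whether order matches the framework."""
    sections = parse_sections(markdown)
    missing = [s for s in ADS_SECTIONS if s not in sections]
    empty = [s for s in ADS_SECTIONS if s in sections and not sections[s]]
    found_order = [s for s in sections if s in ADS_SECTIONS]
    expected_order = [s for s in ADS_SECTIONS if s in sections]
    return {"missing": missing, "empty": empty, "in_order": found_order == expected_order}

if __name__ == "__main__":
    print(check_ads(SAMPLE_ADS))
```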
SmarterForensics. Smarter Forensics is the blog of Heather Mahalik. It is a resource I use to keep up with the latest information in smartphone forensics. Heather does an amazing job of documenting the various smartphone investigations that will be useful to the community.
SANS Reading Room. SANS is known for its Information Security courses, which cover a variety of domains. After attending a course, I find I am curious to dig further into the topics it covered. The SANS Reading Room is a great resource for getting that information through a good read. Papers I have found in the Reading Room have triggered ideas for how I can better myself in my career field.