Steve YARA Synapse Miller (@stvemillertime) 's Twitter Profile
Steve YARA Synapse Miller

@stvemillertime

threat intelligence @google

writing & sharing on adversary tradecraft, malware, threat detection, ics/ot intel and all things #yara

ID: 19564532

Link: https://bsky.app/profile/stvemillertime.bsky.social
Joined: 26-01-2009 23:03:07

5,5K Tweet

16,16K Followers

1,1K Following

Steve YARA Synapse Miller (@stvemillertime):

One thing that is often overlooked, is that intrusion sets (esp for hifi attribs) must have qualified crime scenes. Not just connected data points floating in space, but the data must be grounded in compromised assets, or seen at positively identified victims of intrusion crimes.

Willi Ballenthin (@williballenthin):

QUANTUMSTRAND beta 1 released: built for analysts to quickly understand *where* strings are, *what* they might be, and *how* important they are, without getting lost in a sea of undifferentiated text. Thanks Moritz and the crew at Mandiant (part of Google Cloud) FLARE github.com/mandiant/flare…

Steve YARA Synapse Miller (@stvemillertime):

One thing I continue to hate about most security tooling is that they often show me data without helping me understand what it means, with context to things like prevalence and relationships. *This* is not just the future of strings, but the future of analysis tooling.

Thomas Roccia 🤘 (@fr0gger_):

Interesting tool if you are looking for a complement to strings, stringsifter and floss. StrangerStrings uses a trigram-based scoring model to calculate probabilities of character sequences. 👇 github.com/closed-systems…

Steve YARA Synapse Miller (@stvemillertime):

I think of the NFL as less of a "sport" and more of an unscripted reality show. The ups & downs, fights, drama, the underdogs, the heroes. Once you think of it as a reality entertainment, it becomes less about stats and winning, and more about stories of the human experience.

Victor M. Alvarez (@plusvic):

Smarter is not always better. A tale about YARA and YARA-X heuristics and optimizations. virustotal.github.io/yara-x/blog/sm…

Steve YARA Synapse Miller (@stvemillertime):

For GTI / VT enterprise users: Do you use YARA rules outside of VT? How do you use them? Is there something they can do that other things cannot?

Steve YARA Synapse Miller (@stvemillertime):

For GTI / VT enterprise users: would you like the ability to do livehunt and retrohunt with Suricata rules, over pcap files (including sandbox, generated pcap)? Amongst many promising possibilities, what would you use this for?

Steve YARA Synapse Miller (@stvemillertime):

I've heard from several folks that their orgs are using YARA for 'sweeps' across file and memory content for targeted endpoints. Whether the scanning is done on-host or off, I would guess this could be in support of IR, hunting, or for assets that can't run typical EDR products.

Steve YARA Synapse Miller (@stvemillertime):

I am a big believer in Stairwell's strategy and platform. Scalable file analysis has been historically out of reach for most orgs. Imagine if you could run YARA across all your files, pivot via metadata, understand prevalence, identify impacted assets, see timelines & more

Steve YARA Synapse Miller (@stvemillertime):

The thing is, I *have* to finish all the little side quests before I get back to the main quest line, or else I'll always be wondering how all those loose threads might've woven into the fabric of the bigger picture.

Malware Utkonos (@malwareutkonos):

Steve YARA Synapse Miller Debuggers on malware are like the old roguelike RPGs with no formal save game feature and perma-death. You are following a linear path through the dungeon avoiding antianalysis traps and collecting loot in the form of IOCs. The graphics are much worse than those old RPGs.

b33f | 🇺🇦✊ (@fuzzysec):

This is mostly correct, MCP is a standardized framework around api calls (that you likely implement yourself based on your remote interface). Back in 2023 when I first hooked up LLMs to custom tools that’s exactly how I thought about it. Still I believe the industry itself will