nightHawkResponse 2.0: Open source forensics rebirthed
Presenter: Daniel Eden
Format: 30 mins
Track: Main
Location: The Amphitheatre
Time: Saturday 11:30am

Abstract

Breaking into a network leaves a lot of artefacts. Periodically sweeping your endpoints and storing that data can be invaluable. Can you tell what's different between today, yesterday and last week? Can you scope your investigation in a matter of minutes and begin triaging? nightHawk Response can.

nightHawk Response is an open source platform we developed using Elastic as the search engine, Redline/HX/MIR audits as the data source and Go as the parsing engine. It was thought up over a Saturday morning coffee when we realised there was no tool to help our colleague analysts perform incident response triage and hunting at scale.

This is version 2.0: it has been stripped back, dejunkafied and optimised. New features, including Docker and cloud deployment, will make it easier for you to get it up and running in minutes. Our integration has taken a new direction and we have included a "technology add-on", a nightHawk Kibana plugin, which abstracts away our old UI to give the user closer integration with the underlying search functionality.

Speaker Bio

Daniel is one half of nightHawkResponse and recently teamed up as co-director of Caccia Cyber, an Australian cyber security company focusing on forensics, incident response and analytics. Daniel has worked for NBNco, ANZ Bank (CSIRT) and Secureworks as a lead incident responder and log analysis mega nerd. He holds both the GREM and GXPN certifications and has presented at Ruxcon and Melbourne Reverse Engineering conferences on numerous topics including forensics, open source technology and malware RE.
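The sweep-to-sweep comparison the abstract asks about ("what's different between today, yesterday and last week?") boils down to keying each artefact by host and path, then diffing two stored snapshots and stacking what is rare across the fleet. The following Go program is an added example written for this page: it is not nightHawk Response's own code and it does not use the real Redline/HX/MIR audit schema. The `Artefact` record, the hostnames and the hash values are constructed stand-ins for the fields an analyst would actually index in Elastic.

```go
package main

import (
	"fmt"
	"sort"
)

// Artefact is a constructed, simplified record of one file-system entry from
// a single endpoint sweep. It is NOT the Redline/HX/MIR audit format; it only
// stands in for the fields an analyst would diff between sweeps.
type Artefact struct {
	Host string
	Path string
	MD5  string
}

// Sweep is one collection across a fleet (one day's data as it would sit in
// an Elastic index), keyed by host|path so the same file on the same host
// matches across sweeps.
type Sweep map[string]Artefact

// Key builds the identity used to match an artefact across sweeps.
func Key(a Artefact) string { return a.Host + "|" + a.Path }

// NewSweep indexes a list of artefacts into a Sweep.
func NewSweep(items ...Artefact) Sweep {
	s := make(Sweep, len(items))
	for _, a := range items {
		s[Key(a)] = a
	}
	return s
}

// Change is one line of the diff report between two sweeps.
type Change struct {
	Kind string // "added", "removed" or "modified"
	Host string
	Path string
	Old  string // hash in the previous sweep, empty when added
	New  string // hash in the current sweep, empty when removed
}

// Diff returns what appeared, disappeared or changed hash between prev and
// cur, sorted by host then path so the report is stable for review.
func Diff(prev, cur Sweep) []Change {
	var out []Change
	for k, a := range cur {
		if p, ok := prev[k]; !ok {
			out = append(out, Change{"added", a.Host, a.Path, "", a.MD5})
		} else if p.MD5 != a.MD5 {
			out = append(out, Change{"modified", a.Host, a.Path, p.MD5, a.MD5})
		}
	}
	for k, p := range prev {
		if _, ok := cur[k]; !ok {
			out = append(out, Change{"removed", p.Host, p.Path, p.MD5, ""})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Host != out[j].Host {
			return out[i].Host < out[j].Host
		}
		return out[i].Path < out[j].Path
	})
	return out
}

// Rare stacks one sweep by hash and returns the hashes present on at most
// maxHosts endpoints: the "least frequent" list that triage usually starts with.
func Rare(s Sweep, maxHosts int) []string {
	hosts := map[string]map[string]bool{}
	for _, a := range s {
		if hosts[a.MD5] == nil {
			hosts[a.MD5] = map[string]bool{}
		}
		hosts[a.MD5][a.Host] = true
	}
	var out []string
	for md5, h := range hosts {
		if len(h) <= maxHosts {
			out = append(out, md5)
		}
	}
	sort.Strings(out)
	return out
}

// SampleSweeps returns two constructed sweeps (yesterday, today). The hosts,
// paths and "hashes" are made up for illustration only.
func SampleSweeps() (Sweep, Sweep) {
	yesterday := NewSweep(
		Artefact{"ws01", `C:\Windows\System32\svchost.exe`, "aaa"},
		Artefact{"ws02", `C:\Windows\System32\svchost.exe`, "aaa"},
		Artefact{"ws01", `C:\Users\a\AppData\Roaming\update.exe`, "bbb"},
	)
	today := NewSweep(
		Artefact{"ws01", `C:\Windows\System32\svchost.exe`, "aaa"},
		Artefact{"ws02", `C:\Windows\System32\svchost.exe`, "ccc"}, // hash changed
		Artefact{"ws02", `C:\Users\b\AppData\Roaming\rundll.exe`, "ddd"}, // new file
	)
	return yesterday, today
}

func main() {
	yesterday, today := SampleSweeps()
	for _, c := range Diff(yesterday, today) {
		fmt.Printf("%-8s %s %s old=%q new=%q\n", c.Kind, c.Host, c.Path, c.Old, c.New)
	}
	fmt.Println("rare in yesterday's sweep:", Rare(yesterday, 1))
}
```

A system binary whose hash changes on one host, or a new executable under a user's roaming profile, is exactly the kind of delta that surfaces from the diff; the rarity stack then narrows a fleet-wide sweep down to the handful of hashes worth pulling first.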