I’m a person who loves a good presentation. I love building them, giving them, and watching them. I’m also a person who knows they take time and effort. Like any creative process what that time and effort looks like is different for everyone. Here is my process:

Write The Abstract

Now I’m very aware step one should of course be doing all the research and then building the presentation, but that never happens. Step one is almost aways writing an abstract for most folks I know.

This is a bad idea in a wide variety of cases. …

Image for post
Image for post
Source: FinancialTribune

There’s a lot to ICS networks, the systems they run, and the protocols that control them. This is the barest treatment, and I have more to do, but I wanted to share what I have learned so far. Also it is a lot (and I mean a lot even for me) of lists, links, references, and embedded resources like videos and PDFs. You’ve been warned.

When I started this series it was really all about the things I didn’t know (and mostly still don’t). I didn’t know about the adversary. I didn’t know about the campaign against Ukrainian power beyond…

Image for post
Image for post
Source: Public Domain Pictures

In the first post of the CRASH OVERRIDE Chronicles I outlined my plan for reviewing Drago’s CRASHOVERRIDE report in order to build an understanding of the ICS threat landscape, key technologies, and ultimately one of the major actors involved. This second installment is a run through of the whole report calling out areas I need to focus on learning & investigating.

The first step was simple: Read the report. The second step was also simple: Read the report again; this time with a critical eye. The first read through is for familiarity. The second read through is not simply to…

I’ve been lucky and had a really wide variety of experiences in information security throughout my career. Government & non-government. Vendor & practitioner. Finance & dotcom. I’ve seen a lot of stuff. It’s to the point that I get even more excited about the stuff I’ve never done. One of those moments happened a few weeks ago when the Dragos team released their Crash Override report.

Full Disclosure: I know a few of the folks over at Dragos and consider them friends but friends that value good, even critical, analysis.

Image for post
Image for post
Source: Crash Override Report by Dragos

The Crash Override report is an investigation into a campaign…

Here’s a familiar scenario:

A new threat is being whispered about. Maybe your office has someone with special access of some kind and they’re being a bit more secret squirrely than usual. The mailing lists you’re on are a buzz about a new piece of malware or vendor code name. You keep hearing about a paid only report that tells all. APT 46: EMPEROR PENGUIN is coming! When your boss asks about EMPEROR PENGUIN you have to say you don’t know much… but you’ve heard they’re very good, very advanced, well funded, with great opsec… obviously a serious threat aimed…

Image for post
Image for post

A few weeks ago while teaching SANS FOR578 one of my students asked a great question by a student: What books or papers should a new cyber threat intelligence analyst read first? It’s a question I’d meant to answer before so instead of just sending back an email (I mean, I emailed back, HI MATT, but along with that) I figured I’d write up my list and have something to reference next time I get asked. So here’s my list of things you should read when getting started in cyber threat intelligence:


Get that library card or Amazon account ready…

On second thought Medium is a nice platform and tweaking my Jekyll blog often gets in the way of writing. For that reason I’m back!

So using Medium to blog was an experiment. It’s a nice platform, but I miss having the control that comes with Jekyll. So with that I’m moving back.

Please feel free to follow me on blog: sroberts.github.io.

Image for post
Image for post
Source: Screenshot

Go into a tech interview, especially one for operations or security, and you’re more than likely going to get an interview question like this:

“What happens when you put a URL in the address bar of a browser and hit enter?”

I’ve been on both ends of this question, asked it and answered it. I’d like to look at what the answer is (or at least one answer), why it’s good, why it’s bad, and what could be better.

My Answer

Like many good things in life the answer to this question is a recipe in two parts.

Well… it’s sorta cooking……

Image for post
Image for post
Source: Flickr

Ahh January 4th. It’s that time of year to review 2016 and think about what’s coming in 2017. Let’s start by looking at what I kicked off 2016 with:

Did I get it all done or fail miserably?

Image for post
Image for post
Kremlin from the River. Source: Wikipedia.

Here it is. After weeks of wondering if and how the United States Government might respond the United States White House, State Dept, Treasury, and US-CERT have released information on and sanctions against the Russian government’s efforts to influence the United States elections. I offer all this without too much analysis given I’ve just seen it myself and expect it will take a long time to digest.

First the technical response, the US-CERTs information which included IOCs and a Joint Analysis Report with technical descriptions of TTPs:

You can find the extracted IOCs at the end of the article (Note…

Scott J Roberts

Network Defender, developer, speaker, writer, author of O’Reilly’s Intelligence Driven Incident Response, & SANS instructor. Bad guy catcher.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store