
June 3, 2025 38 mins


Drawing inspiration from observing military special forces and over five years of hands-on DFIR experience, Clint Marsden explores the mindset, habits, and tactical processes that set top-performing IR teams apart.

From threat intelligence workflows and detection-first thinking to deep forensic analysis and clear executive reporting, this episode is packed with real-world lessons, relatable stories, and practical advice. Whether you're running your first threat hunt or leading an enterprise SOC, you'll walk away with a clearer vision for building a resilient, high-performing IR capability.

You’ll learn:

  • Why elite IR teams focus on boring repetition and clarity over cool tools
  • How to track threat groups and adapt detection rules in real time
  • Where most SOCs fail with SIEM tuning and memory forensics
  • How to communicate findings that actually move leadership to act

Check out the blog: www.dfirinsights.com


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:00):
Hi, I'm Clint Marsden, and today we are discussing what makes a great incident response team. And this is more than following a playbook and having good team culture. It's not about after a big incident, we all go down to the

(00:22):
pub and have some beers and a steak. It's a little bit more than that. I've, I've been working in incident response teams for years, over five years at this point, and based on that real world experience, I wanted to explain what makes a great incident

(00:44):
response team. And I've also done some research to bring some additional things together because it's something that's interested me for a long time. The correlation between the military special forces and what they do, how they train, and how this can be implemented in

(01:10):
civilian life. So I'm not an ex Special Forces member. I've always looked up to those guys for a few reasons. The, the most obvious one, I guess, is just their resilience, especially going through training. Go on YouTube and you watch the videos about how they are going

(01:30):
through that selection course. It is very, very hard work. It is, it is grueling. Uh, as someone who has spent their life behind a computer, I look at the, the stuff that those guys have to go through and, and just go, wow. It's, it is so impressive.

(01:50):
The stories that you hear. About people who have made it, people who haven't made it. It's not always the guys who look the biggest, act the toughest, are the alpha males that make it through. And that is because these selection courses are designed

(02:12):
to break you and they will take you to your limits, and then they push you further than your limits. And for some people, they're able to dig deep. And they discover more about themselves and then they tap into something bigger, are able to complete selection.

(02:33):
And sometimes it's the guys that are the small ones. Jocko Willink is a guy who's got some great books on, on leadership and obviously very, very much outside the, the topic of, of today's episode and the podcast in general. Jocko Willink is this podcaster, ex US Forces Marine, special

(02:54):
Forces Marine, I'm sorry, has some great books like Discipline Equals Freedom, Leadership Strategies and Tactics. In one of his books, he talks about the best teams and the guys that were some of the most successful were in the SEAL teams during one of the selection courses.

(03:14):
They were, I think they called them the, the small guys. They were not six foot tall, massive guys, but somehow they managed to just win and succeed against all the odds. And so that's where my interest has come from in, in this, looking up to them and, and identifying what are the traits

(03:38):
that these guys have. And it's not about us trying to carry logs or gigantic tires in incidents, of course, right. But when the heat is on, what are those guys doing to get there? How did they get there? Because they weren't born Navy SEALs.

(03:59):
They were born like everyone else and they worked hard. They got to where they are because they had systems and they had training and did things over and over again. Especially the boring stuff, the way that we can get like this. The way that we can become experts, we can become highly

(04:22):
trained, we can be comfortable in high-pressure situations, is by practicing over and over again and looking at what the best teams in the world are doing, and then looking at how can we implement that in our team. And a great IR team doesn't just respond to alerts.

(04:45):
Especially during the downtime. In fact, what a great IR team does, they try and anticipate what is coming down the wire, so to speak. And you might think, well, you know, how on earth do we, how on earth do we anticipate threats? We, we are dealing with a number of unknown adversaries on the

(05:10):
other side. You've got teenagers on the other side of the world hacking from their bedrooms. You have nation state threat actors. You have bot or botnet activity. You have users who are just getting caught up in downloading

(05:32):
malware and they're victims of search engine optimization or search engine poisoning, and they're getting Lumma Stealer. Even just talking about those different vectors, that gives us a clue on how we can protect the network, how we can protect the

(05:52):
organization at large, because they're all different types of threats. We can't just wait for an indicator of compromise to show up, to get this understanding of what is coming down the wire. We have to do things like tracking threat groups, tracking

(06:15):
malware families, and their TTPs and the threat group TTPs, the tactics, techniques and procedures. And you can do this in real time. If you have that capability. Maybe you've engaged the partner that provides this to you, or

(06:36):
maybe you are doing it more casually. It becomes more of a daily checklist type item, and the team are doing that by reviewing certain websites. They're reviewing blogs like dfirinsights.com, for example, my blog.

(06:56):
Occasionally we'll do writeups on TTPs or threat groups. Did one on Scattered Spider last year. Did one on APT40 as well. It takes time to kind of build out what you want, build out a quality curated list. You might use news readers, you might use things like Feedly to

(07:20):
keep track of all of these different sources. Using an RSS reader used to be the thing. I think RSS is kind of dying now. It's a bit, bit harder to, bit harder to find sources that have easily published or very readily available RSS feeds. Another great source of intel is your local government agency.

(07:42):
So in Australia we have a few different ones that can help. At an Australian federal level, we have the Australian Signals Directorate. We also have the Australian Cyber Security Centre. We also have ASIO, an intelligence organization. They're a little bit more aligned to, to more traditional

(08:03):
security threats. They do provide content on cyber threats too, or the State of New South Wales has resources available through the Joint Cyber Security Centre, the JCSC. All the states have a JCSC resource that you can work with and get threat intelligence reports. The reports that you get access to give you things like TTPs

(08:27):
that are maybe not published to everyone else and maybe not as public. They can be broken down by industry. So if you're not sure where to start, thinking about the industry that you are in is where you should start and use that to then look for threat intelligence sources that

(08:49):
specifically relate to your industry. Look at APT groups as a real simple one that's been done to death. Look at APT groups that are targeting your specific industry vertical. Your team, upon getting access to those reports, should pivot

(09:10):
immediately into looking for evidence of compromise. Indicators of compromise, using that group's known MITRE techniques. So following the MITRE ATT&CK framework, maybe do some threat hunts. Update your detection rules as appropriate. You don't have to copy every single IOC because your firewall

(09:31):
might already have these things. You might have an email gateway in place that is looking for evidence of these types of phishing attacks. You need to understand your infrastructure as well. Adding manual IOCs can augment those additional or those existing capabilities. And then you might also have a little bit of a briefing amongst

(09:54):
the people who work alongside the security team to let them know this is what we are now looking at. We've just received a threat intelligence briefing. This particular threat group is active right now. They're targeting our industry vertical. To counteract this, we have gone and started blocking .one

(10:17):
files at the email gateway, you know, for the OneNote attachment malware that was going around a few years ago. Just as an example, if you've got some budget, you might look at implementing OpenCTI or you might look at getting threat feeds from other organizations.

(10:39):
Mandiant, Recorded Future. Setting up a MISP. Setting up MISP is not an easy task. Just want to flag that. It is useful if you have a team who have the resources and the time available to review them, to review the threat intelligence that you get from running a MISP, malware

(11:01):
intelligence sharing platform. It's great that you've got the data. You also need the time to then go and hunt for specific use cases, and threat hunting based off intelligence sources, which is a great way to do it, is an entire different podcast in itself, but let's leave it there for now.

(11:23):
The next thing that the best IR teams are implementing is a detection mindset. The way that they're doing that is they're focusing on what the adversaries are doing. What is the adversary behavior? How are they operating in the environment? With AI, this is

(11:45):
changing. It may not be such a case of it's changing rapidly and may be more just the techniques are just becoming a bit more creative. At the core level, what are we dealing with? We're dealing with computers, we're dealing with software, we're dealing with security solutions.

(12:06):
Have they changed? Well, yeah. They're constantly evolving. Also, they're not evolving that quickly. These things have been around for so long. It is just AI is enabling a different thought process. It's, it's coming up with different ideas. It is.

(12:26):
It is reinventing the wheel as we see it, but behind this, what is the logic? This is gonna be relevant for quite some time because we're still dealing with humans who are launching these attacks. System-based attacks are coming. Yeah, sure. Okay. Let's get worried about that. Well.

(12:46):
We can't because we need to fight fire with fire and look at implementing AI tools to detect and prevent and come up with TTPs and come up with different ways of defending, not getting carried away. If we're still focusing on how humans are doing things, we have

(13:07):
patterns, we have patterns of behavior. There are always attacks that are occurring the same way. It starts with SEO poisoning. Okay? What happens with SEO poisoning? Alright, someone goes to download Audacity and they download Audacity and instead of Audacity, well, they get an info stealer.

(13:28):
They get Lumma Stealer, or they get QakBot or whatever it is, or they get ransomware or it's a phishing attack. They click on the link, they enter their creds, goes into a database. The organization doesn't have MFA, boom, they're popped. Or they get phished and they click on a link and it steals their tokens.

(13:50):
Okay, so these are some basic attack types. These are the detections. How can we detect these types of attacks? It's not about buying more tools at this point. You go, oh, well we don't have budget for this. Great. You don't need the budget. What have you got already?

(14:12):
How can we use what we've got? Attackers are living off the land. Can we live off the land too? Sure. What have, what have we got? What security platforms are being used right now? Years ago I was working at a small cyber consulting firm or a cyber MSSP. One of our clients was getting smashed with ransomware.

(14:35):
This is when ransomware was in its peak? It was. It was in its heyday. This was before ransomware big game hunting kind of existed or had been coined as a term, and everyone was just getting ransomed. And this is also when Bitcoin was, you know, $5,000 a Bitcoin. And this client, they didn't have a massive cybersecurity

(14:59):
budget. They probably should have considering the industry vertical that they were in, but this is a common theme. They had purchased an antivirus solution from us. This antivirus solution had been sold to them as it has anti-ransomware protection. After they got hit a few times, they spoke to us and said, what

(15:20):
is going on? This is, this should not be happening. One of our guys, an expert in that particular AV suite, went out to the client, did a configuration review, spent a day going through everything, write up a nice little report. At the end, he was on site within the first hour. He found that they didn't have anti-ransomware protection

(15:41):
turned on, turned it on, the problems went away overnight. The point is, you don't need to buy more stuff. Look at your existing stuff, review the technical documentation, become an SME in all of your tools. Vendors are constantly releasing new features, new functionality.

(16:01):
It's useful if you turn it on, if you configure it, if you tune it. Some of them will be easier to use than others. You'll have to figure it out as you go along. And then if you then decide, we've turned everything on, we are still getting attacked. Okay, sure. But at least you've started. At least you've worked with what you've got. And then you can present to leadership.

(16:22):
Hey, we've turned on everything, we've tried. We're still getting hit. We now need to make a more significant investment. Now moving into the namesake of this podcast, forensics, having the ability, having the skillset to go beyond what is presented to you on the surface.

(16:43):
Looking at memory forensics, looking at what's on disk, looking at what is not on disk anymore, looking at the registry, processing significant amounts of log data is really a non-negotiable skill for cyber teams that really want

(17:05):
to kick ass. I will say, and we are looking for so much more than evidence of what has been run. It's the first thing that we all do.

(17:26):
We get an alert for malware and we go to the system and we talk to the user. They say, yeah, I was, if they're really honest, and this is rare, I was trying to download Audacity and I clicked on a link and downloaded this tool and here it is, and it says Audacity

(17:46):
installer.exe. And you run that through VirusTotal and it shows, well, it's got Lumma Stealer in there. What about all the rest of it? How did we get here? How did this get past our defenses? Has it gotten past EDR?

(18:08):
Did it get past web proxy? Why has it affected this user? Okay, for Audacity? Sure. They're running Windows. Why did the user go to Google to get the software? They just needed it and they thought, hey, I'll just go to Google and I'll download it and install it. Why did they decide to go to Google instead of going to the

(18:31):
company portal, for example? Good questions and can be covered by some mitigations. They've gone to Google to download the software and install it. Maybe because they haven't been given user awareness training, they may have gone to the company portal and found that there was no option

(18:52):
for audio editing software. Company might have a subscription to Adobe, but Audition wasn't available in the company portal, or maybe the user decided, I don't know how to use Audition. That comes down to a user awareness problem, and this is good for the incident report as to root cause analysis, but

(19:16):
coming back to the forensic side of it. To get that information requires a really good investigation and it covers off we needing to talk to the user to understand how we actually got here. So having a good interview structure, having a good little interview plan to identify what ha, what has happened is what is

(19:38):
needed there, and that is a skill that is absolutely needed. It's a skill that gets better with time as you practice. I dunno if it can be a little bit difficult, but it's easy for us to kind of fall into a rapid fire question of the user. Where did you get this? Why did you do this? And, and from, from the other person's side, from the user's

(19:59):
side, it doesn't feel great. Look, they know. They know that they've screwed up. They know because maybe the whole company has ransomware or they know because the cyber team are talking to them and they're worried and they dunno what's gonna happen next. So it is, requires a little bit of finesse and using AI to

(20:21):
generate an interview plan is actually quite helpful here. Using ChatGPT to develop a forensic investigation plan with an interview, a set of interview questions is really helpful. And giving it some context about we need to treat this as a sensitive matter.

(20:41):
We don't wanna appear like this is an interrogation. We want to understand the best way to obtain the information that we want without the person becoming defensive, building trust and building rapport with the interviewee to get the most amount of information possible so that we can reverse engineer

(21:01):
the problem, get to root cause analysis, and move forward. And finally, part of the computer investigation. We're looking at what the malware has touched, and to get the best answers for this, you've gotta do a lot of evidence acquisition.

(21:22):
Some of this needs to happen before you even turn the power off or take the machine away. And when a user calls up, and this is important to explain to your frontline people, your help desk teams, your desktop support teams, when a user calls up and says, hey, I think I've got some malware.

(21:43):
I think I've got a problem here. The frontline teams need to be instructed to one, thank the user for reporting it, because no one should feel apprehensive or scared to report cyber incidents. We need to create a culture of trust, so thank them for that.

(22:03):
And then explain disabling wifi, pulling the network cable out. Let's isolate the machine. Then when we get on site, the first thing that we wanna do is we wanna take a memory image using a memory forensics tool. I used to use FTK Imager to do this. Over time,

(22:25):
that's caused a few problems in reliability, and it's been reported that it's modifying, I think, up to about 64 megabytes of RAM during that capture process. Obviously it has to run in memory too. And every memory forensics tool has to execute in memory. I think DumpIt is the preferred tool these days.

(22:51):
So if you wanna use FTK, yes it gets the job done, but I think DumpIt is a, is a better one to use. Plunk that onto a USB and just remember that, uh, once you plug a USB into a system that has active malware, you might consider that that USB can then not be used ever again. To get the malware, to get the memory image off, you would most

(23:15):
likely be plugging it into a system that's booted into Linux. And then once the image has been copied off and duplicated as part of your standard forensic process, of course probably best to put a sticker on that malware. Probably best to put a sticker on that USB key that it's got

(23:38):
malware on it because we just don't know. And then you can decide whether you want to use it on Linux systems only, or whether you wanna physically destroy it. We've got the memory image. Fantastic. This has been so helpful in many investigations and without the memory image, we wouldn't have found out what's, what's going

(24:00):
on. A lot of the time, memory images are not taken. People forget. They just, it's too much effort. The system gets rebooted, shut down. Just make the effort. It is, it is worth it a hundred percent. Get the memory dump and then process it with Volatility.

(24:20):
Volatility 3 is now the official standard. Everything has been moved from Volatility 2 to Volatility 3, according to the Volatility Foundation. So we're good to go using Volatility 3. Volatility 3 is much easier to use. Automatic detection of memory image profiles or the operating

(24:40):
system that's being used has been improved greatly from Volatility 2. And overall, you'll find it. It's a much more simple and pleasant tool to use. Once you've got memory, you also need to extract disk artifacts. And my favorite way of doing that is using KAPE, which is available

(25:03):
from Kroll, K-R-O-L-L. They have a license model that allows you to use it internally. If you're using it for DFIR investigations commercially, you'll need to get a license from them, but using it internally is totally okay. And the benefit of KAPE is that it can grab all the artifacts

(25:24):
that you ever need from Windows systems, and it does that by using answer files that are just text files that you can pre-configure if you, if you want to, or you can just check the box and grab them. The benefit of KAPE is that it also not only extracts the artifacts, pulls them off the system in a forensically sound

(25:47):
manner, but it can also leverage the use of Eric Zimmerman's tools to then process them. So you can extract them and process them, and then you've got them ready to go, which is if you're taking a disk image, then using something like Plaso or log2timeline as it used to be known. And then if you really wanna get fancy, getting that image into Timesketch, a web-based interface that allows you to

(26:11):
review the contents of the image a little bit more graphically. You can use that graphical interface to filter and drill down and go deep and then come back to the 30,000 foot view. It's great. The next thing that great IR teams are doing is focusing on

(26:34):
improving their processes for scalability. These elite teams are doing their best to automate the collection of artifacts, the analysis of them, and then how to report on them as well. The collection, analysis and reporting are the three things

(26:56):
that make up an incident. Sometimes the collection and analysis can take quite a long time, but reporting and the constant editing and reviewing and rewriting can take a lot of time as well. If you put the time into

(27:18):
the collection and analysis phase and documenting as you go, it really makes the reporting a lot easier. And now with AI generating summaries and generating those reports is much easier. If you're still using a public LLM,

(27:39):
if you're using a ChatGPT or a Claude, you're gonna have to be really careful with anonymizing the contents of the report. So you're gonna have to replace things with some variables. You're gonna have to be replacing IP addresses, usernames, people's names, organization names, email addresses, all those IOCs that can be used to identify the

(28:01):
organization could be used if the LLM database was compromised or accessed by a nation state, for example, if they control the LLM, which is a potential, uh, liability with, uh, with DeepSeek. As we, as we understand, that's unconfirmed, but it is a

(28:23):
potential risk. You might need to put in a little bit of time to swap those out, and you might need to just have a spreadsheet that maps that out for you. You have a key for yourself so that you can Control H, find and replace in Word and swap that out.

(28:43):
And then if you upload that to an LLM, it's anonymized. Then when it comes back, it being the report, it being the summary, it being the notes that you are emailing as part of your daily or weekly updates, you can then find and replace those values and off you go.

(29:06):
This also demonstrates the value of running a local LLM to process your evidence, to do your event summaries and do your reporting, and that takes us to the last section of what these elite teams are doing, and you can run a perfect investigation.

(29:26):
You can understand patient zero. You know that this person was on their home computer and they Googled for something, and then they wrote themselves an email to their corporate account with a link from a Google search. And then they clicked on that link and then they downloaded

(29:49):
malware and then they dropped that onto the file server. And then the file server for some reason executed the malware and it spread. And you have all the technical information about that. You have memory dumps, you have network traffic, you've got PCAPs. That is fantastic.

(30:09):
How are you communicating this? Your boss might be technical. Your boss. Your boss might not be technical. What about your boss's boss? What is the likelihood that they understand what a mem dump is? What a PCAP is? What about Volatility plugins? Do they know? Do they care? No, because your boss's boss, guess what?

(30:30):
They have to report to their boss. And how are they gonna do that? Well, they need a summary of the incident. They need bullet points that are explained like I'm five. They need to be succinct. They need to be non-technical. They need to talk to impact. They need to talk to risk.

(30:51):
They need to talk to the facts of we have contained the incident. We have determined the root cause. We have resolved the vulnerability that caused the incident and we have assessed the impact, and

(31:12):
depending on where you're working, no personal information was disclosed. The customer database is okay. The credit card information that we hold on file has not been accessed. Personal information is safe. Great. Then that needs to be in a big report depending on the type of incident that it is, depending on the culture of your

(31:32):
organization. Maybe a one page post-incident report is sufficient. Maybe it's a, a sufficient post-mortem. Maybe what I used to do, which is write 20 and 40 page reports. Yeah, it takes a few weeks to write, a few revisions. Over time it gets easier. You just have to understand your audience.

(31:53):
But the reporting needs to be clear. It needs to have layers. The layers are different audiences in different sections of the report. If there's an executive summary, there are findings, there are detailed findings, then there are recommendations. Those layers are written for different audience members.

(32:18):
The executive summary is meant to be a summary of the entire report. Don't write the executive summary until you've completed the report. The executive summary needs to summarize exactly what's in the report. You can't have information in the exec sum that is unique, that has not been spoken about before, and then it needs to be very simple, very direct, clear.

(32:38):
Again, talking to business risk, business impact, and the recommended actions. That technical analysis with those findings needs to include the root cause, the TTPs, the tools that were used by the attacker. Detailed findings. Go hard, right? Dump it all in there.

(32:59):
If you need to use appendices, use spreadsheets as attachments, PDFs. Depends if there's, there's so much evidence it's gonna make the report just blow out. It's gonna go beyond 20, 40 pages and it's just causing the reader just to scroll and scroll and scroll. That's just an information dump. And as a report writer, it's your responsibility to curate

(33:23):
that information better. That's why we use appendices. If you wanna see more, scroll to the end. Read appendix B for the DNS proxy logs for this user for the past two days, where we can demonstrate that they were looking for how to hack an active domain controller, how to

(33:44):
hack an Active Directory domain controller, for example, downloading hacking tutorials, showing a path of intent, if you like. So circling back, what are these elite teams doing? How can we become like an elite team?

(34:04):
They have various capabilities. First, they're threat intelligence driven. They rely on tools to give them threat intelligence, to allow them to do more targeted response. To identify that root cause, to close the gap. They're detection first, they're restructured.

(34:28):
That allows them to detect what is going on earlier. It allows them to detect what is going on after, helping them understand whether the attackers are still in the network. They have excellent forensic skills. This helps identify the root cause. It helps identify the impact.

(34:51):
Finally, reporting clarity. They're doing this by writing reports in layers, by communicating to their audience. And by ensuring that they're acquiring all of the evidence that is required first up, and that the analysis that they're performing is detailed and methodical.

(35:13):
Great IR teams are not born. They are acquired over years of experience. They invest in themselves. They invest in threat intelligence skills, in detection engineering, forensic depth, and their learning

(35:33):
communication skills. Any team, any person can move towards this elite tier, this elite way of operating. They have to have the desire to do so. They've gotta have the mindset to do it. They need to train consistently and they need to have a certain

(35:54):
level of operational maturity, not just having a large budget. I really hope that today's episode has helped get you thinking about how you and your team can get that elite digital forensics and incident response skills.

(36:16):
I'd love to hear the techniques that your team are using to level up and the skillset that you are building. That is all for now. I'll see you in the next episode where we will talk about IRCO. The incident response copilot, a custom GPT that I've built, is available now in ChatGPT.

(36:36):
It's IRCO. It's the incident response copilot. That is our next episode. Really looking forward to sharing it with you, and I can't wait till then. Thanks for listening. I'll see you in the next episode.