Stephan Berger
Stephan Berger has over a decade of experience in cybersecurity. Currently working with the Swiss-based company InfoGuard, Stephan investigates breaches and hacked networks as Head of Investigation of the Incident Response team. An avid Twitter user under the handle @malmoeb, he actively shares insights on cybersecurity trends and developments. Stephan also authors the blog DFIR.ch, where he provides in-depth analysis and commentary on digital forensics and incident response. Stephan has spoken at numerous conferences, sharing his expertise with audiences worldwide.
Sessions
This talk, "In-Depth Study of Linux Rootkits," will provide a comprehensive examination of the evolution of Linux rootkits, from their inception to the sophisticated variants seen today. Participants will gain insights into advanced rootkit techniques, effective detection strategies, and the future landscape for defenders. By exploring the historical context, current methodologies, and emerging threats, attendees will be equipped with the knowledge and tools necessary to safeguard Linux systems against rootkit attacks.
How to become an Incident Response Rockstar?
After conducting hundreds of Incident Response cases, more data is not always better. Focusing on the most relevant forensic data can speed up the investigation process rapidly. In this talk, we will discuss the importance of various event logs to track down lateral movement paths from the attackers, how to find planted (and seemingly legitimate) backdoors, and how you can work smarter, not harder – which also holds true in digital forensics.
As a bonus, we will discuss less-known artifacts like MPLogs and the bitmap cache.
By attending this talk, participants will be better and more efficient Incident Responders as they can focus on key aspects of an investigation.
After this talk, the audience understands the top artifacts evaluated in every incident response case. For example, we will discuss a variety of event logs, starting from the classic Security event logs to the Remote Desktop event logs, to Amcache, Shimcache, Prefetch files, and more.
This discussion will lay the groundwork for how we approach large-scale incident response investigations, how we can track down remote access tools installed by attackers as legitimate backdoors, or how to spot new and unusual services within the environment in no time.
As one must work smarter, not harder, we extensively use the Velociraptor artifact DetectRaptor from Matt Green, which works for Rapid7 now. This Velociraptor hunts will find evil within minutes, allowing the Incident Responders responsible for the investigation to concentrate on other aspects of the case or to dig deeper into the hosts where the detections occurred.
At the end of the presentation, we will discuss lesser-known artifacts like the Defender MPLogs, which can be a goldmine, the bitmap cache, or the SRUM database.