Thomas Chopitea (Digital Forensics, Google)
Thomas has been a DFIR practitioner for 10+ years. He's currently a Security Engineer in the DFIR team at Google who loves running towards the proverbial cyber fires. He enjoys detective work and poking malware with a long stick, and has given talks about DFIR, malware analysis, and threat intelligence at many conferences throughout Europe and the US.
Sessions
Yeti was initially created in 2017, when a highly operational French financial CERT needed a way to manage threat-intelligence-related indicators. When responding to incidents, they wanted quick answers to DFIR-related questions like “where have I seen this kind of filesystem activity before?” or “is any of this network traffic suspicious?” Yeti was created to fulfill that need.
Fast forward to 2024: open-source threat intelligence platforms (TIPs) have proliferated, and yet these questions are still not always easy to answer. As environments become more complex than ever (think cloud providers, Kubernetes, Terraform, etc.) and attackers get more creative, DFIR teams need to structure their operations in a way that keeps up with the operational tempo. What was the query you used against the cloud logs? How do I check a system for the persistence mechanism that was explained in that blog post? How do I structure investigations so that my team on the other side of the world can pick up where I left off and knows what to look for?
This talk will show how Yeti has changed to respond to the need for a “forensics intelligence” repository, integrating with other OSS projects such as Timesketch, DFIQ, ForensicArtifacts, and MISP to leverage collective forensic knowledge and supercharge forensic analysis. We’ll introduce newcomers to Yeti, explain our reasoning behind these new capabilities, take a tour of these other open-source projects, and showcase some of the possible synergies.
This workshop will show participants how to set up instances of Yeti and Timesketch and interconnect them. After the infrastructure is set up, participants will learn how to add data, run feeds, and configure Yeti to automatically augment Timesketch sketches with useful threat and forensics intelligence data. Once all of that is ready, we’ll upload some forensic data to Timesketch and run through a full investigation, using intelligence from Yeti to hit the ground running. We’ll also curate intelligence as we go, and see how that intelligence is fed back into Yeti and made accessible in future cases. If time permits, we’ll do an end-to-end run of the OSS DFIR pipeline using GRR and dfTimewolf.