dfir it!

responding to incidents with candied bacon

DFIR.IT! On Tour - CONFidence 2015 Cracow

DFIR.IT on tour continues! This time we’ve decided to visit one of the longest-lasting and the best conferences in Poland. Expectations were high as it was our first event with all DFIR.IT members ready to roll, geek out and have fun. Unfortunately I am coming back a bit disappointed.

First and foremost

Big THANK YOU to :

  • CONFidence Team for creating the event
  • Dragon Sector Team for organizing CTF
  • Presenters for sharing research, ideas and thoughts
  • Attendees. Meeting open-minded people with passion is always an amazing experience x
    CONFidence badge

Thoughts and observations

I wanted to use this section to describe the presentations that influence me in one way or another and are worth spreading. Please don’t get me wrong. It is not that there was nothing interesting at CONFidence this year. The last thing I intend to do is to sound like a troll or hater. There are a few things that CONFidence got me thinking about and I really need to get it off my chest.

Defense can be sexy?!

Defenders need to get better at making their work more visible. It’s tough! I know. You might have heard a few times phrase ‘Defense is not sexy’. Even I mentioned this in the past. But then again I am starting to realize that maybe we don’t put enough effort to make it interesting for others. Inspire people by showing how responding to real threats and defending customers is one of the biggest challenges in the industry. There’s an awful lot of young guys in my team with mindset of becoming pentesters because it’s cool to pop a shell here or there. I’ve seen people passing OSCP, which is not the easiest thing to do, and struggle to find evil. Defending is hard, defending is challenging, let’s make it more visible, interesting and inspiring!

Pentest != IR

I’ve seen a lot of brainy guys who were amazing pentesters that eventually got bored and transitioned into IR and were very successful at it. However it was a process - not something they did over night. The thing I am trying to emphasize here is just because you know how to attack does not mean you know how to defend. Pentesters can become awesome defenders but pentesters by default ARE NOT awesome defenders.

APT != ‘Advance(d)’ Penetration Testing

Please don’t say that just because you wrote your own piece of basic code that installs on the machine and beacons out, you are offering APT testing. Providing a service that is basically what industry understands as pentest with one or two things you got from random APT report is not fair towards your customers. Put more effort to either understand the concept of TTP based on the REAL case scenarios or if you don’t have access to such information, make new friends in the industry. Conferences like CONFidence are a great opportunity to do that! Guys who look at alerts and respond to incidents day in, day out will help you understand the biggest challenges companies face when defending against APT guys. It will make you a better pentester, give your customers a REAL value and provide defenders with an opportunity to share the experience. Win-Win-Win.


Presenting is not easy. Important thing to remember is that you are presenting your research to someone (audience). Try to keep in mind that:

  • Awesome presentations are a mixture of good humor and technical stuff
  • Define your goal, emphasize main message, proof your point
  • Organize your thoughts in visible and interesting way
  • Ask a non-technical person to review your presentation, and ask if he/she enjoys the presentation ‘look and feel’
  • For the love of God! Catchy titles are nice but don’t exaggerate! If the main theme from your title is not the main topic of your presentations something went horribly wrong and people will be disappointed


Quality of talks and research (or lack of research!). We were trying to discuss the reasons why and came up with different ideas:

  • CTF is a new cool thing to do,
  • Quantity not Quality. There is just too many security conferences and often with two or more tracks
  • Vendors (sponsors) want to sell products - crypto marketing
  • Consulting companies (sponsors) want to sell services - crypto marketing
  • Don’t know…


The main reason why I felt in love with community is the wealth and availability of the information, research, tools, ideas, knowledge, collaboration which everyone can be part of and everyone can use. The main reason why we decided to create DFIR.IT is because we felt we want to give back to the community. I could give you plenty of examples how we helped different customers to not get cyber bullied, extorted or exfiltrated, just because some unnamed heroes carried out research, that someone turned into an amazing tool and shared with others! I cannot express my appreciation of those guys and everyone that tries to make a difference. Conferences are important part of community and a framework to meet, share and learn from each other. Let’s try to do whatever we can to keep it that way!