Voice AI is moving fast — but so are the attackers.

In this episode of the Traffic Light Protocol Podcast, Clint and Myles break down how scammers are exploiting Voice AI platforms with the same tricks that wrecked email and telecom decades ago:

• Premium-rate fraud dressed up in AI clothing
• Bot-driven spam that floods calendars and burns ops teams
• Consent loopholes where “user input” becomes an attacker’s best weapon

This isn’t FUD. It’s happening right now, and the industry risks walking into the same “secure it later” trap we’ve seen before.

We dig into why this matters for anyone deploying AI into customer-facing systems, what patterns connect it to broader cybercrime trends, and the hard questions leaders should be asking before they put an AI agent on the phone network.

If you care about AI, fraud, and the future of secure automation then this one’s for you.

Join the AI Cyber Security Skool Group
Inside the group, you’ll learn how to defend against prompt injections, lock down API keys, and stop your automations from turning into costly incidents. It’s a space for cyber pros, engineers, and AI builders to share playbooks, tools, and real-world lessons on keeping AI secure.
https://www.skool.com/ai-automation-security-5754/about?ref=3e3ebf81027c4bceb6f7cbfdbabe22ea

In this episode of Traffic Light Protocol, we kick off our AI series with a hard look at how voice AI agents are being targeted; and how fast small businesses and startups can rack up serious bills overnight.

Guest Myles Agnew returns to unpack how old-school telecom tricks are being repurposed in the age of SIP/VoIP and AI: caller ID spoofing, open SIP trunks, and automated call loops that tie up your agents and quietly burn cash. We break down how easy it is to spin up a low-cost PABX, why authentication is weak in SIP land, and what practical controls you can turn on today to reduce fraud and noise.

What we cover:

• How SIP (Session Initiation Protocol) is abused to hit voice AI agents
• Why caller ID “verification” often isn’t verification at all
• The $5–$10/month attacker vs. your $/minute billing problem
• Channels/lines, trunk limits, and how attackers amplify cost
• Geo-fencing, call gating, and rate limits that actually help
• “Stop loss” ideas for web and voice agents
• How provider security maturity (and defaults) drives your risk
• Where laws and policies are heading (AU, US) and what to watch

If you’re building or buying voice AI, this is a must-listen before you scale.

Free course (limited time): The AI Cybersecurity Starter Pack

 Get practical checklists, templates (incident response, HIPAA/GDPR/APPs), and step-by-step hardening for AI apps and AI voice agents. 

Join the Skool community and learn how to protect your voice AI from abuse.

https://www.skool.com/ai-automation-security-5754/about?ref=3e3ebf81027c4bceb6f7cbfdbabe22ea

Join the AI Cyber Security Skool Group
Inside the group, you’ll learn how to defend against prompt injections, lock down API keys, and stop your automations from turning into costly incidents. It’s a space for cyber pros, engineers, and AI builders to share playbooks, tools, and real-world lessons on keeping AI secure.
https://www.skool.com/ai-automation-security-5754/about?ref=3e3ebf81027c4bceb6f7cbfdbabe22ea

Unlock the secrets behind digital forensic investigations into AI chat platforms like ChatGPT, Claude, and Google's Gemini in this insightful episode. Learn the precise methods for discovering, extracting, and interpreting digital evidence across Windows, Mac, and Linux environments, whether it's browser caches, memory forensics, network logs, or cloud-based data exports.

From identifying subtle signs of malicious AI usage and attempts to evade security controls, to piecing together forensic timelines, this podcast provides practical, hands-on guidance tailored for cybersecurity professionals, forensic analysts, and IT investigators. Tune in now and boost your expertise in this emerging field of AI-driven digital forensics.

You'll learn:

AI Chat Evidence Locations
Discover exactly where to find critical forensic evidence from ChatGPT, Claude, and Gemini across Windows, Mac, and Linux systems.

Extracting and Analyzing Chat Data
Learn practical techniques to extract, review, and interpret digital artifacts, including browser caches, local storage, memory dumps, and network logs.

Identifying AI Jailbreaking and Misuse
Understand how to spot attempts to bypass AI guardrails and recognize malicious prompts or suspicious activity within chat logs.

Cloud vs Local Forensic Challenges
Explore unique challenges associated with investigating cloud-based AI platforms versus local installations, and how to overcome them.

Building Effective Forensic Timelines
Master the art of assembling comprehensive forensic timelines by integrating timestamps, metadata, network traffic, and other key sources of digital evidence.

Links and references

https://help.openai.com/en/articles/7260999-how-do-i-export-my-chatgpt-history-and-data

https://pvieito.com/2024/07/chatgpt-unprotected-conversations

https://www.scribd.com/document/818273058/Conversational-AI-forensics#:~:text=of%20Gemini%20are%20stored%20in,based%20mobile%20app

https://ar5iv.labs.arxiv.org/html/2505.23938v1#:~:text=source%20for%20corroborating%20evidence,of%20the%20NationalSecureBank%20phishing%20email

aletheia.medium.com

Join the AI Cyber Security Skool Group
Inside the group, you’ll learn how to defend against prompt injections, lock down API keys, and stop your automations from turning into costly incidents. It’s a space for cyber pros, engineers, and AI builders to share playbooks, tools, and real-world lessons on keeping AI secure.
https://www.skool.com/ai-automation-security-5754/about?ref=3e3ebf81027c4bceb6f7cbfdbabe22ea

Link to IRCO- Incident Response Copilot on Chat  GPT

https://chatgpt.com/g/g-68033ce1b26481919b26df0737241bac-irco-incident-response-co-pilot

In this episode of TLP: The Digital Forensics Podcast, Clint dives deep into IRCO (a custom GPT designed specifically for DFIR and SOC analysts). From real-world cyber incidents to post-incident reporting and CTF training, IRCO acts like your AI-powered colleague: fast, focused, and built for real investigations or even CTF's.

Learn how this tool understands your forensic workflows, decodes technical jargon, and supports smarter, faster investigations. Clint shares how to start using IRCO, common use cases, how to keep your data safe, and why many in the field are underestimating its capability.

Whether you're writing reports, analyzing logs, or stuck mid-incident, IRCO can give you the 1% edge you need to  solve tricky DFIR investigations and communicate reports more quickly.

🔍 Topics covered:
 – What is IRCO?
 – How to integrate AI into digital forensics workflows
 – Using  IRCO  for live incidents, CTFs, and training
 – Privacy and responsible AI use in SOC environments
 – Actionable prompts and use cases

🎧 Subscribe to TLP now and give IRCO a test run. You might just find your new secret weapon in responding to incidents quicker than ever. 

 https://chatgpt.com/g/g-68033ce1b26481919b26df0737241bac-irco-incident-response-co-pilot 

Drawing inspiration from observing military special forces and over five years of hands-on DFIR experience, Clint explores the mindset, habits, and tactical processes that set top-performing IR teams apart. Clint Marsden explores the mindset, habits, and tactical processes that set top-performing IR teams apart.

From threat intelligence workflows and detection-first thinking to deep forensic analysis and clear executive reporting, this episode is packed with real-world lessons, relatable stories, and practical advice. Whether you're running your first threat hunt or leading an enterprise SOC, you'll walk away with a clearer vision for building a resilient, high-performing IR capability.

You’ll learn:

• Why elite IR teams focus on boring repetition and clarity over cool tools
• How to track threat groups and adapt detection rules in real time
• Where most SOCs fail with SIEM tuning and memory forensics
• How to communicate findings that actually move leadership to act

Check out the blog: www.dfirinsights.com

Join the AI Cyber Security Skool Group
Inside the group, you’ll learn how to defend against prompt injections, lock down API keys, and stop your automations from turning into costly incidents. It’s a space for cyber pros, engineers, and AI builders to share playbooks, tools, and real-world lessons on keeping AI secure.
https://www.skool.com/ai-automation-security-5754/about?ref=3e3ebf81027c4bceb6f7cbfdbabe22ea

Clint Marsden breaks down a critical cybersecurity report from intelligence agencies including the CSA, NSA, and FBI about the growing threat of AI data poisoning. Learn how malicious actors can hijack AI systems for as little as $60, turning machine learning models against their intended purpose by corrupting training data.

Clint explains the technical concept of data poisoning in accessible terms, comparing it to teaching a child the wrong labels for objects. He walks through the six-stage framework where AI systems become vulnerable, from initial design to production deployment, and covers the ten security recommendations intelligence agencies are now promoting to defend against these attacks.

The episode explores real-world examples of AI systems gone wrong, from shopping bots buying drugs on the dark web to coordinated attacks by online communities. You'll discover practical mitigation strategies including cryptographic verification, secure data storage, anomaly detection, and the importance of "human in the loop" safeguards.

Whether you're a cybersecurity professional, AI developer, or simply curious about emerging digital threats, this episode provides essential insights into protecting AI systems from manipulation and understanding why data integrity has become a national security concern.

Key Topics Covered:

• Split view poisoning and expired domain attacks
• Data sanitization and anomaly detection techniques
• Zero trust principles for AI infrastructure
• The role of adversarial machine learning in cybersecurity
• Why defenders must learn AI as quickly as attackers
  
  The PDF from CISA etc al: https://www.ic3.gov/CSA/2025/250522.pdf

Join the AI Cyber Security Skool Group
Inside the group, you’ll learn how to defend against prompt injections, lock down API keys, and stop your automations from turning into costly incidents. It’s a space for cyber pros, engineers, and AI builders to share playbooks, tools, and real-world lessons on keeping AI secure.
https://www.skool.com/ai-automation-security-5754/about?ref=3e3ebf81027c4bceb6f7cbfdbabe22ea

This episode features the complete narration of my ebook: Mastering Sysmon – Deploying, Configuring, and Tuning in 10 Easy Steps, providing a step-by-step guide to getting Sysmon up and running for better threat detection and incident response.

If you’re in security operations, digital forensics, or incident response, this episode will help you:

• Deploy Sysmon efficiently.
• Tune Sysmon logs for maximum insight while reducing noise.
• Use Sysmon for investigations—from process creation tracking to network monitoring.
• Understand real-world use cases of how Sysmon can catch adversaries in action.

Key Topics Covered:

• Why Sysmon Matters – A deep dive into how Sysmon enhances Windows logging.
• Common Mistakes & How to Avoid Them – Logging misconfigurations, tuning issues, and evidence handling best practices.
• Step-by-Step Deployment Guide – From downloading Sysmon to configuring it for lean detections.
• Tuning for Performance & Relevance – How to tweak Sysmon settings to avoid excessive log volume.
• Investigating Security Events – Key Sysmon event IDs that provide forensic gold.
• Real-World Use Cases – Examples of how Sysmon has caught attackers in action.
• Sysmon Bypass Techniques – How adversaries evade detection and how to stay ahead.

Resources Mentioned:

1. Sysmon Download – Microsoft Sysinternals
2. Sysmon Configuration Files – Olaf Hartong’s Sysmon-Modular
3. MITRE ATT&CK Framework – MITRE ATT&CK
4. ACSC Sysmon Config Guide – ACSC GitHub

Key Takeaways:

• Sysmon provides deep system visibility – if tuned correctly.
•  Tuning is essential – Avoid log overload while keeping useful data.
•  Use a structured deployment process – From baselining performance to verifying logs.
•  Sysmon alone isn’t enough – It works best when combined with other detection tools.
•  Be aware of bypass techniques – Attackers can disable Sysmon, so defense in depth is key.

Join the AI Cyber Security Skool Group
Inside the group, you’ll learn how to defend against prompt injections, lock down API keys, and stop your automations from turning into costly incidents. It’s a space for cyber pros, engineers, and AI builders to share playbooks, tools, and real-world lessons on keeping AI secure.
https://www.skool.com/ai-automation-security-5754/about?ref=3e3ebf81027c4bceb6f7cbfdbabe22ea

So You Want to Build Your Own DFIR CTF? 

Ever wanted to build your own Digital Forensics and Incident Response (DFIR) Capture the Flag (CTF) challenge but weren’t sure where to start? In this episode of Traffic Light Protocol, we share the how-to of CTF builders, making it easy for anyone—no pentesting skills required!

Today's episode includes:

•  Choosing Your CTF Theme – Using MITRE ATT&CK and APT tracking to craft a realistic attack scenario.
• Setting Up the Lab – Spinning up a Windows VM, configuring Sysmon, and enabling forensic logging.
• Running the Attack Simulations – Using Atomic Red Team to generate forensic artifacts.
• Testing & Troubleshooting – Making sure your tests actually work before unleashing them on your team.
• Building an Engaging Story – Crafting a compelling incident narrative that challenges analysts to think like investigators.

Resources mentioned in the podcast:

https://drive.google.com/drive/folders/1vF3y-OlsowjX9LUOi7ywDy8VgcfhWcUX?usp=sharing

Join the AI Cyber Security Skool Group
Inside the group, you’ll learn how to defend against prompt injections, lock down API keys, and stop your automations from turning into costly incidents. It’s a space for cyber pros, engineers, and AI builders to share playbooks, tools, and real-world lessons on keeping AI secure.
https://www.skool.com/ai-automation-security-5754/about?ref=3e3ebf81027c4bceb6f7cbfdbabe22ea

Kicking off 2025, we're getting back to basics with something every cyber investigator needs to master—starting an investigation the right way. Too often, investigations get derailed because the right questions weren’t asked at the outset, evidence wasn’t properly handled, or reporting lacked clarity.

In this episode, we cover how to build an investigation plan that keeps you on track, ensures consistency, and leads to better results. We talk about evidence volatility, log retention, structuring reports that make sense to non-technical stakeholders, and how to ask the right questions from the start.

Join the AI Cyber Security Skool Group
Inside the group, you’ll learn how to defend against prompt injections, lock down API keys, and stop your automations from turning into costly incidents. It’s a space for cyber pros, engineers, and AI builders to share playbooks, tools, and real-world lessons on keeping AI secure.
https://www.skool.com/ai-automation-security-5754/about?ref=3e3ebf81027c4bceb6f7cbfdbabe22ea

Key Takeaways:

• Introduction to Hayabusa: Hayabusa is an open-source Windows Event Log Analysis Tool used for processing EVTX logs to detect suspicious activities in Windows environments.
• Critical Alerts Detection: The tool is capable of detecting a variety of suspicious activities, including WannaCry ransomware and unauthorized Active Directory replication.
• Efficient Incident Response: Hayabusa is ideal for incident response workflows, enabling teams to quickly triage and analyze Windows logs to detect potential breaches or malicious activity.
• Importance of Informational Alerts: Informational alerts can indicate early reconnaissance phases of attacks and should not be dismissed.
• Hypothesis-Driven Threat Hunting: Build a threat hunting hypothesis using MITRE ATT&CK or industry-specific threat intelligence to narrow the focus of the search.
• Integration with SIEM and TimeSketch: Hayabusa supports integration with security tools like SIEM and can export logs into TimeSketch for further analysis and visualization.
• Open-source and Free: Hayabusa is freely available to the cybersecurity community, making it an essential tool for threat detection without added cost.

In this episode of Traffic Light Protocol, Clint Marsden is joined by Jonathan Thompson, a developer and AI enthusiast currently studying at Macquarie University.

Together, they dive into how artificial intelligence (AI) is transforming the cybersecurity landscape and discuss Jon’s insights into AI’s potential applications in digital forensics, incident response, and everyday IT operations.

The conversation touches on ethical considerations, potential job impacts, and how AI can be harnessed to streamline tasks like log analysis, bug detection, and threat identification.


Daniel Kahneman - Thinking Fast and Slow
https://amzn.to/47Cpfjo

The pyramid of pain by David J Bianco: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

Join the AI Cyber Security Skool Group
Inside the group, you’ll learn how to defend against prompt injections, lock down API keys, and stop your automations from turning into costly incidents. It’s a space for cyber pros, engineers, and AI builders to share playbooks, tools, and real-world lessons on keeping AI secure.
https://www.skool.com/ai-automation-security-5754/about?ref=3e3ebf81027c4bceb6f7cbfdbabe22ea

Episode 13 is another giant episode with a focus on what its like be in the mud working on real life forensic investigations. Jacob and Clint talk about ELK EDR, using Sysmon.

Sandbox Environments: Jacob discusses the creation of a sandbox environment using an ELK stack combined with Sysmon, enabling in-depth malware analysis by capturing and analyzing detailed system activity.

Automation in Investigations: Jacob emphasizes the importance of automating repetitive tasks, such as business email compromise investigations, to streamline processes and improve efficiency.

Pen Testing and Red Teaming: Jacob shares insights into the importance of understanding both offensive (red teaming) and defensive (blue teaming) techniques to better anticipate and mitigate threats.

Practical Learning: Jacob advocates for hands-on experience in digital forensics, highlighting the limitations of theoretical knowledge and the value of real-world application.

Resources Mentioned:

• ELK Stack: Used for creating a detailed sandbox environment for malware analysis. Learn more about ELK Stack here.
• Sysmon: Essential tool for capturing detailed logs on Windows systems. Explore Sysmon here.
• Axiom: A commercial digital forensics tool praised for its comprehensive and reliable results. More about Axiom here.
• Cellebrite: A tool used for mobile device forensics, particularly for logical acquisitions. Discover Cellebrite here.
• Splunk: Utilized for automating the investigation process by analyzing large datasets quickly. More on Splunk here.

Jacob Wilson's LinkedIn: https://www.linkedin.com/in/jacob--wilson/?originalSubdomain=au

Join the AI Cyber Security Skool Group
Inside the group, you’ll learn how to defend against prompt injections, lock down API keys, and stop your automations from turning into costly incidents. It’s a space for cyber pros, engineers, and AI builders to share playbooks, tools, and real-world lessons on keeping AI secure.
https://www.skool.com/ai-automation-security-5754/about?ref=3e3ebf81027c4bceb6f7cbfdbabe22ea

Quotes:

• “In the fast-paced world of DFIR, you are a mission critical system. Your job isn’t just to uncover what happened during an incident, but to do so in a way that gets results fast.”
• “Specialists bring expertise that pushes the entire industry forward, while generalists offer versatility and adaptability in the ever-changing landscape of cybersecurity.”
• “The choice between specializing and generalizing doesn’t always need to be a conscious decision. Often, you just fall into one or the other depending on the work you do day to day.”

Resources Mentioned:

• LinkedIn - Follow TLP Podcast: Follow us on Linked in, and share your thoughts on this episode. Follow TLP Podcast on LinkedIn
• B-Sides Brisbane Presentation by Ben Gittins: A shout-out was given to Ben Gittins for his presentation on the topic of generalists vs. specialists at B-Sides Brisbane. More about B-Sides Brisbane
• Volatility - Memory Forensics Tool: Developed by Andrew Case, Volatility is highlighted as an essential tool for memory forensics. Download Volatility

Action Points:

• Reflect on Your Career Path: Consider whether you are currently on the path of specialization or generalization in DFIR. Reflect on how this aligns with your career goals and the needs of your organization.
• Engage with the Community: The host invites listeners to share their thoughts on the specialist vs. generalist debate on LinkedIn. Join the discussion to see how others in the field are navigating their careers.
• Stay Updated: Follow the TLP podcast on LinkedIn for more discussions and updates on digital forensics and incident response topics.

In this episode of Traffic Light Protocol, we sit down with Myles, a cybersecurity veteran with over 15 years of Cyber experience and background as a Combat Engineer in the Army. Myles brings his unique perspective on integrating automation and cloud technologies into cybersecurity infrastructure deployment (Used specifically when deploying Velciraptor-  an advanced open-source endpoint monitoring, digital forensic and cyber response platform).

We delve into his journey from the military to his current role in deploying and managing advanced cloud infrastructure using docker containers and kubernetes orchestration platforms.

Quotes from Myles:

• "My time in the Army taught me the value of precision and strategy, which I now apply to cybersecurity."
•  "Cloud environments offer flexibility, but they also demand a new level of vigilance and control." 
• "With containerization, we’re not just deploying applications; we're creating a more secure and manageable environment." 

Key takeaways:

Strategic Integration: Integrating automation and cloud technologies can significantly enhance both the efficiency and effectiveness of cybersecurity practices.

• Proactive Security Measures: Shifting from reactive to proactive security strategies is essential for staying ahead of emerging threats.
• Cloud Security Fundamentals: Understanding the fundamentals of containerization and orchestration is crucial for maintaining a secure cloud environment.
• Efficiency Through Automation: Automation not only speeds up response times but also reduces the likelihood of human error in security processes.
• Vigilance in Cloud Environments: While cloud technologies offer numerous benefits, they also introduce new security challenges that require continuous vigilance and adaptation.
• Role of Military Experience: Insights gained from military experience can offer valuable perspectives on discipline, strategy, and precision in cybersecurity practices.
• Future Trends: Keeping up with trends in automation and cloud security will be key to adapting to future cybersecurity challenges.

Links and resources:

Contact Myles

Website: MylesAgnew.com
Github: https://github.com/mylesagnew

ASD threat intel:
https://www.asd.gov.au/about/what-we-do/cyber-security

Tools:
Cuckoo Sandbox- https://github.com/cuckoosandbox
Wordfence - Available in Wordpress plugins
WPS Scan (on Kali Linux) for scanning your own Wordpress site for vulnerabilities
Yara Signator: https://github.com/fxb-cocacoding/yara-signator 

Join the AI Cyber Security Skool Group
Inside the group, you’ll learn how to defend against prompt injections, lock down API keys, and stop your automations from turning into costly incidents. It’s a space for cyber pros, engineers, and AI builders to share playbooks, tools, and real-world lessons on keeping AI secure.
https://www.skool.com/ai-automation-security-5754/about?ref=3e3ebf81027c4bceb6f7cbfdbabe22ea

Quotes:

"Phishing targets the human element, the 'wetware,' often the weakest link in any security chain." - Clint Marsden
"Phishing isn't just about poorly spelled emails anymore; it's about sophisticated campaigns that even cyber-aware individuals can fall victim to." - Clint Marsden
"Effective defense against phishing involves not just technology but ongoing education and a culture of security awareness." - Clint Marsden

Key Takeaways:

•  Phishing attacks continue to evolve and remain a significant cybersecurity threat despite advances in technology.
•  Attackers leverage sophisticated techniques including AI and social engineering to exploit human psychology.
•  Effective defense strategies involve a multi-layered approach including user education, advanced email gateway technologies, and stringent access controls.

Action Points:

1.  Implement ongoing and evolving user education programs to enhance awareness of phishing tactics.
2.  Ensure email gateways are configured with DKIM, SPF, and DMARC protocols, and ensure the SEG is tuned appropriately to filter out malicious emails 
3.  Follow the Essential 8 guidelines, focusing on restricting Microsoft Office macros and restricting admin privileges. If you've got the capacity, go straight into application control.
4.  Implement multi-factor authentication (MFA) across all public-facing and internal systems to add an additional layer of security against phishing attempts.

Links and references:

Mitre ATT&CK - Phishing

https://attack.mitre.org/techniques/T1566/

ASD Essential 8:

https://www.cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight

IDN Homograph attacks:

https://shahjerry33.medium.com/idn-homograph-attack-reborn-of-the-rare-case-99fa1e342352


Phishing Landscape 2023 by Interisle Consulting and APWG:

https://www.interisle.net/PhishingLandscape2023.pdf

Anti Phishing Working Group:

https://apwg.org/trendsreports/

Episode Title: "Unmasking APT40: Tactics, Challenges, and Defense Strategies"
Key Takeaways:

APT40 is a sophisticated Chinese state-sponsored cyber espionage group active since 2009.
They target various sectors including academia, aerospace, defense, healthcare, and maritime industries.
APT40 uses advanced tactics such as spear phishing, watering hole attacks, and living off the land binaries (LOLBINS).
Digital forensics faces challenges in detecting APT40 due to their use of legitimate tools and anti-forensics techniques.
Effective defense against APT40 requires a comprehensive, layered security approach.

Engaging Quotes:
"APT40 represents a significant and evolving threat in the cyber landscape. Their sophisticated attacks, large scope targets and state sponsorship make them a formidable adversary." - Clint Marsden
"Defense against groups like APT40 it is not about implementing a single solution. What matters is creating a comprehensive and layered security approach that can adapt to evolving threats." - Clint Marsden

Resources Mentioned:

MITRE ATT&CK Framework: https://attack.mitre.org/
Pyramid of Pain by David J. Bianco: https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
NIST Computer Security Incident Handling Guide: https://csrc.nist.gov/pubs/sp/800/61/r2/final
Sysmon (System Monitor): https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

Action Points:

Implement robust email security measures, including secure email gateways and employee training.
Keep all systems and software up-to-date to reduce vulnerabilities.
Use multi-factor authentication to protect against credential theft.
Implement network segmentation to limit lateral movement.
Deploy advanced endpoint detection and response (EDR) tools.
Conduct regular threat hunting exercises.
Implement data loss prevention (DLP) solutions.
Develop a comprehensive cloud security strategy.

In this episode, Clint Marsden goes straight into 4 practical strategies that enable better forensics and stop data exfiltration, no matter the size of your budget.

Clint covers deploying Sysmon for enhanced monitoring, and using Group Policy to tighten print and USB security. 

Event log cleared: Event ID 1102
ACSC Sysmon: https://github.com/AustralianCyberSecurityCentre/windows_event_logging
Swift on security Sysmon: https://github.com/SwiftOnSecurity/sysmon-config
Printer forensics: https://eventlogxp.com/blog/how-to-track-printer-usage-with-event-logs/

In todays episode of TLP - Traffic Light Protocol, Clint Marsden talks about Defending Against Scattered Spider: Understanding Their Tactics, Techniques, and Procedures.

Key Takeaways

 Understanding Scattered Spider: Scattered Spider, also known as Roasted Octopus or Octo Tempest, utilizes various legitimate tools for malicious purposes.

 Common Tools and Techniques: They employ tools for reconnaissance (PingCastle, ADRecon), credential dumping (Mimikatz, Lazagne), Remote access (Screen Connect, Team Viewer), and VPN (Tailscale).

Social Engineering Tactics: Their methods include impersonation, MFA fatigue (MFA bombing), and SIM swapping to gain access.

Persistence Mechanisms: They maintain access through methods like automatic account linking and adding additional MFA tokens 

Defense Strategies: Implement strong identity verification, monitor for unusual activity, and educate users social engineering & smishing

Quotes

"By understanding their tactics, techniques, and procedures, or TTPs, you can better defend your network and improve its security posture."
 "There's a lot of push on recognizing phishing emails and hovering over links and verifying the sender, but not enough focus on social engineering training for staff"

Action Points

Review Service Desk Processes: Ensure robust identity verification to prevent social engineering.
Monitor for Unusual Activity: Regularly audit and set up automated alerts for suspicious MFA changes or logins.
Educate Users: Conduct training on recognizing phishing and social engineering techniques.
Test Tools in a Lab: Use the mentioned tools to simulate attacks and improve defensive measures by analyzing security logs and infrastructure.

Mentioned Resources

Remote monitoring and management or RMM tools

Fleetdeck.io
Level.io
Ngrok Mitre Ref: [S0508]   
Screenconnect  
Splashtop
Teamviewer      
Pulseway
Tactical RMM

Reconnaissance:

PingCastle - https://www.pingcastle.com/
ADRecon - https://github.com/sense-of-security/ADRecon
Advanced IP Scanner - https://www.advanced-ip-scanner.com/
Govmomi - https://github.com/vmware/govmomi

Cred dumpers:

Mimikatz - https://github.com/ParrotSec/mimikatz
Hekatomb - https://github.com/ProcessusT/HEKATOMB
Lazagne - https://github.com/AlessandroZ/LaZagne
gosecretsdump - https://github.com/C-Sto/gosecretsdump
smbpasswd.py - (as part of Impacket) - https://github.com/fortra/impacket/blob/master/examples/smbpasswd.py
LinPEAS - https://github.com/peass-ng/PEASS-ng/tree/master/linPEAS
ADFSDump - https://github.com/mandiant/ADFSDump 

VPN:

Tailscale -   Provides virtual private networks (VPNs) to secure network communications





 

 In this episode, we speak with Phil Ngo, a Primary Investigator in Accenture's global cyber response team. 

As a primary investigator, he is responsible for helping clients recover from major incidents as well as delivering proactive cyber services, such as threat hunting and tabletop exercises. Philip started his career as a high school teacher, before moving into IT support and eventually into cyber security six years ago. Philip has a worked across multiple industries and through his experience, has built up a solid cyber forensics and response skillset. 

Get some tactical assistance with Phil's real life high-pressure incident experience. In this episode we cover:

Challenges in Digital Forensics: 
Obstacles in digital forensics and incident response - working people and systems
Frequent vulnerabilities exploited in breaches 
The potential impact of AI on digital forensics and incident response
 Essential qualities and resources for aspiring cybersecurity professionals 

Connect with Phil on LinkedIn here:
https://www.linkedin.com/in/phil-ngo1337/

Youtube channels for additional learning:

13 Cubed www.youtube.com/@13Cubed
Network Chuck: http://www.youtube.com/@NetworkChuck
http://www.youtube.com/@SANSForensics

Join the AI Cyber Security Skool Group
Inside the group, you’ll learn how to defend against prompt injections, lock down API keys, and stop your automations from turning into costly incidents. It’s a space for cyber pros, engineers, and AI builders to share playbooks, tools, and real-world lessons on keeping AI secure.
https://www.skool.com/ai-automation-security-5754/about?ref=3e3ebf81027c4bceb6f7cbfdbabe22ea

This is the biggest episode from a content perspective so far. I'm excited to share it with you.

Episode Highlights:

• How to run post-incident debriefs and post-mortems.
• Involving external teams
• Using lessons learned to form actionable insights.
• Key questions to address in incident analysis.
• Effective report writing strategies, including  timelines and executive summaries.
• Evaluating and improving incident response procedures and tools preparation.
• Engaging broader teams in the debrief process for better cooperation.
• Tracking and documenting incident response efforts for continuous improvement.

Key Takeaways:

• Post-incident debriefs and post-mortems afford the most value for learning, improving incident response and preventing reoccurance.
• Using structured frameworks and guidelines, like NIST 800-61, provide valuable direction for how to run your debrief and post-mortem meeting.
• Effective communication, documentation, and cooperation across teams enhance incident handling and future preparedness.

Join the AI Cyber Security Skool Group
Inside the group, you’ll learn how to defend against prompt injections, lock down API keys, and stop your automations from turning into costly incidents. It’s a space for cyber pros, engineers, and AI builders to share playbooks, tools, and real-world lessons on keeping AI secure.
https://www.skool.com/ai-automation-security-5754/about?ref=3e3ebf81027c4bceb6f7cbfdbabe22ea

 Show Notes: Episode on Containment, Eradication, and Recovery

In this episode of Traffic Light Protocol,  Clint Marsden explores the containment, eradication, and recovery phases of the NIST SP 800-61 framework for computer security incident handling.

Key Topics Covered:

• Containment Strategies:  Choosing appropriate containment methods based on the incident type, potential damage, service availability, and evidence preservation. Examples include power disconnection and network isolation.
• Real-World Example: Clint shares an incident response case where premature action against attackers led to a total domain takeover.
• Evidence Gathering and Handling: The use of tools like write blockers to preserve evidence integrity.
• Threat Analysis: Highlights passive techniques for analysing threats without alerting attackers, such as remote log analysis and OPSEC to track attackers
• Restoration and Recovery: Covers steps to restore systems to normal operations, including vulnerability patching, backup restoration, and password resets.
• Future Considerations: Suggests engaging with external vendors for comprehensive incident response and utilizing threat intelligence platforms.

Join Clint Marsden as he guides you through the intricacies of incident response, helping you enhance your digital forensics skills. Follow Clint Marsden on LinkedIn (https://www.linkedin.com/in/clintmarsden/) and TLP on Linked In https://www.linkedin.com/company/traffic-light-protocol-the-digital-forensics-podcast-tlp for more updates and insights. 

In this conclusion of the Detection phase, Clint wraps up Incident Prioritisation. This includes Functional impacts of the incident, information impact of the incident and the recoverability of the incident.

Not all of these are needed, or relevant when tracking your incident and Clint explains when to categorise incidents using these factors.

To finish off, Clint discusses incident notification - Who are the stakeholders that need to be informed and included in your incident response process, and how will they be notified?

Auscert: www.auscert.org.au

In this 45 minute episode Clint covers a lot of ground based on the Detection phase of NIST 800-61.

Attack vectors for digital security incidents, including insider threats and weaponized USBs.
Cybersecurity incident response and detection, including NIST guidelines and Sysmon logging augmentation
The importance of following temporal linearity in  Forensic Investigations, expanding analysis to 5-10 minutes prior to and after events, particularly in Internet History and Memory Dumps
Building a baseline of activity through network pcaps and log analysis
Why synchronised clocks are important?
How detailed notes help in your investigations

Join the AI Cyber Security Skool Group
Inside the group, you’ll learn how to defend against prompt injections, lock down API keys, and stop your automations from turning into costly incidents. It’s a space for cyber pros, engineers, and AI builders to share playbooks, tools, and real-world lessons on keeping AI secure.
https://www.skool.com/ai-automation-security-5754/about?ref=3e3ebf81027c4bceb6f7cbfdbabe22ea

In this Episode Clint Marsden talks about the first phase of Computer Security Incident Handling according to NIST. Listen to real world examples of how to get prepared before a Cyber Security Incident arrives.

Show notes:

Link to NIST SP 800-61 PDF

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf


Bro has been renamed to Zeek. https://zeek.org/

Rita is Real Intelligence Threat Analytics. Created by Active Countermeasures - 

Available from https://github.com/activecm/rita

Join the AI Cyber Security Skool Group
Inside the group, you’ll learn how to defend against prompt injections, lock down API keys, and stop your automations from turning into costly incidents. It’s a space for cyber pros, engineers, and AI builders to share playbooks, tools, and real-world lessons on keeping AI secure.
https://www.skool.com/ai-automation-security-5754/about?ref=3e3ebf81027c4bceb6f7cbfdbabe22ea

In this first episode we kick off with Clint Marsden, the host of Traffic Light Protocol (TLP) where he talks about what its like to work in DFIR, how to get started with Cyber training, what to expect in future episodes, and of course a light touch on AI Forensics!

Join us for the first episode. The next episodes coming up talk about the NIST SP 800-61 where we break down Preparation, Detection, Eradication and Recovery.

Highlights:

Current trends and best practices in digital forensics, emphasizing the importance of preparation, experience across different domains, and the challenges of acquiring artifacts. Clint highlights the need for a wide breadth of experience and stressed the importance of continuous learning, while  emphasising the need for a broad range of tools and methods. 
Finally, we also discussed various methods for learning cybersecurity without spending money, including exploring free resources and leveraging AI.