CactusCon

CactusCon13
February 14-15, 2025
Mesa, AZ

Linux IR: Windows of Opportunity

This talk aims to expose individuals to incident response in a Linux environment. Many talks and trainings primarily focus on Windows environments with little to no mention of the unique challenges that exist within Linux environments. We will be working through a sample from the SystemdMiner family and highlighting its behavior as captured by open-source tooling (ELK/OSQuery/Suricata/Zeek). I'll showcase how Linux incident response differs from Windows as well as where both worlds collide.

Jon Wade has spent close to the last decade wearing as many security hats as possible as a security engineer at GoDaddy. He enjoys tackling interesting challenges and punching miscreants whenever possible. He believes that all you need to perform initial triage in Linux is the lsof command.