Project Authors: Jack Wesley Riley, RSA Incident Response; Joshua Trabing, RSA Incident Response
The GOAT-TARDIS Project aims to build an integrated, flexible, and powerful analysis and investigation platform for analysts of the RSA Incident Response and Discovery Practice. Some of the overarching goals of this project are as follows:
- A single platform able to ingest almost any data source that IR analysts may encounter on engagements
- Baseline all investigative data sources with a timeline focus
- Identify, track, and build a profile of malicious activity while analysis is being conducted
- Automate, as far as possible, the reporting requirements of analysts during IR engagements, freeing more resources for actual analysis
- Build evidence collection and historical correlation across engagements and attacker activity into the automation around analysis activities
- Automate the application of threat intelligence to evidence gathering and triage analysis
- Apply analytics and ML models across evidence at analysis time to identify malicious activity more effectively
- Additional goals as identified
This project is designed in two primary parts: GOAT, the analysis platform and toolkit used during IR engagements, and TARDIS, the threat intelligence, engagement correlation, and content creation platform.