The GOAT Project

The GOAT-TARDIS Project

Project Authors: Jack Wesley Riley, RSA Incident Response; Joshua Trabing, RSA Incident Response

Project Overview

The GOAT-TARDIS Project aims to build an integrated, flexible, and powerful analysis and investigation platform for analysts of the RSA Incident Response and Discovery Practice. Its overarching goals include the following:

  • A single-source platform able to ingest almost any data source that IR analysts may encounter on engagements
  • Baseline all investigative data sources with a timeline focus
  • Identify, track, and build a profile of malicious activity while analysis is being conducted
  • Automate, as much as possible, the reporting requirements of analysts during IR engagements, leaving more resources for actual analysis
  • Build evidence collection and historical correlation of engagements and attacker activity into the automation around analysis activities
  • Automate the application of threat intelligence to evidence gathering and triage analysis efforts
  • Apply analytics and ML models across evidence at analysis time to identify malicious activity more effectively
  • Additional goals as identified

This project is being designed in two primary parts: GOAT, which serves as the analysis platform and toolkit for use during IR engagements, and TARDIS, which serves as the threat intelligence, engagement correlation, and content creation platform.

Global Operations and Analysis Toolkit (GOAT)

Threat Analytics, Research, Detection, and Intelligence System (TARDIS)
