Autopsies of Recent DFIR Investigations

JL Peck

Lead Consultant

Preparing for Incident Response Can Save Organizations up to $1.23M During a Breach*

In his presentation to BlueHat Seattle, John-Luke Peck, D-CISO and Senior Security Consultant at CI Security, reviews in retrospect several recent incident response engagements performed by CI Security's Incident Response team. All examples and incidents described in this presentation have been de-identified to protect privacy and operational security.

As a prediction for 2020, John-Luke describes the importance of remote DFIR services and what organizations need to do to prepare their environments for remote digital forensics and virtual incident response. Note that this presentation was made in late 2019 - and John-Luke predicts at 20:20 that the time for remote DFIR has arrived.


Remote Digital Forensics and Incident Response (DFIR) Requirements

The "autopsies" that John-Luke covers are enlightening. From considering what went well to what did not go well during the various engagements, he highlights in particular the data, services, and support available from Microsoft, Office 365, and AzureAD, and covers how they could and could not be leveraged during the various engagements, all of which were performed virtually.

He also discusses data requirements and what organizations need to do to prepare for virtual incident response and digital forensics investigations conducted remotely. John-Luke explains how he dealt with data that was and wasn't there, including:

  • Necessary data was not available because the client had not taken, or was unaware of the need to take, steps to enable collection of the data
  • The data and services that were available were successfully used during response efforts


Lessons Learned from Office 365, AzureAD, and Incident Response

John-Luke also highlighted the following:

  • Lessons learned about Office 365/AzureAD and incident response
  • How Office 365, AzureAD, and ATP services and data were used in the response efforts
  • Recommendations for Office 365/AzureAD tenants to assess cybersecurity risks and build DFIR capabilities before an incident occurs


* Source: 2019 Cost of a Data Breach Report, https://www.ibm.com/security/data-breach