Microsoft Detection and Response Team (DART) AMA
Tuesday, Mar 15, 2022, 09:00 AM PDT (event has ended)
We are very excited to announce our Microsoft Detection and Response Team (DART) AMA!
About DART: Our job is to respond to compromises and help our customers become cyber-resilient. This is al...
Posted by Trevor_Rusher, updated Feb 16, 2022
Chad_Munkelt, Mar 15, 2022 (Copper Contributor):
For someone who is trying to build out their internal DFIR capabilities, what are a few key areas you would recommend they focus on? What are your thoughts on live triage vs. traditional forensics (disk images, etc.)?
- kshitijk, Mar 15, 2022 (Microsoft): Have a playbook to follow -- identify your requirements and needs before an incident strikes. What are your requirements to gather a disk image or triage data? What tools do you need, and do you have them ready? What stakeholders need to be made aware, for legal and compliance reasons? Do site managers know what they need to do to actually acquire the evidence you need? Plan ahead so that execution can be efficient. It probably won't be perfect even then, but it'll still get your team answers faster. As for live triage vs. deadbox analysis, abide by organizational/evidence preservation/legal and compliance requirements first 🙂 That said, live triage data can be collected and analyzed much more quickly than a disk image can be obtained...
- Chad_Munkelt, Mar 15, 2022 (Copper Contributor): Thank you Kshitij, those are great points! SaltyMunk
- aymansiraj, Mar 15, 2022 (Copper Contributor): Live triage is the way to go; it's fast and aligns best with the business objective of least impact to business downtime. Most data on computers isn't forensically/threat-hunting relevant. Disk images are usually necessary if you are trying to carve for a file no longer on disk, or when litigation/lawyers come in. One key thing to focus on: employees who know how to use 5 tools well are better prepared to defend than those who have 10 shiny tools thrown at them. On many engagements we see customers with all the tools, but the security folks aren't well versed in how to use them or don't gain a deep enough understanding as they are switching between tools/portals.
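Both replies above recommend live triage collection, with Kshitij adding that tooling, evidence-preservation requirements and site procedures should be settled before an incident. The script below is an added example of what such a prepared triage collector can look like on a Windows host; it is not DART tooling and not code from any of the posters. It assumes an elevated PowerShell 5.1+ session and uses a hypothetical collection root (`C:\Triage`), which in practice should be removable media or a share rather than the suspect system's own disk. Volatile data is collected first, every file is SHA-256 hashed into a manifest, and collection metadata (who, when in UTC, which host) is written before anything else is touched.

```powershell
# Added example (not DART tooling): minimal live-triage collector for a Windows host.
# Assumptions: elevated PowerShell 5.1+; $OutRoot is a hypothetical destination that
# should live on removable media or a share, not on the suspect system disk.
param(
    [string]$OutRoot = 'C:\Triage'   # hypothetical collection root
)

$ErrorActionPreference = 'Continue'
$stamp   = (Get-Date).ToUniversalTime().ToString('yyyyMMddTHHmmssZ')
$caseDir = Join-Path $OutRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $caseDir -Force | Out-Null

# Record who collected what, when (UTC) and from which host before touching anything else.
[pscustomobject]@{
    Host        = $env:COMPUTERNAME
    Collector   = "$env:USERDOMAIN\$env:USERNAME"
    StartedUtc  = $stamp
    BootTimeUtc = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime.ToUniversalTime()
    Tool        = 'triage.ps1 (example collector)'
} | ConvertTo-Json | Set-Content -Path (Join-Path $caseDir 'collection_metadata.json')

# Volatile artifacts first: they change or disappear the longer the box stays up.
$steps = [ordered]@{
    'processes.csv'       = { Get-CimInstance Win32_Process |
                              Select-Object ProcessId, ParentProcessId, Name, CommandLine, ExecutablePath, CreationDate }
    'netstat.csv'         = { Get-NetTCPConnection |
                              Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess }
    'services.csv'        = { Get-CimInstance Win32_Service |
                              Select-Object Name, State, StartMode, PathName, StartName }
    'scheduled_tasks.csv' = { Get-ScheduledTask | Where-Object State -ne 'Disabled' |
                              Select-Object TaskName, TaskPath, Author, State,
                                  @{n='Action'; e={ ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }} }
    'run_keys.csv'        = {
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' |
            Where-Object { Test-Path $_ } | ForEach-Object {
                $key = $_
                (Get-ItemProperty -Path $key).PSObject.Properties |
                    Where-Object { $_.Name -notmatch '^PS' } |
                    Select-Object @{n='Key'; e={ $key }}, Name, Value
            } }
    'local_admins.csv'    = { Get-LocalGroupMember -Group 'Administrators' |
                              Select-Object Name, ObjectClass, PrincipalSource }
    # Last 7 days of logons (4624), special-privilege assignments (4672) and process creation (4688).
    'security_events.csv' = { Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624,4672,4688; StartTime=(Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
                              Select-Object TimeCreated, Id, @{n='Message'; e={ $_.Message -replace '\s+', ' ' }} }
}

foreach ($name in $steps.Keys) {
    $path = Join-Path $caseDir $name
    try {
        & $steps[$name] | Export-Csv -Path $path -NoTypeInformation -Encoding UTF8
    } catch {
        # A failed collector must not abort the rest of the run; log it and keep going.
        "ERROR collecting $name : $($_.Exception.Message)" | Add-Content -Path (Join-Path $caseDir 'errors.log')
    }
}

# Hash every collected file so the package can later be shown to be unaltered.
Get-ChildItem -Path $caseDir -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{n='File'; e={ Split-Path $_.Path -Leaf }}, Hash |
    Export-Csv -Path (Join-Path $caseDir 'manifest.sha256.csv') -NoTypeInformation

Write-Host "Triage package written to $caseDir"
```

The collector is deliberately small and built from cmdlets that ship with Windows, in line with the point that a team fluent in a few tools beats one juggling many. Running it on the host does alter state (process list, prefetch, event log), which is the trade-off both posters accept; the metadata file and hash manifest are what let you explain that footprint and prove the package's integrity if the case later goes to legal, at which point a disk image is still the right call.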
- Jamesmoe, Mar 15, 2022 (Microsoft): Identity is the mechanism by which most attacks execute on their objectives. They may get in several different ways; however, the real question is how did they escalate privileges from a normal user to a privileged user? So making sure you are implementing identity detections is key to stitching together the various artifacts into a true attack timeline.
- richarddavis2197, Mar 15, 2022 (Microsoft): Hi Chad, to answer your question: 99% of the data on a given drive is probably not of forensic interest. Triage is where it's at -- until there is a reason to go deep into a system. As far as where to start -- gain executive support for a formalized IR program and start with the documentation surrounding that. This is an absolutely critical first step.
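Jamesmoe's reply above makes the point that the useful question is how a normal user session turned into a privileged one, and that identity events are what stitch the scattered artifacts into a timeline. The script below is an added example of that correlation, written for this page and not taken from DART or any of the posters. It rebuilds logon sessions from Windows Security events (4624 logon, 4672 special privileges assigned, 4688 process creation), keyed by logon ID, and then flags a privileged session that appears shortly after an unprivileged session of a different account from the same source. The event records are a constructed sample (the accounts, logon IDs, addresses and paths are made up); `ConvertFrom-SecurityEvent` is a hypothetical helper included so the same function can be fed real `Get-WinEvent` output.

```powershell
# Added example: correlate Security-log identity events into a privilege-transition timeline.
# Not DART tooling. Event IDs 4624/4672/4688 are real; all sample data below is constructed.

function ConvertFrom-SecurityEvent {
    # Hypothetical helper: flatten a real Get-WinEvent record into the shape used below.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $isLogon = ($Event.Id -eq 4624)
        [pscustomobject]@{
            Time      = $Event.TimeCreated.ToUniversalTime()
            Id        = $Event.Id
            LogonId   = if ($isLogon) { $d['TargetLogonId'] } else { $d['SubjectLogonId'] }
            User      = if ($isLogon) { $d['TargetUserName'] } else { $d['SubjectUserName'] }
            LogonType = $d['LogonType']
            Source    = if ($d['IpAddress']) { $d['IpAddress'] } else { $d['WorkstationName'] }
            Detail    = switch ($Event.Id) {
                            4672 { $d['PrivilegeList'] }
                            4688 { "$($d['NewProcessName']) $($d['CommandLine'])" }
                            default { '' } }
        }
    }
}

function Find-PrivilegeTransitions {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$WindowMinutes = 30
    )
    # 1. Rebuild logon sessions keyed by logon ID, attaching privileges and spawned processes.
    $sessions = @{}
    foreach ($e in ($Events | Sort-Object Time)) {
        switch ($e.Id) {
            4624 { $sessions[$e.LogonId] = [pscustomobject]@{
                       LogonId = $e.LogonId; User = $e.User; LogonType = $e.LogonType; Source = $e.Source
                       Start = $e.Time; Privileged = $false; Privileges = ''
                       Processes = [System.Collections.Generic.List[object]]::new() } }
            4672 { if ($sessions.ContainsKey($e.LogonId)) {
                       $sessions[$e.LogonId].Privileged = $true; $sessions[$e.LogonId].Privileges = $e.Detail } }
            4688 { if ($sessions.ContainsKey($e.LogonId)) { $sessions[$e.LogonId].Processes.Add($e) } }
        }
    }
    # 2. For each privileged session, look for an earlier unprivileged session of a different
    #    account from the same source within the window. 4672 alone is noise (every admin logon
    #    raises it); the preceding low-privilege session from the same place is the signal.
    foreach ($priv in ($sessions.Values | Where-Object Privileged)) {
        $prior = $sessions.Values | Where-Object {
            -not $_.Privileged -and $_.User -ne $priv.User -and $_.Source -eq $priv.Source -and
            $_.Start -le $priv.Start -and ($priv.Start - $_.Start).TotalMinutes -le $WindowMinutes }
        foreach ($s in $prior) {
            # 3. Stitch both sessions' events into one ordered timeline.
            $timeline = $Events | Where-Object { $_.LogonId -in $s.LogonId, $priv.LogonId } | Sort-Object Time |
                ForEach-Object { '{0:u} {1} {2,-9} {3} {4}' -f $_.Time, $_.Id, $_.User, $_.LogonId, $_.Detail }
            [pscustomobject]@{
                Source       = $priv.Source
                FromUser     = $s.User
                ToUser       = $priv.User
                MinutesApart = [math]::Round(($priv.Start - $s.Start).TotalMinutes, 1)
                Privileges   = $priv.Privileges
                Timeline     = $timeline
            }
        }
    }
}

# Constructed sample, not real logs: one benign RDP logon (bob) and one interactive session
# (alice) that is followed five minutes later by a privileged network logon from the same address.
$sample = @(
    @{Time='2022-03-15T08:30:00Z'; Id=4624; LogonId='0x0F0F'; User='bob';      LogonType='10'; Source='10.0.0.9'; Detail=''}
    @{Time='2022-03-15T09:01:00Z'; Id=4624; LogonId='0x1A2B'; User='alice';    LogonType='10'; Source='10.0.0.5'; Detail=''}
    @{Time='2022-03-15T09:03:00Z'; Id=4688; LogonId='0x1A2B'; User='alice';    LogonType='';   Source='';         Detail='C:\Windows\System32\cmd.exe /c whoami /priv'}
    @{Time='2022-03-15T09:04:30Z'; Id=4688; LogonId='0x1A2B'; User='alice';    LogonType='';   Source='';         Detail='C:\Users\alice\AppData\Local\Temp\x.exe'}
    @{Time='2022-03-15T09:06:00Z'; Id=4624; LogonId='0x3C4D'; User='da-admin'; LogonType='3';  Source='10.0.0.5'; Detail=''}
    @{Time='2022-03-15T09:06:00Z'; Id=4672; LogonId='0x3C4D'; User='da-admin'; LogonType='';   Source='';         Detail='SeDebugPrivilege SeBackupPrivilege SeTcbPrivilege'}
    @{Time='2022-03-15T09:07:10Z'; Id=4688; LogonId='0x3C4D'; User='da-admin'; LogonType='';   Source='';         Detail='C:\Windows\System32\net.exe group "Domain Admins" /domain'}
) | ForEach-Object { $_.Time = [datetime]::Parse($_.Time, $null, 'AdjustToUniversal'); [pscustomobject]$_ }

Find-PrivilegeTransitions -Events $sample | ForEach-Object {
    "$($_.FromUser) -> $($_.ToUser) via $($_.Source), $($_.MinutesApart) min apart, privileges: $($_.Privileges)"
    $_.Timeline
}
# Against a live host: Find-PrivilegeTransitions -Events (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4672,4688} | ConvertFrom-SecurityEvent)
```

On the sample, bob's session is ignored (no privileged logon from 10.0.0.9), while alice's session is stitched to the da-admin logon from the same address, giving one ordered timeline that runs from her interactive logon through the processes she spawned to the privileged logon and its first command. Two caveats for real data: 4688 only exists if process-creation auditing (and command-line logging) is enabled, and the same-source heuristic will also pair a legitimate admin who elevates from their own workstation, so the output is a lead to review, not a verdict.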