Microsoft Detection and Response Team (DART) AMA
Event Ended
Tuesday, Mar 15, 2022, 09:00 AM PDT
Event details
We are very excited to announce our Microsoft Detection and Response Team (DART) AMA!
About DART: Our job is to respond to compromises and help our customers become cyber-resilient. This is al...
Trevor_Rusher
Updated Feb 16, 2022
Chad_Munkelt
Mar 15, 2022, Copper Contributor
For someone who is trying to build out their internal DFIR capabilities, what are a few key areas you would recommend they focus on? What are your thoughts on live triage vs traditional forensics (disk images etc.)?
aymansiraj
Mar 15, 2022, Copper Contributor
Live triage is the way to go; it's fast and aligns best with the business objective of least impact to business downtime. Most data on computers isn't forensically or threat-hunting relevant. Disk images are usually necessary if you are trying to carve for a file no longer on disk or when litigation/lawyers come in.
One key thing to focus on: employees who know how to use 5 tools well are better prepared to defend than those you throw 10 shiny tools at. On many engagements we see customers with all the tools, but the security folks aren't well versed in how to use them, or don't gain a deep enough understanding because they are switching between tools/portals.
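As an added example of what "live triage" looks like in practice (this is not code from the thread, from DART, or from any Microsoft tool), the script below collects the volatile and high-value artifacts an analyst usually wants first from a Windows host: running processes with command lines, TCP connections, services, scheduled tasks, Run-key autoruns, local users and administrators, and a window of security events. Every output file is SHA-256 hashed into a manifest so the collection can be verified later. The output root `C:\Triage`, the 72-hour event window, and the chosen event IDs are assumptions you should adjust; it needs an elevated PowerShell 5.1 or later session.

```powershell
# Added example, not DART tooling: minimal live-triage collector for Windows.
# Writes each artifact as CSV into a timestamped folder and records a SHA-256
# manifest. Assumptions: output root, event window and event IDs below.
#Requires -RunAsAdministrator
param(
    [string]$OutRoot = "C:\Triage",   # assumed collection target (use removable/network storage)
    [int]$EventLogHours = 72          # assumed look-back window for Security events
)

$ErrorActionPreference = 'Continue'
$stamp  = Get-Date -Format 'yyyyMMdd_HHmmss'
$outDir = Join-Path $OutRoot "$($env:COMPUTERNAME)_$stamp"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Each collector is a name plus a scriptblock. Failures are recorded in the
# manifest rather than aborting the run, since a compromised host may have
# broken WMI, missing modules, or tampered logs.
$collectors = [ordered]@{
    'processes'       = { Get-CimInstance Win32_Process |
                          Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate }
    'network_tcp'     = { Get-NetTCPConnection |
                          Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess }
    'services'        = { Get-CimInstance Win32_Service |
                          Select-Object Name, DisplayName, State, StartMode, PathName, StartName }
    'scheduled_tasks' = { Get-ScheduledTask | ForEach-Object {
                            [pscustomobject]@{
                                Path    = $_.TaskPath
                                Name    = $_.TaskName
                                State   = $_.State
                                Actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
                            } } }
    'autoruns_run'    = { 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                          'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                          'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' |
                          Where-Object { Test-Path $_ } |
                          ForEach-Object {
                              $key = $_
                              (Get-ItemProperty $key).PSObject.Properties |
                                  Where-Object { $_.Name -notlike 'PS*' } |
                                  ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Value = $_.Value } }
                          } }
    'local_users'     = { Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet }
    'local_admins'    = { Get-LocalGroupMember -Group 'Administrators' |
                          Select-Object Name, ObjectClass, PrincipalSource }
    # Assumed event set: logons, failed logons, explicit-credential use, privileged
    # logons, process creation, user creation, local-group membership changes.
    'security_events' = { Get-WinEvent -FilterHashtable @{
                              LogName   = 'Security'
                              Id        = 4624, 4625, 4648, 4672, 4688, 4720, 4732
                              StartTime = (Get-Date).AddHours(-$EventLogHours)
                          } -ErrorAction SilentlyContinue |
                          Select-Object TimeCreated, Id, Message }
}

$manifest = foreach ($name in $collectors.Keys) {
    $file = Join-Path $outDir "$name.csv"
    try {
        & $collectors[$name] | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
        $hash = (Get-FileHash -Path $file -Algorithm SHA256).Hash
        [pscustomobject]@{ Artifact = $name; File = $file; SHA256 = $hash; Error = $null }
    } catch {
        [pscustomobject]@{ Artifact = $name; File = $file; SHA256 = $null; Error = $_.Exception.Message }
    }
}

# The manifest, plus its own hash, is what travels with the evidence.
$manifestPath = Join-Path $outDir 'manifest.csv'
$manifest | Export-Csv -Path $manifestPath -NoTypeInformation -Encoding UTF8
$manifest | Format-Table -AutoSize
"Collection complete: $outDir (manifest SHA256: $((Get-FileHash -Path $manifestPath -Algorithm SHA256).Hash))"
```

The design follows the trade-off in the answer above: this runs in seconds and touches only what threat hunting usually needs, so the host can stay in service. It does not preserve slack space, deleted files or unallocated clusters; if carving or a legal hold becomes necessary, a full disk image is still required, and hashing the triage output lets both collections be reconciled later.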