⏳ Time is crucial in Incident Response ⏳ In one incident, the victim engaged Talos IR immediately after discovering malicious activity alerts. Talos IR worked swiftly to combat additional malicious activity and prevented the execution of any encryption in the environment. Conversely, in a second incident, the victim ignored alerts of malicious activity and did not contact Talos IR until after the ransomware binary began to execute. Talos IR was then not provided network access for analysis for over a day, during which time the actors achieved nearly 100% host encryption. Full article here: https://lnkd.in/enpX5CuB
Took us three days once, recently, to get access to EDR. We pivoted and started going after logs with Velociraptor, KAPE module configured for certain things and a couple other scripts. Expensive EDR didn't help much there.
Well, it’s not about time… this is about experience/knowledge of L1/L2, escalation process and internal communication.
Imagine seeing payloads in the logs or EDR or whatever and doing nothing? I would FIRE EVERYONE involved in that process. EVERYONE.
Ah, the tale of two "cities"...
Staff Threat Intel Analyst, Adversary Tactics
Time is most definitely crucial. This is why military members are taught the basics of medical response, and carry first aid kits. Self-care and buddy-care are more immediate than waiting for a corpsman/medic, or a surgeon, which can be hours away. Unfortunately, while there is something similar in IT, as it relates to operational troubleshooting (to some extent), this simply is not part of our culture, as it applies to incident identification and response.