In his presentation to BlueHat Seattle, John-Luke Peck, D-CISO and Senior Security Consultant at Critical Insight, reviews in retrospect several recent incident response engagements performed by Critical Insight's Incident Response team. All examples and incidents described in this presentation have been de-identified to protect privacy and operational security.
As a prediction for 2020, John-Luke describes the importance of remote DFIR services and what organizations need to do to prepare their environments for remote digital forensics and virtual incident response. Note that this presentation was made in late 2019, and at 20:20 John-Luke predicts that the time for remote DFIR has arrived.
The "autopsies" that John-Luke covers are enlightening. Considering what went well and what did not go well during the various engagements, he highlights the particular data, services, and support available from Microsoft & Office 365, and AzureAD. He also covers how they could and could not be leveraged during the various engagements, which were performed virtually.
Data requirements were also discussed, along with what organizations need to do to prepare for virtual incident response and digital forensics investigations conducted remotely. John-Luke explains how he dealt with data that was and wasn't there, including:
John-Luke also highlighted the following:
Source: 2019 Cost of a Data Breach Report, https://www.ibm.com/security/data-breach