This workshop aims to cover the three key areas required to build an effective Incident Response capability:

1. Legal
 - Contracts, NDAs, and permission to call in other staff, work off site, and take IP data away from the network/site.
 - Note that EU/US privacy law, SEC rules and other regulation are in play here (plus IP protection): many IR companies are US based, so what do we do about privacy, disclosure and IP protection?

2. Working with the team
 - What to expect when they are onsite: space, access and briefing needs.
 - Getting the basics together: points of contact, network schematics, OS/application deployment info, barrier info (AV, FW, SIEM, logs, N/HIPS, NetFlow etc.).
 - What to release to whom, when and how: secure methods of communicating with the team, sharing files, and getting legal's approval for all of this.
 - Getting quotes or ROMs for extras such as "We will just send this back to the office for off-site malware analysis".
 - What does a badly controlled engagement look like? Where does the fault lie?

3. Tech
 - What to configure to improve logging fidelity: the newer Microsoft updates covering logon events and executable hashes, file system journaling, enabling prefetch, enabling shadow copies, etc.
 - When to call it a day.
 - What to do afterwards: making the remediation hold, maintaining the momentum, and fixing the problem to prevent recurrence.
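A read-only readiness check for the Windows logging-fidelity items in the Tech section, added here as an example (it is not part of the workshop material). It assumes an elevated PowerShell session on the host being assessed and that the drive letter in `$drive` is the volume of interest.

```powershell
# Added example (not workshop material): read-only check of the Windows logging
# settings listed above. Run from an elevated PowerShell session; auditpol and
# fsutil need administrator rights. $drive is an assumption - set it to the
# volume you care about.
$drive = 'C:'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-LoggingReadiness {
    $findings = @()

    # Process creation auditing (Security event 4688) and command-line inclusion
    $row = auditpol /get /subcategory:"Process Creation" /r | ConvertFrom-Csv | Select-Object -First 1
    $inclusion = if ($row) { $row.'Inclusion Setting' } else { 'unknown' }
    $findings += [pscustomobject]@{ Check = 'Process Creation auditing (4688)'; Value = $inclusion; OK = ($inclusion -match 'Success') }

    $cmdLine = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 'ProcessCreationIncludeCmdLine_Enabled'
    $findings += [pscustomobject]@{ Check = '4688 includes command line'; Value = $cmdLine; OK = ($cmdLine -eq 1) }

    # Prefetch: EnablePrefetcher 0 = off, 1 = application, 2 = boot, 3 = both
    $pf = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters' 'EnablePrefetcher'
    $findings += [pscustomobject]@{ Check = 'Prefetch enabled'; Value = $pf; OK = ($pf -in 1, 3) }

    # NTFS USN change journal on the chosen volume (non-zero exit = no journal)
    $null = fsutil usn queryjournal $drive 2>&1
    $usnOk = ($LASTEXITCODE -eq 0)
    $findings += [pscustomobject]@{ Check = "USN journal on $drive"; Value = $(if ($usnOk) { 'present' } else { 'absent' }); OK = $usnOk }

    # Volume Shadow Copies available on the host
    $shadowCount = (Get-CimInstance Win32_ShadowCopy -ErrorAction SilentlyContinue | Measure-Object).Count
    $findings += [pscustomobject]@{ Check = 'Shadow copies present'; Value = $shadowCount; OK = ($shadowCount -gt 0) }

    return $findings
}

$results = Get-LoggingReadiness
$results | Format-Table -AutoSize
$gaps = @($results | Where-Object { -not $_.OK })
if ($gaps.Count -gt 0) { Write-Warning "$($gaps.Count) logging gap(s) to close before an incident, not during one." }
```

Any row reported with `OK = False` is a setting to fix and verify while the network is quiet, since the evidence it produces cannot be recreated after the fact.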