SANS Community Night Secure Singapore 2023 - Managing Large-Scale Response

  • Wednesday, 15 Mar 2023 7:00PM SST (15 Mar 2023 11:00 UTC)
  • Speaker: Mathias Fuchs

Large-scale incident response is not a matter of scaling classical forensic approaches; it is an entirely different field. In his talk, Mathias will focus on the various pitfalls of handling major breaches in organizations with well above 100,000 endpoints. While there are many points to cover, the main focus of the talk will be on documentation and how it ties into managing resources, the victim and other stakeholders.

Good Incident Response Leads need to be able to brief a non-technical client as well as a new team member on the case at any given time, not just in pre-scheduled status calls. This requires a stable set of information at the IR Lead's fingertips. To consolidate all the information in one place, Mathias created and maintains the Aurora Incident Response tool, which strives to bring Incident Response documentation to the next level. Many years ago Mandiant coined the term SOD (Spreadsheet of Doom) for the general source of truth that stores all the key findings in an investigation. While the original SOD was an Excel template, Aurora is an SOD on steroids. It enables responders to work as a team, offers instant visualizations of lateral movement and a graphical timeline, and ties into MISP and VirusTotal for a streamlined intelligence workflow. That way responders never lose oversight or get lost in details, as they can always step back to get the helicopter view of the case.

Resource management is a key topic in large-scale incident response. If responders use a linear scaling approach, they will fail. Good IR teams can usually handle large-scale response for over 100,000 hosts with only 3-4 FTEs. Mathias will introduce strategies for optimizing resource allocation and making personnel swaps easy. All of these strategies rely on a number of factors, such as the team's technical skills, tools and the IR lead's soft skills. Resource management is also strongly supported by Aurora-based documentation.

The target audience for the talk is security specialists who want to understand how to improve their IR readiness, as well as everyone else who wants to hear some cyber war stories.