Large-scale incident response is not about scaling classical forensic approaches, it's an entirely different field. In his talk, Mathias will focus on the various pitfalls when handling major breaches in organizations with well above 100.000 endpoints. While there are many points to cover, the main focus of the talk will be on documentation and how it ties into managing resources, the victim and other stakeholders.
Good Incident Response Leads need to be able to brief a non technical client as well as a new team member on the case at every given time - not just in pre-scheduled status calls. This requires a stable set of information at the IR Lead's finger tips. To consolidate all the information in one place, Mathias created and maintains the Aurora Incident Response tool that strives to bring Incident Response documentation to the next level. Many years ago Mandiant coined the term SOD (Spreadsheet of Doom) which is the general source of truth and stores all the key findings in an investigation. While the original SOD was an Excel template, Aurora is an SOD on steroids. It enables responders to work as a team, offers instant visualizations of lateral movement and a graphical timeline. It ties into MISP and Virus Total for a streamlined intelligence workflow. That way responders never lose the oversight or get lost in details as they can always step back to get the helicopter view on the case.
Resource management is a key topic in large-scale incident response. If responders use a linear scaling approach they will fail. Good IR teams can usually handle large-scale response for over 100.000 hosts with only 3-4 FTEs. Mathias will introduce strategies on how to optimize resource allocation and allow for personnel swaps easily. All of these strategies rely on a number of factors like technical team skills, tools and the IR lead's soft skills. Resource management is also strongly supported by Aurora-based documentation.
The target audience for the talk are security specialists who want to understand how to improve their IR readiness as well as everyone else who wants to hear some cyber war stories.