Good words here. Unfortunately I’ve been involved in far too many IRs where the victim is unable to provide the information the reputable IR firm needs.
Because predatory companies are taking advantage of the many ransomware victims out there these days, I wrote some basic expectations you should have of your contracted IR team and why, from the perspective of an incident responder. tisiphone.net/2021/05/11/rea… via tisiphone-net

May 11, 2021 · 8:15 PM UTC

Replying to @hal_pomeranz
Would a list of “must have” data fit into a tweet? FWIW, here is my list: Sysmon logs, Zeek logs, Windows Events, Linux logs, Firewall logs, Honeypot logs + list of all machines & owners.
What you get is whatever Windows event logs and Linux logs happen to be on each system, plus one random collection of network logs (firewall, CloudTrail, etc.), and you don’t get to pick which one. Welcome to my world!