Good words here. Unfortunately I’ve been involved in far too many IRs where the victim is unable to provide the information the reputable IR firm needs.
Because predatory companies are taking advantage of the many ransomware victims out there these days, I wrote some basic expectations you should have of your contracted IR team and why, from the perspective of an incident responder. tisiphone.net/2021/05/11/rea… via tisiphone-net
Would a list of “must have” data fit into a tweet? FWIW, here is my list: Sysmon logs, Zeek logs, Windows Events, Linux logs, Firewall logs, Honeypot logs + list of all machines & owners.
Replying to @ExtremePaperC
What you get is whatever Windows event logs and Linux logs happen to be on each system. Plus one random collection of network logs (firewall, CloudTrail, etc) and you don’t get to pick which one. Welcome to my world!

May 12, 2021 · 11:05 AM UTC

Replying to @hal_pomeranz
I can imagine 😬 - and perhaps the occasional “we have no idea what that machine is, or where it’s at”
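The thread above boils down to an evidence-readiness question: does the organisation actually collect the "must have" sources listed earlier (Sysmon, Zeek, Windows events, Linux logs, firewall, honeypot) plus an owned inventory of machines, or does IR get "whatever happens to be there" and a few machines nobody recognises? The following is an added example, not code from anyone in the thread. It takes a constructed asset inventory and a constructed list of what each host ships to the log pipeline (hostnames, owners and the per-OS expectations are hypothetical) and reports the gaps an incident responder would hit on day one: unowned hosts, hosts shipping nothing, hosts shipping logs that are not in the inventory at all, required sources no host provides, and retention too short to cover a typical dwell time.

```python
import csv
import io

# Sources the thread lists as "must have" for an IR engagement.
REQUIRED_SOURCES = {"sysmon", "zeek", "windows_events", "linux_logs", "firewall", "honeypot"}

# What each host class is expected to ship (an assumption for this example).
EXPECTED_BY_OS = {
    "windows": {"windows_events", "sysmon"},
    "linux": {"linux_logs"},
}

# Constructed sample data; every hostname and owner here is hypothetical.
INVENTORY_CSV = """host,os,owner
dc01,windows,ad-team
web01,linux,web-team
jump01,windows,
srv-legacy,unknown,
fw-edge,appliance,netops
"""

SHIPPED_CSV = """host,source,retention_days
dc01,windows_events,30
dc01,sysmon,30
web01,linux_logs,7
fw-edge,firewall,90
ghost-7,sysmon,30
"""


def parse_inventory(text):
    """Return {host: {"os": ..., "owner": ...}} from the inventory CSV."""
    return {
        row["host"]: {"os": row["os"].lower(), "owner": row["owner"].strip()}
        for row in csv.DictReader(io.StringIO(text))
    }


def parse_shipped(text):
    """Return {host: {source: retention_days}} from the log-pipeline CSV."""
    shipped = {}
    for row in csv.DictReader(io.StringIO(text)):
        shipped.setdefault(row["host"], {})[row["source"]] = int(row["retention_days"])
    return shipped


def readiness_report(inventory, shipped, min_retention_days=30):
    """Compare what IR will need against what is actually being collected."""
    inv_hosts = set(inventory)
    log_hosts = set(shipped)
    all_sources = {src for srcs in shipped.values() for src in srcs}

    # Per-host gaps against the OS expectation; unknown OS gets no expectation.
    missing_per_host = {}
    for host, meta in inventory.items():
        expected = EXPECTED_BY_OS.get(meta["os"], set())
        gap = sorted(expected - set(shipped.get(host, {})))
        if gap:
            missing_per_host[host] = gap

    # Retention shorter than the threshold will not cover a typical dwell time.
    short_retention = sorted(
        (host, src, days)
        for host, srcs in shipped.items()
        for src, days in srcs.items()
        if days < min_retention_days
    )

    return {
        "unowned_hosts": sorted(h for h, m in inventory.items() if not m["owner"]),
        "hosts_without_logs": sorted(inv_hosts - log_hosts),
        "unknown_hosts": sorted(log_hosts - inv_hosts),       # "no idea what that machine is"
        "missing_sources": sorted(REQUIRED_SOURCES - all_sources),
        "missing_per_host": missing_per_host,
        "short_retention": short_retention,
    }


if __name__ == "__main__":
    report = readiness_report(parse_inventory(INVENTORY_CSV), parse_shipped(SHIPPED_CSV))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run before an incident, not during one: every entry in `unknown_hosts` is a machine IR will have to identify under time pressure, and every required source in `missing_sources` is a question the responders will ask that the victim cannot answer.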