Partnering with Incident Responders for Faster Investigations

Our mission is to ensure that front-line incident responders have the tools and resources they need to conduct cyber investigations. As outlined in a recent press release from Vendetta Cyber Defense (VCF), we have started to formalize those partnerships with both corporate and consulting digital forensics and incident response (DFIR) teams.

Our partnerships have three goals:

  • Integrate our automated digital forensics software, Cyber Triage, into your environment and help you tune it.
  • Ready your team, with training, simulations and test datasets.
  • Support you with our deep DFIR expertise. If you come across uncommon artifacts or previously unseen tools, techniques or procedures, we’ll join you to figure them out.

As a mission-focused company, we provide first-class service to our customers. As one of our MSSP partners recently said:

“We appreciate your team’s responsiveness. It’s truly unlike any other partners we’ve worked with before. The team speaks highly of Cyber Triage and the tool has really sped up our analysis efforts.”

This blog post goes into these three goals in more detail so you can identify the areas where we can help.

Automated Forensics with Cyber Triage

As VCF said in their press release, resolving attacks like ransomware quickly is critical to reduce damage. With the massive amounts of data involved in a corporate investigation, automation becomes critical for investigators. Only a tiny subset of the data in an enterprise is going to provide answers about an attack and the responders need to quickly find it.

Cyber Triage is our automated digital forensics software, used by incident response and security operations center (SOC) teams to rapidly collect and analyze endpoint systems. Within minutes, you have the first leads in your investigation and are quickly identifying affected hosts and key containment actions.

We meet with you on a regular basis to ensure your team is trained and help with any deployment tuning. We also love to learn what you are encountering and brainstorm on ways to make you even more efficient. After all, our main goal is to help you resolve incidents as quickly as possible.

Advanced Artifact Analysis

Some attacks are routine, and responders have seen variations of them before. Others involve novel tactics and new challenges. And some environments are unique, with different kinds of infrastructure, so responders have trouble differentiating normal from malicious activity.

Those novel situations are where we have in-depth expertise and are ready to assist. We will partner with you to provide advanced expertise. Sometimes we have already seen that unique behavior; other times we can engage our research and development team to build a solution.

The Sleuth Kit Labs R&D team can help reverse engineer tools and artifacts and conduct experiments to determine when artifacts are created and updated. Because that team spends all of its time focused on artifacts, they can efficiently help you interpret the evidence left behind by threat actors.

Preparing For the Incident

Fortunately, most corporate DFIR teams don’t get to experience major incidents on a regular basis (and we want to help keep it that way). But when they do happen, it’s important to know that both your infrastructure and your team are prepared. We meet with our partners regularly to focus on topics such as new threats, new sources of evidence, incident simulations and threat hunts.

Incident simulations allow your team to be challenged and to practice their plans. Some are pure tabletop exercises and others are live fire. We like to integrate Cyber Triage data sets and challenges where appropriate. These are designed to be challenging, but also fun to solve.

Threat hunts and assessments involve conducting collections across the enterprise and identifying suspicious activity. Cyber Triage streamlines the hunt process and provides in-depth analysis of endpoint artifacts that is not possible with other tools. As a partner, we guide you through your first few hunts and then typically take a supporting role after that. You know your environment best and are best suited to judge what is normal versus suspicious.

We’re Here To Help

We’re excited to work closely with Vendetta and other response teams. We truly want to make sure every incident responder and digital forensics investigator can quickly resolve threats and defend their people and businesses. The world needs more responders and we’re here to support them.

If your team would like to work with us, contact us. You can also try a free evaluation copy of Cyber Triage.