Event Recap: Forensics in the CISA Incident Response Playbook

What’s the main reason agencies conduct endpoint investigations? In a poll conducted during this webinar on Incident Response, 43% of agency attendees said it was due to ‘Cyber security response’. The next most common reason was ‘IT Compliance audits’, at 32% of attendees. Given that, Justin Tolman, Forensic Subject Matter Expert with Exterro, reminded us that “CISA is not just an enforcement agency… it is an agency that can work as a resource for cyber security information, frequently posting news and updates about various attack vectors, ways you can fix those things, and contact information to get support.” As part of their larger mission, he added, “CISA has published a forensic playbook that addresses what the government can do collectively, reliably and repeatedly to help secure the nation’s security and the missions carried out by those agencies.”
During the remainder of the webinar, Tolman addressed the following in greater detail:
- Review of who CISA is and how they can help agencies.
- What kinds of threat information CISA publishes.
- What the playbook is and how it applies to forensics.
- Preparation for Instrumentation, Agency user and Contractor/ICT reporting, Cyber threat intelligence.
- Relevance and use of Preparation, Investigation, Remediation, and Communication.
- Forensic collection, preservation, analysis, and reporting.
- Working with Off-Network and On-Network data.
- The application of the playbook to companies and non-government agencies.
Sponsor: Exterro