Cloudy with a Chance of DFIR: How Our Traditional Methodologies Need to Change (53:05)

Traditional digital forensics and incident response (DFIR) processes include preparation, identification, containment, eradication, recovery, and retrospective. The introduction of mutable environments and resources within cloud-based networks means that our approach to incident response has changed. Our methodologies are fundamentally the same, but instead of relying on traditional approaches such as capturing an image and downloading it from a cloud provider we should conduct our investigations with the same cloud resources.

The problem is, the clouds sprawling nature makes DFIR increasingly difficult, especially when it comes to the identification, containment, and eradication steps. But since cloud providers are built with dynamic networks and resources in mind, we have new capabilities that allow us to automate the containment, eradication, and initial investigative processes.

During this presentation, Swimlane Research Engineer Josh Rickard will walk you through both traditional and cloud-centric incident response processes with security orchestration, automation, and response (SOAR). He will also discuss how open-source tools can assist with forensic investigations in cloud-based environments as well as explore a few gotchas related to incident response that should be continual areas of focus by the cybersecurity community.