TLP - The Digital Forensics Podcast

Episode 20: What Makes an Elite Incident Response Team: Mindset, Mastery, and Real-World DFIR Lessons

Clint Marsden, Season 1, Episode 20


Drawing inspiration from observing military special forces and over five years of hands-on DFIR experience, Clint Marsden explores the mindset, habits, and tactical processes that set top-performing IR teams apart.

From threat intelligence workflows and detection-first thinking to deep forensic analysis and clear executive reporting, this episode is packed with real-world lessons, relatable stories, and practical advice. Whether you're running your first threat hunt or leading an enterprise SOC, you'll walk away with a clearer vision for building a resilient, high-performing IR capability.

You’ll learn:

  • Why elite IR teams focus on boring repetition and clarity over cool tools
  • How to track threat groups and adapt detection rules in real time
  • Where most SOCs fail with SIEM tuning and memory forensics
  • How to communicate findings that actually move leadership to act

Check out the blog: www.dfirinsights.com

Hi, I'm Clint Marsden, and today we are discussing what makes a great incident response team. And this is more than following a playbook and having good team culture. It's not about, after a big incident, we all go down to the pub and have some beers and a steak. It's a little bit more than that. I've been working in incident response teams for years, over five years at this point, and based on that real-world experience, I wanted to explain what makes a great incident response team. And I've also done some research to bring some additional things together, because it's something that's interested me for a long time: the correlation between the military special forces and what they do, how they train, and how this can be implemented in civilian life. So I'm not an ex-Special Forces member. I've always looked up to those guys for a few reasons. The most obvious one, I guess, is just their resilience, especially going through training. Go on YouTube and you watch the videos about how they are going through that selection course. It is very, very hard work. It is grueling. As someone who has spent their life behind a computer, I look at the stuff that those guys have to go through and just go, wow. It is so impressive, the stories that you hear about people who have made it, people who haven't made it. It's not always the guys who look the biggest, act the toughest, are the alpha males that make it through. And that is because these selection courses are designed to break you, and they will take you to your limits, and then they push you further than your limits. And for some people, they're able to dig deep, and they discover more about themselves, and then they tap into something bigger and are able to complete selection. And sometimes it's the guys that are the small ones.
Jocko Willink is a guy who's got some great books on leadership, and obviously very, very much outside the topic of today's episode and the podcast in general. Jocko Willink is this podcaster, ex-US Forces Marine, Special Forces Marine, I'm sorry, has some great books like Discipline Equals Freedom and Leadership Strategy and Tactics. In one of his books, he talks about the best teams, and the guys that were some of the most successful in the SEAL teams during one of the selection courses. They were, I think they called them, the small guys. They were not six-foot-tall, massive guys, but somehow they managed to just win and succeed against all the odds. And so that's where my interest has come from in this: looking up to them and identifying what are the traits that these guys have. And it's not about us trying to carry logs or gigantic tires in incidents, of course, right? But when the heat is on, what are those guys doing to get there? How did they get there? Because they weren't born Navy SEALs. They were born like everyone else, and they worked hard. They got to where they are because they had systems and they had training and did things over and over again, especially the boring stuff. The way that we can get like this, the way that we can become experts, we can become highly trained, we can be comfortable in high-pressure situations, is by practicing over and over again and looking at what the best teams in the world are doing, and then looking at how we can implement that in our team. And a great IR team doesn't just respond to alerts, especially during the downtime. In fact, what a great IR team does is try and anticipate what is coming down the wire, so to speak. And you might think, well, you know, how on earth do we anticipate threats? We are dealing with a number of unknown adversaries on the other side. You've got teenagers on the other side of the world hacking from their bedrooms.
You have nation-state threat actors. You have bot or botnet activity. You have users who are just getting caught up in downloading malware, and they're victims of search engine optimization, or search engine poisoning, and they're getting Lumma Stealer. Even just talking about those different vectors, that gives us a clue on how we can protect the network, how we can protect the organization at large, because they're all different types of threats. We can't just wait for an indicator of compromise to show up to get this understanding of what is coming down the wire. We have to do things like tracking threat groups, tracking malware families and their TTPs, and the threat group TTPs, the tactics, techniques and procedures. And you can do this in real time if you have that capability. Maybe you've engaged a partner that provides this to you, or maybe you are doing it more casually. It becomes more of a daily checklist type item, and the team are doing that by reviewing certain websites. They're reviewing blogs like dfirinsights.com, for example, my blog. Occasionally we'll do write-ups on TTPs or threat groups. Did one on Scattered Spider last year. Did one on APT40 as well. It takes time to kind of build out what you want, build out a quality curated list. You might use news readers, you might use things like Feedly to keep track of all of these different sources. Using an RSS reader used to be the thing. I think RSS is kind of dying now. It's a bit harder to find sources that have easily published or very readily available RSS feeds. Another great source of intel is your local government agency. So in Australia we have a few different ones that can help. At an Australian federal level, we have the Australian Signals Directorate. We also have the Australian Cyber Security Centre. We also have ASIO, an intelligence organization. They're a little bit more aligned to more traditional security threats.
They do provide content on cyber threats too. Or the State of New South Wales has resources available through the Joint Cyber Security Centre, the JCSC. All the states have a JCSC resource that you can work with and get threat intelligence reports. The reports that you get access to give you things like TTPs that are maybe not published to everyone else and maybe not as public. They can be broken down by industry. So if you're not sure where to start, thinking about the industry that you are in is where you should start, and use that to then look for threat intelligence sources that specifically relate to your industry. Look at APT groups, as a real simple one that's been done to death. Look at APT groups that are targeting your specific industry vertical. Your team, upon getting access to those reports, should pivot immediately into looking for evidence of compromise, indicators of compromise, using that group's known MITRE techniques. So following the MITRE ATT&CK framework, maybe do some threat hunts. Update your detection rules as appropriate. You don't have to copy every single IOC, because your firewall might already have these things. You might have an email gateway in place that is looking for evidence of these types of phishing attacks. You need to understand your infrastructure as well. Adding manual IOCs can augment those existing capabilities. And then you might also have a little bit of a briefing amongst the people who work alongside the security team to let them know: this is what we are now looking at. We've just received a threat intelligence briefing. This particular threat group is active right now. They're targeting our industry vertical. To counteract this, we have gone and started blocking .one files at the email gateway, you know, for the OneNote attachment malware that was going around a few years ago.
Just as an example, if you've got some budget, you might look at implementing OpenCTI, or you might look at getting threat feeds from other organizations: Mandiant, Recorded Future. Setting up a MISP. Setting up MISP is not an easy task, just want to flag that. It is useful if you have a team who have the resources and the time available to review the threat intelligence that you get from running a MISP, malware intelligence sharing platform. It's great that you've got the data. You also need the time to then go and hunt for specific use cases, and threat hunting based off intelligence sources, which is a great way to do it, is an entire different podcast in itself, but let's leave it there for now. The next thing that the best IR teams are implementing is a detection mindset. The way that they're doing that is they're focusing on what the adversaries are doing. What is the adversary behavior? How are they operating in the environment? With AI, this is changing. It may not be such a case of it's changing rapidly, and may be more that the techniques are just becoming a bit more creative. At the core level, what are we dealing with? We're dealing with computers, we're dealing with software, we're dealing with security solutions. Have they changed? Well, yeah. They're constantly evolving. Also, they're not evolving that quickly. These things have been around for so long. It is just that AI is enabling a different thought process. It's coming up with different ideas. It is reinventing the wheel as we see it, but behind this, what is the logic? This is gonna be relevant for quite some time, because we're still dealing with humans who are launching these attacks. System-based attacks are coming. Yeah, sure. Okay. Let's get worried about that. Well, we can't, because we need to fight fire with fire and look at implementing AI tools to detect and prevent and come up with TTPs and come up with different ways of defending, not getting carried away.
If we're still focusing on how humans are doing things, we have patterns, we have patterns of behavior. There are always attacks that are occurring the same way. It starts with SEO poisoning. Okay? What happens with SEO poisoning? Alright, someone goes to download Audacity, and instead of Audacity, well, they get an infostealer. They get Lumma Stealer, or they get QakBot or whatever it is, or they get ransomware. Or it's a phishing attack. They click on the link, they enter their creds, it goes into a database. The organization doesn't have MFA, boom, they're popped. Or they get phished and they click on a link and it steals their tokens. Okay, so these are some basic attack types. These are the detections. How can we detect these types of attacks? It's not about buying more tools at this point. You go, oh, well, we don't have budget for this. Great. You don't need the budget. What have you got already? How can we use what we've got? Attackers are living off the land. Can we live off the land too? Sure. What have we got? What security platforms are being used right now? Years ago I was working at a small cyber consulting firm, or a cyber MSSP. One of our clients was getting smashed with ransomware. This is when ransomware was at its peak. It was in its heyday. This was before ransomware big game hunting kind of existed or had been coined as a term, and everyone was just getting ransomed. And this is also when Bitcoin was, you know, $5,000 a Bitcoin. And this client, they didn't have a massive cybersecurity budget. They probably should have, considering the industry vertical that they were in, but this is a common theme. They had purchased an antivirus solution from us. This antivirus solution had been sold to them as having anti-ransomware protection. After they got hit a few times, they spoke to us and said, what is going on? This should not be happening.
One of our guys, an expert in that particular AV suite, went out to the client, did a configuration review, spent a day going through everything, wrote up a nice little report. At the end, he was on site, and within the first hour he found that they didn't have anti-ransomware protection turned on. He turned it on, and the problems went away overnight. The point is, you don't need to buy more stuff. Look at your existing stuff, review the technical documentation, become an SME in all of your tools. Vendors are constantly releasing new features, new functionality. It's useful if you turn it on, if you configure it, if you tune it. Some of them will be easier to use than others. You'll have to figure it out as you go along. And then if you decide, we've turned everything on, we are still getting attacked, okay, sure. But at least you've started. At least you've worked with what you've got. And then you can present to leadership: hey, we've turned on everything, we've tried, we're still getting hit, we now need to make a more significant investment. Now moving into the namesake of this podcast, forensics. Having the ability, having the skillset to go beyond what is presented to you on the surface: looking at memory forensics, looking at what's on disk, looking at what is not on disk anymore, looking at the registry, processing significant amounts of log data. It is really a non-negotiable skill for cyber teams that really want to kick ass, I will say, and we are looking for so much more than evidence of what has been run. It's the first thing that we all do. We get an alert for malware and we go to the system and we talk to the user. They say, yeah, I was, if they're really honest, and this is rare, I was trying to download Audacity and I clicked on a link and downloaded this tool, and here it is, and it says Audacity installer .exe. And you run that through VirusTotal and it shows, well, it's got Lumma Stealer in there. What about all the rest of it? How did we get here?
How did this get past our defenses? Has it gotten past EDR? Did it get past the web proxy? Why has it affected this user? Okay, for Audacity? Sure. They're running Windows. Why did the user go to Google to get the software? They just needed it and they thought, hey, I'll just go to Google and I'll download it and install it. Why did they decide to go to Google instead of going to the company portal, for example? Good questions, and they can be covered by some mitigations. They've gone to Google to download the software and install it, maybe because they haven't been given user awareness training. They may have gone to the company portal and found that there was no option for audio editing software. The company might have a subscription to Adobe, but Audition wasn't available in the company portal, or maybe the user decided, I don't know how to use Audition. That comes down to a user awareness problem, and this is good for the incident report as to root cause analysis, but coming back to the forensic side of it: to get that information requires a really good investigation, and it covers off us needing to talk to the user to understand how we actually got here. So having a good interview structure, having a good little interview plan to identify what has happened is what is needed there, and that is a skill that is absolutely needed. It's a skill that gets better with time as you practice. I dunno, it can be a little bit difficult, but it's easy for us to kind of fall into rapid-fire questioning of the user: where did you get this? Why did you do this? And from the other person's side, from the user's side, it doesn't feel great. Look, they know. They know that they've screwed up. They know because maybe the whole company has ransomware, or they know because the cyber team are talking to them, and they're worried and they dunno what's gonna happen next.
So it requires a little bit of finesse, and using AI to generate an interview plan is actually quite helpful here. Using ChatGPT to develop a forensic investigation plan with an interview, a set of interview questions, is really helpful, and giving it some context about: we need to treat this as a sensitive matter. We don't wanna appear like this is an interrogation. We want to understand the best way to obtain the information that we want without the person becoming defensive, building trust and building rapport with the interviewee to get the most amount of information possible so that we can reverse engineer the problem, get to root cause analysis, and move forward. And finally, part of the computer investigation. We're looking at what the malware has touched, and to get the best answers for this, you've gotta do a lot of evidence acquisition. Some of this needs to happen before you even turn the power off or take the machine away. And when a user calls up, and this is important to explain to your frontline people, your help desk teams, your desktop support teams, when a user calls up and says, hey, I think I've got some malware, I think I've got a problem here, the frontline teams need to be instructed to, one, thank the user for reporting it, because no one should feel apprehensive or scared to report cyber incidents. We need to create a culture of trust, so thank them for that. And then explain: disabling Wi-Fi, pulling the network cable out. Let's isolate the machine. Then when we get on site, the first thing that we wanna do is take a memory image using a memory forensics tool. I used to use FTK Imager to do this. Over time, that's caused a few problems in reliability, and it's been reported that it's modifying, I think, up to about 64 megabytes of RAM during that capture process. Obviously it has to run in memory too, and every memory forensics tool has to execute in memory. I think DumpIt is the preferred tool these days.
So if you wanna use FTK, yes, it gets the job done, but I think DumpIt is a better one to use. Plunk that onto a USB, and just remember that once you plug a USB into a system that has active malware, you might consider that that USB can then not be used ever again. To get the memory image off, you would most likely be plugging it into a system that's booted into Linux. And then once the image has been copied off and duplicated as part of your standard forensic process, of course, probably best to put a sticker on that USB key that it's got malware on it, because we just don't know. And then you can decide whether you want to use it on Linux systems only, or whether you wanna physically destroy it. We've got the memory image. Fantastic. This has been so helpful in many investigations, and without the memory image, we wouldn't have found out what's going on. A lot of the time, memory images are not taken. People forget. It's too much effort. The system gets rebooted, shut down. Just make the effort. It is worth it, a hundred percent. Get the memory dump and then process it with Volatility. Volatility 3 is now the official standard. Everything has been moved from Volatility 2 to Volatility 3, according to the Volatility Foundation. So we're good to go using Volatility 3. Volatility 3 is much easier to use. Automatic detection of memory image profiles, or the operating system that's being used, has been improved greatly from Volatility 2. And overall, you'll find it's a much more simple and pleasant tool to use. Once you've got memory, you also need to extract disk artifacts, and my favorite way of doing that is using KAPE, which is available from Kroll, K-R-O-L-L. They have a license model that allows you to use it internally.
If you're using it for DFIR investigations commercially, you'll need to get a license from them, but using it internally is totally okay. And the benefit of KAPE is that it can grab all the artifacts that you ever need from Windows systems, and it does that by using answer files, which are just text files that you can pre-configure if you want to, or you can just check the box and grab them. The benefit of KAPE is that it not only extracts the artifacts, pulls them off the system in a forensically sound manner, but it can also leverage the use of Eric Zimmerman's tools to then process them. So you can extract them and process them, and then you've got them ready to go. Which is, if you're taking a disk image, then using something like Plaso, or log2timeline as it used to be known. And then if you really wanna get fancy, getting that image into Timesketch, a web-based interface that allows you to review the contents of the image a little bit more graphically. You can use that graphical interface to filter and drill down and go deep and then come back to the 30,000-foot view. It's great. The next thing that great IR teams are doing is focusing on improving their processes for scalability. These elite teams are doing their best to automate the collection of artifacts, the analysis of them, and then how to report on them as well. The collection, analysis and reporting are the three things that make up an incident. Sometimes the collection and analysis can take quite a long time, but reporting and the constant editing and reviewing and rewriting can take a lot of time as well. If you put the time into the collection and analysis phase and documenting as you go, it really makes the reporting a lot easier. And now with AI, generating summaries and generating those reports is much easier. If you're still using a public LLM, if you're using a ChatGPT or a Claude, you're gonna have to be really careful with anonymizing the contents of the report.
So you're gonna have to replace things with some variables. You're gonna have to be replacing IP addresses, usernames, people's names, organization names, email addresses, all those IOCs that can be used to identify the organization. They could be used if the LLM database was compromised or accessed by a nation state, for example, if they control the LLM, which is a potential liability with DeepSeek, as we understand. That's unconfirmed, but it is a potential risk. You might need to put in a little bit of time to swap those out, and you might need to just have a spreadsheet that maps that out for you. You have a key for yourself so that you can Ctrl+H, find and replace in Word, and swap that out. And then if you upload that to an LLM, it's anonymized. Then when it comes back, it being the report, it being the summary, it being the notes that you are emailing as part of your daily or weekly updates, you can then find and replace those values and off you go. This also demonstrates the value of running a local LLM to process your evidence, to do your event summaries and do your reporting. And that takes us to the last section of what these elite teams are doing. You can run a perfect investigation. You can understand patient zero. You know that this person was on their home computer and they Googled for something, and then they wrote themselves an email to their corporate account with a link from a Google search. And then they clicked on that link, and then they downloaded malware, and then they dropped that onto the file server. And then the file server for some reason executed the malware and it spread. And you have all the technical information about that. You have memory dumps, you have network traffic, you've got PCAPs. That is fantastic. How are you communicating this? Your boss might be technical. Your boss might not be technical. What about your boss's boss? What is the likelihood that they understand what a mem dump is?
What a PCAP is? What about Volatility plugins? Do they know? Do they care? No, because your boss's boss, guess what? They have to report to their boss. And how are they gonna do that? Well, they need a summary of the incident. They need bullet points that are explained like I'm five. They need to be succinct. They need to be non-technical. They need to talk to impact. They need to talk to risk. They need to talk to the facts of: we have contained the incident, we have determined the root cause, we have resolved the vulnerability that caused the incident, and we have assessed the impact. And, depending on where you're working, no personal information was disclosed. The customer database is okay. The credit card information that we hold on file has not been accessed. Personal information is safe. Great. Then that needs to be in a big report, depending on the type of incident that it is, depending on the culture of your organization. Maybe a one-page post-incident report is sufficient. Maybe it's a sufficient post-mortem. Maybe what I used to do, which is write 20- and 40-page reports. Yeah, it takes a few weeks to write, a few revisions. Over time it gets easier. You just have to understand your audience. But the reporting needs to be clear. It needs to have layers. The layers are different audiences in different sections of the report. If there's an executive summary, there are findings, there are detailed findings, then there are recommendations. Those layers are written for different audience members. The executive summary is meant to be a summary of the entire report. Don't write the executive summary until you've completed the report. The executive summary needs to summarize exactly what's in the report. You can't have information in the exec sum that is unique, that has not been spoken about before. And then it needs to be very simple, very direct, clear. Again, talking to business risk, business impact, and the recommended actions.
The technical analysis with those findings needs to include the root cause, the TTPs, the tools used by the attacker. Detailed findings: go hard, right? Dump it all in there. If you need to use appendices, use spreadsheets as attachments, PDFs. It depends. If there's so much evidence, it's gonna make the report just blow out. It's gonna go beyond 20, 40 pages, and it's just causing the reader to scroll and scroll and scroll. That's just an information dump. And as a report writer, it's your responsibility to curate that information better. That's why we use appendices. If you wanna see more, scroll to the end. Read appendix B for the DNS proxy logs for this user for the past two days, where we can demonstrate that they were looking for how to hack an Active Directory domain controller, for example, downloading hacking tutorials, showing a path of intent, if you like. So circling back, what are these elite teams doing? How can we become like an elite team? They have various capabilities. First, they're threat intelligence driven. They rely on tools to give them threat intelligence, to allow them to do more targeted response, to identify that root cause, to close the gap. They're detection first. They're structured, and that allows them to detect what is going on earlier. It allows them to detect what is going on after, helping them understand whether the attackers are still in the network. They have excellent forensic skills. This helps identify the root cause. It helps identify the impact. Finally, reporting clarity. They're doing this by writing reports in layers, by communicating to their audience, and by ensuring that they're acquiring all of the evidence that is required first up, and that the analysis that they're performing is detailed and methodical. Great IR teams are not born. They are acquired over years of experience. They invest in themselves. They invest in threat intelligence skills, in detection engineering, forensic depth, and they're learning communication skills.

Any team, any person can move towards this elite tier, this elite way of operating. They have to have the desire to do so. They've gotta have the mindset to do it. They need to train consistently, and they need to have a certain level of operational maturity, not just having a large budget. I really hope that today's episode has helped get you thinking about how you and your team can get those elite digital forensics and incident response skills. I'd love to hear the techniques that your team are using to level up and the skillset that you are building. That is all for now. I'll see you in the next episode, where we will talk about IRCO, the incident response copilot, a custom GPT that I've built that is available now in ChatGPT. It's IRCO. It's the Incident Response Copilot. That is our next episode. Really looking forward to sharing it with you, and I can't wait till then. Thanks for listening. I'll see you in the next episode.
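The episode describes anonymizing report text before it goes to a public LLM: swap IP addresses, usernames, people's names, organization names and email addresses for placeholder variables, keep a spreadsheet key, and find-and-replace the values back in when the summary comes back. The script below is an added example of that workflow and is not part of the episode or any tool it mentions. It detects emails and IPv4 addresses with regular expressions, takes names, usernames and organization names as an analyst-supplied list (those are not reliably detectable by pattern), issues one stable placeholder per distinct value, records the key, and reverses the substitution. The incident note and all identifiers in it are constructed sample data.

```python
import re
from dataclasses import dataclass, field

# Regexes for the pattern-detectable identifier classes. Emails are replaced
# before IPs and names so "jsmith@acme.example" is not split into pieces.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Anonymizer:
    """Replace identifying values with stable placeholders and keep the key."""
    # Names, usernames and org names supplied by the analyst; matched longest
    # first so "Acme Corp" is consumed before "Acme" can match inside it.
    known_terms: list[str] = field(default_factory=list)
    key: dict[str, str] = field(default_factory=dict, init=False)       # placeholder -> original
    _reverse: dict[str, str] = field(default_factory=dict, init=False)  # original -> placeholder
    _counters: dict[str, int] = field(default_factory=dict, init=False)

    def _placeholder(self, kind: str, original: str) -> str:
        """Return the same placeholder every time the same value appears."""
        if original in self._reverse:
            return self._reverse[original]
        self._counters[kind] = self._counters.get(kind, 0) + 1
        token = f"<{kind}_{self._counters[kind]}>"
        self.key[token] = original
        self._reverse[original] = token
        return token

    def anonymize(self, text: str) -> str:
        """Replace emails, IPv4 addresses and known terms; the key is kept locally."""
        text = EMAIL_RE.sub(lambda m: self._placeholder("EMAIL", m.group(0)), text)
        text = IPV4_RE.sub(lambda m: self._placeholder("IP", m.group(0)), text)
        for term in sorted(self.known_terms, key=len, reverse=True):
            # Whole-word, case-insensitive match; the canonical spelling is what
            # goes into the key, so de-anonymization restores that spelling.
            pattern = re.compile(r"(?<!\w)" + re.escape(term) + r"(?!\w)", re.IGNORECASE)
            text = pattern.sub(lambda m, t=term: self._placeholder("NAME", t), text)
        return text

    def deanonymize(self, text: str) -> str:
        """Put the original values back into text returned by the LLM."""
        for token, original in self.key.items():
            text = text.replace(token, original)
        return text


# Constructed sample incident note; every identifier here is made up.
SAMPLE = (
    "User jsmith (John Smith, Acme Corp) reported that 10.20.30.44 beaconed to "
    "203.0.113.7 after he opened a link mailed to jsmith@acme.example. "
    "Acme Corp helpdesk isolated 10.20.30.44 at 14:02."
)


def demo():
    """Anonymize the sample, reverse it, and return (safe_text, restored, key)."""
    anon = Anonymizer(known_terms=["John Smith", "jsmith", "Acme Corp", "Acme"])
    safe = anon.anonymize(SAMPLE)
    restored = anon.deanonymize(safe)
    return safe, restored, anon.key


if __name__ == "__main__":
    safe, restored, key = demo()
    print(safe)
    for token, original in key.items():
        print(f"{token}\t{original}")
    print("round trip ok:", restored == SAMPLE)
```

The key dictionary is the same thing as the spreadsheet the episode describes, and it never leaves the analyst's machine; only the anonymized text goes to the LLM. The same IP gets the same placeholder every time, so a summary that says `<IP_1>` twice still reads correctly after restoration. Matching terms case-insensitively means a lowercase "acme corp" in the input comes back as "Acme Corp", which is acceptable for a report but worth knowing. Anything not on the supplied term list (hostnames, ticket numbers, internal project names) passes through untouched, so the list should be reviewed before each upload.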
