5 Things to Know About Digital Forensics and Incident Response (DFIR)

Trustwave SpiderLabs is among the most well-respected teams in the cybersecurity industry, having gained a reputation for conducting cutting-edge research, plying the foggy corners of the dark web for information, and detecting and hunting down threats.


What is less well known is how Trustwave SpiderLabs' various teams function, and then pull together, to create the formidable force that is the backbone of all of Trustwave's offerings.


This is the second in what will be a series of blogs breaking down how SpiderLabs works to ensure the security of Trustwave's clients. Our first inside look examined Trustwave Security Testing.


In order to bring Trustwave's Digital Forensics and Incident Response team to life, we asked Jason Bergerson, Director of SpiderLabs Security, to break down how this team operates.


1. What is the basic day-to-day activity of the DFIR team?  

The DFIR team performs two types of services: proactive consulting and incident response. Proactive consulting consists of discussions with clients, the development of material, and the delivery of material through reports and/or virtual meetings. Incident response consists of discussions with clients, data collection and preservation efforts, evidence analysis, recommendations to contain, eradicate, and remediate, and delivering findings through virtual meetings and expert reports. In addition, when not performing client work, the team spends time on training and improving sales and delivery material.


2. What are the team's first steps when called onto a case? Does it become a 24/7 operation until the situation is clarified?  

Requests for incident response most typically go to our on-call response system. The on-call consultant calls the client and performs an initial scope, and either confirms the client would like to invoke their retainer hours or begins the process of engaging an emergency contract. Once the scope is determined, initial requirements for data sources and technology deployment, where necessary, are provided to the client. Finally, the on-call consultant alerts the global DFIR team and regional managing consultants to ensure the correct number of resources are assigned based on the initial scope of work. The initial assumption is that the work will require a 'follow the sun' model for incident response delivery.


3. What are the most difficult aspects of conducting an investigation?  

In most instances, we're taking over an existing environment where the consulting team has little historical knowledge of the environment. This lack of understanding requires collaboration with the client and the local resources to ensure proper access and data collection efforts are undertaken. Additionally, there is often a large volume of initial data to begin analyzing. This activity can front-load the project with necessary work that precedes being able to deliver the initial findings. It is also important to note that the urgent nature of an incident response can sometimes create an unrealistic expectation of how quickly initial findings and recommendations can be delivered. The response cycle is usually delivered in phases; as the investigation discovers new indicators of compromise, the recommendations will increase, and further analysis and additional evidence sources may be required.


4. What are some of the skillsets the DFIR team brings to a client when conducting an investigation?


The primary skill that good DFIR consultants possess is the ability to properly perform an investigation. The inquisitive nature of an investigator drives them to figure out how an incident happened, then how it moved in the environment, and what impact it had on the client. Along with having an investigative mindset, another skill is a good understanding of the forensic process, the tools involved, endpoint detection and response technologies, networking architecture, tooling, and logging, and a well-developed understanding of the MITRE ATT&CK framework.   


5. What aspects of Trustwave's DFIR process do you believe clients and potential clients don't know but should?


The DFIR Retainer service is a valuable way to engage with Trustwave. The service provides a discounted rate from the emergency rate, a guaranteed service level response time of less than two hours, and a complete, transferable conversion of hours to other consulting efforts if the client does not need the hours for an incident response. Once engaged, the process is very dependent on the client's ability to respond to the needs for collection and preservation. Even if it is determined that we must deploy an investigation tool set, that deployment is typically performed by the local IT or security staff. After Trustwave starts analysis, the updates can come through on a 24x7 rolling basis as the Trustwave DFIR team works to resolve the incident. Having client points of contact that can answer questions and implement suggested remediations or provide additional data sources is also a way to dramatically increase the speed with which the project can move forward.
