Session
The Need for Speed: Rapid M365 Investigation with Free and Open-Source Tools
A takeover of your M365 environment can wreak havoc on your organization both financially and operationally. As a responder, kicking the attacker out of the system, gathering evidence, and safely getting your people back online is essential for keeping a business going. How do you make sure you understand the extent of the compromise, don’t destroy evidence, and ensure that attackers aren’t lurking in your cloud? In this talk, we’ll cover how to:
• Use built-in Windows tools to quickly preserve logs and other evidence
• Identify changes made to compromised accounts
• Find the full scope of compromise and how long the attacker was in the system
• Use open-source tools like ELK and Graylog to ingest data and quickly identify malicious behavior
• Identify weaknesses in your configuration and prevent compromise in the future
Join us and learn techniques that can answer essential questions quickly, improve the effectiveness of your initial response, and make sure you can get back up and running safely.