This paper presents an automated remote incident handling solution for an information security organization that was rushed into a work-from-home model because of Covid-19. It demonstrates a solution to two separate problems. The first is to develop a method to enhance both incident response and threat hunting remotely. This is accomplished by developing a triggering mechanism based on the Microsoft Windows Defender antivirus system. The trigger then executes a snapshot of the workstation's condition for cybersecurity professionals to use in determining whether the event is a false positive or a true positive. The second problem is to create a local logging mechanism to assist with basic forensic analysis of the remote worker's activity. In a typical enterprise environment, this solution can be used efficiently either over the Remote Desktop Protocol or by simply physically retrieving the device for further analysis.
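The abstract describes two mechanisms without giving their implementation: a Windows Defender detection that triggers a snapshot of the workstation, and a local log of the worker's activity for later forensics. The PowerShell below is an added illustration of both, not the paper's code. It assumes Defender's "malware detected" event (Event ID 1116 in the Microsoft-Windows-Windows Defender/Operational log) as the trigger, uses the built-in Task Scheduler event trigger to run a snapshot script as SYSTEM, and enables Windows process-creation auditing (Security Event ID 4688, with command lines) as the local activity log. The task name, the C:\IRSnapshots folder and the set of collected artifacts are this example's choices; it must be run from an elevated session.

```powershell
# Added example, not the paper's implementation. Run elevated on the workstation.
$SnapshotRoot   = 'C:\IRSnapshots'                              # assumed collection folder
$SnapshotScript = Join-Path $SnapshotRoot 'Invoke-Snapshot.ps1'
New-Item -ItemType Directory -Path $SnapshotRoot -Force | Out-Null

# --- 1. Snapshot script: executed by the scheduled task on every Defender detection ---
@'
param([string]$Root = 'C:\IRSnapshots')
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$out   = Join-Path $Root "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $out -Force | Out-Null

# Volatile state first: processes and the TCP connections they own (join on Id/OwningProcess)
Get-Process -IncludeUserName |
    Select-Object Id, ProcessName, Path, UserName, StartTime, CPU |
    Export-Csv (Join-Path $out 'processes.csv') -NoTypeInformation
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv (Join-Path $out 'tcp_connections.csv') -NoTypeInformation

# What Defender itself reported, plus its recent operational events
Get-MpThreatDetection | ConvertTo-Json -Depth 4 |
    Set-Content (Join-Path $out 'defender_detections.json')
Get-WinEvent -FilterHashtable @{LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1116, 1117} -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message |
    Export-Csv (Join-Path $out 'defender_events.csv') -NoTypeInformation

# Common persistence locations and interactive sessions
Get-CimInstance Win32_StartupCommand |
    Select-Object Name, Command, Location, User |
    Export-Csv (Join-Path $out 'startup_commands.csv') -NoTypeInformation
Get-ScheduledTask | Select-Object TaskName, TaskPath, State |
    Export-Csv (Join-Path $out 'scheduled_tasks.csv') -NoTypeInformation
quser 2>$null | Set-Content (Join-Path $out 'logged_on_users.txt')

# The local activity log: recent process-creation events (requires the audit policy below)
Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4688} -MaxEvents 500 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Export-Csv (Join-Path $out 'process_creation_4688.csv') -NoTypeInformation

# Hash everything collected so the analyst can verify integrity after transfer
Get-ChildItem $out -File | Get-FileHash -Algorithm SHA256 |
    Export-Csv (Join-Path $out 'manifest_sha256.csv') -NoTypeInformation
'@ | Set-Content -Path $SnapshotScript -Encoding UTF8

# --- 2. Local logging: audit process creation and include the command line in 4688 events ---
auditpol.exe /set /subcategory:"Process Creation" /success:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# --- 3. Trigger: a Task Scheduler event subscription on Defender Event ID 1116 ---
$subscription = @"
<QueryList>
  <Query Id="0" Path="Microsoft-Windows-Windows Defender/Operational">
    <Select Path="Microsoft-Windows-Windows Defender/Operational">*[System[(EventID=1116)]]</Select>
  </Query>
</QueryList>
"@
$triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
$trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
$trigger.Subscription = $subscription
$trigger.Enabled = $true

$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$SnapshotScript`""
$principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
Register-ScheduledTask -TaskName 'IR-DefenderSnapshot' -Trigger $trigger -Action $action `
    -Principal $principal -Force | Out-Null
```

Each detection produces a timestamped folder under C:\IRSnapshots that an analyst can pull over RDP or read from the device directly, matching the two retrieval paths the abstract names. The SHA-256 manifest is written last so the analyst can confirm nothing in the snapshot changed in transit; the 4688 export only becomes useful once the audit policy in step 2 has been in place long enough to cover the period of interest.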
Frank B. Williams, C. Varol, A. Rasheed
2021 9th International Symposium on Digital Forensics and Security (ISDFS)