• Learnings from 10000 hours of enterprise forensics

    Med: Alexander Andersson och Rasmus Grönlund, Principal Digital Forensic Investigators på Truesec

    With more than 10.000 hours, leading over 300 forensic investigations — Alexander and Rasmus will take you through all the phases, challenges, and the most important learnings when responding to a cyber attack against a complex enterprise environment.


    The session will cover the entire lifecycle of an incident, from start to end, and consider the challenges we as incident responders see again and again in our cases:

    – How do you scale forensic data collection and analysis to handle thousands of servers?
    – How do you remotely access an environment that is breached, malfunctioning, that at the same time needs to be contained?
    – What are the techniques today’s threat actors use, and what traces do they leave?
    – How do you contain the situtation and minimize the risk for further damage?
    – What steps are needed to eradicate the threat and close any ways back into the environment?
    – What options do you have when everything fails, can ever paying the ransom be an option?


    The session will cover the forensic aspects of incident response on a high level, but will also feature technical deep dives on advanced attack techniques, threat actor modus, and how Truesec recently reversed and cracked a ransomware to get the customer’s files back without paying the threat actors.

    Taggning: Cyber Security and Cloud

    Om: Alexander Andersson och Rasmus Grönlund

    Alexander is a Principal Forensic Consultant at the cyber security company Truesec, where he focuses on incident response, threat intelligence, and security research. Alexander spends most of his time providing incident response to companies that have suffered from a cyber attack. He has performed hundreds of complex investigations over the last years. Alexander also performs offensive and forensic research, and is responsible for developing Truesec’s forensic tooling.


    Rasmus is one of the Forensic Leads in the Truesec CSIRT (Cybersecurity Incident Response Team), responsible for Truesec enterprise scale forensics. In the event of a cyber attack, you’ll find Rasmus at the forefront of the forensic investigation, collecting and analyzing evidence. Analyzing data to figure out what happened, how it happened, and determining what needs to be done to prevent further damage.

    Possessing deep insight into the threat landscape, techniques, and threat actors’ behaviors, Rasmus is a highly valued contributor to the cyber community, frequently sharing his knowledge. He is a top-rated speaker and presenter, educating others about incident response, forensics, threat intelligence, enterprise security, and monitor and response capabilities.