[Cover image: "DFIRSIDE CHAT: PART 2", Breaking Badness Podcast]

DFIR Foundations: Real-World Lessons in Containment, Eradication, and Recovery

In this powerful continuation of our Foundations of DFIR series, cybersecurity experts Daniel Schwalbe, David Bianco, Lesley Carhart, and Sarah Sabotka dissect the heart of effective incident response: containment, eradication, recovery, and lessons learned. Packed with firsthand war stories, sharp tactical advice, and honest debates, this episode is a must-listen for anyone building or refining their digital forensics and incident response capabilities. Tune in to learn why planning matters, what to do (and not do) during a breach, and how to make the adversary’s job harder, one containment plan at a time.

The Heart of DFIR: Why Containment Matters

Containment is often misunderstood, under-planned, or delayed. David Bianco opens with a bold stance: don’t wait to act once adversaries are detected. “Shut it down. Maybe that won’t work for everyone, but it works for most organizations.” Lesley Carhart echoes this, emphasizing the need to “make the adversaries’ lives hard.”

Organizations often face analysis paralysis. Lesley highlights the importance of naming a risk decision-maker and providing them with the tools to act, noting that “containment is a paralysis point for a lot of organizations.”

“You need to give them the confidence to make the call… so they don’t fear losing their job.” – Lesley Carhart

Eradication: More Than Malware Removal

Eradication is about removing every trace of adversary access – malware, accounts, tools, and persistence mechanisms. Sarah Sabotka underscores the role of cyber threat intelligence (CTI): “CTI can help smash everything down so there’s no potential for another incident.”

David and Lesley drive home the importance of logistics and mass-scale planning: resetting service accounts, performing wide-scale inspections, and having tested procedures in place for both technical and operational actions.

“Everything in eradication is tailored to exactly what happened… there’s no step-by-step playbook.” – David Bianco

Recovery: Testing Backups Is Not Optional

Backups are critical, but only if they work. “Everybody has backups. Nobody tests them,” Daniel Schwalbe laments. The panel dives into real-world recovery failures, including a case where a global Active Directory (AD) recovery depended on a single offline domain controller on another continent.

Lesley brings up the high-stakes environment of healthcare, where untested or nonexistent backups can be life-threatening. The discussion emphasizes the importance of configuration management, tested restoration processes, and vendor coordination.

“Backups are the difference between a one-day incident and a two-month disaster.” – Lesley Carhart
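The panel's point is that a backup only counts once a restore has been exercised. The script below is an added illustration for this recap, not tooling from the panelists or DomainTools: it restores an archive into scratch space, checks every file against a SHA-256 manifest the backup job is assumed to have written at backup time (the `MANIFEST.json` name and tar.gz layout are assumptions), and refuses archive members whose paths would escape the restore directory. The sample archives are constructed inline so the check runs offline.

```python
"""Restore-test a backup: extract it to a throwaway directory and verify every
file against the manifest the backup carries.  Added example for this recap,
not the panel's tooling; archive layout and manifest name are assumed."""
import hashlib
import io
import json
import os
import tarfile
import tempfile
from typing import Optional

MANIFEST_NAME = "MANIFEST.json"  # assumed convention: {path: sha256} written by the backup job


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_backup(files: dict, manifest: Optional[dict] = None) -> bytes:
    """Constructed sample backup: a tar.gz of `files` plus a manifest of digests.
    Passing an explicit `manifest` simulates a backup whose manifest no longer
    matches its contents (silent corruption, or a file that was never captured)."""
    if manifest is None:
        manifest = {name: sha256_hex(data) for name, data in files.items()}
    entries = dict(files)
    entries[MANIFEST_NAME] = json.dumps(manifest, sort_keys=True).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def _safe_dest(name: str, root: str) -> Optional[str]:
    """Destination path for an archive member, or None if it would land outside `root`."""
    if name.startswith(("/", "\\")):
        return None
    dest = os.path.realpath(os.path.join(root, name))
    if dest != root and not dest.startswith(root + os.sep):
        return None
    return dest


def restore_test(archive: bytes) -> dict:
    """Extract `archive` into scratch space and check it against its manifest.
    `ok` is True only when every manifest entry restored with the right digest
    and no member had to be skipped for an unsafe path."""
    report = {"ok": False, "restored": 0, "corrupt": [], "missing": [], "skipped": []}
    with tempfile.TemporaryDirectory() as scratch:
        root = os.path.realpath(scratch)
        with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
            for member in tar.getmembers():
                if not member.isfile():
                    continue  # directories, links and devices are not part of this check
                dest = _safe_dest(member.name, root)
                if dest is None:
                    report["skipped"].append(member.name)
                    continue
                os.makedirs(os.path.dirname(dest), exist_ok=True)
                with tar.extractfile(member) as src, open(dest, "wb") as dst:
                    dst.write(src.read())
                report["restored"] += 1
        manifest_path = os.path.join(root, MANIFEST_NAME)
        if not os.path.exists(manifest_path):
            report["missing"].append(MANIFEST_NAME)
            return report
        with open(manifest_path, "rb") as fh:
            manifest = json.loads(fh.read())
        # Every file the backup claims to hold must be present and hash-identical.
        for name, expected in manifest.items():
            dest = _safe_dest(name, root)
            if dest is None or not os.path.exists(dest):
                report["missing"].append(name)
                continue
            with open(dest, "rb") as fh:
                if sha256_hex(fh.read()) != expected:
                    report["corrupt"].append(name)
    report["ok"] = not (report["corrupt"] or report["missing"] or report["skipped"])
    return report


if __name__ == "__main__":
    # Constructed sample content standing in for a real system backup.
    sample = {"etc/app.conf": b"listen=443\n", "var/db/users.sqlite": b"sqlite-bytes"}
    print(restore_test(build_sample_backup(sample)))
```

Run this against a copy of each backup set on a schedule, not just once; a report whose `ok` flips to False is the signal that the "backups" on paper are not the recovery you are counting on.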

Identification and the Role of CTI

Once an alert hits the radar, what happens next? The team explores how threat intelligence can shape the identification phase.

Sarah Sabotka highlights how CTI plays a key role in real-time incident prioritization: “We can enrich [alerts] with what’s happening on the landscape, or what we’re hearing from intel-sharing partners.”

David Bianco also warns against alert fatigue: “We’ve had that for 20 years… flooded with alerts.” The group urges organizations to optimize detection workflows, not just pile on tooling.

This phase is also where visibility gaps become obvious. “This is really where lessons learned.”

Lessons Learned: The Often-Ignored Goldmine

This phase, often skipped, is where continuous improvement lives. It’s where organizations ask: What happened? Why? How do we prevent it?

David calls it the “best source of CTI,” and Sarah adds that it’s a chance to illustrate the attack chain and share insights with trusted partners. Daniel argues for structured after-action reviews, emphasizing their roots in military best practices.

“Don’t let the lessons learned be something you write after the fact; track them during the incident.” – David Bianco

The group also emphasizes empathy with users, with staff, and with organizations under attack. Daniel and Lesley passionately reject the culture of blame, calling for a shift toward support and openness in the wake of incidents.

“I will not test-phish my users. It creates shame, and shame creates silence.” – Daniel Schwalbe

That’s about all we have for this week. You can find us on Mastodon and Twitter/X at @domaintools, and all of the articles mentioned in our podcast are always included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.

A special thanks to John Roderick for our incredible podcast music!