That's really cool. I was mostly envisioning hands-on admin stuff (because that's the work I'm most familiar with), but I hadn't thought about how much of a boon it would be to have someone with incident management experience arriving to help out. If you ever do a write-up about your experience, I'd love to read it.
In that case, doing just incident response would not have been enough, to be frank. They needed guidance on what to do and what not to do, technically speaking, so that on the one hand, they have hope to start things up, but also to preserve evidence.
Even the sequencing (recover and secure the network, then the AD, then some Tier-2 apps etc.) was something they were not ready for. I cannot blame them - the way these things are managed is really messy, with no clear responsibilities beyond the everyday operations.
My hope is that the continuous attacks on the national infrastructure (such as hospitals) will build a more coordinated and homogeneous approach. This would be a great lesson learned.