Network-based incident response is often overshadowed by the endpoints (servers, desktops, and other devices) that your environment uses. To make matters worse, most organizations don't have the tools or the fancy bells and whistles that other organizations may have at their disposal. Our approach to network-based incident response uses the tools you already have, combined with our own methodology and approach to discovery.
Our approach to network-based incident response starts at the potentially affected endpoints (servers, desktops, etc.). From there, we perform our normal endpoint incident response and branch outward. No, you don't need fancy tools or expensive subscriptions. We will use what is available, coupled with tools we've developed, to help detect and mitigate any risks that may be affecting your network.
From the endpoint and the identification of threats, our next stop is the network level. This may include network taps, captures or monitoring, combined with threat hunting through packet captures.
Once we have enough information to stop the bleeding, identify the affected systems and determine how your systems will be brought back online, we begin the recovery process for your environment. After this process, we work with you and your business to formulate a plan that limits the risk and attack surface based on the current event, and help restore your business to its operating condition.
Our Approach to Network IR:
- Endpoint Detection
The suspected systems are investigated for anomalous traffic and behaviors while network captures with tools like Wireshark, tcpdump or Network Monitor collect information in the background and through a network tap.
- Network Investigation
Once we've collected enough information, we leverage any and all network tools or monitoring you have available (SIEM, switches, or network captures at the switches) and begin building a report of additionally affected systems and communications.
- Containment
When malicious traffic, systems, programs or other tools a threat actor may use are identified, we begin the process of containment. At this stage, all malicious IOCs and communications are blocked, and, if you have the technology in place (SIEM), alerts are created around those communications to detect additional affected systems.
- Recovery
We work with the business and your I.T. team to discover what issues led to the compromise of the affected systems and to help rebuild resiliency (updates, images, hot fixes, security mitigation strategies, etc.).
- Documentation & Lessons Learned
Finally, we provide your business with a complete write-up and lessons learned regarding the event, along with everything you need to detect, respond to and mitigate similar events in the future. We can also provide training and education to your users to help limit the attack surface moving forward, using a comprehensive, easy-to-understand methodology.
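The Network Investigation and Containment steps above come down to one repeatable task: sweep the connection records you already have (tap captures, switch-level captures, SIEM exports) for known IOCs, list which internal hosts talked to them, and turn the result into block rules and an alert. The script below is an added illustration of that workflow, written for this page; it is not the firm's own tooling. The connection log, the IOC addresses and the rule syntax are all constructed placeholders.

```python
"""Hunt a connection log for known-bad destinations and build a containment plan.

Added example for this page; the log lines and IOC addresses are constructed
placeholders, not real traffic or real threat intelligence.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: "timestamp src dst dst_port proto", one flow per line,
# in the spirit of a Zeek conn.log or a summary exported from a switch/SIEM.
SAMPLE_CONN_LOG = """\
2024-05-01T10:02:11Z 10.0.5.23 198.51.100.77 443 tcp
2024-05-01T10:02:14Z 10.0.5.23 10.0.0.10 53 udp
2024-05-01T10:03:01Z 10.0.7.8 198.51.100.77 443 tcp
2024-05-01T10:03:40Z 10.0.9.14 203.0.113.9 8443 tcp
2024-05-01T10:04:05Z 10.0.5.23 93.184.216.34 80 tcp
this line is malformed on purpose and must be skipped
2024-05-01T10:05:19Z 10.0.7.8 203.0.113.9 8443 tcp
"""

# Constructed IOC set (documentation-range addresses, not real indicators).
KNOWN_BAD_IPS = {"198.51.100.77", "203.0.113.9"}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(tcp|udp)$")


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    dst: str
    port: int
    proto: str


def parse_conn_log(text):
    """Yield (ts, src, dst, port, proto) tuples; malformed or non-IP lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, proto = m.groups()
        try:
            ipaddress.ip_address(src)
            ipaddress.ip_address(dst)
        except ValueError:
            continue
        yield ts, src, dst, int(port), proto


def hunt_iocs(text, bad_ips):
    """Return every flow whose destination is a known IOC (the threat-hunting sweep)."""
    return [Hit(*rec) for rec in parse_conn_log(text) if rec[2] in bad_ips]


def build_containment_plan(hits):
    """Turn IOC hits into (a) the list of affected internal hosts, (b) block rules
    for each observed bad destination/port, and (c) a generic SIEM alert condition.
    Rule syntax is illustrative, not any vendor's real format."""
    affected = defaultdict(set)
    for h in hits:
        affected[h.src].add(h.dst)
    block_rules = sorted({f"deny ip any {h.dst} {h.port}/{h.proto}" for h in hits})
    bad_dsts = sorted({h.dst for h in hits})
    alert_rule = "alert when dst_ip in (" + ", ".join(bad_dsts) + ")"
    return {
        "affected_hosts": {src: sorted(dsts) for src, dsts in sorted(affected.items())},
        "block_rules": block_rules,
        "alert_rule": alert_rule,
    }


if __name__ == "__main__":
    found = hunt_iocs(SAMPLE_CONN_LOG, KNOWN_BAD_IPS)
    plan = build_containment_plan(found)
    for host, dsts in plan["affected_hosts"].items():
        print(f"affected host {host} contacted: {', '.join(dsts)}")
    print("\n".join(plan["block_rules"]))
    print(plan["alert_rule"])
```

Run against the constructed log, the sweep flags three internal hosts (10.0.5.23, 10.0.7.8 and 10.0.9.14), the second of which contacted both IOC addresses, and emits two block rules plus one alert condition. The parser deliberately drops malformed lines instead of aborting, since real exports are rarely clean; keep the raw hit list as evidence for the write-up, because the block rules alone do not record which hosts were involved.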
No Fancy Tools Required. No Unnecessary Costs. Just Real Response!
We are committed to helping you detect, contain and recover from incidents using a practical, proven and cost-effective approach, empowering your team to handle tomorrow's threats today. Find out how we can help you. Contact us today!