The Respond phase deals with incidents as they are identified. It has three aims: to further our clients’ understanding of an attack or APT, to feed what is learned back into the Detect phase, and to limit the damage done (Protect). Every compromise is an opportunity to learn more about the attacker and their tooling.
We recommend a number of actions for furthering our understanding of an attack and for finding other, similar compromises across the estate. We always take a collaborative approach and only undertake work once the client has been briefed on the reasons for it, the possible and likely outcomes, and any associated risks. These options include one or more of the following:
- Forensic examination of hard disks
- Reverse engineering of malware
- Monitoring the network traffic to and from specific hosts
We work with each client to triage incidents and to move towards handling them as business as usual.
A standard response will be one of:
- Remove an infected host from the network and re-image it. This is the quickest route back to service, but it destroys the evidence on that host, so it is only appropriate when no further analysis is wanted.
- Remove an infected host from the network and retain it for further analysis, whether through forensic examination of its disks or reverse engineering of the malware found on it.
- Leave an infected host on the network and conduct further analysis in place, including live imaging for forensic examination and malware analysis. This preserves volatile state and lets us observe the attacker, at the cost of the host remaining exposed while the analysis runs.
It is often not appropriate, practical or possible to analyse every incident, nor does every incident identified require further analysis. We work with each client to find the right response for each case.