Suspecting, discovering, or being notified of an incident can be a trying time. Many incidents are discovered well after they started. However, that doesn't mean all is lost. It is never too late to respond and the sooner the better. This page outlines some of the key components of Volexity's Incident Response process. While displayed in multiple sections, many of these steps are performed in parallel and tailored to each specific customer and their environment.
An important first step is not to panic. Consult with Volexity to determine the scope and scale of your breach based on currently available data. In some cases, Volexity has been able to determine initial incident alarms were false positives and incident response was not even necessary.
We will learn more about you and your environment and explain to you how we can help. Once an approach has been agreed upon, we will move forward to next steps and begin the response process.
Volexity will work with you to start collecting data that will be key to scoping and understanding an incident. Quickly collecting this data can be critical to not missing important information. For example, volatile system memory should be collected as soon possible, whereas other data sources may be readily available and have a lower collection priority. This data is used as one component of understanding an incident and will often fuel the next steps.
A small example of data that is often collected during an incident response engagement is as follows:
Obtaining network visibility during an incident can potentially be the difference between playing whack-a-mole and implementing a winning strategy from the start. While network monitoring is not required and in some cases even possible, it can dramatically improve the speed at which success is met.
By deploying network monitoring equipment, Volexity is able to detect suspect activity and threats across the enterprise. This same equipment can be used to deploy agents across the network to support remote data collections and monitoring for various indicators of compromise (IOCs).
Working hand-in-hand with the customer, Volexity will develop a strategy to respond to the the intrusion in a meaningful way. This may involve both short-term and long-term solutions. Many organizations may not have the resources (time, budget, buy-in) for implementing sweeping changes with short notice. Some solutions will be simple and immediate, while others may take longer to coordinate.
This strategy is made with input directly from the customer. No one understands the organization and pitfalls with an organization better than someone that works there everyday. With the appropriate customer input, Volexity will ensure an effective incident suppression strategy and remediate plan are developed and followed.
The process of cutting off attackers and securing key assets will likely start at the very beginning. However, every environment is different and various components of a proper response often take time. Temporary mitigations may be replaced by permanent solutions. Following the previously developed Collaborative Strategy, Volexity and the customer will make sweeping changes that will remove the intruders with a focus on permanently eliminating their foothold.