We are often asked what a typical breach response looks like, and the answer is that no two incidents are the same. But here’s one example from a breach we responded to recently. It started when we were contacted by a company in the critical infrastructure sector. The company had noticed suspicious activity on its network: multiple servers were running unexpected services, there was unusual VPN activity, and they had found suspicious executables. The company knew there was an issue and asked our NDF team to investigate how the breach occurred, determine what, if anything, had been taken, and defend against future attacks.
For a little background, the company we were working with has more than 1,600 servers and approximately 6,000 user devices around the world. With that many potential points of compromise, our first priority was to increase network visibility and perform forensic analysis to determine whether intruders were still active within the network.
With that goal in mind, we went to work. As with any breach response, we first had to put together a plan of attack. In this case our response would include conducting interviews, imaging suspect systems for forensic analysis, reverse engineering suspicious files, and establishing a provisional Security Operations Center staffed by our team while the company began to build its own in-house SOC.