Incident Response

Suspecting, discovering, or being notified of an incident can be a trying time. Many incidents are discovered well after they started. However, that doesn't mean all is lost. It is never too late to respond and the sooner the better. This page outlines some of the key components of Volexity's Incident Response process. While displayed in multiple sections, many of these steps are performed in parallel and tailored to each specific customer and their environment.

  • Initial Steps

    An important first step is not to panic. Consult with Volexity to determine the scope and scale of your breach based on currently available data. In some cases, Volexity has been able to determine initial incident alarms were false positives and incident response was not even necessary.

    We will learn more about you and your environment and explain to you how we can help. Once an approach has been agreed upon, we will move forward to next steps and begin the response process.

  • Evidence Collection

    Volexity will work with you to start collecting data that will be key to scoping and understanding an incident. Quickly collecting this data can be critical to not missing important information. For example, volatile system memory should be collected as soon possible, whereas other data sources may be readily available and have a lower collection priority. This data is used as one component of understanding an incident and will often fuel the next steps.

    A small example of data that is often collected during an incident response engagement is as follows:

    • System Memory
    • Hard Drives / Disk Images
    • Proxy Logs
    • Event Logs
    • VPN Access Logs
    • Web Access Logs
    • IDS Alert Data
    • Antivirus Logs

  • Network Capabilities

    Obtaining network visibility during an incident can potentially be the difference between playing whack-a-mole and implementing a winning strategy from the start. While network monitoring is not required and in some cases even possible, it can dramatically improve the speed at which success is met.

    By deploying network monitoring equipment, Volexity is able to detect suspect activity and threats across the enterprise. This same equipment can be used to deploy agents across the network to support remote data collections and monitoring for various indicators of compromise (IOCs).

  • Collaborative Strategy

    Working hand-in-hand with the customer, Volexity will develop a strategy to respond to the the intrusion in a meaningful way. This may involve both short-term and long-term solutions. Many organizations may not have the resources (time, budget, buy-in) for implementing sweeping changes with short notice. Some solutions will be simple and immediate, while others may take longer to coordinate.

    This strategy is made with input directly from the customer. No one understands the organization and pitfalls with an organization better than someone that works there everyday. With the appropriate customer input, Volexity will ensure an effective incident suppression strategy and remediate plan are developed and followed.

  • Incident Suppression & Remediation

    The process of cutting off attackers and securing key assets will likely start at the very beginning. However, every environment is different and various components of a proper response often take time. Temporary mitigations may be replaced by permanent solutions. Following the previously developed Collaborative Strategy, Volexity and the customer will make sweeping changes that will remove the intruders with a focus on permanently eliminating their foothold.

About

Volexity is a security firm based out of the Washington, D.C. area that specializes in assisting organizations with threat intelligence, incident response, forensics, and trusted security advisory.

Recent Announcements

On April 25, 2014, Volexity has launched a new version of its website with an updated Blog to follow shortly!

Connect with Us

© 2014 Volexity, Inc. All rights reserved. | Privacy Policy