Step 1. Assess
First, do a thorough assessment of your organization’s situation. The IR team should interview key stakeholders and gain real-time visibility into the organization’s networks and computers. The CrowdStrike® Services IR team achieves deep insight quickly by deploying the cloud-native CrowdStrike Falcon® platform, which enables immediate, comprehensive visibility across your enterprise. It allows you to monitor and restrict any real-time breach activity as it happens, preventing it from causing more harm.
Step 2. Contain
Containing any damage from an incident is of paramount importance and should be done as quickly as possible. Once the IR team has gained visibility and is assessing the situation, the team can begin to preserve evidence while preventing the threat actor from doing further harm. To capture this evidence, IR teams often use “imaging,” which involves making a byte-for-byte copy of the compromised machine’s hard drive and memory. This allows them to capture evidence that would otherwise be lost in the next reboot. Having this evidence is important if collaborating with law enforcement becomes necessary, because it eliminates the need for a physical server unless it’s specifically requested.
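The imaging step above has one detail that matters in practice: an image is only evidence if you can prove it is a faithful copy. The following Python example (added here; it is not CrowdStrike’s code or tooling) performs a streamed byte-for-byte copy, hashes the source as it is read, re-hashes the finished image independently, and emits a chain-of-custody manifest. The sample "disk" is a constructed temporary file; on a real engagement the source would be a block device and the acquisition would run from a trusted boot environment.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so a multi-TB device never has to fit in RAM


def acquire_image(source_path, image_path, chunk_size=CHUNK):
    """Byte-for-byte copy of source_path into image_path, hashed on the way in and
    re-hashed from the finished image; returns a chain-of-custody manifest."""
    src_hash, copied = hashlib.sha256(), 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk_size), b""):
            src_hash.update(block)   # digest of what was read from the evidence source
            dst.write(block)
            copied += len(block)
        dst.flush()
        os.fsync(dst.fileno())       # image must be on stable storage before re-reading it
    img_hash = hashlib.sha256()
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(chunk_size), b""):
            img_hash.update(block)   # independent digest of the bytes actually written
    return {
        "source": source_path,
        "image": image_path,
        "bytes": copied,
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": img_hash.hexdigest(),
        "verified": src_hash.hexdigest() == img_hash.hexdigest(),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }


def demo():
    """Constructed sample: a small random file stands in for a compromised host's disk."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "sample_disk.bin")
    with open(src, "wb") as f:
        f.write(os.urandom(3 * CHUNK + 12345))  # deliberately not a multiple of the block size
    manifest = acquire_image(src, os.path.join(workdir, "sample_disk.img"))
    with open(os.path.join(workdir, "sample_disk.manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)     # the manifest travels with the image to law enforcement
    return manifest
```

A manifest whose `verified` field is false means the image cannot be relied on and the acquisition should be repeated before the original is touched again.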
Step 3. Investigate
After the threat has been assessed and contained, the IR team moves quickly to investigate. During this process, the IR team continues to collect and preserve evidence, document the findings and help the victim organization come to a full understanding of what has occurred by answering key questions that will determine the “who, what, when and where” of the attack. The information gathered during this phase will help the organization implement improvements that decrease risk and protect against future incidents.
Step 4. Secure
IR services teams bring a unique perspective to companies experiencing a breach, and their ongoing assistance is important in ensuring that organizations have the security they need to defend against future attacks. The proactive security measures they provide can also guide organizations that have been victimized, helping them implement remediation and ongoing security program strategies and technology such as the CrowdStrike Falcon platform.
Given the current threat environment and the headline-making breaches with which we are all too familiar, cyberattacks must be considered an inevitability. When an incident occurs, an organization’s ability to quickly detect, contain and remediate is critical. However, it’s equally important to develop strategies for avoiding future incidents and to ensure that you can keep ahead of the attackers that may be targeting your organization. An IR services provider such as CrowdStrike Services has the technology and security expertise to help you resolve incidents faster, with a seasoned and experienced team to take you to the next level of cybersecurity maturity — allowing you to “future-proof” your organization and reduce the risk of a damaging and costly cyberattack.
- Watch the video “4 Steps to Successful Incident Response.”
- Get back to basics and read our post, “What is Incident Response and Why You Need a Plan.”
- Learn more about the CrowdStrike Services team and the proactive services that can help your organization ensure cybersecurity readiness by visiting the webpage.
- Learn more about the CrowdStrike Falcon Platform by visiting the webpage.
- Get a full-featured free trial of CrowdStrike Falcon Prevent™ and learn how true next-gen AV performs against today’s most sophisticated threats.