- a. Network forensics and event visibility will include a centralized, searchable event log repository combined with deep-packet inspection capabilities to give the company continuous visibility into security events and insight into attacker techniques.
- b. Enterprise memory forensics will include the ability to inspect running processes in memory for suspicious behaviors, because some malicious software is configured never to be written to disk, and signature-based detection mechanisms cannot discover malware they have never seen.
- c. Enterprise host-based forensics will enable the investigation team to confirm malware infection on, access to, or data exfiltration from hosts identified by other work streams or through the forensic process, as well as accounts compromised by or created by the attackers that give them persistent access to the environment.
- d. Enterprise sweep will enable the investigation to search hosts across the enterprise for the indicators of compromise developed during the investigation to identify computer assets that must be addressed during the eradication event.
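As an added illustration of the sweep described in (d), not code from the original article: a Python sketch that matches constructed per-host snapshots against an IOC set (file hashes and domains) and, as an assumption drawn from (b), flags running processes whose image is absent from disk. All host data, hashes and domains below are constructed sample values.

```python
"""Added example (not from the original article): a minimal enterprise IOC
sweep over per-host snapshots, plus a fileless-process heuristic."""
from dataclasses import dataclass


@dataclass
class HostSnapshot:
    hostname: str
    file_hashes: set        # SHA-256 digests of files on disk (constructed)
    process_images: dict    # pid -> image path of a running process
    on_disk_paths: set      # image paths that actually exist on disk
    outbound_domains: set   # domains the host resolved or connected to


def normalize_domain(d):
    return d.lower().rstrip(".")


def sweep(hosts, iocs):
    """Return {hostname: [reasons]} for hosts matching any indicator.
    iocs = {"hashes": set, "domains": set}; a domain IOC also covers subdomains."""
    bad_hashes = {h.lower() for h in iocs.get("hashes", set())}
    bad_domains = {normalize_domain(d) for d in iocs.get("domains", set())}
    hits = {}
    for host in hosts:
        found = [f"file hash {h.lower()}" for h in host.file_hashes if h.lower() in bad_hashes]
        for d in host.outbound_domains:
            nd = normalize_domain(d)
            if any(nd == b or nd.endswith("." + b) for b in bad_domains):
                found.append(f"domain {nd}")
        # Memory-forensics heuristic (assumption, not from the article): a running
        # process whose image path is not present on disk is treated as suspicious.
        for pid, image in host.process_images.items():
            if image not in host.on_disk_paths:
                found.append(f"pid {pid} image missing on disk ({image})")
        if found:
            hits[host.hostname] = found
    return hits


# Constructed sample data: one hash hit, one fileless process plus C2 domain, one clean host.
IOCS = {"hashes": {"AB" * 32}, "domains": {"evil.example"}}
HOSTS = [
    HostSnapshot("ws01", {"ab" * 32, "cd" * 32}, {100: "C:\\Windows\\explorer.exe"}, {"C:\\Windows\\explorer.exe"}, {"cdn.example.net"}),
    HostSnapshot("ws02", {"ef" * 32}, {200: "C:\\Users\\Public\\upd.exe"}, set(), {"c2.EVIL.example."}),
    HostSnapshot("ws03", {"ef" * 32}, {300: "/usr/bin/sshd"}, {"/usr/bin/sshd"}, {"example.org"}),
]


def eradication_targets(hosts=HOSTS, iocs=IOCS):
    """Hosts that must be addressed during the eradication event."""
    return sorted(sweep(hosts, iocs))


if __name__ == "__main__":
    for host, reasons in sweep(HOSTS, IOCS).items():
        print(host, "->", "; ".join(reasons))
```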
- a. First, it will identify and address vulnerabilities in the environment that may have been exploited by the attackers to get in or might be exploited by them to re-enter after the eradication event.
- b. Second, it must seek to harden the environment, to complicate an attacker’s efforts to get back into the environment after eradication.
- c. Third, it must enhance the company’s ability to detect future attacks.
- d. Fourth, it must expand the company’s capability to respond to sophisticated attacks.
- e. And finally, the remediation plan must prepare the company for the eradication event.