Digital Forensics & Incident Response (DFIR) is becoming more and more important in the IT world. Hackers build ever more sophisticated software to breach devices, networks and more. This is where Easi comes in, to help prevent such breaches or to help when a breach occurs. If you want to know more about our approach to DFIR, don't hesitate to read on or contact us!
What is DFIR?
DFIR, short for Digital Forensics & Incident Response, is the process required to correctly handle an incident that involves digital information. The focus is on identifying, investigating and recovering from computer-related incidents, such as security incidents, breaches and cyber threats.
As the world of digital information continually changes, so does the approach of hackers. They are becoming more innovative and are constantly looking for new ways to cause breaches. It could very well be that a hacker is reading along right now without you realizing it. By the time you notice a hacker carrying out malicious activity within your network, it is often too late and data has already been stolen. This is where Digital Forensics & Incident Response (DFIR) comes in.
What does Easi do for you?
Easi gets right down to business. We follow a predefined Incident Response Plan, which makes sure no steps are overlooked or forgotten.
Kick off: Preparation
The first step is very important and has several aspects. Within our Incident Response package, we provide User Awareness training to make sure all employees know how to protect their data in the best possible way. This makes employees aware of the dangers regarding cyber security and data breaches. We also demonstrate a data breach to show visually what can happen. The last part of this phase is providing high-tech tools that monitor for and threat-hunt possible attackers 24/7. This already reduces the chance of a cyber security incident.
Step 1: Identification
In the second step we try to gather as much information as possible. You will be provided with a predefined questionnaire. Most of the questions are quite easy to fill in, which saves the Incident Response team a lot of time so that it can start the actual containment of the malware sooner. Depending on the kind of incident, you may receive additional questions as well. Answering these is not mandatory, but it helps a lot.
Step 2: Containment
Next, we have the Containment phase, one of the most important phases. Here we try to contain the virus, malware or other threat. Our clients receive an infection plan with short instructions on disconnecting infected devices, gathering evidence and so on, should it be needed. The Incident Response team then starts hardening devices and user accounts to protect against further infection: changing password policies, adding firewall rules, enabling 2FA, patching and so on. This provides the protection needed to start the next phase.
Step 3: Eradication
In the Eradication phase the Incident Response team eliminates the virus, malware or other threat and removes it from all devices. This phase uses the tools provided at the beginning of the agreement. The tools we use during incident response are high-end and offer many features. For example, some tools can track suspicious activity and abnormal behaviour, which shows us the path the hacker took to get into the system and how he or she did it. Our tools can then determine whether an infection is malicious and even kill it before it does harm to any system. As you can see, the right tooling is very important in incident response: it lets us find threats, search for malicious files and so on far more efficiently. Once we have found the cure for the problem, we patch and update all infected devices and systems, and reimage or perform a rollback where needed.
Step 4: Recovery
While the previous steps focused on eradicating the virus, malware or other threat, this step brings all devices and systems back to a normal operational state. This can be done through the disaster recovery plan, which can also be included in the Incident Response package. That way everything is predefined, so when an incident occurs we can act quickly. After performing disaster recovery, we review all configurations of the firewall, tools and so on, based on the information gathered during the incident. This information yields many exclusions that help eliminate threats in the future.
Step 5: Lessons Learned
Finally, we discuss everything that happened before, during and after the incident, so that both the Incident Response team and our customer learn from it. In our clearly written report we present the incident and what exactly happened, and then explain what we did to eradicate the virus, malware or other threat. For non-technical people we can also give a presentation with high-level information. At the end we provide you with solutions for possible weaknesses, to help ensure that a similar breach won't happen again. At Easi we rely heavily on good communication before, during and after an incident, so that both parties are informed at all times.
How does Easi work on DFIR?