Cyber incidents often happen out of the blue and catch enterprises by surprise. If you seek assistance from an external incident response team, we recommend preparing the following materials in advance: it makes the first discussion far more productive, lets the external team apply its strengths immediately, and shortens the time needed to get the enterprise back to normal operations.
5 keys to working with security incident investigation teams
1. Confirm the scope of the damage
- Total number of compromised computers, compromised domains, and affected services
2. Key artifacts used in forensic analysis (registry hives, event logs, $MFT...)
- Exchange IIS logs / mail logs
3. Enable command-line auditing for process creation
- Security event ID 4688 (process creation), with "Include command line in process creation events" turned on, since a 4688 event without the command line shows only the image path
5. Network traffic monitoring logs
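Point 3 above is the one preparation step that is easy to get half right: the 4688 event is generated once the "Process Creation" audit subcategory is on, but the command line is only recorded when a separate policy is enabled. The script below is an added example, not TeamT5's own tooling; it assumes an elevated PowerShell session on a Windows host whose local audit settings are not overridden by group policy.

```powershell
# Added example (not from the original post): enable process-creation auditing
# with command-line capture, then verify that new 4688 events carry the command line.
# Assumes an elevated PowerShell session; a domain GPO may override these local settings.

# 1. Turn on the advanced audit subcategory "Process Creation" (Security event ID 4688).
auditpol.exe /set /subcategory:"Process Creation" /success:enable /failure:enable

# 2. Include the full command line in 4688 events. This is off by default and is the
#    registry value behind the GPO "Include command line in process creation events".
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 3. 4688 is noisy; enlarge the Security log (1 GiB here, an assumed value) so
#    the events are still there when the responders arrive.
wevtutil.exe sl Security /ms:1073741824

# 4. Verify: show the effective policy and the five most recent 4688 events.
#    The CommandLine column stays empty until step 2 has taken effect.
auditpol.exe /get /subcategory:"Process Creation"

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 5 |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Subject     = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
            Parent      = ($data | Where-Object Name -eq 'ParentProcessName').'#text'
            NewProcess  = ($data | Where-Object Name -eq 'NewProcessName').'#text'
            CommandLine = ($data | Where-Object Name -eq 'CommandLine').'#text'
        }
    } | Format-Table -AutoSize -Wrap
```

In a domain, set the same two settings centrally instead: Computer Configuration > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Detailed Tracking > Audit Process Creation, and Computer Configuration > Administrative Templates > System > Audit Process Creation > Include command line in process creation events. Be aware that command lines can contain credentials passed as arguments, so the Security log becomes sensitive data once this is on.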
An incident response team can assist the enterprise in determining the extent of the compromise
1. The scope of the compromise
Initially, the incident response team can help the enterprise establish what was affected, including the following:
- Look for recently created .zip, .tar, .rar and other archive files and check whether the attackers packaged them for exfiltration
- Check whether the endpoint has a tunnelling or port-forwarding tool installed or running
- Look for cloud application folders and clients such as Megatools, Dropbox, etc.
- Some attackers accidentally leave their configuration files behind. If so, there is a chance you can work out what information they stole
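The four checks above are the same first pass on every compromised Windows host, so they are worth scripting. The following is an added example (not TeamT5's own tooling): the search roots, look-back window, tool names and config-file names are assumptions to adapt to the environment, and every hit is a lead to verify, not proof of exfiltration.

```powershell
# Added example (not from the original post): first-pass triage for staged archives,
# tunnelling tools and cloud-sync clients on a suspect Windows host.
# Roots, look-back window, tool names and config names are assumptions; run elevated.

param(
    [int]$LookbackDays = 14,
    [string[]]$Roots = @('C:\Users', 'C:\ProgramData', 'C:\Windows\Temp', 'C:\PerfLogs')
)
$since = (Get-Date).AddDays(-$LookbackDays)

# One recursive walk over the roots; every check below filters this list.
$files = Get-ChildItem -Path $Roots -Recurse -File -ErrorAction SilentlyContinue

# 1. Recently created or modified archives: attackers commonly stage data in
#    ZIP/RAR/7z before exfiltration, so large archives in odd places deserve a look.
$archiveExt = '.zip', '.rar', '.7z', '.tar', '.gz', '.tgz', '.cab'
$archives = $files |
    Where-Object { $_.Extension -in $archiveExt -and ($_.CreationTime -ge $since -or $_.LastWriteTime -ge $since) } |
    Sort-Object Length -Descending |
    Select-Object FullName, @{ n = 'MB'; e = { [math]::Round($_.Length / 1MB, 1) } }, CreationTime, LastWriteTime

# 2. Tunnelling / port forwarding: well-known tool names (assumed list) as running
#    processes or as binaries on disk, plus netsh portproxy rules, which survive reboots.
$tunnelNames = 'ngrok', 'plink', 'chisel', 'frpc', 'frps', 'socat', 'iox', 'gost', 'ligolo', 'nps', 'npc'
$tunnelProcs = Get-CimInstance Win32_Process |
    Where-Object { $tunnelNames -contains ([IO.Path]::GetFileNameWithoutExtension($_.Name).ToLower()) } |
    Select-Object ProcessId, Name, ExecutablePath, CommandLine
$tunnelFiles = $files |
    Where-Object { $_.Extension -eq '.exe' -and $tunnelNames -contains $_.BaseName.ToLower() } |
    Select-Object FullName, Length, CreationTime
$portProxy = netsh.exe interface portproxy show all

# 3. Cloud-sync clients and leftover tool configs. Folder names are checked per user
#    profile; config names are matched anywhere under the roots (both lists assumed).
$cloudFolders = 'Dropbox', 'MEGAsync', 'MEGAcmd', 'Google Drive', 'pCloudDrive'
$configNames  = 'rclone.conf', '.megarc', 'ngrok.yml', 'frpc.ini', 'frpc.toml', 'megatools.ini'
$cloudHits = foreach ($profile in Get-ChildItem 'C:\Users' -Directory) {
    foreach ($name in $cloudFolders) {
        $p = Join-Path $profile.FullName $name
        if (Test-Path $p) { [pscustomobject]@{ User = $profile.Name; Kind = 'folder'; Path = $p } }
    }
}
$configHits = $files |
    Where-Object { $configNames -contains $_.Name.ToLower() } |
    ForEach-Object { [pscustomobject]@{ User = ''; Kind = 'config'; Path = $_.FullName } }

"== Archives created or modified since $since =="; $archives   | Format-Table -AutoSize
"== Tunnel / port-forwarding processes ==";        $tunnelProcs | Format-Table -AutoSize -Wrap
"== Tunnel tool binaries on disk ==";              $tunnelFiles | Format-Table -AutoSize
"== netsh portproxy rules ==";                     $portProxy
"== Cloud sync folders and leftover configs ==";   @($cloudHits) + @($configHits) | Format-Table -AutoSize
```

When a leftover config turns up, copy it with its timestamps preserved and hash it before reading it: an rclone.conf names the remote service and bucket the data went to, and an ngrok.yml carries the attacker's auth token, both of which the investigation will want intact. Prefer running this against a mounted image rather than the live host when the $MFT and other volatile artifacts have not yet been collected.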
2. The compromised accounts
From the event logs, we can determine which accounts the attackers used for lateral movement and for installing their files.
3. The tools used
- Attack tools: Mimikatz, Rubeus, Impacket, living-off-the-land binaries (LOLBAS)…
- Backdoors: Cobalt Strike, Metasploit, TrickBot…
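Points 2 and 3 are both answered from the same logs, so the following added example (not TeamT5's own tooling) summarises them together: which accounts logged on over the network or RDP (4624), which services were installed remotely (7045, the trace PsExec-style tools leave), and which process command lines (4688) match the tool families listed above. It works against the live logs or against exported .evtx files; the indicator patterns are an assumed, deliberately short list of heuristics, not a complete signature set.

```powershell
# Added example (not from the original post): summarise lateral-movement accounts,
# remote service installs and known attacker tooling from Security/System event logs.
# Log sources and the indicator list are assumptions; adapt both to the case.

param(
    [string]$SecurityLog = 'Security',   # or an exported file such as C:\cases\host1\Security.evtx
    [string]$SystemLog   = 'System',     # or C:\cases\host1\System.evtx
    [datetime]$Since     = (Get-Date).AddDays(-30)
)

function Get-EventFields {
    # Flatten <EventData><Data Name="..."> into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

function Get-Log {
    # Read the given event IDs from a live log name or an .evtx file.
    param([string]$Log, [int[]]$Ids)
    $filter = @{ Id = $Ids; StartTime = $Since }
    if ($Log -like '*.evtx') { $filter['Path'] = $Log } else { $filter['LogName'] = $Log }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}

# 1. Lateral movement: 4624 with LogonType 3 (network: SMB, WMI, WinRM) or 10 (RDP),
#    ignoring machine accounts and ANONYMOUS LOGON noise. Group by account and source IP.
$lateral = foreach ($e in Get-Log $SecurityLog 4624) {
    $f = Get-EventFields $e
    if (($f.LogonType -in '3', '10') -and $f.TargetUserName -notmatch '\$$' -and $f.TargetUserName -ne 'ANONYMOUS LOGON') {
        [pscustomobject]@{ Time = $e.TimeCreated; Account = "$($f.TargetDomainName)\$($f.TargetUserName)"
                           LogonType = $f.LogonType; SourceIp = $f.IpAddress; Process = $f.ProcessName }
    }
}
"== Network/RDP logons by account and source =="
$lateral | Group-Object Account, SourceIp | Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# 2. Remote service installs (PsExec, Impacket smbexec/services.py): 7045 in the System log.
"== New services installed =="
Get-Log $SystemLog 7045 | ForEach-Object {
    $f = Get-EventFields $_
    [pscustomobject]@{ Time = $_.TimeCreated; Service = $f.ServiceName; ImagePath = $f.ImagePath; Account = $f.AccountName }
} | Format-Table -AutoSize -Wrap

# 3. Tooling: 4688 command lines matched against per-family regex heuristics (assumed list).
#    Patterns that depend on arguments only work once command-line auditing is enabled.
$indicators = [ordered]@{
    'Mimikatz'            = 'mimikatz|sekurlsa|lsadump|privilege::debug'
    'Rubeus'              = 'rubeus|kerberoast|asktgt|s4u'
    'Impacket'            = 'secretsdump|wmiexec|smbexec|psexec\.py|atexec'
    'LOLBAS'              = 'certutil.*-urlcache|mshta\s+http|regsvr32.*/i:|rundll32.*javascript:|powershell.*-enc'
    'CobaltStrike/Metasploit' = 'beacon|powershell.*-nop\s+-w\s+hidden|^rundll32\.exe\s*$'   # rundll32 with no arguments: classic sacrificial process
}
$hits = foreach ($e in Get-Log $SecurityLog 4688) {
    $f = Get-EventFields $e
    $cmd = if ($f.CommandLine) { $f.CommandLine } else { $f.NewProcessName }
    foreach ($family in $indicators.Keys) {
        if ($cmd -match $indicators[$family]) {
            [pscustomobject]@{ Time = $e.TimeCreated; Family = $family; Account = "$($f.SubjectDomainName)\$($f.SubjectUserName)"
                               Parent = $f.ParentProcessName; CommandLine = $cmd }
        }
    }
}
"== Process creations matching tool indicators =="
$hits | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Read the three tables together: an account that appears in the logon summary from an unexpected source IP, then as the installer of a service with an odd ImagePath, and then as the Subject of a Mimikatz or Impacket hit is the account to treat as compromised, and the timestamps give the order in which hosts were reached. Renamed tool binaries will not match the name-based patterns, so absence of hits here is not evidence that no tooling was used.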
Furthermore, the incident response team can assist the enterprise in resuming normal operations and can recommend appropriate protections to avoid similar attacks in the future.
With our solid technical background and frontline expertise, TeamT5’s incident response team provides an in-depth investigation and response to real-world cyber-attacks. We identify and research the intruders’ attacks, the impact and technical cause of the incidents, and recommend solutions or workarounds to assist our clients in recovery and remediation.
If you have needs for incident response, please contact us: https://teamt5.org/en/request-information/