Incident Response and Containment

Anyone who does Incident Response (IR), or any Digital Forensics Incident Response (DFIR) process knows that collecting Indicators of Compromise (IOC) is only half the story. Eventually, you’ll need to recover the environment, which inherently means you best have confidence in the IOCs and have a plan to evict the adversary.

Before we go into detail on just how to do that, it is paramount to talk about containment. Anytime a recovery team comes in and takes intel from the IR team, a plan must be executed while being sensitive to the control-plane an adversary should have after a step…


Securing cyberspace, evicting the adversary

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store