Expected from the Operational cell
Identify the source of compromise
The Operational cell is tasked with finding the attacker's entry point. The aim is not to work out whether it was Josiane from accounting or Robert from the communication department who clicked on something, but to understand how the attacker got into the network (the vulnerable service, the phished credential, the exposed remote-access port) so that the flaw can be closed and the new infrastructure does not inherit the same vulnerability.
Date of initial compromise
Once the entry point and the attacker's way of operating inside the infrastructure are known, a date of initial compromise can usually be established. This information is very important because it determines which backups are compromised and which are, a priori, reliable. Note that the earliest trace found in the logs is only an upper bound: the attacker may have been present before the first activity that was observed, so backups taken shortly before that date should be treated as suspect until they have been checked.
Indicators of Compromise
Knowing the attack vector and the date of initial compromise makes it possible to produce indicators of compromise (hashes of the attacker's tools, paths of dropped files, persistence mechanisms, accounts or scheduled tasks the attacker created) and to use them to verify that the restored backups are healthy before they are put back into service.
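The check described in the two previous points, as an added example that is not part of the original page: the script walks a restored backup tree and flags any file whose SHA-256 matches a known-bad hash, whose path matches a known-bad path, or whose modification time is on or after the date of initial compromise. The backup tree, the IoC values and the compromise date are all constructed for the demonstration; on a real engagement they come from the investigation.

```python
"""Check a restored backup tree against indicators of compromise (IoCs).

Added example, not code from the original page. It assumes three kinds of
IoC: SHA-256 hashes of known-bad files, known-bad relative paths, and a date
of initial compromise. All sample files, hashes and dates are constructed.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large restored files do not fill memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_restored_tree(root, bad_hashes, bad_relpaths, compromise_date):
    """Return findings for every file in ``root`` that matches an IoC.

    A file is flagged when its SHA-256 is in ``bad_hashes``, when its path
    relative to ``root`` is in ``bad_relpaths``, or when its mtime is on or
    after ``compromise_date``: a backup that predates the intrusion should not
    contain files touched after it.
    """
    root = Path(root)
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            reasons = []
            digest = sha256_of(p)
            if digest in bad_hashes:
                reasons.append("known-bad hash")
            if rel in bad_relpaths:
                reasons.append("known-bad path")
            mtime = datetime.fromtimestamp(p.stat().st_mtime, tz=timezone.utc)
            if mtime >= compromise_date:
                reasons.append("modified after initial compromise")
            if reasons:
                findings.append({"path": rel, "sha256": digest, "reasons": reasons})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_backup():
    """Create a constructed restored-backup tree in a temporary directory."""
    root = Path(tempfile.mkdtemp(prefix="restored_backup_"))
    before = datetime(2024, 3, 1, tzinfo=timezone.utc).timestamp()
    after = datetime(2024, 3, 20, tzinfo=timezone.utc).timestamp()
    files = {
        "etc/hosts": (b"127.0.0.1 localhost\n", before),
        "var/www/index.html": (b"<html>hello</html>\n", before),
        # Constructed web shell: matched by hash, by path and by mtime.
        "var/www/uploads/shell.php": (b"<?php system($_GET['c']); ?>\n", after),
        # Legitimate file that was nevertheless modified after the compromise.
        "etc/crontab": (b"* * * * * root /tmp/.x\n", after),
    }
    for rel, (content, ts) in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.utime(p, (ts, ts))
    return root


def demo():
    """Run the scan over the constructed tree with constructed IoCs."""
    root = build_sample_backup()
    compromise_date = datetime(2024, 3, 15, tzinfo=timezone.utc)
    bad_hashes = {hashlib.sha256(b"<?php system($_GET['c']); ?>\n").hexdigest()}
    bad_relpaths = {"var/www/uploads/shell.php"}
    return scan_restored_tree(root, bad_hashes, bad_relpaths, compromise_date)


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], "->", ", ".join(finding["reasons"]))
```

The mtime check is deliberately the broadest of the three: it catches files the investigation has not yet produced a hash or path for, at the cost of also flagging legitimate changes, so each hit still needs a human decision. A backup that produces no finding is not proven clean, only consistent with the IoCs known so far.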
Rebuild the new infra
In parallel with the investigation, it is crucial to rebuild an infrastructure, isolated from the compromised network, so that the staff of the various departments can resume work. Only backups that have been dated before the initial compromise and checked against the indicators of compromise should be restored into it.
Hardening
Very often, after an attack, the target realizes that its hardening was insufficient. The operational team then has to implement the new hardening on the rebuilt infrastructure, starting with the entry point identified during the investigation.