An incident response consists of four main phases that occur in a cycle: assessment of scope, containment, acquisition and preservation of evidence, and analysis. Investigators assess the scope of an incident to estimate business impact and to determine how to contain the situation. Containment serves both to limit the impact of an incident and to prevent the deterioration of evidence. Investigators then acquire relevant evidence and establish a chain of custody to preserve it for further analysis. The evidence is then analyzed to determine whether the original estimated scope of the incident response was adequate.
These four phases repeat until the investigators are reasonably sure the necessary evidence has been contained, acquired, and preserved. The product of an incident response is both the body of evidence collected and the containment of the incident to prevent further business impact. While some analysis will inevitably be undertaken during the response, any conclusions drawn from it are generally incomplete and will require additional deep analysis to validate them. This further analysis can occur in a lab setting without impacting day-to-day operations.
- Staff on call 24x7 to respond to incidents
- Timely response for mission-critical investigations
- Our experienced responders have been involved in dozens of major incidents at Fortune 500 companies
- Discovery process designed to minimize downtime and maximize integrity of evidence
- Well-defined chain-of-custody procedures in line with industry best practices