Identification, Response, Recovery

Bouncing Back from the Breach

Specific need? Let us build a tailored engagement for you.

Get started


Those who have suffered a breach can attest that after a security incident, time seems to move at quantum speed: IT personnel scramble to pull logs, forensic teams begin acquiring evidence, and business leaders meet with legal counsel to plan public communications. VerSprite has guided many organizations through this journey. Find calm during the storm through our broad range of DFIR expertise.

DFIR Service Overview

Our services align to four response stages in which clients commonly find themselves: planning, prevention, response and validation. These informal stages describe the common drivers that have led clients to engage VerSprite for DFIR services.

Before the Compromise (Planning)

The adage of “not if but when” is real. Planning how to respond to a compromise is key, particularly when addressing both likely and unlikely threat scenarios. Pre-compromise planning efforts around security incidents encompass the following:

  • IR Policy Governance / Administrative Plan Reviews
    • Do you have the right plan?
    • Are there procedures supporting the plan?
  • Readiness around DFIR Efforts
    • Are we logging the right things to support forensic evidence reviews?
    • Is the plan tested somehow?
  • DFIR Retainers
    • Pre-planning teams and workflows for a possible event.
    • Reducing administrative headaches around paperwork.
    • Preliminary work to enable a swift response to an incident.
    • Conversion to an IR tabletop exercise or other VerSprite service if the retainer is not used within a year.

Identifying Existing Compromises (Validation)

Compromises aren’t as evident within an organization as some may think. Subtle signs of compromise are often never reported by end users, who chalk up anomalies to network or system glitches, old hardware, etc. Compromise assessments help to address the following:

  • Have I been hacked? / Am I currently compromised now?
  • Am I buying a hacked company?
  • Did a departing employee take company data (i.e. – proprietary software, financial data, client information, etc.)?

Responding to a Compromise (Response)

Execution is everything in a proper response effort. Being able to perform root cause analysis from forensic data is critical. Log analysis, drive forensics and interviews all need to be orchestrated around a timeline, with a focus on understanding the varied objectives of the response phase, some of which include the following:

  • 1. Detection & Identification
    • a. Determining data compromise
      • i. What type of data was compromised?
      • ii. When was it compromised?
      • iii. Who compromised the data?
      • iv. Was the compromised data encrypted?
    • b. Defining the affected scope
    • c. Defining the timeline around the compromise
  • 2. Eradication & Quarantining
  • 3. Post-Incident Review and Analysis

Scope of DFIR Efforts

The scope of our response efforts for any of the above-mentioned services encompasses the following:

  • Windows, Mac OS X & Linux
  • Duplicate media
  • Infrastructure logs (e.g. – network, proxy, directory service logs, etc.)
  • Mobile phones
  • Malware analysis
  • Email forensics
  • Memory captures from endpoints and distributed systems (physical & virtual)
  • Timeline creation
  • Witness expertise
  • Insider threats
  • Ransomware recovery
  • Intentional/accidental deletion of files
