Response Process

Verify: confirm that the alert is valid before acting on it.

  • Review the suspect data to decide whether the alert is a false positive and, if it is not, determine the scope of the event.

  • Check the reputation of the observed attributes (hashes, addresses, host names): an attribute that is already known to be malicious is itself an issue.

Content Review

  • Retrieve the artifacts needed for validation. This can be done with tools such as Solara, NetWitness, and EnCase.

  • Evaluate the collected artifacts to determine whether they are malicious, and extract their attributes (hashes, addresses, host names, related alerts) to prepare the response.

  • Return the affected asset to operation.

  • Enforce security controls to prevent further escalation.

Getting to Response and Recovery

Moving from Data to Response & Recovery

Indicators of Compromise (IoC)

The term Indicators of Compromise (IoC) refers to the set of attributes shared by systems infected in a particular type of attack. Most commonly it is a list of:

  • File hashes (MD5 or SHA256)

  • Bad IP addresses

  • Bad host names

  • Signatures (or alerts) directly related to the event

Although the term IoC strictly describes compromised systems, it is also used for attributes of the attack itself, such as the addresses and host names the attacker uses.

The process of collecting this list of attributes, and using it to find every system that shares them, is called scoping.
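As an added worked example, not part of the original page, the following Python program ties the Verify and Content Review steps above to the IoC list: it hashes a retrieved artifact (MD5 and SHA256), matches constructed log events against a seed IoC set, and scopes the event by promoting the attributes of every matching event to new indicators until no new host or indicator appears. The key=value log format, the host names, addresses, the signature name, the sample artifact bytes and the known-good reputation table are all constructed for the example and do not come from any real product or incident.

```python
import hashlib
import re

# Constructed key=value log format; field names and values are not a real product's.
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Which log field feeds which IoC category from the list above.
FIELD_TO_IOC = {
    "md5": "file_hashes",
    "sha256": "file_hashes",
    "dst": "bad_ips",
    "dns": "bad_hosts",
    "sig": "signatures",
}

# Reputation step: attributes already known to be benign (constructed values) are
# never promoted to indicators, even when they appear on a compromised host's events.
KNOWN_GOOD = {"dns": {"files.example.org"}, "dst": {"10.1.0.5"}}


def parse_event(line):
    """Parse one constructed key=value log line into a dict of attributes."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def hash_artifact(data):
    """Extract the hash attributes (MD5 and SHA256) of a retrieved artifact."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def event_hits(event, iocs):
    """Return the (field, value) pairs of an event that match the current IoC set."""
    return [(f, event[f]) for f, cat in FIELD_TO_IOC.items()
            if f in event and event[f].lower() in iocs[cat]]


def scope(lines, seed):
    """Expand a seed IoC set over the events until no new indicator appears.

    Returns (iocs, affected): the grown IoC set and, per host, the indicators
    that tied that host to the event.
    """
    iocs = {cat: {v.lower() for v in seed.get(cat, ())}
            for cat in set(FIELD_TO_IOC.values())}
    events = [parse_event(line) for line in lines]
    affected = {}
    grew = True
    while grew:  # fixed point: a newly learned indicator can match an earlier event
        grew = False
        for ev in events:
            hits = event_hits(ev, iocs)
            if not hits:
                continue
            affected.setdefault(ev.get("host", "?"), set()).update(hits)
            # Scoping: every attribute of a matching event becomes a candidate indicator,
            # unless its reputation is already known to be good.
            for f, cat in FIELD_TO_IOC.items():
                val = ev.get(f)
                if not val or val.lower() in KNOWN_GOOD.get(f, ()):
                    continue
                if val.lower() not in iocs[cat]:
                    iocs[cat].add(val.lower())
                    grew = True
    return iocs, affected


# Constructed artifact "retrieved" from ws-017 (not real malware); its hashes are computed, not hard-coded.
ARTIFACT = b"MZ\x90\x00constructed sample dropper\x00"
HASHES = hash_artifact(ARTIFACT)

# The validated alert supplies only a signature; everything else is learned by scoping.
SEED_IOCS = {"signatures": {"ET TROJAN Dropper CnC Beacon"}}

# Constructed events. The first line is listed first on purpose: it only matches once
# the dropper hash has been learned from a later event, which needs a second pass.
SAMPLE_LOGS = [
    f'ts=2024-03-01T10:21:03Z host=ws-088 src=10.1.4.88 dst=203.0.113.9 dns=files.example.org sha256={HASHES["sha256"]}',
    'ts=2024-03-01T10:02:11Z host=ws-017 src=10.1.4.17 dst=198.51.100.23 dns=cdn-update.example.net sig="ET TROJAN Dropper CnC Beacon"',
    f'ts=2024-03-01T10:05:40Z host=ws-042 src=10.1.4.42 dst=198.51.100.23 dns=files.example.org sha256={HASHES["sha256"]}',
    'ts=2024-03-01T10:09:15Z host=ws-120 src=10.1.4.120 dst=10.1.0.5 dns=files.example.org',
]

if __name__ == "__main__":
    iocs, affected = scope(SAMPLE_LOGS, SEED_IOCS)
    for host, hits in sorted(affected.items()):
        print(host, sorted(hits))
    print("scoped IoCs:", {k: sorted(v) for k, v in iocs.items()})
```

Run stand-alone, the scan starts from the single signature, learns the command-and-control address and host name from ws-017, learns the dropper hash from ws-042, and only on the second pass ties ws-088 to the event through that hash. ws-120 is never scoped in, because the only attribute it shares with the infected hosts, files.example.org, was vetted as known-good and was therefore not promoted to an indicator. Without that reputation check every attribute seen on a compromised host would be promoted, and the scope would grow to cover unrelated systems.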