Incident response
No matter how well you protect yourself, one day the alarm may go off for real: ransomware encrypting files, a compromised account, data leaving places it should not. At that moment every minute counts and improvising is costly. Incident response is having someone who knows what to do: contain the attack so it does not spread, throw the attacker out, close the way they got in and help you get back to operating. And, afterwards, understand what happened so it does not repeat.
Incident response and forensics, across all of Spain.
Why
No defence is perfect. Sooner or later something slips through, and faced with a security incident what makes the difference is not what you have, but how you react in the first hour.
No matter how well you protect yourself, one day something gets in. Accepting it and being ready is more realistic than believing yourself untouchable.
Containing quickly limits the damage to one corner. Hesitating lets ransomware or an intruder spread through everything.
Without a plan and without experienced people, under pressure decisions get made that make things worse.
If you do not close how they got in and do not understand what happened, the attacker comes back through the same place.
What it includes
It is not just stopping the attack, it is leaving you running again and with the hole closed so it does not repeat.
We stop the spread by isolating what is affected, so the attack does not jump to the rest of your systems.
We remove the attacker and their tools, not just the visible symptom that comes back again.
We patch the vulnerability or flaw they came in through, so they do not come back through the same door.
We bring you back to activity from verified backups, without dragging the infection along with you.
We understand what happened, how far it reached and what was taken, capturing the evidence in time.
We sort out who does what and help you with the notifications the law requires.
The approach
When there is an attack underway, order matters. The first thing is to stop the bleeding: isolate what is affected and cut the spread, even if not everything is known yet.
Then the attacker is thrown out, the way they got in is closed and activity is recovered from clean backups, in that order, because restoring onto a system that is still compromised means starting over.
And when calm returns, it is time to learn: what happened, how it got in and what to change so it does not repeat. If we already watch your environment with our SOC, Sondriva, the response starts the moment the signal goes off, without losing the first hour.
The day to day or the big incident
They are often confused, but they are not the same. One is always on; the other steps in when something serious goes off.
Managed detection and response watches without stopping and contains whatever comes up in the day to day. It is the first line, the one that keeps most things from getting worse.
When something serious goes off, incident response steps in: people directing the containment, the investigation and the recovery of a real attack. It is what this page is about, the step up for the big incident.
Forensics, frankly
Here we prefer to be clear. Our thing is the response: contain, throw the attacker out and bring you back to activity. Forensic analysis is part of that, we do the work needed to understand what happened, how far it reached and what was taken, and to capture the evidence while it is still fresh.
What we do not do is sell ourselves as a computer forensics lab or as court experts. If your case needs an expert report for a trial, with a certified chain of custody, we say so and bring in whoever specialises in that. We prefer that to promising you a specialty that is not ours.
When
There is an incident underway, ransomware or a compromised account, and you need someone to take command right now.
The attack is over, but you want to know what happened, close what was left open and make sure it does not repeat.
You would rather have an incident response plan ready in advance, so you do not improvise the day the alarm goes off.
NIS2 requires you to have proper incident management, notify incidents on time and prove that you have a real incident response capability.
Method
We declare the incident and mobilise the team following the response plan, with a cool head and not in a rush.
We isolate what is affected to cut the spread before going on, while preserving the evidence.
We throw the attacker out, close the entry point and bring you back to operating from clean backups.
We reconstruct what happened, put it in writing and adjust so that door does not open again.
Fits with
Incident response is the end of a chain that begins much earlier. Detection comes from our SOC, Sondriva, and from detection and response on the endpoint, which are the ones that raise the alarm. Threat intelligence helps to understand who we are up against.
And recovery leans on two pieces: vulnerability management closes the way they came in, and backup returns the systems to a clean state. If NIS2 applies to you, we also help you notify on time.
Questions
MDR is the continuous monitoring and the first day-to-day response: it detects and contains whatever comes up. Incident response steps in when something serious goes off that needs a thorough intervention, with people directing the containment, the investigation and the recovery. One watches always; the other acts when the incident is big.
Yes, as much as is needed to respond well: understand what happened, how far the attacker reached and what they took, and capture the evidence while it is fresh. What we do not do is sell ourselves as a forensic lab or court experts; if your case needs an expert report for trial with a certified chain of custody, we say so and bring in whoever specialises in that.
First, do not switch off or delete anything in the heat of the moment, because it can destroy evidence and make recovery worse. Contact us as soon as possible and, if we already work with you, the incident is activated immediately to contain it before it spreads.
Yes. When an incident has to be notified, for example under NIS2 or because it affects personal data, we help you prepare the information and coordinate the communication with whoever is responsible, within the deadlines set by the regulation.
It helps a lot. Having the response prepared in advance means that, when the incident goes off, action is taken in minutes instead of losing hours getting organised. We also handle incidents for those who had not contracted us, but arriving with the plan ready makes the difference.
Before restoring, the hole they came in through is closed and the backups are verified to be clean. Recovering onto a system that is still compromised, or from an infected backup, means going back to the start, so that order matters.
Do you have an incident or want to be ready?
If you think you are being attacked, contact us as soon as possible. And if you want to have the response prepared before it happens, the same: arriving with the plan ready changes everything.
Get in touch