• Orbituary
      link
      English
      55 months ago

      Quite a lot, actually. This is really a summation and not comprehensive.

      • Evaluate an environment after incident:
        • looking for IOCs, determine spread
        • Determine backup status and restore if possible
        • Return environment to healthy state (AD restore, replication, networking, etc.,)
        • Lockdown of security holes
        • Advise on best practices going forward
      • Decrypt environment if client pays ransom

      etc., etc.

      Depending on the complexity of the environment, this can take a lot of time and effort: much bigger than most internal teams are capable of doing. A client I had in Feb-Mar lasted a total of 3200 hours of work between 12 people on my team across 34 locations to unfuck the situation.