• Orbituary@lemmy.world
    link
    fedilink
    English
    arrow-up
    5
    ·
    5 months ago

    Quite a lot, actually. This is really a summation and not comprehensive.

    • Evaluate an environment after incident:
      • looking for IOCs, determine spread
      • Determine backup status and restore if possible
      • Return environment to healthy state (AD restore, replication, networking, etc.,)
      • Lockdown of security holes
      • Advise on best practices going forward
    • Decrypt environment if client pays ransom

    etc., etc.

    Depending on the complexity of the environment, this can take a lot of time and effort: much bigger than most internal teams are capable of doing. A client I had in Feb-Mar lasted a total of 3200 hours of work between 12 people on my team across 34 locations to unfuck the situation.