We appreciate you reaching out and trusting Huntress to assist with your security needs. We value your partnership and are committed to helping you identify and address cybersecurity threats. However, there are certain situations—especially during complex or large-scale incidents—where we strongly recommend engaging with a professional Incident Response (IR) firm to ensure a thorough investigation and resolution.
Certain incident reports will contain the manual remediation step shown below. This article is designed to expand on what this suggestion means, and explain why we're making that recommendation.
What is an IR Firm and Why is It Important?
An IR firm specializes in handling security incidents from start to finish. Their job is to dive deeply into an incident to:
- Fully Scope the Incident: Identify the full extent of the compromise, including how attackers gained access, what systems were affected, and whether any sensitive data was accessed or exfiltrated.
- Eradicate the Threat: Completely remove the attacker’s foothold, ensuring the environment is clean and secure.
- Prevent Future Attacks: Implement comprehensive measures to harden your environment and close security gaps, reducing the risk of similar attacks in the future.
- Provide Legal and Compliance Guidance: If data breaches are involved, suspected, or a concern for your clients, IR firms can help address legal requirements, such as notifying affected parties or fulfilling compliance obligations.
Why Huntress Recommends IR Firms
Huntress is designed as an Endpoint Detection and Response (EDR) solution, focusing on identifying early signs of compromise and providing actionable recommendations to address threats. However, there are limitations to what Huntress can investigate, as we primarily analyze endpoint activity. When an incident extends beyond that scope, IR firms bring a wider set of tools and expertise to the table, such as:
- Digital Forensics:
This involves analyzing system artifacts (e.g., registry keys, memory snapshots, deleted files) to uncover detailed evidence about the attacker’s activity and tactics. Digital forensics can trace the origin of the attack, identify lateral movement, and reveal how deeply the environment was compromised.
- Environment-Specific Analysis:
IR firms take a tailored approach to your environment. They examine configurations of your network, servers, firewalls, cloud platforms, and more. This enables them to identify gaps unique to your setup and provide specific, actionable recommendations to secure your systems.
- Advanced Threat Containment:
They analyze logs from network devices, VPNs, cloud services, and email systems—areas Huntress does not monitor. This broader visibility allows them to detect and address threats that may not appear in endpoint telemetry alone.
- Remediation Planning and Execution:
Beyond cleaning up the current incident, IR firms help you implement long-term changes to your processes, systems, and configurations. This could include network segmentation, security policy adjustments, and even employee training to prevent similar attacks in the future.
- Compliance and Legal Support:
If sensitive data was involved, IR firms can assist in preparing reports for legal or regulatory bodies, ensuring you meet obligations for breach notifications or audits. Huntress does not have the telemetry or resources required to confirm or deny whether data exfiltration took place during an incident, so we will always recommend engaging an Incident Response firm if there is a potential that sensitive data was lost or stolen.
Why Engaging an IR Firm Matters
In instances where existing security measures and response procedures fail to fully contain the attack or prevent future attacks, IR firms provide the expertise and resources to thoroughly address the situation. Without comprehensive visibility into your entire environment, it’s challenging to guarantee that all traces of the attacker have been removed, or that gaps exploited in this incident won’t leave you vulnerable to future compromises.
By engaging with an IR firm, you ensure:
- Full Confidence in Remediation: The root cause of the attack is addressed, and any residual risks are eliminated.
- Proactive Defense Enhancements: Your environment is tailored to withstand future attacks, not just recover from this one.
- Clear Path Forward: Comprehensive guidance on best practices for securing your systems and maintaining compliance.
What Happens During an IR Engagement?
A typical IR engagement involves:
- Incident Scoping: Determining the breadth and impact of the attack.
- Containment: Stopping the attacker from causing further damage.
- Forensic Investigation: Analyzing evidence to understand what happened and ensure thorough remediation.
- Recovery: Helping you rebuild systems securely and restore operations.
- Post-Incident Guidance: Providing tailored recommendations to strengthen your defenses and prevent future compromises.
We understand that navigating an incident can be stressful, and we’re here to support you to the best of our ability. If you need help selecting an IR firm, we can provide recommendations based on your needs and circumstances.
By addressing the incident at its root, you’re not only securing your current environment but also reducing the likelihood of future disruptions.