Purpose
- Perform digital forensics to establish the facts of the incident, including:
- Which vulnerabilities were exploited
- Which servers, workstations and user accounts were affected
- Which data and account information were exposed or altered
- Which malicious files and attack tools were used
- The attacker's attack flow, from initial access to final objective
- Implement the incident response process in each stage:
- Identification: Identify the factors involved in the incident and reconstruct the attack flow through the digital forensic process.
- Containment: Put temporary controls in place and isolate the systems, accounts and network segments involved in the incident; then move to long-term measures, including fixes and patches.
- Remediation: Resolve the issues related to the incident (removing malicious code, closing the exploited vulnerabilities, backing up data, etc.).
- Recovery: Restore affected systems and put monitoring in place to confirm that the problems have been fully resolved and that no similar threats remain.
- Lessons Learned: Produce a detailed incident report, propose measures to detect and prevent similar incidents in the future, and record the experience gained during the response.
Test list
- Depends on the number of devices, applications and log sources involved in the incident
Implementation methods
- Investigation and response specialists take part onsite or remotely. The forensic process is performed on a verified copy (forensic image) of the evidence, never on the live system, so that the original evidence is not altered or disturbed.
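The "work on a copy" rule above only holds if the copy can be shown to match the original. The script below is an added example, not part of the original page or of the service described: it images a piece of evidence with `dd`, hashes the source and the copy with SHA-256, re-hashes the source afterwards so that any change during acquisition is noticed, and appends a chain-of-custody line. The file names, the sample "evidence" file and the log path are all constructed for the example; on real hardware a write blocker would sit between the evidence drive and the imaging host.

```shell
#!/bin/sh
# Added example (not from the original page): acquire a working copy of a
# piece of evidence and prove it is bit-for-bit identical before analysis.
# All paths and file names here are hypothetical.
set -eu

# SHA-256 of a file; works with GNU coreutils (sha256sum) and BSD/macOS (shasum).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# acquire_image SRC DST LOG
# Copies SRC to DST with dd, hashes SRC before and after the copy and DST
# after it, and appends one chain-of-custody line to LOG.
# Returns 0 only if all three hashes agree; analysis should start only then.
acquire_image() {
    src=$1; dst=$2; log=$3
    before=$(hash_file "$src")
    dd if="$src" of="$dst" bs=65536 2>/dev/null
    after=$(hash_file "$dst")
    # Re-hash the source: if it changed while being imaged (live disk,
    # tampering), the copy cannot be trusted as a record of the original.
    verify=$(hash_file "$src")
    printf '%s src=%s dst=%s sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$dst" "$before" >>"$log"
    [ "$before" = "$after" ] && [ "$before" = "$verify" ]
}

# Constructed sample evidence: a small file standing in for a disk or volume.
# Prints the temporary directory it was created in.
setup_sample() {
    dir=$(mktemp -d)
    printf 'constructed sample evidence, not a real disk image\n' >"$dir/evidence.bin"
    echo "$dir"
}

# Stand-alone usage:
#   d=$(setup_sample)
#   acquire_image "$d/evidence.bin" "$d/evidence.img" "$d/custody.log" && echo "copy verified"
```

The recorded hash is what the final report cites as evidence that the analyzed image matches what was collected; any later re-hash of the image that differs from the logged value means the copy was modified and the findings built on it need to be re-checked.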
Outcomes
- Detailed reports on the response process (tool deployment, information collection, data analysis and examination of workstations and servers).
- A detailed list of the security issues detected, with supporting IOC (Indicator of Compromise) evidence.
- A root-cause remediation plan, or a plan to minimize risk where root-cause remediation is not possible, together with a temporary remediation plan for the security issues found.
Human resources for project implementation
- Each incident requires at least two Tier 2 and one Tier 3 analysts. Implementation time depends on the specific incident.