To be prepared for the event of a breach, incident response should be divided into two strands of action. The first is the forensic investigation of the suspected incident. Its purpose is to establish how deeply the attacker has penetrated the IT infrastructure, what the attacker is after, and which tools and techniques the attacker used. In addition to log data, the company's analysts should draw on information from endpoint detection and network monitoring and examine conspicuous systems in depth. Analysts usually concentrate on Active Directory, the DMZ (demilitarized zone), and any areas that are particularly exposed or vulnerable.
Based on these findings, measures can be planned to fend off the attack and remove the attacker from the network. For an ongoing incident, it must be decided which actions have to be taken immediately and ad hoc (containment) and which predefined measures from the response plan are to be applied. The same applies to remediation. Here, the packages of measures must be adapted to the complexity of the business processes, the structure of the infrastructure, the monitoring capabilities on endpoints and in network traffic, and the analysis skills available. The defensive measures should also correspond to the attacker's methods: if the attacker moved laterally with stolen credentials, for instance, credential resets and tighter controls on privileged accounts belong in the package, rather than generic measures unrelated to the intrusion path.