Immediate Actions:
What to do right now
Before our specialists take over, these three steps can determine how quickly your organization regains full control.
Stay Calm
Stay calm. Do not shut down servers immediately. Pause virtual machines to preserve memory. On physical servers, create a memory dump before powering down.
Isolation
Immediately isolate affected systems from the network by disconnecting cables or disabling wireless access to prevent further spread.
Document Everything
Record timing, symptoms and initial observations in chronological order. Do not modify files on affected systems.
Operational expertise you can feel immediately
We do not improvise under pressure. We work from precise playbooks. Explore our library of response actions for common cyber threats.
Renew Expired SSL/TLS Certificate
An expired SSL/TLS certificate was detected. This breaks HTTPS trust and may expose users to man-in-the-middle attacks.
Replace Weak SSL/TLS Cipher Suites
Weak cipher suites (DES, 3DES, RC4, export ciphers) are enabled, potentially allowing decryption of traffic.
Replace Self-Signed Certificate
A self-signed certificate provides no chain of trust. Users will see browser warnings, and the certificate cannot be verified by clients.
Disable Deprecated TLS/SSL Protocols
Deprecated protocols (SSLv2, SSLv3, TLS 1.0, TLS 1.1) are still enabled; they are vulnerable to known attacks such as POODLE and BEAST.
Disable Telnet and Switch to SSH
Telnet transmits all data including credentials in cleartext. It should be replaced with SSH for all remote access.
Replace FTP with SFTP/SCP
FTP transmits files and credentials in cleartext. Replace it with SFTP or SCP, which run over an encrypted SSH channel.
Enable SMB Signing
SMB signing is disabled, allowing man-in-the-middle attacks and NTLM relay attacks on file sharing connections.
Harden SSH Configuration
SSH configuration allows potentially insecure settings like root login, password authentication, or old protocols.
Secure SNMP Configuration
SNMP is using default community strings (public/private), allowing anyone who can reach the service to read or modify device configurations.
Disable Open DNS Resolver
An open DNS resolver can be abused for DNS amplification DDoS attacks and DNS cache poisoning.
Fix SQL Injection Vulnerability
SQL injection allows attackers to read, modify, or delete database contents and potentially execute system commands.
Fix Cross-Site Scripting (XSS) Vulnerability
XSS allows attackers to inject malicious scripts that execute in users' browsers, stealing sessions, credentials, or defacing content.
Implement CSRF Protection
Missing CSRF tokens allow attackers to trick authenticated users into performing unintended actions.
Disable Directory Listing
Web server directory listing exposes file structure, potentially revealing sensitive files, backups, or configuration files.
Add Missing Security Headers
Important HTTP security headers are missing, leaving the application vulnerable to clickjacking, MIME-sniffing, and other attacks.
Change Default Credentials
Default manufacturer/vendor credentials are in use. These are publicly known and can be exploited trivially.
Strengthen Password Policy
Weak password policy allows easily guessable passwords, increasing risk of brute-force and credential stuffing attacks.
Implement Multi-Factor Authentication
Critical services lack multi-factor authentication, making them vulnerable to credential compromise.
Update Outdated Software
Software with known vulnerabilities is running. Apply available patches to prevent exploitation.
Apply CVE Security Patch
A known CVE with an available patch has been identified. Apply the vendor patch immediately to prevent exploitation.
Remediate Kerberoasting Risk
Service accounts with SPNs are vulnerable to Kerberoasting: any domain user can request a service ticket (TGS) encrypted with the account's password-derived key and crack it offline.
Fix AS-REP Roasting Vulnerability
Accounts that do not require Kerberos pre-authentication return an AS-REP encrypted with the user's password-derived key, which can be retrieved without credentials and cracked offline.
Remove Unconstrained Kerberos Delegation
A system trusted for unconstrained delegation caches the TGTs of users who authenticate to it and can impersonate them to any service, so compromising that system can lead to domain compromise.
Fix Accounts with Non-Expiring Passwords
User accounts with the 'Password never expires' flag keep the same password indefinitely, increasing the risk of credential compromise through stale or previously leaked passwords.
Disable Inactive Privileged Accounts
Privileged accounts that have not been used for extended periods pose a significant security risk.
Remediate Active Directory Attack Path
An attack path to Domain Admin has been identified, allowing privilege escalation from compromised accounts.
Enable SMB Signing on Domain Systems
SMB signing is not enforced, allowing NTLM relay and man-in-the-middle attacks against domain systems.
Deploy LAPS for Local Admin Passwords
Local administrator passwords are identical across workstations, enabling lateral movement after any single compromise.
Fix Insecure File Permissions
Sensitive system files have overly permissive access controls, potentially exposing credentials or configurations.
Apply Kernel Security Hardening
Linux kernel parameters are not hardened, leaving the system vulnerable to various network and local attacks.
Disable Unnecessary System Services
Non-essential services are running, increasing the attack surface of the system.
Configure System Audit Logging
System audit logging is not configured or insufficient, hindering incident detection and forensics.
Remove Exposed Secrets from Code/Files
Sensitive credentials, API keys, or tokens were found in source code or configuration files.
Secure Exposed Database Ports
Database services (MySQL, PostgreSQL, MSSQL, MongoDB) are directly reachable from untrusted networks, risking unauthorized data access.
Secure or Restrict RDP Access
Remote Desktop Protocol (RDP) is exposed, making the system vulnerable to brute-force and credential stuffing attacks.
Re-enable Windows Defender Real-Time Protection
Windows Defender real-time protection is disabled, leaving the system without active malware protection.
Update Windows Defender Antivirus Signatures
Antivirus definitions are outdated, reducing detection capability for recent malware threats.
Resolve Detected Malware Threats
Windows Defender has detected threats that have not been fully remediated or quarantined.
Mitigate NTLM Relay Attack Risk
NTLM authentication is enabled without relay protections, so an attacker on the network can capture an authentication attempt and forward it to another system to authenticate as that user.
Our Structured IR Process
Based on NIST and SANS guidance, we guide your organization through the crisis and back to stable operations.
Triage and Analysis
Immediate situation assessment and prioritization of the next actions.
Containment
Isolation of affected systems to limit business and technical impact.
Eradication
Complete removal of threats, persistence mechanisms and exploitable weaknesses.
Recovery
Controlled return to stable operations with validated systems and clean data.
Lessons Learned
Root cause analysis and long-term hardening to reduce the chance of recurrence.