The initial assessment and investigation of the incident gives the IR Team the information it needs to initiate the Nerds On Site three-phase Incident Response Protocol.
Phase One: Isolate
The Team removes the existing Cisco ASA gateways from the site-to-site VPN infrastructure and replaces them with adam:ONE, a DNS-based firewall and gateway product. adam:ONE ships with a default "Holding Tank" policy, and every endpoint is placed into it automatically. The Holding Tank is a default-deny policy with a narrow lifeline: infected devices can reach only Windows Update and Webroot (the endpoint protection product used for the clean-up), so security updates and patches can still be applied. Devices in the Holding Tank have no access to Active Directory and cannot do further damage across the network.
Phase Two: Remediate
The Team configures every computer to boot into Safe Mode with Networking and deploys Webroot to run a thorough scan.
Locally, computers are brought into a large area where the Team works on 20 at a time. At the other global locations, local IT teams working under Nerds On Site direction are given step-by-step instructions to do the same, translated into their language and communicated through a central dashboard that gives a real-time view of global progress.
Once Webroot has removed all known infections, the system is rebooted into normal mode and re-scanned to confirm it is clean. All Windows and application updates are then applied in priority order: "mission-critical" first, then "important", then "can wait".
Phase Three: Fortify & Maintain
Using adam:ONE, the Team reconfigures the systems from a Zero Trust standpoint, using whitelisting. A whitelist is a compiled list of the applications, email senders, IP addresses, devices and domains that are known to be safe and are explicitly permitted on the systems and network. Traditional blacklisting works the other way round: anything not on a list of known-bad sites or applications is allowed through. Whitelisting starts by allowing nothing. Once a resource has been examined and found to pose no threat, each legitimately required internet resource and domain is added to the whitelist and becomes reachable for users. Ongoing requests for new resources are handled with an adaptive whitelist approach supplemented with Artificial Intelligence.
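To make the Holding Tank of Phase One and the default-deny whitelist of Phase Three concrete, the following is an added example of a DNS-based gateway policy model. It is illustrative code, not adam:ONE or Nerds On Site software: the policy names, device names, and the domain patterns (the real Windows Update and Webroot domain sets are larger and are stood in for by assumed entries and a placeholder) are assumptions. It shows the three behaviours the text relies on: unknown devices land in the Holding Tank, a label-aligned suffix match that look-alike domains cannot satisfy, and a review queue of blocked lookups that feeds the adaptive whitelist.

```python
"""Added example (not adam:ONE or Nerds On Site code): a model of a DNS-based
gateway that enforces per-device default-deny allowlists, with a Holding Tank
policy for unremediated endpoints.  Domain patterns, device and policy names
are assumptions chosen for illustration."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple


def matches(pattern: str, name: str) -> bool:
    """Label-aligned match: '*.windowsupdate.com' covers the apex and any
    subdomain, but not 'evil-windowsupdate.com' or
    'windowsupdate.com.attacker.net'."""
    name = name.rstrip(".").lower()
    pattern = pattern.lower()
    if pattern.startswith("*."):
        apex = pattern[2:]
        return name == apex or name.endswith("." + apex)
    return name == pattern


# Constructed allowlists.  The entries below stand in for the real (larger)
# Windows Update and AV-vendor domain sets.
HOLDING_TANK: FrozenSet[str] = frozenset({
    "*.windowsupdate.com",        # assumed Windows Update name
    "*.update.microsoft.com",     # assumed Windows Update name
    "*.webroot.example",          # placeholder for the AV vendor's cloud
})
PRODUCTION: FrozenSet[str] = HOLDING_TANK | frozenset({
    "*.corp.example",             # placeholder internal AD domain
    "*.office.net",               # assumed business SaaS dependency
})


@dataclass
class Gateway:
    policies: Dict[str, FrozenSet[str]]
    default_policy: str = "holding_tank"
    device_policy: Dict[str, str] = field(default_factory=dict)
    blocked: List[Tuple[str, str]] = field(default_factory=list)

    def policy_for(self, device: str) -> str:
        # Unknown devices fall into the Holding Tank; nothing is trusted by default.
        return self.device_policy.get(device, self.default_policy)

    def resolve(self, device: str, name: str) -> bool:
        """True if the lookup is permitted under the device's policy.  Blocked
        lookups are recorded so they can be reviewed for the adaptive allowlist."""
        allowed = any(matches(p, name) for p in self.policies[self.policy_for(device)])
        if not allowed:
            self.blocked.append((device, name.rstrip(".").lower()))
        return allowed

    def promote(self, device: str, policy: str) -> None:
        """Move a remediated endpoint out of the Holding Tank."""
        if policy not in self.policies:
            raise KeyError(policy)
        self.device_policy[device] = policy

    def allow(self, policy: str, pattern: str) -> None:
        """Add a vetted resource to a policy's allowlist (the whitelist grows
        only by explicit decisions, never by default)."""
        self.policies[policy] = self.policies[policy] | {pattern.lower()}

    def review_blocked(self, top: int = 5) -> List[Tuple[str, int]]:
        """Most-requested blocked names: the review queue for the adaptive allowlist."""
        return Counter(name for _, name in self.blocked).most_common(top)


def build_demo_gateway() -> Gateway:
    return Gateway({"holding_tank": HOLDING_TANK, "production": PRODUCTION})


if __name__ == "__main__":
    gw = build_demo_gateway()
    for device, name in [  # constructed lookups from an unremediated endpoint
        ("ws-17", "download.windowsupdate.com"),
        ("ws-17", "dc01.corp.example"),        # no AD access in the Holding Tank
        ("ws-17", "evil-windowsupdate.com"),   # look-alike, must not match
        ("ws-17", "c2.example.net"),
    ]:
        print(device, name, "ALLOW" if gw.resolve(device, name) else "BLOCK")
    gw.promote("ws-17", "production")
    print("after promotion:", gw.resolve("ws-17", "dc01.corp.example"))
    print("review queue:", gw.review_blocked())
```

The model only decides name resolution. A DNS-based control is only as strong as the enforcement behind it: if the gateway does not also drop packets to addresses that were never obtained through an allowed lookup, a device can bypass the policy by connecting to a hard-coded IP or by using DNS over HTTPS to a third-party resolver, so the packet-level enforcement of whatever gateway is deployed should be verified as part of the isolation step.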