Emergency Incident Response

Welcome to the MANDIANT Incident Response (IR) Emergency web page. If you need immediate assistance for a possible incident please contact us at help@mandiant.com and/or at 1.877.962.6342.

Computer security incidents are complex, stressful, and not often part of your routine business operations. Therefore, you will want to consider the following activities to ensure you can start on the path to resolving the incident in an appropriate manner.

Initial Incident Response Activities

1. Assign one person to have overall responsibility to resolve the incident.
2. Enact your Incident Response plan if you have one.
3. Assemble the Incident Response team.
4. Define the objectives and goal of the response.
5. Develop a communication strategy for internal & external contacts.
6. Gather all technical tools to be used during the response.
7. Collect and review all the information that is currently at your disposal (See Initial Data Collection Below).
8. Match your response against any reporting/compliance requirements you may have.
9. Implement network and host-based countermeasures to assess the scope of the incident.
10. Involve legal counsel and/or law enforcement as deemed necessary.

Initial Data Collection

1. Obtain and/or develop a network topology
2. Collect and review relevant log files
   • DNS logs
   • DHCP logs
   • VPN concentrator logs
   • Web application firewall logs
   • Proxy logs
   • Intrusion detection/prevention system(s) logs
   • Firewall logs
   • Windows event logs
   • Netflow data from routers and switches
   • Anti-virus logs
   • Host-based intrusion prevention (HIPs) logs
3. Obtain live response data
4. Perform forensic preservation of the relevant systems (if needed)
5. Collect and analyze identified malware