
Incident Response Services

When a breach occurs, the first 72 hours determine everything.
Rapid containment, digital forensics and recovery, available on retainer or as an emergency engagement.

The Challenge

A security breach is a crisis that most organisations are unprepared for. Not because they have not thought about it — most have some form of incident response plan. But the reality of a breach at 3 AM on a Saturday is fundamentally different from the tabletop exercise conducted in a conference room on a Wednesday afternoon.

What actually happens when a breach occurs:

  • Panic leads to evidence destruction. Well-meaning IT staff reboot servers, reimage workstations, or restore from backup — destroying the forensic evidence needed to understand what happened, how far the attacker got, and whether they are still present. Once evidence is destroyed, it cannot be recovered.
  • Slow response amplifies damage. In a ransomware incident, every hour of delay allows encryption to spread to additional systems. In a data exfiltration incident, every hour means more data leaving the network. In a business email compromise, every hour means more fraudulent transactions. The cost of a breach scales directly with response time.
  • Communication failures compound the crisis. Who needs to be told? When? What can you say publicly? What are your legal obligations under POPIA (notification of the Information Regulator and affected data subjects as soon as reasonably possible after discovering a compromise involving personal information)? What do you tell customers? Employees? The board? Without a communication plan, organisations either say too much (creating legal liability), too little (losing stakeholder trust), or nothing at all (violating regulatory obligations).
  • Incomplete remediation leads to re-compromise. The attacker is removed from the visible systems, declared defeated, and everyone goes back to normal. But the attacker maintained persistence through a secondary backdoor, a scheduled task, or compromised credentials that were never rotated. Within weeks, they are back. This happens more often than anyone wants to admit.

Most organisations do not have the forensic capability, the containment playbooks, the legal coordination experience, or the crisis communication skills to handle a breach well. These are specialised competencies that require practice — and practice means exposure to real incidents, not annual tabletop exercises.

The Layer7 Approach

Layer7's incident response team provides end-to-end breach response — from initial containment through forensic investigation, remediation, recovery, and post-incident hardening. We are available on retainer (guaranteed response times) or emergency engagement (best-effort).

Rapid Containment

The first priority in any incident is stopping the bleeding. Our IR team deploys containment measures within hours of engagement:

  • Network isolation of compromised segments
  • Endpoint isolation via EDR (CrowdStrike, Defender, SentinelOne)
  • Account lockout and credential rotation for compromised identities
  • Blocking of known attacker infrastructure (C2 domains, IPs, URLs)
  • Preservation of volatile evidence (memory dumps, running processes, network connections) before containment actions alter the state of the system

Digital Forensics and Investigation

Once containment is established, we conduct a thorough investigation to answer the critical questions:

  • How did the attacker get in? Initial access vector — phishing, exploited vulnerability, compromised credentials, supply chain compromise, insider threat.
  • What did they do? Timeline of attacker activity — lateral movement, privilege escalation, data access, persistence mechanisms, staging and exfiltration.
  • What was impacted? Systems accessed, data exposed or exfiltrated, accounts compromised, changes made to infrastructure.
  • Are they still here? Identification of all persistence mechanisms — scheduled tasks, registry modifications, implanted backdoors, compromised service accounts, modified authentication configurations.
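The "are they still here?" question above is answered by hunting, not by trusting that the visible implant was the only one. The following is an added example, not Layer7's tooling, showing the kind of heuristic triage a responder applies to a scheduled-task inventory (the fields one gets from `schtasks /query /v /fo CSV` or an Autoruns export). The task records are constructed sample data, and the rules (encoded or hidden PowerShell, binaries launched from user-writable paths, system binary names outside the Windows directory) are a starting set to be extended from the investigation's own findings.

```python
import re

# Constructed sample inventory (not real data): each record is a scheduled task
# reduced to the fields the heuristics need.
SAMPLE_TASKS = [
    {"name": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "author": "Microsoft Corporation",
     "command": r"%windir%\system32\defrag.exe", "args": "-c -h -o -$"},
    {"name": r"\OneDriveUpdate",
     "author": r"DESKTOP-XYZ\jsmith",
     "command": "powershell.exe",
     "args": "-nop -w hidden -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"name": r"\Adobe Updater",
     "author": r"DESKTOP-XYZ\jsmith",
     "command": r"C:\Users\Public\Libraries\svchost.exe", "args": ""},
    {"name": r"\GoogleUpdateTaskMachine",
     "author": "SYSTEM",
     "command": r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe", "args": "/c"},
]

# (label, field the regex is applied to, regex). Case-insensitive throughout.
RULES = [
    ("encoded PowerShell command line", "args",
     re.compile(r"(?i)(^|\s)-e(nc|ncodedcommand)?\s")),
    ("PowerShell hidden window or execution-policy bypass", "args",
     re.compile(r"(?i)-w(indowstyle)?\s+hidden|-nop\b|-noprofile\b|-ep\s+bypass|executionpolicy\s+bypass")),
    ("binary in user-writable location", "command",
     re.compile(r"(?i)\\(users\\public|users\\[^\\]+\\(downloads|appdata\\local\\temp)|temp|windows\\temp)\\")),
]

SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}


def masquerades(command):
    """True when a Windows system binary name is launched from outside the Windows directory."""
    lowered = command.lower()
    name = lowered.rsplit("\\", 1)[-1]
    return name in SYSTEM_BINARY_NAMES and "\\windows\\" not in lowered and "%windir%" not in lowered


def hunt_persistence(tasks):
    """Return {task name: [reasons]} for every task that trips at least one rule."""
    findings = {}
    for task in tasks:
        reasons = [label for label, field, rx in RULES if rx.search(task[field])]
        if masquerades(task["command"]):
            reasons.append("system binary name outside Windows directory")
        if reasons:
            findings[task["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in hunt_persistence(SAMPLE_TASKS).items():
        print(name)
        for r in reasons:
            print("   -", r)
```

Run the same records through the hunt again after eradication: a task that was "cleaned" but reappears, or a new one created by the same author account, is the re-compromise signal the text warns about. The rules are deliberately narrow (no hits on the Defrag or Google Update tasks) so that analysts can widen them per environment instead of drowning in noise.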

Our forensic process follows chain-of-custody procedures that ensure evidence is admissible in legal proceedings — criminal prosecution, civil litigation, insurance claims, or regulatory investigation.

Malware Analysis

When malware is involved — ransomware, remote access trojans, information stealers, wipers — our team conducts analysis to understand the malware's capabilities, communication channels, and persistence methods. This analysis directly informs containment and remediation: you cannot eradicate what you do not understand.

Recovery and Hardening

We do not declare victory at containment. Recovery includes:

  • Verified eradication of all attacker persistence
  • Restoration of systems from trusted backups (after verifying backup integrity)
  • Credential rotation across affected accounts and service accounts
  • Hardening of security controls based on analysis of the attack path
  • Enhanced monitoring for re-compromise indicators

Post-Incident Review

Every incident is an opportunity to improve. Our post-incident review covers root cause analysis, assessment of response effectiveness, gaps identified during the incident, and specific recommendations to prevent recurrence. It is not a blame exercise; it is a structured improvement process that leaves your organisation more resilient.

What You Get

  • Emergency response — retainer and ad-hoc engagement models
  • Rapid containment and threat eradication
  • Digital forensics with chain-of-custody evidence handling
  • Malware analysis and reverse engineering
  • System recovery and integrity verification
  • Post-incident hardening recommendations
  • Detailed incident report with timeline and root cause
  • Post-incident review and lessons learned
  • Crisis communication support
  • Regulatory notification assistance (POPIA, SARB)

Retainer vs. Emergency Engagement

IR Retainer

  • Guaranteed response time (4 hours or less)
  • Pre-established access and documentation
  • Annual IR readiness assessment
  • Tabletop exercise included
  • Priority scheduling over ad-hoc engagements
  • Fixed annual retainer fee with pre-agreed rates

Emergency Engagement

  • Best-effort response time
  • Available when retainer clients are not consuming capacity
  • Higher hourly rates than retainer clients
  • Onboarding time required (access, documentation, context)
  • No pre-established baseline or readiness assessment

The retainer model is strongly recommended. Establishing access, documenting your environment, and conducting a readiness assessment before an incident occurs saves critical hours during an actual event. The cost of the retainer is a fraction of the cost of those lost hours during a breach.

Frequently Asked Questions

A retainer is recommended but not required. Retainer clients receive guaranteed SLAs, priority response, and pre-negotiated rates — critical advantages when every minute counts.

We execute immediate triage, containment strategy, evidence preservation, stakeholder notification, and begin initial forensic analysis — all within the first 60 minutes.

Yes — we support POPIA Information Regulator notification, affected party communication, and coordination with legal counsel throughout the regulatory process.

Retainer clients receive 24/7/365 availability with guaranteed response times. Emergency engagements are handled on a best-effort basis.

Be Prepared Before It Happens

Establish an IR retainer now. When the call comes at 3 AM, you will be glad you did.

Discuss IR Retainer Options