
Incident Response Services

When a breach occurs, the first 72 hours determine everything.
Rapid containment, digital forensics and recovery, available on retainer or as an emergency engagement.

The Challenge

A security breach is a crisis that most organisations are unprepared for. Not because they have not thought about it — most have some form of incident response plan. But the reality of a breach at 3 AM on a Saturday is fundamentally different from the tabletop exercise conducted in a conference room on a Wednesday afternoon.

What actually happens when a breach occurs:

  • Panic leads to evidence destruction. Well-meaning IT staff reboot servers, reimage workstations, or restore from backup — destroying the forensic evidence needed to understand what happened, how far the attacker got, and whether they are still present. Once evidence is destroyed, it cannot be recovered.
  • Slow response amplifies damage. In a ransomware incident, every hour of delay allows encryption to spread to additional systems. In a data exfiltration incident, every hour means more data leaving the network. In a business email compromise, every hour means more fraudulent transactions. The cost of a breach scales directly with response time.
  • Communication failures compound the crisis. Who needs to be told? When? What can you say publicly? What are your legal obligations under POPIA (72-hour notification to the Information Regulator for compromises involving personal information)? What do you tell customers? Employees? The board? Without a communication plan, organisations either say too much (creating legal liability), too little (losing stakeholder trust), or nothing at all (violating regulatory obligations).
  • Incomplete remediation leads to re-compromise. The attacker is removed from the visible systems, declared defeated, and everyone goes back to normal. But the attacker maintained persistence through a secondary backdoor, a scheduled task, or compromised credentials that were never rotated. Within weeks, they are back. This happens more often than anyone wants to admit.

Most organisations do not have the forensic capability, the containment playbooks, the legal coordination experience, or the crisis communication skills to handle a breach well. These are specialised competencies that require practice — and practice means exposure to real incidents, not annual tabletop exercises.

The Layer7 Approach

Layer7's incident response team provides end-to-end breach response — from initial containment through forensic investigation, remediation, recovery, and post-incident hardening. We are available on retainer (guaranteed response times) or emergency engagement (best-effort).

Rapid Containment

The first priority in any incident is stopping the bleeding. Our IR team deploys containment measures within hours of engagement:

  • Network isolation of compromised segments
  • Endpoint isolation via EDR (CrowdStrike, Defender, SentinelOne)
  • Account lockout and credential rotation for compromised identities
  • Blocking of known attacker infrastructure (C2 domains, IPs, URLs)
  • Preservation of volatile evidence (memory dumps, running processes, network connections) before containment actions alter system state

Digital Forensics and Investigation

Once containment is established, we conduct a thorough investigation to answer the critical questions:

  • How did the attacker get in? Initial access vector — phishing, exploited vulnerability, compromised credentials, supply chain compromise, insider threat.
  • What did they do? Timeline of attacker activity: lateral movement, privilege escalation, data access, persistence mechanisms, staging and exfiltration.
  • What was impacted? Systems accessed, data exposed or exfiltrated, accounts compromised, changes made to infrastructure.
  • Are they still here? Identification of all persistence mechanisms — scheduled tasks, registry modifications, implanted backdoors, compromised service accounts, modified authentication configurations.

Our forensic process follows chain-of-custody procedures that ensure evidence is admissible in legal proceedings — criminal prosecution, civil litigation, insurance claims, or regulatory investigation.
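As an added example (not code from the original page and not Layer7's own tooling), the following Python module shows what the evidence-preservation and chain-of-custody points above look like in practice: every artifact collected before containment is hashed, the collector and collection time are recorded, the manifest is sealed with a hash over its own entries, and a later verification reports anything modified, missing or added. The case id, collector address and the sample `ps`/`ss` captures are constructed placeholders.

```python
"""Chain-of-custody manifest for collected incident artifacts (added example).

Hypothetical helper, not Layer7's tooling: hashes every file in an evidence
directory, records who collected it and when, seals the manifest with a hash
over its own entries, and later verifies that nothing changed or went missing.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

MANIFEST_NAME = "manifest.json"


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large memory dumps do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _seal(entries: list) -> str:
    # Hash over the canonical JSON of the entries so that adding, removing or
    # editing an entry in the manifest itself is detectable later.
    canon = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def create_manifest(evidence_dir: str, case_id: str, collector: str) -> dict:
    """Hash every artifact under evidence_dir and write a sealed manifest beside them."""
    entries = []
    for root, _dirs, files in os.walk(evidence_dir):
        for name in sorted(files):
            if root == evidence_dir and name == MANIFEST_NAME:
                continue  # never hash a previous manifest as if it were evidence
            path = os.path.join(root, name)
            entries.append({
                "path": os.path.relpath(path, evidence_dir),
                "sha256": sha256_file(path),
                "size": os.path.getsize(path),
            })
    manifest = {
        "case_id": case_id,
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "entries": entries,
        "seal": _seal(entries),
    }
    with open(os.path.join(evidence_dir, MANIFEST_NAME), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_manifest(evidence_dir: str) -> list:
    """Return a list of custody problems; an empty list means the evidence set is intact."""
    with open(os.path.join(evidence_dir, MANIFEST_NAME)) as f:
        manifest = json.load(f)
    problems = []
    if _seal(manifest["entries"]) != manifest["seal"]:
        problems.append("manifest entries were modified after sealing")
    listed = set()
    for e in manifest["entries"]:
        listed.add(e["path"])
        path = os.path.join(evidence_dir, e["path"])
        if not os.path.exists(path):
            problems.append(f"missing: {e['path']}")
        elif sha256_file(path) != e["sha256"]:
            problems.append(f"modified: {e['path']}")
    # Files that appeared after collection are also a custody problem.
    for root, _dirs, files in os.walk(evidence_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), evidence_dir)
            if rel != MANIFEST_NAME and rel not in listed:
                problems.append(f"unlisted: {rel}")
    return problems


def demo() -> tuple:
    """Constructed sample run: collect two volatile captures, seal, verify,
    then simulate a post-collection edit and an extra file and verify again."""
    evidence_dir = tempfile.mkdtemp(prefix="ir-evidence-")
    samples = {  # constructed stand-ins for real ps/ss output
        "ps_aux.txt": "PID  USER  CMD\n1    root  /sbin/init\n",
        "ss_tanp.txt": "State  Local:Port  Peer:Port\nLISTEN 0.0.0.0:22 0.0.0.0:*\n",
    }
    for name, content in samples.items():
        with open(os.path.join(evidence_dir, name), "w") as f:
            f.write(content)
    create_manifest(evidence_dir, "CASE-EXAMPLE-001", "analyst@example.invalid")
    intact = verify_manifest(evidence_dir)
    with open(os.path.join(evidence_dir, "ps_aux.txt"), "a") as f:
        f.write("note added after collection\n")
    modified = verify_manifest(evidence_dir)
    with open(os.path.join(evidence_dir, "notes.txt"), "w") as f:
        f.write("late addition\n")
    with_extra = verify_manifest(evidence_dir)
    return intact, modified, with_extra
```

In a real engagement the manifest would be written to separate write-once media and countersigned by the collector and a witness; the point of the sealed entry list is that a later party can demonstrate the artifacts are the ones taken before containment changed the host, which is what makes them usable in the legal and regulatory proceedings the section mentions.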

Malware Analysis

When malware is involved — ransomware, remote access trojans, information stealers, wipers — our team conducts analysis to understand the malware's capabilities, communication channels, and persistence methods. This analysis directly informs containment and remediation: you cannot eradicate what you do not understand.

Recovery and Hardening

We do not declare victory at containment. Recovery includes:

  • Verified eradication of all attacker persistence
  • System recovery from known-good backups (after verification of backup integrity)
  • Credential rotation across affected accounts and service accounts
  • Hardening of security controls based on attack path analysis
  • Enhanced monitoring for re-compromise indicators

Post-Incident Review

Every incident is an opportunity to improve. Our post-incident review covers root cause analysis, evaluation of response effectiveness, gaps identified during the incident, and specific recommendations to prevent recurrence. This is not a blame exercise; it is a structured improvement process that makes your organisation more resilient.

What You Get

  • Emergency response: retainer and ad-hoc engagement models
  • Rapid containment and threat eradication
  • Digital forensics with chain-of-custody evidence handling
  • Malware analysis and reverse engineering
  • System recovery and integrity verification
  • Post-incident hardening recommendations
  • Detailed incident report with timeline and root cause
  • Post-incident review and lessons learned
  • Crisis communication support
  • Support with regulatory notifications (POPIA, SARB)

Retainer vs. Emergency Engagement

IR Retainer

  • Guaranteed response time (4 hours or less)
  • Pre-established access and documentation
  • Annual IR readiness assessment
  • Tabletop exercise included
  • Priority scheduling over ad-hoc engagements
  • Fixed annual retainer fee with pre-negotiated rates

Emergency Engagement

  • Best-effort response time
  • Available when retainer clients are not consuming capacity
  • Higher hourly rates than retainer clients
  • Onboarding time required (access, documentation, context)
  • No pre-established baseline or readiness assessment

The retainer model is strongly recommended. Establishing access, documenting your environment, and conducting a readiness assessment before an incident occurs saves critical hours during an actual event. The cost of the retainer is a fraction of the cost of those lost hours during a breach.

Frequently Asked Questions

A retainer is recommended but not required. Retainer clients receive guaranteed SLAs, priority response, and pre-negotiated rates — critical advantages when every minute counts.

We execute immediate triage, containment strategy, evidence preservation, stakeholder notification, and begin initial forensic analysis — all within the first 60 minutes.

Yes — we support POPIA Information Regulator notification, affected party communication, and coordination with legal counsel throughout the regulatory process.

Retainer clients receive 24/7/365 availability with guaranteed response times. Emergency engagements are handled on a best-effort basis.

Be Prepared Before It Happens

Set up an IR retainer now. When the call comes at 3 AM, you will be glad you did.

Discuss IR Retainer Options