This paper addresses the phases of the incident response process and some common pitfalls in their implementation. It also introduces the concept of a layered approach to cybersecurity and incident response, comprising Endpoint Detection, Malware Hunting, and Deep Memory Forensics, and describes the role each layer plays in every phase of the incident response process. Together, these three layers provide continuous protection against advanced threats by improving security monitoring, threat detection, and incident response capabilities.
An effective endpoint detection system records numerous endpoint and network events and stores this information in a centralized database. Malware hunting tools are then used to add deeper context and to establish how far the malware has proliferated. Finally, deep memory forensics provides keys to malware intent, including artifacts that can lead to further discovery on other endpoints and linkages to related malware tools attempting reconnaissance.
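As an added illustration of the cross-layer pivot described above (example code, not from the paper): artifacts recovered by deep memory forensics on one host are searched for in the centralized endpoint event store to find other hosts showing the same artifacts. The event and artifact record formats are assumptions, and the sample data is constructed.

```python
"""Pivot from memory-forensics artifacts to a centralized endpoint event store.

Assumed formats (not defined by the paper):
  - an endpoint event is a dict with "host", "type" and "value" keys
  - a memory artifact is a (type, value) tuple
"""
from collections import defaultdict

# Constructed sample of what the endpoint detection layer might record centrally.
ENDPOINT_EVENTS = [
    {"host": "ws-01", "type": "process_hash", "value": "HASH_A"},
    {"host": "ws-01", "type": "dns", "value": "c2.example.invalid"},
    {"host": "ws-07", "type": "dns", "value": "c2.example.invalid"},
    {"host": "ws-07", "type": "mutex", "value": "Global\\MUTEX_X"},
    {"host": "ws-12", "type": "process_hash", "value": "HASH_B"},
    {"host": "srv-03", "type": "mutex", "value": "Global\\MUTEX_X"},
    {"host": "srv-03", "type": "process_hash", "value": "HASH_A"},
]

# Constructed artifacts the memory forensics layer recovered from host ws-01.
MEMORY_ARTIFACTS = [
    ("mutex", "Global\\MUTEX_X"),
    ("dns", "c2.example.invalid"),
    ("process_hash", "HASH_A"),
]


def pivot(events, artifacts, origin_host):
    """Return {host: set of (type, value) artifacts seen} for hosts other than
    origin_host. Matching is on exact values only; fuzzy or rule-based matching
    (e.g. YARA) belongs to the malware hunting layer and is out of scope here."""
    wanted = set(artifacts)
    hits = defaultdict(set)
    for ev in events:
        key = (ev["type"], ev["value"])
        if key in wanted and ev["host"] != origin_host:
            hits[ev["host"]].add(key)
    return dict(hits)


def rank_hosts(hits):
    """Order hosts by number of distinct artifacts matched (most first), then by
    name, so responders triage the strongest proliferation candidates first."""
    return sorted(hits, key=lambda h: (-len(hits[h]), h))


if __name__ == "__main__":
    found = pivot(ENDPOINT_EVENTS, MEMORY_ARTIFACTS, "ws-01")
    for host in rank_hosts(found):
        print(host, sorted(found[host]))
```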