![](https://lemmy.world/pictrs/image/52321401-ef47-458e-9aad-72fc8b3aabb5.jpeg)
![](https://fry.gs/pictrs/image/c6832070-8625-4688-b9e5-5d519541e092.png)
Quite a lot, actually. This is really a summation and not comprehensive.
- Evaluate an environment after incident:
- Looking for IOCs, determine spread
- Determine backup status and restore if possible
- Return environment to healthy state (AD restore, replication, networking, etc.)
- Lockdown of security holes
- Advise on best practices going forward
- Decrypt environment if client pays ransom

etc., etc.
Depending on the complexity of the environment, this can take a lot of time and effort: much bigger than most internal teams are capable of doing. A client I had in Feb-Mar took a total of 3200 hours of work from 12 people on my team across 34 locations to unfuck the situation.
No.