Incident Response Services

Incident Response Services

Take a moment and imagine … You’re at the office and it’s a morning like any other, until you begin to experience acute pain in your arm and upper body.  You’re having a heart attack.  The pain is so intense that you collapse to the floor and the paramedics are called.  They arrive, load you onto a stretcher, and drive you to the hospital.   You’re just being wheeled into the emergency room when an attendant emerges and tells you: “We’re very sorry, the doctors are all busy today.  But don’t worry!  One of the nurses will get you fixed right up.”

Much like the field of medicine, or any other technical field, when it comes to planning for and responding to cybersecurity incidents there is no substitute for seasoned experts who have decades of hands-on experience diagnosing, mitigating, and repairing the problem.

NES Professional Services
Our highly experienced, highly discrete SANS-certified security engineers and white hats provide real-time, on-site support to ensure that your organization is prepared to manage a wide range of potential incidents, whether they be environmental, technical, or man-made in nature.

Our services – planning, documentation, training, and response – are based on the SANS 6-step ‘PICERL’ methodology, as shown below.


  • Documentation of organizational structure, assets (soft and hard), and data flows
  • Analysis of operational priorities, resources, and contingencies
  • Development and documentation of processes, roles, and responsibilities
    • Criteria for evaluating incidents
    • Selection of key people and tools to handle each type of incident
    • Detailed guidance for staff, IT department, and management
    • Development and training on communication procedures


  • Monitoring (Periodic or Continuous)
    • Review of net flow data
    • Analysis of alerts and log data from firewalls, IDS, OS, SIEM, etc.
  • Determine if an incident has occurred (at the network, host, or system level)
    • Detection of behavioral deviations
    • Detection of malicious acts or attempts to do harm
    • Application of expert judgment to weigh competing issues and risk factors
  • Impact Assessment
    • Assessment of the current damage to the network, devices, data bases, and the overall infrastructure
    • Notification of key internal and external stakeholders
    • Prioritization of next steps, including containment measures


  • Application of expert judgment to determine strategy and methods to contain the incident
  • Engagement of senior management and key persons regarding potential network or system shut-downs
  • Strategic application of containment procedures


  • Identify and mitigate exploited vulnerabilities
  • Determine how the exploit was conducted (into and across the environment)
  • Apply measures to prevent recurrence of the vulnerability


  • Restore compromised systems and/ or data bases
  • Monitor the restored operating environment
    • Verify adequate restoration
    • Verify eradication and identify any signs of evasion by the attacker(s)

Lessons Learned

  • Identify methods to improve future incident handling
  • Create final report for management
  • Implement further reporting and training (as needed) for:
    • Employees
    • IT Department and Admins
    • Compliance Personnel
    • Management Team