Introduction
This article introduces response actions and outlines the factors considered when deciding the appropriate response action for a given threat.
Overview
A response action is the action taken by Field Effect, and our analysts, to stop a discovered threat. Response actions are triggered on a case-by-case basis and will vary based on the response policy your organization has in place. Some example response actions include:
- Block access to a domain that is known to be malicious.
- Block or isolate a compromised host from the rest of the network.
- Disable or isolate a compromised system.
- Terminate or block a malicious process from running on a system.
Visit our knowledge base chapter on Active Response & Active Protection for more details on response policies and how to configure response policies in the Field Effect MDR Portal.
Factors that Determine the Response Action
Factor 1: Response Policy
Your organization’s response policy helps our analysts understand your organization’s tolerance for risk, and downtime, when addressing a threat.
To learn about Response Policies and how to set one, see Response Policies: Overview and Configuring an Active Response Policy.
Factor 2: Response Intent
- Prevent: these responses are typically automated and pre-positioned to stop malicious behavior. Examples include:
  - Block access to a malicious domain.
  - Stop behavior associated with ransomware on a device (requires the endpoint agent).
- Isolate: until “next steps” are determined, the activity should be suspended. Examples include:
  - Isolate a system or service from the network during an overnight incident, preventing further harm during regular business hours.
- Remediate: revert the asset back to a “known good” state. In the case of malware that was downloaded but not executed, remediation could mean deleting the malware. This will vary per incident and organization, but it almost always includes some form of manual intervention from a human.
Factor 3: Response Method
The nature and potential impact of a threat, along with the resource’s location (cloud/network), help us define the proper response method.
Using the example of a domain associated with ransomware, access should be blocked automatically. Alternatively, a gradual increase in anomalous traffic may warrant manual intervention instead of an automated response action.