In that case, doing just incident response would not have been enough, to be frank. They needed guidance on what to do and what not to do, technically speaking, so that on the one hand, they have hope to start things up, but also to preserve evidence.
Even the sequencing (recover and secure the network, then the AD, then some Tier-2 apps etc.) was something they were not ready for. I cannot blame them - the way these things are managed is really messy, with no clear responsibilities beyond the everyday operations.
My hope is that the continuous attacks on the national infrastructure (such as hospitals) will build a more coordinated and homogeneous approach. This would be a great lesson learned.