The first step is to understand the sophistication of the attack and the attack vectors that were used, so that the likelihood of data exfiltration can be assessed against the standard Tactics, Techniques and Procedures (TTPs) normally associated with that type of attack.
Where possible, the likely threat actors are identified to understand their motivation and the likely outcomes.
Where traffic data is available, it will be analysed in an attempt to see what data has been exfiltrated, in what quantities, and to where.
Our Cyber Threat Intelligence Team will analyse whatever evidence has been found to try to attribute the attack, and will also delve into the dark web looking for any artefacts relating to the attack.
Our investigators use every tool at their disposal. For instance, after one breach the attacker published an exposé in their own language; we had the document analysed by language experts, who identified the likely sex of the author and, through nuances in the dialect, a region from which they are likely to have originated.