When handling a cyber-security incident, the organization must respond quickly and effectively. The organization needs to establish an incident response plan that includes the involvement of incident response experts.
Whether your organization is small or large, it is costly to develop and maintain in-house expertise and skills for an incident response team. Here are the advantages of hiring our incident response team:
- Our incident responders identify the root cause of the incident and advise on how to contain it, eradicate the threat, and remediate the affected systems.
- Our incident responders bring experience from hundreds of incident scenarios, which shortens the time needed to diagnose what is happening.
- We follow a forensically sound approach, so all evidence is secured and documented under a legally defensible chain of custody and can be presented in court later if necessary.
An incident trigger is an event that indicates the presence of a cyber threat. When incident triggers are generated, the security team must be aware that a cyber-attack may be in progress. Here are several examples of incident triggers:
- Triggers from the endpoint protection system, such as attempts to reach a known C2 server, attempts to infect the system with malicious software, or repeated detections of the same malware on one host.
- Triggers from network devices, such as an unexpected rise in the volume of DNS or ICMP traffic, access to suspicious domains, or interaction with URLs categorized as suspicious.
- Triggers from correlated events, usually raised by the SIEM system (e.g., a malware detection followed by a connection to a C2 server followed by a port scan from the same host).
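The last two triggers above are the ones a SIEM has to compute rather than receive. The following is an added example, not code from this page or from any vendor product: a toy correlation engine that implements the "malware detection, then C2 connection, then port scan, all from one host within a short window" rule, plus a simple baseline check for the DNS volume spike mentioned above. The event format, field names, hosts, addresses and thresholds are all constructed for illustration.

```python
"""Toy SIEM-style correlation over constructed log events (added example)."""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events. In a real deployment these would be EDR, proxy/firewall
# and IDS events already normalized by the SIEM into a common schema.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:05", "host": "ws-017", "type": "malware_detected", "detail": "Trojan.Generic"},
    {"ts": "2024-03-01T09:01:40", "host": "ws-017", "type": "c2_connection", "detail": "203.0.113.7:443"},
    {"ts": "2024-03-01T09:04:12", "host": "ws-017", "type": "port_scan", "detail": "10.0.2.0/24 tcp/445"},
    # Same two event types on another host, but hours apart: must NOT fire the rule.
    {"ts": "2024-03-01T09:02:00", "host": "ws-042", "type": "malware_detected", "detail": "Adware.Bundler"},
    {"ts": "2024-03-01T11:30:00", "host": "ws-042", "type": "port_scan", "detail": "10.0.3.0/24 tcp/22"},
    # A lone C2 connection without the preceding malware detection: also no match.
    {"ts": "2024-03-01T09:05:00", "host": "srv-db-01", "type": "c2_connection", "detail": "198.51.100.9:8080"},
]

# The correlation rule: this ordered sequence of event types on one host within RULE_WINDOW.
RULE_SEQUENCE = ("malware_detected", "c2_connection", "port_scan")
RULE_WINDOW = timedelta(minutes=15)

# Constructed DNS query counts: per-host counts for the current interval and a
# baseline of counts from earlier "normal" intervals across the estate.
SAMPLE_DNS_COUNTS = {"ws-017": 4200, "ws-042": 131, "srv-db-01": 150}
BASELINE_DNS_COUNTS = [120, 135, 110, 128, 140, 125]


def parse_ts(s):
    return datetime.fromisoformat(s)


def correlate(events, sequence=RULE_SEQUENCE, window=RULE_WINDOW):
    """Return one alert per host whose events contain `sequence`, in order, within `window`.

    Events are grouped per host and sorted by time. The matcher advances through
    `sequence` as it meets each expected type; the window is measured from the
    first matched event. If the window expires before the chain completes, the
    partial match is discarded. A fresh occurrence of the first type restarts the
    chain; unrelated event types are ignored.
    """
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        matched = []
        for e in evs:
            if matched and parse_ts(e["ts"]) - parse_ts(matched[0]["ts"]) > window:
                matched = []  # window expired: drop the partial chain
            if e["type"] == sequence[len(matched)]:
                matched.append(e)
            elif e["type"] == sequence[0]:
                matched = [e]  # new potential starting point
            if len(matched) == len(sequence):
                alerts.append({
                    "host": host,
                    "first": matched[0]["ts"],
                    "last": matched[-1]["ts"],
                    "chain": [m["type"] for m in matched],
                })
                matched = []
    return alerts


def dns_volume_spikes(query_counts, baseline_counts, k=3.0):
    """Flag hosts whose DNS query count exceeds the baseline mean by more than k
    population standard deviations (a constructed, deliberately simple threshold)."""
    threshold = statistics.mean(baseline_counts) + k * statistics.pstdev(baseline_counts)
    return sorted(h for h, n in query_counts.items() if n > threshold)


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"ALERT {a['host']}: {' -> '.join(a['chain'])} ({a['first']} .. {a['last']})")
    print("DNS volume spikes:", dns_volume_spikes(SAMPLE_DNS_COUNTS, BASELINE_DNS_COUNTS))
```

Run as a script, it raises a single correlated alert for ws-017 and flags the same host for the DNS spike; ws-042 is correctly ignored because its two events fall outside the 15-minute window, and the database server's lone C2 connection remains an individual trigger rather than a correlated one. Real rules also need to decide what happens when the same host produces several overlapping chains, which this toy version sidesteps by resetting after each alert.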
The incident response process is made up of the following phases:
- Preparation: Writing a playbook describing how the internal incident response team responds to a security incident before an external incident response team is engaged.
- Identification: Defining the criteria that activate the incident response team (e.g., an unusual number of malware alerts raised by the SIEM).
- Containment: Responding immediately to the incident and stopping the threat from spreading and doing further damage.
- Eradication: Removing the threat from all affected systems (e.g., re-imaging every system involved in the incident and removing any remaining traces of the attacker's activity).
- Recovery: Determining how to bring all systems back into full production after verifying that they are clean and free of any malware that could lead to a new security incident.
- Lessons learned: Reviewing the incident documentation with the incident response team for training purposes, and updating the incident response plan based on feedback and any identified deficiencies.
We perform in-depth malware analysis on any potentially malicious files found on a suspicious system (e.g., a workstation or server). The analysis determines whether the file is indeed malware, what type it is, and what impact it might have on the organization's systems.
We examine suspicious network traffic and abnormal patterns using network forensic tools deployed across the entire organization. This allows our team to detect attacks such as insider threats leaking data, and malware that spreads laterally, communicates with C&C servers, or causes denial-of-service conditions.
We use structured investigation and analysis techniques to gather and preserve evidence from a particular computing device in a manner suitable for presentation in a court of law. The goal is to maintain a documented chain of evidence while establishing exactly what happened on the device and who was responsible for it.
Fill in your details and we will be in touch.