Incident response services

Our incident response services can equip you with the necessary skills to proactively take action or reactively respond in the event of a data breach.

We work with you to plan and implement policies and procedures, imparting the knowledge and skills needed to respond instantly to a data breach.

Planning proactively and reacting quickly are necessary to minimize business impact.


Proactive response

We plan and implement disaster and incident dry-runs to give you the assurance that your systems work. Implementing a robust incident response programme means you have the ability to quickly react to a security incident, limiting the amount of damage an incident may have.

Not every incident is going to be the same and therefore incident responders must have the ability to react to different situations.

We base our incident response programmes on SANS, NIST and ISO/IEC 27001 methodologies so that they are implemented consistently and effectively.

When implementing an incident response plan in an organization, our tailored approach ensures that:

  • Staff are trained on how to respond to a security incident in a methodical manner using a defined framework
  • Roles and responsibilities are allocated and defined
  • Incident scenarios are drilled and the response is effective
  • Legal, regulatory and contractual obligations for incident response and notifications are defined and documented

Reactive response

In addition to developing an Incident Response policy in an organization, we can also provide real-time first responder services to support you in the midst of an attack.

We provide dedicated incident response advisory services backed by a specialist team of IT security experts and information governance consultants. Having a predefined incident response relationship means our team of responders can act quickly, reducing the duration and impact of the breach.

Our methodology for incident response provides a systematic and structured approach to respond to a security incident. This ensures first and foremost that the breach is contained and business operations are returned to normal as soon as possible, while compliance obligations are maintained and impacts of the breach are fully understood.



  • Incident

    Incident response is a term used to describe the process by which an organization handles a data breach or cyberattack, including the way the organization attempts to manage the consequences of the attack or breach (the “incident”)


  • Prepare to


    Maturity Assessment (Scenario Based):

    BSI Cybersecurity and Information Resilience are members of CREST, a leading international body providing guidance and best practice in the field of information security. CREST has developed a maturity model to enable assessment of the status of an organisation’s cyber security incident response capability. The model has been supplemented by a spreadsheet-based maturity assessment tool which measures the maturity of a cyber security incident response capability on a scale of 1 (least effective) to 5 (most effective). The tool is powerful yet easy to use and consists of two spreadsheets, enabling assessments to be made at either a summary or detailed level.

    The assessment tool has been developed in conjunction with representatives from a broad range of organisations, including industry bodies, consumer organisations, the UK government and suppliers of expert technical security services. It delivers an assessment against a maturity model that is based on the 15 steps within the 3 phase Cyber Security Incident response process outlined below.

    [Figure: CREST 15 step cyber security incident response process]

    A detailed overview of the maturity assessment tool, the tool itself, and a part-completed example of the tool (for easy demonstration and understanding) are available for download.

    Threat Hunting:

    Threat hunting is the activity of performing proactive “hunts” through networks for indications of malicious activity and software.

    Modern computer networks are complicated: they combine diverse technologies, are often geographically spread, and frequently incorporate disparate third-party networks joined through acquisition.

    Whilst modern security technologies provide a defence against the more common threats, they will not identify every threat, which is why human analysis is needed.

    Threat Hunting goes beyond the traditional signature and rule-based detection and instead uses proactive and iterative data searching techniques to identify threats that evade traditional security solutions.

    We can perform threat hunting in various formats, depending on the network size and level of analysis required:

    • One-shot analysis for large environments, useful for high-level assessments, particularly as part of the due diligence process for networks to be integrated after an acquisition
    • Longer analysis, typically for a period of a week to a month, using centralized logging for data retention and client software installed on hosts to provide in-depth analysis
    • In-depth analysis using a combination of centralized logging and forensic memory analysis on key assets

    As part of the service we will:

    • Provide a highly skilled and experienced team
    • Provide clear alerts for identified threats
    • Provide a summary report with all identified threats with recommendations for the prevention of re-occurrences of the threat

    BSI’s threat hunting service has three elements: Host Triage, Threat Hunter and Memory Forensics.

    Note: Threat hunting is a service that is conducted at each stage of the incident response journey both before and after an incident and indeed as an ongoing implementation.

    Any of the elements can be used to perform a threat hunting exercise; which elements are used will depend on the organization's requirements, the time available and the funding within the organization.

    Host Triage

    Host Triage is a consultancy-based service designed as a platform for threat hunting. It allows an organization to perform a threat hunting exercise across an entire enterprise quickly, without needing an experienced internal team or software installed locally on the targeted hosts. The aim of the Host Triage service is to perform a snapshot-in-time analysis over a large estate, quickly. The analysis for a five thousand host organization could be performed within ten days.

    Threat Hunter

    The threat hunter system is designed to provide a longer assessment of an organization. The threat hunter client software is deployed across the targeted hosts, each host logs data such as process creation and new network connections to a central server. Once the system is operational, BSI consultants will perform analysis on the logged data to identify any threats or suspicious behaviour.

    The threat hunter system is typically deployed for a period of a week up to a month, however, it can provide a longer-term monitoring solution if required. The consultant led analysis can be performed on a daily, weekly, or monthly basis, depending on the deployment length and the number of hosts targeted in the engagement.
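    As an added illustration of the kind of analysis the Threat Hunter description above refers to (this is example code, not BSI's Threat Hunter software; the event schema, hostnames and all telemetry are constructed for the example), the following Python hunt runs over process-creation and new-connection records of the sort an endpoint client would ship to a central server. It stacks parent/child process pairs across the fleet to surface the rare ones, applies a behavioural check that needs no signature (a document handler starting a script interpreter), and then pivots into the connection log for the flagged processes:

```python
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class ProcEvent(NamedTuple):
    """One process-creation record as an endpoint client might log it (assumed schema)."""
    host: str
    parent: str   # image name of the parent process
    image: str    # image name of the created process
    cmdline: str


class NetEvent(NamedTuple):
    """One new outbound connection record (assumed schema)."""
    host: str
    image: str    # process that opened the connection
    dst: str
    dport: int


# Constructed telemetry for a six-host fleet; not real data. Addresses come from the
# RFC 5737 documentation ranges.
HOSTS = [f"ws-{i:02d}" for i in range(1, 7)]
PROC_EVENTS: List[ProcEvent] = (
    [ProcEvent(h, "services.exe", "svchost.exe", "svchost.exe -k netsvcs") for h in HOSTS]
    + [ProcEvent(h, "explorer.exe", "outlook.exe", "outlook.exe") for h in HOSTS]
    + [
        ProcEvent("ws-02", "explorer.exe", "cmd.exe", "cmd.exe"),   # ordinary helpdesk use
        ProcEvent("ws-05", "explorer.exe", "cmd.exe", "cmd.exe"),
        ProcEvent("ws-04", "outlook.exe", "winword.exe", "winword.exe /n invoice.docm"),
        ProcEvent("ws-04", "winword.exe", "powershell.exe",
                  "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    ]
)
NET_EVENTS: List[NetEvent] = (
    [NetEvent(h, "outlook.exe", "192.0.2.10", 443) for h in HOSTS]   # internal mail server
    + [NetEvent("ws-04", "powershell.exe", "203.0.113.5", 443)]
)

# Document handlers and script/shell interpreters commonly chained together by malicious documents.
DOCUMENT_HANDLERS = frozenset({"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"})
INTERPRETERS = frozenset({"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                          "mshta.exe", "rundll32.exe", "regsvr32.exe"})


def stack_parent_child(events: List[ProcEvent]) -> Dict[Tuple[str, str], Set[str]]:
    """Stacking step: the set of hosts on which each (parent, child) pair was observed."""
    stacks: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for e in events:
        stacks[(e.parent, e.image)].add(e.host)
    return stacks


def rare_parent_child(events, fleet_size, max_prevalence=0.2):
    """Pairs seen on at most max_prevalence of the fleet. Low prevalence is not proof of
    compromise, but it is where an analyst's time is best spent first."""
    limit = max(1, int(fleet_size * max_prevalence))
    return {pair: sorted(hosts)
            for pair, hosts in stack_parent_child(events).items() if len(hosts) <= limit}


def document_spawned_interpreters(events):
    """Behavioural check independent of prevalence: a document handler starting an interpreter."""
    return [e for e in events if e.parent in DOCUMENT_HANDLERS and e.image in INTERPRETERS]


def connections_for(flagged, net_events):
    """Pivot: outbound connections opened by a flagged process on the same host."""
    keys = {(e.host, e.image) for e in flagged}
    return [n for n in net_events if (n.host, n.image) in keys]


def hunt(proc_events, net_events, fleet_size):
    """Run the three steps and return findings as dicts, ready for an alert or a report."""
    findings = []
    for (parent, image), hosts in sorted(rare_parent_child(proc_events, fleet_size).items()):
        findings.append({"kind": "rare_parent_child", "parent": parent,
                         "image": image, "hosts": hosts})
    flagged = document_spawned_interpreters(proc_events)
    for e in flagged:
        findings.append({"kind": "document_spawn", "host": e.host, "parent": e.parent,
                         "image": e.image, "encoded_cmd": " -enc" in e.cmdline.lower()})
    for n in connections_for(flagged, net_events):
        findings.append({"kind": "beacon_candidate", "host": n.host,
                         "image": n.image, "dst": f"{n.dst}:{n.dport}"})
    return findings


if __name__ == "__main__":
    for finding in hunt(PROC_EVENTS, NET_EVENTS, len(HOSTS)):
        print(finding)
```

    The prevalence threshold is deliberately a fraction of the fleet rather than a fixed count, so the same hunt scales from a few dozen hosts to a few thousand; on the constructed data it leaves the two helpdesk cmd.exe launches alone and surfaces only the ws-04 chain, whose PowerShell process is then found opening a connection to an address no other host talks to.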

    Memory Forensics

    Memory forensics can provide an in-depth view of a host, the operating system state, and the running processes. Whilst the capture of a computer's memory is relatively quick, the analysis normally takes at least two days per host. Because of the time involved, it is important to identify the key assets of an organization; memory forensics can then be periodically performed on a small number of key hosts (2-5).

    Memory forensics can provide assurance that the hosts do not have any indicators of malicious software running or behaviour that is indicative of a compromise. To provide wider coverage of the network, the hosts involved in the analysis can be rotated.

    Cybersecurity Incident Readiness Planning (CIRP):

    Few organisations really understand their ‘state of readiness’ to respond to a cyber security incident, particularly a serious cyber security attack, and are typically not well prepared in terms of:

    • People (e.g. assigning an incident response team or individual; providing sufficient technical skills; enabling decisions to be taken quickly; and gaining access to critical third parties)

    • Process (knowing what to do, how to do it and when to do it, e.g. identify the cyber security incident; investigate the situation; take appropriate action such as containing the incident and eradicating the cause; and recover critical systems, data and connectivity)

    • Technology (knowing their data and network topology; determining where their Internet touch points are; and creating / storing appropriate event logs)

    • Information (e.g. recording sufficient details about when, where and how the incident occurred; defining their business priorities; and understanding interdependencies between business processes, supporting systems and external suppliers, such as providers of cloud solutions or managed security services).

    The BSI Incident Response service focuses on cyber-incidents ranging from non-targeted malware infections through to Advanced Persistent Threat (APT) attacks and network breaches.

    The CIRP service aims to review the customer's existing operating procedures and environment to ensure that in the event of an incident there is sufficient information and there are sufficient processes in place to contain the incident in a timely manner, minimizing impact, damage, cost and potential reputational harm.

    The CIRP service delivery is split into several phases. The initial phase involves meeting the key stakeholders to identify the assets that are likely to be affected or targeted in an incident, the threats that are relevant to the organization and the scenarios that would have the most severe impact.

    The second phase is a documentation review which should take between 5 and 10 days. An example of the documentation reviewed in this phase includes:

    • Existing incident response plans
    • Standard operating procedures (SOP)
    • Network architecture designs/configurations
    • Security infrastructure designs/configurations (IDS, Endpoint Detection and Response (EDR))
    • Team member CVs
    • Firewall rulesets

    The third phase will consist of interviews with individuals or groups which will provide a secondary source of information to fill any gaps from the documentation review. An example would be the identification of logging sources for key hosts.

    The final phase will be the production of a report highlighting gaps and recommendations to improve the organization's internal processes or environment. The final phase will also include the production of up to five run books that provide a detailed strategy for the detection and response methods for dealing with a specific threat.

    Data Discovery (PII)

    We combine our experience with the latest technologies to set up and run challenging local and multi-jurisdictional eDiscovery projects. We follow the Electronic Discovery Reference Model (EDRM) as a basis for any electronic discovery project.

    We help you to identify the right balance of in-house and externally-managed support across your eDiscovery process and advise you at every step. Whether you apply the Electronic Discovery Reference Model (EDRM) or an equivalent, we assist you to allocate internal and external personnel, incorporating your chosen process with a suitable technology solution.

    Information management

    Information management looks to establish a common and practical framework to effectively deal with the rising volume and diversity of information and the associated risks, costs and complications.

    A focused information management system helps ensure the success of an eDiscovery project, providing:

    • Fast implementation of eDiscovery protocols for collecting and preserving Electronically Stored Information (ESI)
    • Quick and reliable identification of potentially relevant data sources
    • Substantial cost savings by not having to process, review, and analyse irrelevant information

    We have the expertise to structure IT environments and design information management solutions, so we can assist you in establishing best practices for your information management cycles.

    Identification

    We conduct interviews with business, legal, and IT stakeholders. This allows us to identify what types of relevant documents exist, how and where this data is stored and how best to interrogate IT systems to extract these documents in a forensically sound manner. We help organizations find the best ways to plan and execute the successful identification of data.

    For more information read about our eDiscovery and Forensics competencies here


  • Respond to


    First Responder Triage

    The first people dealing with the incident are sometimes referred to as first responders, ideally working as part of a team. These first responders should be able to determine whether any specialist resources, including third parties, will be required.

    Many organisations do not have the right tools, systems or knowledge to conduct a suitable investigation. You need to identify quickly when the scope and severity is beyond in-house skills, before decisions are made that may adversely affect an investigation. It is critical for arrangements to have been made in advance so that expert investigators are available at short notice and have enough prior information to be able to hit the ground running.

    As well as cyber security incident response experts, other third parties that you may wish to involve include technology forensics specialists, technology analysts (for example, database experts), information analysts (for example, accountants), legal experts and on-site police support.

    Some organisations set up a “war room” during serious cyber security attacks. This is the crisis management team’s primary meeting and collaboration space, where all relevant parties (incident investigators, IT staff representatives, stakeholders and other leaders) assemble to manage the incident from one central point.

    BSI can provide first responder services to provide the initial support an organization requires during the early stages of an incident. BSI can assist with an on-going incident and recommend steps to contain and eradicate the attacker. BSI’s consultants can engage with a company to prioritize key systems, correlate logs and events and recommend immediate actions to lock out an intruder and regain control during an active attack.

    BSI can provide all the technical skills required from hard disk forensics, memory forensics, through to log analysis and network analysis. Collating this information, distilling the key facts, and taking decisive action to protect a company’s assets and systems is a vital skill possessed by BSI consultants to respond and react to an on-going threat.

    Forensic Collection & Preservation

    It is critical in the preliminary stages of an incident or event that all potentially relevant evidence is correctly captured and preserved in a forensically sound manner. BSI is equipped to acquire data, including data held in memory, from all manner of systems and devices, from traditional laptop and desktop computers and servers to mobile devices and cloud-based applications.

    Forensic Analysis

    BSI has extensive experience conducting forensic analysis activities to uncover the true cause of an incident, its scale, and its impact. BSI will analyze network traffic, log files, active memory, disk drives, mobile devices, cloud based systems and any other potentially relevant sources of evidence. BSI maintains numerous ISO 27001 certified laboratories equipped with the most up to date and sophisticated forensic technology. BSI consultants are highly qualified with extensive experience and follow strict procedures including those of the CREST CSIR Scheme.


    Threat Hunting (see in the prepare section): ongoing threat hunting from end-to-end.


  • Follow Up

    eDiscovery & Forensics:

    We use our eDiscovery experts and technology to fully support organizations in facilitating an efficient review of electronic evidence to meet the scope of a regulatory or court order request. We apply world-class project management techniques and leading technology to collect and analyze large volumes of data quickly and accurately. This enables you to make informed decisions for your specific requirements. For example, we can help identify the extent of Personally Identifiable Information exposed in a breach; facilitate a large-scale document review to help organizations respond to a regulatory request or a court order to produce electronic documents; or analyze the material and identify the best evidence for use in legal proceedings.


    Compliance:

    Across all industries, regulatory compliance requirements are becoming more demanding and complex. Legislation is evolving, bringing increased accountability for organizations that are already heavily regulated.

    Our consultants have the legal and technical knowledge to provide you with tailored solutions. We help you understand the scope of legislative requirements through regulatory obligation assessments and risk assessments.

    We establish the policies, procedures and lines of accountability necessary to meet your obligations, with the overall objective to minimize the associated costs and complexity involved.