Incident response services

Incident response is a term used to describe the process by which an organization handles a data breach or cyberattack, including the way the organization attempts to manage the consequences of the attack or breach (the “incident”)

Our incident response services can equip you with the necessary skills to proactively take action or reactively respond in the event of a data breach.

We work with you to plan and implement policies and procedures, imparting the knowledge and skills needed to respond instantly to a data breach.

Planning proactively and reacting quickly are necessary to minimize business impact.

Key sub-activities that occur in the prepare stage include:

  1. Maturity Assessment (Scenario Based)
  2. Threat hunting
  3. Cybersecurity Incident Readiness Planning (CIRP)
  4. Data Discovery (PII)

We plan and implement disaster and incident dry-runs to give you the assurance that your systems work. Implementing a robust incident response programme means you have the ability to quickly react to a security incident, limiting the amount of damage an incident may have.

Not every incident is going to be the same and therefore incident responders must have the ability to react to different situations. 

We leverage the SANS, NIST and ISO/IEC 27001 based methodologies to consistently and effectively implement information security incident response programmes.

When implementing an incident response plan in an organization, our tailored approach ensures that:

  • Staff are trained on how to respond to a security incident in a methodical manner using a defined framework
  • Roles and responsibilities are allocated and defined
  • Incident scenarios are drilled, and the response is effective
  • Legal, regulatory and contractual obligations for incident response and notifications are defined and documented

1. Maturity Assessment (Scenario Based)

We're members of CREST, a leading international body providing guidance and best practice in the field of information security. CREST has developed a maturity model to enable assessment of the status of an organization’s cybersecurity incident response capability. The model has been supplemented by a spreadsheet-based maturity assessment tool which helps to measure the maturity of a cybersecurity incident response capability on a scale of 1 (least effective) to 5 (most effective). The tool is powerful yet easy to use and consists of two different spreadsheets, enabling assessments to be made at either a summary or detailed level.

The assessment tool has been developed in conjunction with representatives from a broad range of organizations, including industry bodies, consumer organizations, the UK government and suppliers of expert technical security services.  It delivers an assessment against a maturity model that is based on the 15 steps within the 3-phase cybersecurity incident response process outlined below.

15 step response process CREST

 A detailed overview of the maturity assessment tool can be downloaded here

The tool itself can be downloaded as follows:

A part-completed example of the cybersecurity incident response maturity assessment tool, for easy demonstration and understanding, can be viewed here

2. Threat hunting

Threat hunting is the activity of performing proactive “hunts” through networks for indications of malicious activity and software.

Modern computer networks are complicated, with diverse technologies and commonly with a geographical spread, combined with the issue of acquisition and subsequent joining of disparate third-party networks.

Whilst modern security technologies provide a defence against the more common threats, they are not going to identify 100%, which is why there is a need for human intervention.

It goes beyond the traditional signature and rule-based detection and instead uses proactive and iterative data searching techniques to identify threats that evade traditional security solutions.

We can perform threat hunting in various formats, depending on the network size and level of analysis required:

  • Perform one shot analysis for large environments, useful for high level assessments, particularly as part of the due diligence process for networks to be integrated due to acquisition
  • Perform longer analysis, typically for a period from a week to a month. Uses centralized logging for data retention and client installed software to provide in depth analysis
  • Perform in-depth analysis using a combination of centralized logging and forensic memory analysis on key assets

As part of the service we will:

  • Provide a highly skilled and experienced team
  • Provide clear alerts for identified threats
  • Provide a summary report with all identified threats with recommendations for the prevention of re-occurrences of the threat

BSI’s threat hunting service has three elements; host triage, threat hunter and memory forensics.

Note: threat hunting is a service that is conducted at each stage of the incident response journey both before and after an incident and indeed as an ongoing implementation.

Any of the elements can be used to perform a threat hunting exercise and the elements used will depend on the organizations requirements, time available and funding within the organization.

Host triage

Host triage is a consultancy-based service designed as a platform for threat hunting. host triage allows an organization to perform a threat hunting exercise across an entire enterprise quickly without the need of an experienced internal team nor the requirement to have software installed locally on the targeted host. The aim of the host triage service is to perform snap shot in time analysis, over a large estate, quickly. The analysis for a five thousand host organization could be performed within ten days.

Threat hunter

The threat hunter system is designed to provide a longer assessment of an organization. The threat hunter client software is deployed across the targeted hosts, each host logs data such as process creation and new network connections to a central server. Once the system is operational, our consultants will perform analysis on the logged data to identify any threats or suspicious behaviour.

The threat hunter system is typically deployed for a period of a week up to a month, however, it can provide a longer-term monitoring solution if required. The consultant led analysis can be performed on a daily, weekly, or monthly basis, depending on the deployment length and the number of hosts targeted in the engagement.

Memory forensics

Memory forensics can provide an in-depth view of a host, the operating system state, and the running processes. Whilst the capture of a computer's memory is relatively quick, the analysis normally takes at least two days of analysis per host. Due to the time involved with the analysis, it is important to identify the key assets of an organization, memory forensics can then be periodically performed on a small number of key hosts (2-5).

Memory forensics can provide assurance that the hosts do not have any indicators of malicious software running or behaviour that is indicative of a compromise. To provide wider coverage of the network, the hosts involved in the analysis can be rotated.

3. Cybersecurity incident readiness planning (CIRP)

Few organizations really understand their ‘state of readiness’ to respond to a cybersecurity incident, particularly a serious cybersecurity attack, and are typically not well prepared in terms of:

  • People (e.g. assigning an incident response team or individual; providing sufficient technical skills; enabling decisions to be taken quickly; and gaining access to critical third parties)
  • Process (knowing what to do, how to do it and when to do it), e.g. identify cybersecurity incident; investigate situation; take appropriate action (e.g. contain incident and eradicate cause); and recover critical systems, data and connectivity
  • Technology (knowing their data and network topology; determining where their Internet touch points are; and creating / storing appropriate event logs)
  • Information (e.g. recording sufficient details about when, where and how the incident occurred; defining their business priorities; and understanding interdependencies between business processes, supporting systems and external suppliers, such as providers of cloud solutions or managed security services).

Our incident response service focuses on cyber-incidents ranging from non-targeted malware infections through to Advanced Persistent Targeted (APT) attacks and network breaches.

The CIRP service aims to review the customer's’ existing operating procedures and environment to ensure that in the event of an incident there is sufficient information and processes in place to contain the incident in a timely manner, minimizing the impact, damage, cost and reduce any potential reputational damage.

The FRP service delivery is split into several phases. The initial phase involves meeting the key stakeholders to identify assets that are likely to be affected or targeted because of an incident, the threats that are relevant to the organization and the scenarios that would have the most severe impact.

The second phase is a documentation review which should take between 5 and 10 days. An example of the documentation reviewed in this phase includes:

  • Existing incident response plans
  • Standard operating procedures (SOP)
  • Network architecture designs/configurations
  • Security infrastructure designs/configurations (IDS, Endpoint Detection, and Response (EDR))
  • Team member CV’s
  • Firewall rulesets

The third phase will consist of interviews with individuals or groups which will provide a secondary source of information to fill any gaps from the documentation review. An example would be the identification of logging sources for key hosts.

The final phase will be the production of a report highlighting gaps and recommendations to improve the organizations internal processes or environment. The final phase will also include the production of up to five run books that provide a detailed strategy for the detection and response methods for dealing with a specific threat.

4. Data discovery (PII)

We combine our experience with the latest technologies to set up and run challenging local and multi-jurisdictional eDiscovery projects. We follow the Electronic Discovery Reference Model (EDRM) as a basis for any electronic discovery project.

We help you to identify the right balance of in-house and externally-managed support across your eDiscovery process and advise you at every step. Whether you apply the Electronic Discovery Reference Model (EDRM) or an equivalent, we assist you to allocate internal and external personnel, incorporating your chosen process with a suitable technology solution.

Information management

Information management looks to establish a common and practical framework to effectively deal with the rising volume and diversity of information and the associated risks, costs, and complications.

A focused information management system helps ensure the success of an eDiscovery project, providing:

  • Fast implementation of eDiscovery protocols for collecting and preserving Electronically Stored Information (ESI)
  • Quick and reliable identification of potentially relevant data sources
  • Substantial cost savings by not having to process, review, and analyse irrelevant information

We have the expertise to structure IT environments and design information management solutions. So, we can assist you establish best practices for your information management cycles.

Identification

We conduct interviews with business, legal, and IT stakeholders. This allows us to identify what types of relevant documents exist, how and where this data is stored and how best to interrogate IT systems to extract these documents in a forensically sound manner. We help organizations find the best ways to plan and execute the successful identification of data.

For more information read about our eDiscovery and Forensics competencies here

Key sub-activities that occur in the respond stage include:

  1. First responder triage
  2. Forensic collection and preservation
  3. Forensic analysis

In addition to developing an incident response policy in an organization, we can also provide real-time first responder services to support you during an attack.

We provide dedicated incident response advisory services backed by a specialist team of IT security experts and information governance consultants. Having a predefined incident response relationship means our team of responders can act quickly, reducing the duration and impact of the breach.

Our methodology for incident response provides a systematic and structured approach to respond to a security incident. This ensures first and foremost that the breach is contained, and business operations are returned to normal as soon as possible, while compliance obligations are maintained and impacts of the breach are fully understood. 

1. First responder triage

The first people dealing with the incident are sometimes referred to as first responders, ideally as part of a team. These first responders should be able to determine whether any specialist resources – including third parties - will be required.

Many organizations do not have the right tools, systems, or knowledge to conduct a suitable investigation. You need to identify quickly when the scope and severity is beyond in-house skills, before decisions are made that may adversely affect an investigation. It is critical for arrangements to have been made in advance so that expert investigators are available at short notice and have enough prior information to be able to hit the ground running.

As well as expert cybersecurity incident response experts, other third parties that you may wish to get involved can include technology forensics specialists, technology analysts (for example, database experts), information analysts (for example, accountants), legal experts and on-site police support.

Some organizations set up a “war room” during serious cybersecurity attacks. This is the crisis management team’s primary meeting and collaboration space, where all relevant parties (incident investigators, IT staff representatives, stakeholders, and other leaders) assemble to manage the incident from one central point.

We can provide first responder services to provide the initial support an organization requires during the early stages of an incident. We also can assist with an on-going incident and recommend steps to contain and eradicate the attacker. Our consultants can engage with a company to prioritize key systems, correlate logs and events and recommend immediate actions to lock out an intruder and regain control during an active attack.

We can provide all the technical skills required from hard disk forensics, memory forensics, through to log analysis and network analysis. Collating this information, distilling the key facts, and taking decisive action to protect a company’s assets and systems is a vital skill possessed by our consultants to respond and react to an on-going threat.

2. Forensic collection and preservation

It is critical in the preliminary stages of an incident or event that all potentially relevant evidence is correctly captured and preserved in a forensically sound manner. We’re equipped to acquire data, including data running in memory, from all manner of systems and devices, from traditional laptop and desktop computers, servers, mobile devices, and cloud-based applications.

3. Forensic analysis

We’ve an extensive experience conducting forensic analysis activities to uncover the true cause of an incident, its scale, and its impact. Our will analyse network traffic, log files, active memory, disk drives, mobile devices, cloud based systems and any other potentially relevant sources of evidence. We maintains numerous ISO 27001 certified laboratories equipped with the most up to date and sophisticated forensic technology. Our consultants are highly qualified with extensive experience and follow strict procedures including those of the CREST CSIR Scheme.

For more information read about our eDiscovery and Forensics competencies here

Threat Hunting (see in the prepare section): ongoing threat hunting from end-to-end.

Note: Threat hunting is a service that is conducted at each stage of the incident response journey both before and after an incident and indeed as an ongoing implementation.

 

 

Key sub-activities that occur in the respond stage include:

  1. eDiscovery and forensics
  2. Compliance

1. eDiscovery and forensics

We use our eDiscovery experts and technology to fully support organizations in facilitating an efficient review of electronic evidence to meet the scope of a regulatory or court order request. We apply world class project management techniques and leading technology to collect and analyse large volumes of data quickly and accurately. This enables you to make informed decisions for your specific requirements. For example, we can help identify the extent of Personably Identifiable Information (PII) exposed in a breach; facilitate a large-scale document review to help organizations respond to a regulatory request or a court order to produce electronic documents; or analyse and identify the best evidence for use as evidence in legal proceedings.

For more information read about our eDiscovery and forensics competencies here

2. Compliance

Across all industries, regulatory compliance requirements are becoming more demanding and complex. Legislation is evolving, bringing increased accountability for organizations who are already heavily regulated. 

Our consultants have the legal and technical knowledge to provide you with tailored solutions. We help you view  the scope of legislative requirements through regulatory obligation assessments and risk assessments.

We establish the policies, procedures and lines of accountability necessary to meet your obligations, with the overall objective to minimize the associated costs and complexity involved.