Key sub-activities that occur in the prepare stage include:
- Maturity Assessment (Scenario Based)
- Threat hunting
- Cybersecurity Incident Readiness Planning (CIRP)
- Data Discovery (PII)
We plan and implement disaster and incident dry-runs to give you assurance that your systems and processes work. A robust incident response programme means you can react quickly to a security incident, limiting the damage it can cause.
Not every incident is the same, so incident responders must be able to react to different situations.
We leverage SANS-, NIST- and ISO/IEC 27001-based methodologies to consistently and effectively implement information security incident response programmes.
When implementing an incident response plan in an organization, our tailored approach ensures that:
- Staff are trained on how to respond to a security incident in a methodical manner using a defined framework
- Roles and responsibilities are allocated and defined
- Incident scenarios are drilled, and the response is effective
- Legal, regulatory and contractual obligations for incident response and notifications are defined and documented
1. Maturity Assessment (Scenario Based)
We're members of CREST, a leading international body providing guidance and best practice in the field of information security. CREST has developed a maturity model to enable assessment of the status of an organization’s cybersecurity incident response capability. The model has been supplemented by a spreadsheet-based maturity assessment tool which helps to measure the maturity of a cybersecurity incident response capability on a scale of 1 (least effective) to 5 (most effective). The tool is powerful yet easy to use and consists of two different spreadsheets, enabling assessments to be made at either a summary or detailed level.
The assessment tool has been developed in conjunction with representatives from a broad range of organizations, including industry bodies, consumer organizations, the UK government and suppliers of expert technical security services. It delivers an assessment against a maturity model that is based on the 15 steps within the 3-phase cybersecurity incident response process outlined below.
A detailed overview of the maturity assessment tool is available for download.
The tool itself is also available for download.
A part-completed example of the cybersecurity incident response maturity assessment tool, for easy demonstration and understanding, is also available.
2. Threat hunting
Threat hunting is the proactive search through networks and hosts for indications of malicious activity and malicious software.
Modern networks are complex: they span diverse technologies and, commonly, multiple geographic sites, and acquisitions bring with them the problem of joining disparate third-party networks.
Modern security technologies defend against the more common threats, but they will not identify every threat, which is why human-led analysis is still needed.
Threat hunting goes beyond traditional signature- and rule-based detection; it uses proactive, iterative searches of collected data to identify threats that evade those controls.
We can perform threat hunting in various formats, depending on the network size and level of analysis required:
- One-shot analysis for large environments, useful for high-level assessments, particularly as part of due diligence on networks to be integrated after an acquisition
- Longer analysis, typically from a week to a month, using centralized logging for data retention and client software installed on hosts to provide in-depth analysis
- In-depth analysis using a combination of centralized logging and forensic memory analysis of key assets
As part of the service we will:
- Provide a highly skilled and experienced team
- Provide clear alerts for identified threats
- Provide a summary report with all identified threats with recommendations for the prevention of re-occurrences of the threat
BSI’s threat hunting service has three elements: host triage, threat hunter and memory forensics.
Note: threat hunting is a service that is conducted at each stage of the incident response journey both before and after an incident and indeed as an ongoing implementation.
Any of the elements can be used for a threat hunting exercise; which are used depends on the organization's requirements, the time available and the funding within the organization.
Host triage is a consultancy-based service designed as a platform for threat hunting. Host triage allows an organization to perform a threat hunting exercise across an entire enterprise quickly, without needing an experienced internal team or software installed locally on the targeted hosts. The aim of the host triage service is a snapshot-in-time analysis, performed quickly over a large estate; the analysis for a five-thousand-host organization could be completed within ten days.
The threat hunter system is designed to provide a longer assessment of an organization. The threat hunter client software is deployed across the targeted hosts, each host logs data such as process creation and new network connections to a central server. Once the system is operational, our consultants will perform analysis on the logged data to identify any threats or suspicious behaviour.
The threat hunter system is typically deployed for a period of a week up to a month, however, it can provide a longer-term monitoring solution if required. The consultant led analysis can be performed on a daily, weekly, or monthly basis, depending on the deployment length and the number of hosts targeted in the engagement.
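As an added illustration (this is not code from BSI's threat hunter system, whose data format is not described on this page), the following Python runs a "stacking" hunt over constructed process-creation telemetry of the kind such an agent would ship to a central server: it counts on how many hosts each parent/child process pair appears, surfaces pairs seen on only one host, and raises the ones where an Office application spawns a script host. The field names, the sample rows and the Office/shell lists are assumptions made for the example.

```python
"""Stacking (least-frequency-of-occurrence) hunt over process-creation events."""
from collections import defaultdict
import csv
import io

# Constructed sample telemetry (not real customer data). One row per process
# creation, in the shape an endpoint agent might ship to a central server:
# host, parent image, child image, command line. Field names are assumed.
SAMPLE_EVENTS = """host,parent,child,cmdline
ws01,explorer.exe,outlook.exe,outlook.exe
ws01,services.exe,svchost.exe,svchost.exe -k netsvcs
ws01,explorer.exe,chrome.exe,chrome.exe
ws02,explorer.exe,outlook.exe,outlook.exe
ws02,services.exe,svchost.exe,svchost.exe -k netsvcs
ws02,explorer.exe,notepad.exe,notepad.exe todo.txt
ws03,explorer.exe,outlook.exe,outlook.exe
ws03,services.exe,svchost.exe,svchost.exe -k netsvcs
ws03,outlook.exe,winword.exe,winword.exe /n invoice.docm
ws03,winword.exe,powershell.exe,powershell.exe -nop -w hidden -enc SQBFAFgA
ws04,explorer.exe,outlook.exe,outlook.exe
ws04,services.exe,svchost.exe,svchost.exe -k netsvcs
ws04,explorer.exe,chrome.exe,chrome.exe
ws05,explorer.exe,outlook.exe,outlook.exe
ws05,services.exe,svchost.exe,svchost.exe -k netsvcs
ws05,explorer.exe,chrome.exe,chrome.exe
"""

# Heuristic lists (assumption, not from the page): parents that should rarely
# spawn a shell or script host, and the script hosts to look for.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_events(text):
    """Parse the CSV telemetry into dicts with lower-cased image names."""
    rows = []
    for row in csv.DictReader(io.StringIO(text.strip())):
        row["parent"] = row["parent"].lower()
        row["child"] = row["child"].lower()
        rows.append(row)
    return rows


def stack_pairs(events):
    """Map each (parent, child) pair to the set of hosts it was seen on."""
    hosts_by_pair = defaultdict(set)
    for ev in events:
        hosts_by_pair[(ev["parent"], ev["child"])].add(ev["host"])
    return hosts_by_pair


def rare_pairs(events, max_hosts=1):
    """Pairs seen on at most max_hosts hosts, least common first.

    Rarity is a lead, not a verdict: a one-off notepad.exe launch is as
    rare as a one-off Office-spawned shell and still needs analyst triage.
    """
    stacked = stack_pairs(events)
    rare = [(pair, sorted(hosts)) for pair, hosts in stacked.items()
            if len(hosts) <= max_hosts]
    return sorted(rare, key=lambda item: (len(item[1]), item[0]))


def hunt(events):
    """Rank rare pairs: Office parent spawning a script host is 'high',
    every other rare pair is 'review' for an analyst."""
    total_hosts = len({ev["host"] for ev in events})
    findings = []
    for (parent, child), hosts in rare_pairs(events):
        suspicious = parent in OFFICE_PARENTS and child in SHELLS
        sample = next(ev["cmdline"] for ev in events
                      if ev["parent"] == parent and ev["child"] == child)
        findings.append({
            "parent": parent,
            "child": child,
            "hosts": hosts,
            "prevalence": f"{len(hosts)}/{total_hosts} hosts",
            "severity": "high" if suspicious else "review",
            "cmdline": sample,
        })
    # 'high' findings first; the sort is stable so rarity order is kept within a tier.
    return sorted(findings, key=lambda f: f["severity"] != "high")


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['severity']}] {f['parent']} -> {f['child']} on "
              f"{f['hosts']} ({f['prevalence']}): {f['cmdline']}")
```

On the sample data the hunt raises the winword.exe to powershell.exe launch on ws03 as high and lists the one-off outlook.exe to winword.exe and explorer.exe to notepad.exe pairs for review, which is the kind of triage a consultant performs over the logged data. The same stacking applies unchanged to new-network-connection events by keying on (process, destination) instead of (parent, child).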
Memory forensics provides an in-depth view of a host: the operating system state and the running processes. Whilst capturing a computer's memory is relatively quick, the analysis normally takes at least two days per host. Because of the time involved, it is important to identify the organization's key assets; memory forensics can then be performed periodically on a small number of key hosts (2-5).
Memory forensics can provide assurance that the hosts do not have any indicators of malicious software running or behaviour that is indicative of a compromise. To provide wider coverage of the network, the hosts involved in the analysis can be rotated.
3. Cybersecurity incident readiness planning (CIRP)
Few organizations really understand their ‘state of readiness’ to respond to a cybersecurity incident, particularly a serious cybersecurity attack, and are typically not well prepared in terms of:
- People (e.g. assigning an incident response team or individual; providing sufficient technical skills; enabling decisions to be taken quickly; and gaining access to critical third parties)
- Process (knowing what to do, how to do it and when to do it), e.g. identify cybersecurity incident; investigate situation; take appropriate action (e.g. contain incident and eradicate cause); and recover critical systems, data and connectivity
- Technology (knowing their data and network topology; determining where their Internet touch points are; and creating / storing appropriate event logs)
- Information (e.g. recording sufficient details about when, where and how the incident occurred; defining their business priorities; and understanding interdependencies between business processes, supporting systems and external suppliers, such as providers of cloud solutions or managed security services).
Our incident response service covers cyber-incidents ranging from non-targeted malware infections through to Advanced Persistent Threat (APT) attacks and network breaches.
The CIRP service reviews the customer's existing operating procedures and environment to ensure that, in the event of an incident, sufficient information and processes are in place to contain it in a timely manner, minimizing the impact, damage and cost and reducing any potential reputational damage.
The CIRP service delivery is split into several phases. The initial phase involves meeting the key stakeholders to identify the assets likely to be affected or targeted in an incident, the threats relevant to the organization, and the scenarios that would have the most severe impact.
The second phase is a documentation review which should take between 5 and 10 days. An example of the documentation reviewed in this phase includes:
- Existing incident response plans
- Standard operating procedures (SOP)
- Network architecture designs/configurations
- Security infrastructure designs/configurations (IDS, Endpoint Detection and Response (EDR))
- Team member CVs
- Firewall rulesets
The third phase will consist of interviews with individuals or groups which will provide a secondary source of information to fill any gaps from the documentation review. An example would be the identification of logging sources for key hosts.
The final phase is the production of a report highlighting gaps and recommendations to improve the organization's internal processes or environment. It also includes the production of up to five run books, each providing a detailed strategy for detecting and responding to a specific threat.
4. Data discovery (PII)
We combine our experience with the latest technologies to set up and run challenging local and multi-jurisdictional eDiscovery projects. We follow the Electronic Discovery Reference Model (EDRM) as a basis for any electronic discovery project.
We help you to identify the right balance of in-house and externally-managed support across your eDiscovery process and advise you at every step. Whether you apply the EDRM or an equivalent, we assist you in allocating internal and external personnel and in combining your chosen process with a suitable technology solution.
Information management looks to establish a common and practical framework to effectively deal with the rising volume and diversity of information and the associated risks, costs, and complications.
A focused information management system helps ensure the success of an eDiscovery project, providing:
- Fast implementation of eDiscovery protocols for collecting and preserving Electronically Stored Information (ESI)
- Quick and reliable identification of potentially relevant data sources
- Substantial cost savings by not having to process, review, and analyse irrelevant information
We have the expertise to structure IT environments and design information management solutions, so we can assist you in establishing best practices for your information management cycles.
We conduct interviews with business, legal, and IT stakeholders. This allows us to identify what types of relevant documents exist, how and where this data is stored and how best to interrogate IT systems to extract these documents in a forensically sound manner. We help organizations find the best ways to plan and execute the successful identification of data.
For more information read about our eDiscovery and Forensics competencies here