Cyber Security Incident Response


7Safe is a CREST registered Cyber Security Incident Response provider

Need Expert Advice?

Have you had a cyber breach? Act fast and speak to the 7Safe experts. Or are you looking to put preventative measures in place? Call us in confidence on +44 (0)1763 285 510 or contact us via the below.


CSIR Phase 2 - Respond


This phase of our model comprises the stages below:

Step 1: Identify cyber security incident

7Safe’s comprehensive approach to incident response encompasses the following:

  • Situational awareness (cyber intelligence)
  • Monitoring security events on your system
  • Evaluating threat analytics (based on a model of the behaviour of attacks)
  • Performing forensic analysis of host assets, network data and malware
  • Prioritising which assets should be investigated
  • Addressing unusual problems – e.g. bespoke file types or encryption. 

7Safe consultants will rapidly identify if a cyber incident has taken place and if so, what the cyber security incident type is. This will then determine an appropriate response and subsequent actions.

Cyber security incident types include the following:

  • Distributed Denial of Service (DDoS)
  • Ransomware
  • Hacking/Un-authorised access
  • Data loss
  • Malware
  • Phishing/Whaling 

Cyber security incidents usually begin with one or more of the following indicators:

  • Alerts from technical monitoring systems such as anti-virus software, intrusion detection systems (IDS), data loss prevention (DLP), security information and event management (SIEM) systems, log analysers, etc.
  • Reports of suspicious events made by users to the IT help desk, reports from third parties, or reports made directly to the security team by the police, industry bodies, your vendor partners or the government.
  • Anomalies detected by audits, investigations or reviews. Note: this includes financial audits that show withdrawals traceable to fraudulent activity.

 Source - Ponemon Institute


As a result of our comprehensive assessment, you may find that the malware has spread widely within your network or to third party systems, compromising security beyond the point where the infection was initially detected. Our responders are used to monitoring the complete evidence trail for signs of unusual occurrences and assessing one or more trigger points.

Analysing all the available information will often provide a different insight into what has actually caused the alert. Responders can then determine whether there has been a DDoS and/or malware attack, system hack, session hijack, and/or data corruption, basing their conclusions on the facts. Relying instead on the reports produced by your security monitoring software can be misleading, especially without expert help to interpret the results.

In this way, we aim to definitively confirm that you have been subjected to a cyber-attack or cyber-related data breach, removing any doubt about the possible causes. 


Do you need to respond to a cyber breach?

7Safe’s CSIR team will aim to conduct their first response within a few hours of their engagement. Speak to the experts before reacting to ensure minimum damage is caused. Click on the button below to send your incident response enquiry to one of our dedicated team, or call us now on +44 (0)1763 285 510.



Step 2: Define objectives and investigate the situation

Objectives and scope will be formulated based on identification factors and information gathered to date. These will be directed by client requirements in-line with business continuity and concerns.

Investigation is an ongoing effort from initial identification through to containment and eradication. At this stage the main focus of investigation is returning systems to normal operation rather than in-depth analysis, and the incident is triaged by:

  • Classifying
  • Prioritising
  • Assigning

7Safe will use cyber threat intelligence to understand clearly the tactics, techniques and procedures (TTPs) of the attacker(s), both to assist with the definition of objectives and scope and to remediate more effectively.

Any changes to scope or objectives will be clearly discussed and agreed with the client with written authorisation where additional work is needed above or beyond the initial scope. These changes will be communicated in a timely fashion with the incident team where required.

CSIR consultants will conduct such CSIR services as detailed in Stage 3.2 and 3.3 of the 7Safe CSIR Framework.

Once the incident response team is sure that they have identified a cyber security incident, they will determine the objectives for the response activities that will follow.

7Safe’s approach is to ask the following key questions to build up a better picture of the attacker and their modus operandi, and to evaluate the likely threat vectors: the paths or tools that a threat actor (attacker) uses to attack the target (which may be an entire corporate IT system, a user device like a PC or iPad, your online bank account, or you yourself if they are stealing your identity).

  • Who has attacked us?
  • What are the scope and the extent of the attack?
  • When did the attack occur?
  • What did the attackers take from us?
  • Why did they do it?

It is not always immediately obvious what information has been disclosed to unauthorised parties, stolen, deleted or corrupted. At this point the incident responder’s role becomes that of a forensic investigator, finding out who did it (i.e. which threat agent or agents) and why (e.g. financial gain, hacktivism, espionage, revenge, challenge, or just for fun). They also have the task of identifying which systems, networks and information assets have been compromised, and quantifying the damage.

Working out how the hacker gained entry to the system will help you to prevent it happening again and may form part of the evidence in a subsequent prosecution.

Cyber threat intelligence

Research conducted into the attackers to determine their capabilities, motives and likely actions can be invaluable in responding to incidents. This can be provided by the government, CERTs, collaborative groups or through the use of our experts, whose work includes building up detailed profiles of cyber attackers to understand their methodologies, their intentions/motivations in carrying out their attacks, and their focus, i.e. is their target a person, the organisation, a market sector, or the government?

Knowing who as well as what you are dealing with improves your response tactics.

Triage

The early part of a cyber investigation is often called triage. It consists of:

  • Classifying the incident as critical, significant, normal or negligible impact
  • Prioritising the incident as high, medium or low
  • Assigning incidents to appropriate team members

This is important in determining the correct, proportionate level of incident response.

Many organisations do not have the right tools, systems or knowledge to conduct a suitable investigation in the case of a critical or significant cyber security incident. When the scope and severity is beyond in-house skills, it is a wise move to hire in experts as this can save your organisation time, money and potentially its reputation.

7Safe’s CSIR team will aim to conduct their first response within a few hours of their engagement, before decisions are made by the client organisation that may adversely affect an investigation. It is a natural reaction on the part of an IT manager to shut down systems that are thought to be infected with malware. This can be a costly mistake: it alerts the attacker that you have identified the infection, destroys volatile evidence (running processes, network connections and anything else held only in memory), and could compromise the investigation.

Initial analysis of the incident

Our responders will examine important alerts or suspicious events in logs or technical security monitoring systems (e.g. IDS, IPS, DLP or SIEM), correlate these with network data including data from cloud service providers, and then compare these findings with threat intelligence. In the process, each possible trigger event will be thoroughly investigated, including:

  • Date/time
  • Internet protocol (IP) address (internal or external)
  • Port (source or destination), domain and file (e.g. exe, dll)
  • System information including hardware vendor, operating system, applications, purpose, and location.

In this way, our first responders will build up a clear picture of what caused the alerts.
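To make the correlation described above concrete, here is an added example in Python; it is not 7Safe's tooling or code from the original page. The three log formats, hostnames, IP addresses, domains, file paths, hash and threat-intelligence entries are all constructed for illustration. The script normalises alerts from an IDS, a web proxy and an AV product into one schema carrying the fields listed above (date/time, IP, port, domain, file), attributes network-only alerts to a host through a constructed asset inventory so system information can be attached, and then groups each host's events within a time window, flagging a cluster as a trigger event when it is corroborated by more than one monitoring source or matches a known-bad indicator:

```python
"""Correlate alerts from several monitoring sources into per-host timelines.

Added illustration; not 7Safe's tooling. Every log line, host, address,
domain, hash and IOC below is constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: internal IP -> host and system information.
ASSETS = {
    "10.1.5.23": {"host": "WS-0231", "os": "Windows 10", "purpose": "finance workstation", "location": "London"},
    "10.1.5.41": {"host": "WS-0118", "os": "Windows 10", "purpose": "HR workstation", "location": "Leeds"},
}
HOST_BY_IP = {ip: a["host"] for ip, a in ASSETS.items()}

SAMPLE_HASH = "7f3a" * 16  # constructed placeholder, not a real malware hash

# Constructed threat-intelligence feed (indicators of compromise).
THREAT_INTEL = {
    "ips": {"203.0.113.17"},
    "domains": {"update-check.example.net"},
    "hashes": {SAMPLE_HASH},
}

# Constructed sample alerts in three different formats (IDS, web proxy, AV).
SAMPLE_LOGS = "\n".join([
    '2024-03-04T09:12:07Z IDS alert sid=2027865 src=10.1.5.23:51234 dst=203.0.113.17:443 msg="Suspicious TLS SNI"',
    "2024-03-04T09:12:09Z PROXY host=WS-0231 user=jdoe src=10.1.5.23 dst=203.0.113.17 port=443 domain=update-check.example.net action=ALLOW",
    rf"2024-03-04T09:14:52Z AV host=WS-0231 file=C:\Users\jdoe\AppData\Local\Temp\svchost.exe sha256={SAMPLE_HASH} verdict=Quarantined",
    "2024-03-04T11:40:00Z PROXY host=WS-0118 user=asmith src=10.1.5.41 dst=198.51.100.9 port=80 domain=cdn.example.org action=ALLOW",
    '2024-03-04T13:02:11Z IDS alert sid=2100498 src=10.1.5.23:51290 dst=203.0.113.17:443 msg="Beacon-like periodic connection"',
])

# One pattern per source; all of them yield the common field names used below.
PATTERNS = {
    "IDS": re.compile(r'^(?P<ts>\S+) IDS alert sid=(?P<sid>\d+) src=(?P<src_ip>[\d.]+):(?P<src_port>\d+) '
                      r'dst=(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) msg="(?P<msg>[^"]*)"$'),
    "PROXY": re.compile(r"^(?P<ts>\S+) PROXY host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src_ip>[\d.]+) "
                        r"dst=(?P<dst_ip>[\d.]+) port=(?P<dst_port>\d+) domain=(?P<domain>\S+) action=(?P<action>\S+)$"),
    "AV": re.compile(r"^(?P<ts>\S+) AV host=(?P<host>\S+) file=(?P<file>.+?) sha256=(?P<hash>[0-9a-f]{64}) verdict=(?P<verdict>\S+)$"),
}


def parse_line(line):
    """Parse one alert line into a dict with a UTC timestamp, or None if unrecognised."""
    for source, pat in PATTERNS.items():
        m = pat.match(line)
        if m:
            ev = m.groupdict()
            ev["source"] = source
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            # Network-only alerts carry no hostname: attribute them via the inventory.
            ev.setdefault("host", HOST_BY_IP.get(ev.get("src_ip"), "unknown"))
            return ev
    return None  # unrecognised lines are left out rather than guessed at


def ioc_hits(ev):
    """Return the threat-intelligence indicators this event matches."""
    hits = set()
    if ev.get("dst_ip") in THREAT_INTEL["ips"]:
        hits.add(ev["dst_ip"])
    if ev.get("domain") in THREAT_INTEL["domains"]:
        hits.add(ev["domain"])
    if ev.get("hash") in THREAT_INTEL["hashes"]:
        hits.add(ev["hash"])
    return hits


def correlate(log_text, window=timedelta(minutes=15)):
    """Group each host's events into clusters no more than `window` apart, oldest first."""
    by_host = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_host[ev["host"]].append(ev)

    clusters = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        current = None
        for ev in events:
            if current and ev["ts"] - current["end"] <= window:
                current["events"].append(ev)
                current["end"] = ev["ts"]
            else:
                current = {"host": host, "start": ev["ts"], "end": ev["ts"], "events": [ev]}
                clusters.append(current)

    for c in clusters:
        c["sources"] = sorted({e["source"] for e in c["events"]})
        c["ioc_hits"] = set().union(*(ioc_hits(e) for e in c["events"]))
        c["asset"] = next((a for a in ASSETS.values() if a["host"] == c["host"]), None)
        # A trigger event is either corroborated by two monitoring sources or tied to known-bad infrastructure.
        c["flag"] = len(c["sources"]) >= 2 or bool(c["ioc_hits"])
    clusters.sort(key=lambda c: c["start"])
    return clusters


if __name__ == "__main__":
    for c in correlate(SAMPLE_LOGS):
        status = "TRIGGER" if c["flag"] else "noise? "
        print(f'{status} {c["host"]} {c["start"]:%H:%M}-{c["end"]:%H:%M} sources={c["sources"]} iocs={sorted(c["ioc_hits"])}')
```

Run against the constructed lines, the finance workstation yields two trigger clusters (the morning IDS/proxy/AV sequence, and an afternoon IDS alert to the same known-bad address), while the single proxy entry for the HR workstation is left unflagged; the window size and the two-source rule are the knobs a responder would tune to the environment.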


Are you looking for an Incident Response team that you can trust?

7Safe CSIR teams are led by a highly skilled and experienced digital forensic consultant who has a minimum of 8 years’ experience. Talk to us today about how we can bring our expertise to your business. Call us now on +44 (0)1763 285 510 or submit an enquiry below.



Step 3: Take appropriate action to contain the incident

An important step in the process is containment. That is, stopping the infection from spreading to other networks and devices both within your organisation and beyond.

At 7Safe, we prioritise actions that are aimed at reducing the immediate impact of the cyber security incident, primarily by removing the attacker’s access to your systems. This does not always mean an immediate return to business as usual; rather, we make best efforts to return to normal functionality while continuing to analyse the incident and plan longer-term remediation.

We will contain the incident and isolate any compromised nodes or devices to prevent further infection or lateral movement, allowing the business to resume normal functions. We will also monitor for any change in attack vector or escalation by the attacker in response to containment, ensure no further compromises of the infrastructure are made, and verify that any tools introduced to assist are malware free.

Once the incident has been contained, we will eradicate the suspect material from the network while preserving evidence to the required evidential standards for more detailed investigation and/or possible future prosecution.

7Safe follows the ACPO Good Practice Guide for Digital Evidence, which we helped to create.

CSIR consultants will conduct such CSIR services as detailed in Stage 3.3 and 3.5 of the 7Safe CSIR Framework.

Our team will look at different containment strategies for different types of major cyber-attack, and produce documented criteria that will facilitate decision-making.

Documented Containment Criteria Report

The output from our reporting process will help your organisation to evaluate the following:

  • Potential damage to and theft of resources
  • Need for evidence preservation
  • Service availability (e.g. network connectivity)
  • Time and resources needed to implement the strategy
  • Effectiveness of the strategy (e.g. partial containment, full containment)
  • Duration of the proposed solution (e.g. emergency workaround to be removed in ‘x’ hours, temporary workaround to be removed in ‘x’ weeks, permanent solution).

Actions necessary to contain the incident

Based on our report of the containment criteria, we will recommend a course of action and, where required, provide the technical services to support this action.

One of your chief priorities in the event of a cyber security incident is to contain the damage, for example, by stopping the malware in your system from spreading to other networks and devices both within your organisation and to any third parties.

Our expert consultants can carry out the following tasks or provide remote or on-site support to enable your IT team to perform any of the following containment actions:

  • Blocking (and logging) of unauthorised access
  • Blocking malware sources (e.g. email addresses and websites)
  • Closing particular ports and mail servers identified as compromised
  • Changing system administrator passwords where compromise is suspected
  • Firewall filtering
  • Relocating website home pages
  • Isolating systems.

Business as usual may not be possible in the short term while efforts are made to analyse the incident and plan longer-term remediation. The main consideration here is a first response proportionate to the severity of the cyber incident. Delaying containment because of uncertainty can make matters worse; so can over-compensating by closing down ports, mail servers and so on when the identified risk factors do not justify such action. The overriding objective of a containment strategy is to make best efforts to return to normal functionality.

Eradicating the cause of the incident

Once the cyber incident has been identified and its causes contained, our team can help you to eradicate the key components of the incident. This can involve removing the attacker’s foothold from the network, deleting malware found on the system, and disabling breached user accounts. Again, these tasks are best performed by expert consultants rather than by IT personnel using standard tools such as AV scanners, since eradication involves advanced technical work, namely:

  • Identifying all the hosts affected within and sometimes beyond your organisation and remediating
  • Carrying out malware analysis to better understand the threats posed
  • Checking for any response from the attacker to your actions
  • Using a risk-based approach, developing a response to future actions by the attacker in the form of preventive actions designed to address the threats
  • Allowing sufficient time to ensure that the network is secure and that there is no response from the attacker (evidence from malware analysis and the experience of the incident responder need to be taken into account when deciding timescales)
  • Forensic requirements – gathering and preserving evidence.

In order to investigate the cyber incident from the perspective of law enforcement, it is necessary to preserve the evidence and maintain a chain of custody. 7Safe’s expert digital investigation consultants carry out work of this kind for clients in both the public and private sectors, gathering the evidence necessary to bring about a successful prosecution and taking account of the following legal requirements:

Admissibility of evidence: whether or not evidence can be used in court

Weight of evidence: the quality and completeness of evidence.

They will also help to ensure that the evidence complies with relevant laws, such as:

  • Police and Criminal Evidence Act (PACE)
  • Data Protection Act 1998
  • General Data Protection Regulation (GDPR)
  • Computer Misuse Act 1990
  • Regulation of Investigatory Powers Act 2000 (RIPA).

Our team includes former police officers who collect both paper-based and electronic information at the scene. They maintain logs of every action that they take during an investigation so that it can be referred to at a later date and the sequence of events and actions taken can be repeated by opposition experts, if this is a requirement.

We only perform detailed forensic analysis work on copies of evidential material obtained using imaging technology in order to protect the integrity of that material.
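The two disciplines just described, working only on verified copies of the imaged material and keeping a log of every action so the sequence can be reproduced, can be illustrated in code. The following is an added Python example, not 7Safe's tooling and not a substitute for the ACPO guidance cited above; the exhibit names, examiner name and the bytes standing in for a disk image are constructed. It hashes the master image, refuses to release a working copy whose hash differs, re-checks the copy before analysis so accidental modification is caught, and keeps an append-only custody log in which every entry commits to the hash of the previous one, so that later editing of any entry is detectable:

```python
"""Evidence integrity for a forensic image plus a tamper-evident custody log.

Added illustration; not 7Safe's tooling. Exhibit names, the examiner name
and the image contents are constructed for the example.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first custody-log entry


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large images are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Append-only log; each entry's hash covers its content and the previous entry's hash."""

    def __init__(self):
        self.entries = []

    def add(self, actor, action, exhibit, digest, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "seq": len(self.entries) + 1,
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "actor": actor, "action": action, "exhibit": exhibit,
            "sha256": digest, "note": note, "prev_hash": prev,
        }
        body = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = hashlib.sha256(body).hexdigest()
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute every entry hash and link; False if any entry was altered or reordered."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def prepare_working_copy(master, copy, log, actor):
    """Copy the master image; the copy is only released for analysis if it hashes identically."""
    expected = sha256_file(master)
    shutil.copyfile(master, copy)
    actual = sha256_file(copy)
    ok = actual == expected
    log.add(actor, "working copy " + ("verified" if ok else "REJECTED"),
            os.path.basename(copy), actual, note=f"master sha256 {expected}")
    return ok


def demo(workdir):
    """Walk through acquisition, copy verification, and detection of two kinds of tampering."""
    master = os.path.join(workdir, "EXH-001.dd")  # constructed exhibit name
    with open(master, "wb") as f:
        f.write(bytes(range(256)) * 64)  # constructed stand-in for an acquired image
    log = CustodyLog()
    log.add("A. Examiner", "acquired image", "EXH-001.dd", sha256_file(master), note="write-blocked acquisition")
    copy = os.path.join(workdir, "EXH-001-working.dd")
    copy_ok = prepare_working_copy(master, copy, log, "A. Examiner")
    # Simulate an accidental write to the working copy during analysis ...
    with open(copy, "r+b") as f:
        f.seek(100)
        f.write(b"\xff")
    # ... which the pre-analysis re-check against the acquisition hash catches.
    recheck_ok = sha256_file(copy) == log.entries[0]["sha256"]
    log_ok_before = log.verify()
    log.entries[0]["note"] = "edited after the fact"  # tampering with the record itself
    log_ok_after = log.verify()
    return {"copy_ok": copy_ok, "recheck_ok": recheck_ok,
            "log_ok_before": log_ok_before, "log_ok_after": log_ok_after}


def run_demo():
    with tempfile.TemporaryDirectory() as d:
        return demo(d)


if __name__ == "__main__":
    print(run_demo())
```

The hash chain only makes tampering detectable, not impossible: in practice the entry hashes are also recorded out of band (a signed or printed contemporaneous note, or a log held by a second examiner) so an altered log cannot simply be regenerated in full.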


We can quickly and professionally respond to your cyber incidents

7Safe will deploy incident responders and other cyber security advisers to assist your organisation on request. If you need a fast response to a cyber incident, call us now on +44 (0)1763 285 510 or submit an enquiry via below.



Step 4: Recover systems, data and connectivity

7Safe will ensure that systems have been restored to their normal operation and remediate vulnerabilities to prevent similar incidents occurring in the future.

Validation of recovery is important, and 7Safe can offer a vulnerability assessment or penetration test to add additional peace of mind.

7Safe will monitor the situation over an agreed period of time to ensure that no follow-up attack takes place and to confirm successful eradication and recovery of systems.

CSIR consultants will conduct such CSIR services in accordance with Stage 3.6 of the 7Safe CSIR Framework.

The final step in the Cyber Security Incident Response process is to restore your systems to normal operations, confirm that the systems affected are functioning normally, and remediate vulnerabilities to prevent similar incidents from occurring.

This is not as straightforward as it may first appear. Project research cited by CREST has identified that the main challenges organisations face when recovering from a cyber security incident in a fast, effective and consistent manner are:

  • Confirming that remediation has been successful
  • Reconnecting networks, rebuilding systems, and restoring, recreating or correcting information.

Rebuilding infected systems from known ‘clean’ sources is only safe once you are certain that the source of the malware infection has been totally removed and the attacker prevented from regaining access. Hiring a skilled CSIR team to perform the necessary checks on your systems can prevent malware that you thought you had removed from re-infecting them and potentially corrupting clean data as well. Replacing compromised files with clean versions is likewise an operation requiring care.

When the 7Safe CSIR team leader is certain that the malware has been completely removed, he/she will advise removing the temporary constraints imposed during the containment period and resetting the passwords on compromised accounts. They will then recommend installing security patches, rotating any other credentials that may have been exposed, and tightening the security of the network perimeter, such as your firewall rule-sets. Our Penetration Testing team can then, if you agree, carry out thorough tests of your systems, including their security controls. The integrity of business systems and controls will be confirmed in their final report before we complete this last step of the process.

Through penetration testing combined with security controls assessments, you can be confident that your systems are operating normally again and are free from the threat: the malware has been removed from all your systems as a result of the identification, investigation and containment steps of the CREST-recommended CSIR process, and the attacker no longer has access and therefore cannot carry out further attacks.