Identify cyber security incident
7Safe consultants will rapidly identify if a cyber incident has taken place and if so, what the cyber security incident type is. This will then determine an appropriate response and subsequent actions.
Cyber security incidents usually begin with one or more of the following indicators:
- Alerts from technical monitoring systems such as anti-virus software, intrusion detection systems (IDS), data loss prevention (DLP), security information and event management (SIEM) systems, log analysers, etc.
- Reports of suspicious events made to the IT help desk by users, third party reports, or directly to the security team by the police, industry bodies, your vendor partners, or the government.
- Anomalies detected by audits, investigations or reviews. Note: this includes financial audits that show withdrawals that are traceable to fraudulent activity.
As a result of our comprehensive assessment, you may find that the malware has spread widely within your network or to third party systems, compromising security beyond the point where the infection was initially detected. Our responders are used to monitoring the complete evidence trail for signs of unusual occurrences and assessing one or more trigger points.
Analysing all the available information will often provide a different insight into what has actually caused the alert. Responders can then determine whether there has been a DDoS and/or malware attack, system hack, session hijack, and/or data corruption, basing their conclusions on the facts. Relying instead on the reports produced by your security monitoring software can be misleading – especially without expert help to interpret results.
In this way, we aim to definitively confirm that you have been subjected to a cyber-attack or cyber-related data breach, removing any doubt about the possible causes.
Define objectives and investigate the situation
Objectives and scope will be formulated based on identification factors and information gathered to date. These will be directed by client requirements in line with business continuity and concerns.
Investigation will be an on-going effort from initial identification through to containment and eradication. The main focus of investigation at this stage is returning to normal operation rather than in-depth analysis, and it will triage by:
7Safe will use cyber threat intelligence to clearly understand the tactics, techniques and procedures of the attacker(s), to assist with the definition of objectives and scope and to better remediate.
Any changes to scope or objectives will be clearly discussed and agreed with the client with written authorisation where additional work is needed above or beyond the initial scope. These changes will be communicated in a timely fashion with the incident team where required.
Take appropriate action to contain the incident
An important step in the process is containment. That is, stopping the infection from spreading to other networks and devices both within your organisation and beyond.
At 7Safe, we prioritise actions that are aimed at reducing the immediate impact of the cyber security incident, primarily by removing the attacker’s access to your systems. This does not always mean returning to business as usual, but making best efforts to return to normal functionality while continuing to analyse the incident and plan longer-term remediation.
We will contain the incident and isolate any compromised nodes or devices to prevent further infection or lateral movement, allowing the business to resume normal functions. We will also monitor for changes in attack vector or escalation in response to containment and ensure no further compromises of the infrastructure are made, ensuring that any tools introduced to assist are verified and malware free.
Once the incident has been contained, we will eradicate the suspect material from the network while preserving evidence to the required evidential standards for more detailed investigation and/or possible future prosecution.
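The two requirements in the paragraphs above, verifying that responder tools are known-good before they touch a compromised host and preserving collected evidence in a way that can later be shown to be unaltered, both come down to recording and re-checking cryptographic hashes. The following is an added example written for this page, not 7Safe's own tooling or process: it hashes collected artifacts with SHA-256, writes a simple chain-of-custody manifest, re-verifies the manifest to detect tampering, and checks responder tool binaries against an allow-list of known-good hashes. The file contents, case identifier, collector name and the known-good hash table are all constructed for the demonstration.

```python
"""
Added example (not 7Safe's code): minimal evidence-preservation and
tool-integrity helpers for the containment/eradication phase.
All sample data below is constructed; the case id, collector name and
known-good hash table are placeholders.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read files in 1 MiB chunks so large images do not sit in RAM


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector: str, case_id: str) -> dict:
    """Chain-of-custody record: what was collected, by whom, when, and its hash."""
    return {
        "case_id": case_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": [
            {"path": p, "size": os.path.getsize(p), "sha256": sha256_file(p)}
            for p in paths
        ],
    }


def write_manifest(manifest: dict, path: str) -> str:
    """Persist the manifest and return the hash of the manifest file itself,
    so the manifest can be sealed (e.g. recorded in the case notes)."""
    with open(path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return sha256_file(path)


def verify_manifest(manifest: dict) -> list:
    """Return the paths whose current hash no longer matches the manifest."""
    return [i["path"] for i in manifest["items"] if sha256_file(i["path"]) != i["sha256"]]


def verify_tools(tool_paths, known_good: dict):
    """known_good maps tool basename -> expected SHA-256.
    Returns (all_ok, rejected_names); a tool with no allow-list entry is rejected."""
    rejected = []
    for p in tool_paths:
        name = os.path.basename(p)
        expected = known_good.get(name)
        if expected is None or sha256_file(p) != expected:
            rejected.append(name)
    return (len(rejected) == 0, rejected)


def demo() -> dict:
    """Walk through collection, sealing, tamper detection and tool checks."""
    work = tempfile.mkdtemp()
    evidence = os.path.join(work, "auth.log")
    with open(evidence, "wb") as f:  # constructed sample log line
        f.write(b"Jan 10 03:12:07 host sshd[412]: Accepted password for svc from 203.0.113.9\n")
    tool = os.path.join(work, "collector.sh")
    with open(tool, "wb") as f:  # constructed stand-in for a responder tool
        f.write(b"#!/bin/sh\nexit 0\n")

    manifest = build_manifest([evidence], "responder-1", "CASE-PLACEHOLDER")
    seal = write_manifest(manifest, os.path.join(work, "manifest.json"))
    clean = verify_manifest(manifest)            # nothing changed yet

    with open(evidence, "ab") as f:              # simulate post-collection tampering
        f.write(b"tampered\n")
    tampered = verify_manifest(manifest)

    good_table = {"collector.sh": sha256_file(tool)}
    bad_table = {"collector.sh": "0" * 64}       # constructed wrong hash
    ok_good, rej_good = verify_tools([tool], good_table)
    ok_bad, rej_bad = verify_tools([tool], bad_table)
    ok_unknown, rej_unknown = verify_tools([tool], {})

    return {
        "seal_len": len(seal),
        "clean_mismatches": len(clean),
        "tampered_mismatches": len(tampered),
        "tool_ok_good": ok_good,
        "tool_ok_bad": ok_bad,
        "tool_ok_unknown": ok_unknown,
        "rejected_bad": rej_bad,
        "rejected_unknown": rej_unknown,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest hash returned by `write_manifest` is the value to record outside the evidence store (case notes, a signed e-mail, a ticket), so that later verification checks both the artifacts and the manifest that describes them. Tools with no allow-list entry are rejected rather than ignored, which is the safer default when an unknown binary is about to run on a suspect host.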
Recover systems, data and connectivity
7Safe will ensure that systems have been restored to their normal operation and remediate vulnerabilities to prevent similar incidents occurring in the future.
Validation of recovery is important, and 7Safe can offer a vulnerability assessment (penetration test) to add additional peace of mind.
7Safe will monitor the situation over an agreed period of time to ensure that no follow-up attack takes place and to confirm successful eradication and recovery of systems.
The final step in the Cyber Security Incident Response process is to restore your systems to normal operations, confirm that the systems affected are functioning normally, and remediate vulnerabilities to prevent similar incidents from occurring.