If you had a security incident today, how would you deal with it? What steps would you take? Who would need to be involved? Can you manage it in house? Do you have a repeatable, efficient response plan in place?
Over the last decades, organisations have focused on threat protection,threat detection and incident response. But as we lose some control of our computing environment – and as threats become more sophisticated, it’s time to invest in incident response planning.
Most organisations have the technology in place to detect an incident and protect their infrastructure. But incident response is less about technology and more about processes and people – and understanding how to create best practice, repeatable processes to deal with incidents quickly and efficiently.
A recent Global Threat Intelligence (GTIR) report showed that 74% of organisations using our Incident Response services did not have a functional incident response plan in place.
Most organisations don’t have spare resources waiting to leap into action when an incident occurs. Instead they seek advice from us, as a trusted partner. We’re here to help with both rapid response services and proactive incident response planning. And our experiences with clients across the globe means there are very few scenarios that our experts haven’t seen before.
Rapid Response service
If you’ve suffered a breach, we’ll help you immediately with guidance, support and technology to deal with the incident and minimise business impact. We’ll deploy a rapid response team and quickly establish a process to deal with the incident. We’ll then contain the cause of incident and provide support and guidance to resolve it. And we will work with you to create a tactical roadmap of recommendations to reduce risk in the future.
Proactive incident response planning:
It’s safe to assume that your organisation will, at some point, suffer a breach. So incident response planning needs to be part of your business continuity planning. We’ll help you to create a functional incident response plan which will:
- Define the incident response team along with their roles and responsibilities
- Agree any skill sets that may be required which don’t exist within your organisation
- Define your communications process and plan for effective communication during and after the incident
- Define the criteria to declare when an incident has started as well as when the incident has ended
- Manage all testing to ensure that the process works
There’s a lot more to it that this of course, but predefining the process will allow the response to start within minutes of the incident being declared.
The support to manage security incidents, whatever the scale
Building an incident response plan to deal with breaches as and when they arise is fraught with unknowns. Our unique and extensive frontline experience means we can help you make informed decisions at every stage. Kroll’s incident response and forensics experts have the expertise to investigate cyber incidents of all types – no matter the type, complexity or severity. We can deploy remote solutions quickly and/or be onsite within hours.
Common threats our incident response services help to address:
- Business Email Compromise
- Advanced Persistent Threats
- Malware, keyloggers and backdoors
- Insider threats
- Web application attacks
- Targeted IP theft
- Supply chain attacks
- Technology deployment/investigation of initial leads: Deploy the technology most appropriate for a fast and comprehensive incident response. We simultaneously investigate initial client-provided leads to start building Indicators of Compromise (IOCs) that will identify attacker activity while sweeping the environment for all indicators of malicious activity.
- Crisis management planning: Work with executives, legal teams, business leaders and senior security personnel to develop a crisis management plan.
- Incident scoping: Monitor real-time attacker activity and search for forensic evidence of past attacker activity to determine the scope of the incident.
- In-depth analysis: Analyze actions taken by the attacker to determine the initial attack vector, establish timeline of activity and identify extent of compromise. This can include:
- Damage assessment: Identify impacted systems, facilities, applications and information exposure.
- Remediation: Develop a custom containment and remediation strategy based on the actions of the attacker and tailored to the needs of the business in order to eliminate the attacker’s access and improve the security posture of the environment to prevent or limit the damage from future attacks.
Executive, investigative and remediation reports that withstand third party scrutiny.
Executive summary. High level summary explaining the timing and investigative process, major findings and containment/eradication activities.
Investigative report. Details on the attack timeline and critical path (how the attacker operated in the environment). Reports include a list of affected computers, locations, user accounts and information that was stolen or at risk.
Remediation report. Details of containment/eradication measures taken, including strategic recommendations to enhance the organization’s security posture.
- Live response analysis
- Forensic analysis
- Network traffic analysis
- Log analysis
- Malware analysis