Emergency Cyber Incident Response Support

Emergency Support is exactly that, it’s an emergency that you have not planned for.

We try to avoid these as they come with a whole heap of challenges (not just technical ones!), we much prefer that you either have a tested plan or that you engage us to help you prepare, however we know the realities of the world and wanted to share some info on some of the work we do in the emergency space.

Phases

Check

  • Sanity Check and Confirm Availability

Respond

  • Identify Cyber Incident
  • Define tactical objectives to contain the situation
  • Take action to contain the threat
  • Recover Systems
  • Tactical Clean-up

Follow Up

  • Detailed investigation
  • Incident Reporting
  • Post incident review
  • Lessons Learnt
  • Control updates
  • Data Wipe and Response Cleanup

FAQ

Emergency cyber incident response is a complex, fast paced task at the best of times. If there isn’t a formal response process in place (that’s been tested) then that doesn’t mean you are all alone. It is however incredibly complex, stressful and without guarantees. The only thing we can guarantee is that we will try our best to support you in your time of need. To this end we’ve put together an FAQ to help answer some of the common questions we get!

  1. How long does a typical response take?
    1. There’s no such thing as a typical response but if you are asking for emergency support without a pre-existing agreement your situation is probably not great to start with. We expect an incident to take two weeks at minimum.
  2. What’s a typical working pattern?
    1. Well it’s an emergency so we tend to work around the clock and in shifts  to ensure we are with you when it count but also that time isn’t lost, containment in an incident is critical but so is ensuring that there isn’t a secondary breach but also that the actions on target (impact) is understood.
  3. How do we get charged?
    1. It’s quite simple really, we charge you based on the days consumed (we charge x2 outside of standard business hours (Monday to Friday 0900-1730) and we charge you for any materials and expenses we may incur (such as virtual machine usage, specific software licenses, cloud services, API key usage, usage of drives etc.)
      1. Remember it’s an emergency so we don’t know exactly what we will need (we do come along with a great toolbox already!), and we generally don’t have time to ask for every single resource usage to be approved. We clearly don’t go out and buy Ferraris and will explain why and what the charges are for once the incident has been contained (we aim to be reasonable with expenses and where we can call them out as we go)
  4. What happens after we either get to a conclusion or we agree to stop investigating (you can request this at any time)?
    1. Once we’ve agreed or been instructed to stop, we will likely stand the team down for a day or two to recuperate (depending upon the scenario). We will then proceed to process the data, create our report and finally we conduct a clean-up and project closure.
      1. We often collect a range of sensitive data; we need to mark data which is sensitive and can be removed quickly or we need to identify the data we need for further analysis
      1. We need to securely clean out environments and ensure your data (and our IP) is safe so we go through a clean-up process.
  5. How long does it take to write then report?
    1. It depends upon the size, scale and complexity of the scenario. We advise customers that following containment and eradication, recover of services and root causes analysis, that we typically expect to return a formal report within 10 business days.
  6. If I want to engage the services, stop them and not pay for the time/materials required to clean-up and write a report is this ok?
    1. No, we do not walk away from a job with sensitive data nor do we exit and engagement without writing a formal report (this is NOT optional)
  7. Can we have a copy of the virtual machines you use during a response?
    1. We are afraid not. Our virtual machines contain our tools, techniques and practises as well as specialist software licenses and our company confidential data. We reset and secure wipe these after our report has been delivered an accepted.
  8. I’m not sure if I have an incident, can we have the team check our environment out before hand to check for free?
    1. Our emergency services are not free. There is a call out fee and a minimum charge. We will conduct a verbal validation to conduct an initial assessment of the scenario and then advise on a course of action.
  9. Do you provide legal advice?
    1. No, we are not lawyers, we are technology and security professionals. If you need legal advice speak to your legal team.
  10. Can we have a fixed price in an emergency?
    1. We don’t offer fixed price emergency services. They are all consumption based.
  11. How do we know you keep our data safe?
    1. We take the same care of your data as we do our own. We leverage encrypted virtual machines, encrypted hard drives and a range of tools to keep your and our data in safe hands.
  12. How do you clean-up the data after the report has been delivered and accepted?
    1. We wipe our environments down using NIST 800-88 standards.
    1. If requested, we’ll Blanco erase the drives (there’s an additional cost)
    1. We provide an attestation of media/data sanitization.
  13. We’ve been advised by the ICO we don’t need to report the breach, what should we do?
    1. We recommend you follow the legal advice of your council and if it were us, we would listen to the ICO (they know a few things about this process)
  14. Can I have a discount?
    1. No, it’s not a walk in the park, it’s an unplanned scenario with no agreement in place and we are probably going to end up missing time with our families. We love helping people, but this is our livelihood, but it also takes us away from our lives. We also feed back into the security community and conduct R&D to help prevent people getting into emergencies in the first place!
  15. What information will you share with a third party?
    1. Outside or legal and regulatory requirements we keep your information confidential. We will unless explicitly asked to NOT do so, share IOCs inside a country region on a TLP: RED basis (e.g. on CISP) to help the wider community protect detect and respond to emerging cyber threats.
  16. Do you make the decision during a response?
    1. Well we have free will so we decide what we do, but alas you and your business must decide the avenues and direction you wish to take. We just provide the tools, techniques and practises to support and help you, your choices however are your own.
  17. Can anyone sign the request for data deletion?
    1. We require a company officer to sign the data deletion request.
    1. Without this signed form we will hold sensitive data (encrypted at rest) in a safe when not in use.
  18. What happens after an incident?
    1. It really depends upon the severity complexity and lifecycle elements that have been covered.
  19. After an incident can we get you pizza?
    1. Yes, we will never say no to pizza!
  20. If we disagree with the costs what’s the process?
    1. We’ll provide a timesheet and breakdown of reasonable and fair costs. We are happy to discuss these but the deal when you ask us to walk into your emergency scenario is that you pay for our time and the resources we leverage.

Well that’s the common questions we get asked outlined! But if you want to know more please do get in touch! We try and support customers in their hour of need and we are friendly so feel free to get in contact even if you don’t have an emergency (we’d prefer it if we can help you avoid one in the first place!)

If you are in an emergency and need support contact us on: cirt[@]xservus.com or complete the Contact Us form!

If you have made it this far then you probably should be getting in contact already! but hopefully you are just being proactive! There’s a ton of good practise guidance to help you not require emergency response.

Planning Incident Management and Response

https://www.crest-approved.org/wp-content/uploads/2014/11/CSIR-Procurement-Guide.pdf

https://www.ncsc.gov.uk/collection/incident-management/cyber-incident-response-processes

Government Security Services, ICO and Action Fraud

https://www.ncsc.gov.uk/information/cir-cyber-incident-response

https://ico.org.uk/for-organisations/report-a-breach/

https://www.actionfraud.police.uk/

Our Toolbox

We have a range of resource available to us for emergency incident response which include:

Previous Response Examples

  • Next Generation Firewalls
  • Threat Intel and OSINT Toolsets
  • Penetration Testing Toolsets
  • GPUs and Compute Services for analysis work
  • Tools such as Maltego and Spiderfoot
  • Proprierty toolsets to enrich data at scale
  • A network of ascociates
  • A threat intelligence network
    • We are members of CISP, OTX, OpenSecurity

Phishing link clicked and credentials leaked leading to a wider scale breach. We deployed our team and isolated the environment by resetting all system passwords, deploying a rapid lock down GPO and monitoring the environment to ensure threat actor activity was contained.

Manfufaturing Organisation

Membership web services were the victim of a credential stuffing excercise, we worked with the application team to identify and contain the threat, implementing addtional controls to remove the weakness the threat actor was exploiting.

Membership Organisation

We worked with a specialist trust to respond to a major ransomware attack. We leveraged our threat intelligence capabilities to provide rapid response advice and guidance which included deployment of a local sink hole, providing mitigation and patch guidance, performing log analysis, conducting vulnerability scanning to ensure that the threat was contained.

Healthcare Organisation

Suffering a major ransomware attack we deployed a team equipped with a private network, we deployed a firewall TAP to ensure that the environment was being monitored and known threats were stopped. We then proceeded to contain and eradicate the malware, restore the data and services from backup. We performed an attack surface review and created a likely timeline of events to help the customer improve their security posture and to prevent re-infection.

Retail Organisation

A digital media marketing agency had suffered a ransomware attack, they had already recovered their services but they wanted to ensure that their environment was safe and that they had removed reasonably likely attack vectors. We conducted an attack surface review combined with an internal assessment to create a timeline of events identifying exposed RDP and a laterval movement path. The customer hardened the environment to reduce their risk.

Digital Markting Organisation