Effective and immediate response equals fast recovery time and limited financial damages
There are typically six steps to incident response: preparation of systems and procedures; identification of incidents when they occur; containment of attacks; eradication of both attackers and their re-entry routes (system backdoors); recovery from incidents, including the restoration of systems; and lessons learned that can strengthen the organisation’s cybersecurity and future responses.
The goal of incident response is to identify the threat actors, prevent lateral movement, contain or terminate cyberattacks, minimise data loss and inhibit future attacks.
Assisted by the industry’s most advanced technology platforms and the latest curated intelligence from around the world, CyberCom places local and international experts at our clients’ immediate disposal to manage, analyse and resolve any security incident in a fraction of the time taken by conventional approaches.
We provide clients with immediate assistance in relation to:
- Identification, verification and scoping of the reported incident
- Containment of the breach
- Deployment of monitoring software on endpoints and the network
- SOC monitoring of alerts
- Threat hunting and intelligence gathering on the threat actors
- Triage data collection (on site or remotely) and deep-dive forensic investigation with expert reporting
- Threat eradication
- Remediation and environment recovery – data recovery, malware removal and rebuild of the environment
- Post-incident review and monitoring of the client environment
- Ransom negotiation, cryptocurrency procurement and managed ransom payments
- Restoration and decryption of encrypted data
- Electronic/automated notification services to data subjects and handling of Data Subject Access Requests
- Reporting and lessons learned
- Ongoing monitoring of the dark web and public domains for information related to the breach
Benefits include:
- Provisioning of state-of-the-art response and investigation technologies before and during attacks.
- 24-hour monitoring of on-site alerting and incident response technologies.
- Flexible and rapid deployment options for endpoint agents.
- Secure connections and communication between endpoints and the management server.
- Practising IR experts responding to identified and ongoing breaches.
- Automatic network isolation of a compromised machine, preventing it from communicating with attacker infrastructure, when Indicators of Compromise (IOCs) are detected.
- Containment or network isolation of a compromised machine while still allowing investigators access to the volatile command and control channels during live breaches.
- Full deep-dive forensic services conducted remotely or on site.
- Expert interpretation of the findings and sound remedial advice.
Businesses cannot operate without access to their data or technology, which has made cyberattacks that hold data to ransom or lock companies out of their devices extremely lucrative. Equally profitable is the exfiltration of valuable client data, which can be sold on the black market. The rise in legislation requiring businesses to protect customer data adds an additional element. Data breaches can come with hefty fines, not to mention reputational damage.
Although it is not advised, in some instances it might be required to engage with the perpetrators and even enter into negotiations. Care must also be taken that international and local legislation is not breached by paying a ransom, so the process should be handled by an experienced and responsible party. Ransom negotiations can be complex, and unfortunately, simply paying a ransom doesn’t guarantee data recovery. Ransoms are paid via cryptocurrencies, with which many businesses have little to no experience. Our clients have access to experts who have experience in ransomware negotiations. We can help you by negotiating and managing the process to ensure the best outcome from a complicated situation.
There are many ways threat actors can access a system or commit cybercrime. These activities can range from malware distribution to disgruntled employees setting up fake social media pages to cause a business reputational harm. Determining the point of compromise (POC) is an essential first step in identifying how a system was accessed and whether there are still vulnerabilities that need to be addressed. It is also important to gather defensible digital evidence for litigation purposes.
CyberCom’s partner company, Cyanre the Digital Forensic Lab, was established in 2002 to provide state-of-the-art cyber forensic services to clients who require innovative and cost-effective solutions.
Cyanre follows forensically sound methodologies, making use of internationally accepted software and operating procedures that major law enforcement agencies across the globe conform to. These agencies include the FBI, Scotland Yard and the US Secret Service, as well as South Africa’s own South African Police Service. By using sophisticated software and judicially tested procedures, Cyanre is able to place the integrity of all evidence collected, data disseminated and facts placed before a judicial body beyond question.
Forensic experts inspect, identify, analyse and preserve digital evidence, and use it to help them investigate cybercrimes. Our partner, Cyanre the Digital Forensic Lab, looks for virtual traces in activity logs, file fragments, metadata and timestamps. Depending on how sophisticated the cyberattack is – and how cutting-edge the techniques used – threat actors can be extremely difficult to trace.
There is a great deal that digital forensics experts can do when an attack occurs, including:
- Identifying how, where and when a threat actor infiltrated a network.
- Potentially identifying why an attack occurred (for example, disgruntled employee activity versus financially motivated criminal activity).
- Preserving and safeguarding digital evidence to ensure it is not destroyed.
- Retracing a threat actor’s path into the network to close any vulnerabilities.
- Identifying which tools were used to breach the network security technologies.
- Identifying what data was accessed by the threat actors.
- Determining how long the threat actors were active on the network.
- Tracking the geolocation and mapping of the threat actors’ logins.