Incident Response

How Prepared Is Your Organisation to Deal with a Cyber Attack?

As the frequency and complexity of cyber-security attacks continue to grow, the question facing organisations should be how they would cope when faced with a significant, sophisticated cyber-attack, rather than whether it will happen.

By preparing for a cyber-incident, an organisation is far more likely to detect the incident at an earlier stage and mount a comprehensive defence against the attack. A well-defined incident response effort provides robust processes for containing the incident in a more timely manner, whilst communicating with key stakeholders in order to minimise the impact, damage and cost and to reduce any potential reputational damage.

If the first time the management board of an organisation becomes aware that a significant cyber-security breach has occurred is via the news, a customer complaint or an acquiring bank, this is likely to have a significant and lasting impact on investor and customer trust.

If an organisation is ill-prepared for a cyber-security incident, any response is likely to be delayed and uncoordinated, with the additional risk that evidence may be contaminated by inexperienced internal staff.


Maintaining a well-skilled and effective incident response team can be difficult and costly even for the largest of organisations. Incident response requires a wide-ranging skillset to deal with the threats posed by nation states, hacktivists and criminals. These skills are difficult to recruit for, the cost of maintaining the team is significant, and it is common for internal security teams to suffer from skill degradation because their real-world use and experience is inconsistent. BSI Info-Assure aims to address these issues with an expert team, ready to provide expertise and capacity.


BSI Info-Assure is an independent provider of cyber-security incident response services and a member of the CREST Cyber Security Incident Response scheme (CSIR).

BSI Info-Assure consultants have extensive experience of assisting organisations to prepare for cyber incidents and forensic investigations, and dealing with incident containment, evidence gathering and response.

BSI Info-Assure has launched the new Cyber Security Incident Response (CSIR) service to assist organisations in assessing their readiness to respond to a cyber-security incident.

The CSIR service will enable organisations to:

  • Identify likely threat scenarios that would result in the need for a cyber-security incident response and/or forensic investigation.
  • Identify desired outcomes based on each threat scenario.
  • Perform gap analysis on existing controls and monitoring systems to identify areas requiring improvement.
  • Identify legal and regulatory requirements regarding the ability to carry out any such investigations and any requirement to retain and protect evidence, along with any requirement to report such incidents to law enforcement and/or other regulatory authorities.
  • Identify internal capabilities and the need for engagement with specialist third parties for tasks, such as forensic analysis, host triage and log analysis.
  • Develop cyber incident and forensic investigation plans.
  • Put in place measures to test plans with periodic reviews and updates.

BSI Info-Assure offers various response services that are designed to aid organisations in the preparation for cyber incidents, as well as dealing with the aftermath of such an attack.


Host Triage:

The host triage service is both a proactive and a reactive service. It can be performed as a proactive activity to provide a level of assurance that a network does not contain malicious or unwanted software, or after a breach has occurred to ensure that the original threat has been eradicated. BSI Info-Assure will liaise with the client to determine an ideal number of hosts to sample, with consideration to likely targets for an attack. The service is performed by a BSI Info-Assure supplied script that collates information on a per-host basis and is designed to be run once per host. The script captures volatile and non-volatile information, such as process and registry data. The data is collated and analysed by the BSI Info-Assure response team to identify any potentially malicious or unwanted items.

Network Analysis:

The network analysis service is both a proactive and a reactive service. It can be performed as a proactive activity to provide a level of assurance that a network does not contain malicious content, or after a breach has occurred to ensure that the original threat has been eradicated and to determine whether other threats exist on the network.
The service is performed using BSI Info-Assure-supplied sensors that provide a full packet capture solution. The sensors are placed at key positions in the network for a given period of time. The sensor is returned to the secure lab at the BSI Info-Assure office where offline analysis is performed using a blend of threat intelligence-based signatures, a custom platform for traffic analysis and anomaly detection.

Forensics:

The forensics service is based around the need to provide knowledge about an incident. The knowledge provided may include information about the originating threat actor or the source of the infection vector. The service has different modes of operation, using either a hard disk/image or a memory capture. Investigations can use both modes, which can aid the analysis process.


Forensic Readiness Planning:

A Forensic Readiness Plan (FRP) is a framework that puts in place procedures providing robust processes for containing an incident in a more timely manner, minimising the impact, damage and cost, and reducing any potential reputational damage. BSI Info-Assure will create an FRP that fits into the organisation, taking into account existing procedures and skills. If an organisation has an existing FRP, BSI Info-Assure can perform gap analysis to ensure that it is robust and well-defined.

Gold Build:

Gold Builds are used to ensure that all replicated machines have the same base set of software and configuration. Any malicious software or content within a Gold Build can mean that an entire network is contaminated through the cloning process. BSI Info-Assure can verify that Gold Builds have not been tampered with and, above all, can provide assurance that the Gold Build does not contain malicious content.
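One way to implement that tamper check, as an added example that is not BSI Info-Assure's own tooling: record a SHA-256 manifest from the known-good Gold Build, then compare each cloned machine's files against it and report modified, missing and unexpected files. The directory layout and file contents below are constructed sample data.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root, '/'-separated) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_against_manifest(manifest: dict, root: Path) -> dict:
    """Report files that differ from, are missing from, or were never in the gold build."""
    current = build_manifest(root)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed sample: a gold build and a clone with one tampered and one extra file."""
    with tempfile.TemporaryDirectory() as d:
        gold, clone = Path(d) / "gold", Path(d) / "clone"
        for base in (gold, clone):
            (base / "bin").mkdir(parents=True)
            (base / "bin" / "agent.exe").write_bytes(b"legitimate agent binary")
            (base / "config.ini").write_text("[svc]\nstart=auto\n")
        manifest = build_manifest(gold)  # recorded from the known-good build
        (clone / "bin" / "agent.exe").write_bytes(b"legitimate agent binary\x90")  # tampered
        (clone / "bin" / "unexpected.dll").write_bytes(b"not in the gold build")  # added
        return verify_against_manifest(manifest, clone)


if __name__ == "__main__":
    print(demo())
```

The manifest itself must be stored and transported separately from the image (for example, signed or kept on read-only media), otherwise whoever tampers with the build can update the manifest to match.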

Please contact us for more information regarding our Cyber-Security Incident Readiness Review service and our Cyber-Security Incident Response (CSIR) service.