1. Preparation
Our approach emphasizes maximum system availability by concentrating on preparation and prevention. We work to ensure that all endpoints, networks and applications are secured, while applying our expertise to help develop incident response and resolution policies and procedures. This gives our incident handlers a precise roadmap covering the lifecycle of an incident from identification to recovery.
2. Identification
Properly identifying which systems have been compromised is one of the most critical steps in the incident response lifecycle. Our highly trained staff uses proprietary advanced malware detection tools and multiple threat intelligence feeds, which strengthen our first level of response. Monitoring of network devices and endpoints, including full packet capture, is among the critical components that form the foundation of Cybersafe’s detection and identification methodology.
3. Containment
The keys to containment are timeliness and effectiveness. Our incident response team relies on isolation and containment efforts. During this phase our team performs network and endpoint analysis to determine how the intruders breached the network, whether there was lateral movement across the network, and whether malware was used as the initial attack vector. Once this is determined, incident handlers can isolate the impacted endpoints and perform more granular analysis.
4. Eradication
Eradication requires the removal of all malicious code or the mitigation of the IT security incident. Our incident response team works within the constraints of the operational environment to provide a properly vetted solution. We put in place short-term countermeasures, which may include blocking malicious IP addresses or domains, reimaging infected systems and changing passwords across the entire organization.
5. Recovery
Recovery is more than the restoration of full business operations; it also includes processes to ensure that the incident will not recur and that a permanent and appropriate solution has been applied to address the vulnerability. Long-term solutions should be implemented to prevent and detect similar incidents and to improve an organization’s overall security posture.
6. Lessons Learned
Follow-up is necessary to ensure that the incident has been mitigated, the attacker has been removed and proper countermeasures have been put in place. Implementing a continuous monitoring solution that incorporates ongoing asset inventory, vulnerability assessments, network- and host-based intrusion detection, behavioral monitoring and log management ensures that the new security measures are working properly to rapidly detect and respond to future attacks.