Incident Response

Contain, investigate and remediate.

Fortune favors the prepared mind.

Louis Pasteur

The most technologically advanced companies, and the highest spenders on security, still get hacked, usually in spectacular fashion.

The method of compromise in these high-profile attacks has come to be known as the 'Advanced Persistent Threat': individuals, teams, or even nation-states want something from an organization, so they target that organization, learn how to manipulate its people, technology and processes, and achieve their ends. Their tactics rely on stealth and persistence: covert, deep reconnaissance combined with the exploitation of security weaknesses carries them from the outside, through successive layers of defenses, to their goal, which is usually your company's sensitive data. Note: this has always been done; we just have a catchy name for it now.

Given that, chances are that if you haven't been hacked already, you will be soon. That is why you need incident response. Our approach is shown in the image below.

Before an incident happens, you need to be prepared. Do you have a plan? Equipment? Personnel? Incident response consultants? As with any form of disaster, the less you plan and prepare, the worse things will be.

When you're hacked, how will you know it happened? And how will you work out what the intruders did, which you must establish before you can get rid of them? According to studies, the majority of breaches take months to discover, and the discovery is usually made by someone outside the organization.

Once they're in, do you just turn off the affected systems? Unplug the network? And then, what do you do with those systems - assuming your organization can do without them being available? With persistent threats, how do you know they won't just get back in? Maybe they're using a hole that has no patch or update to fix it?

Postmortems aren't just useful in CSI - they're the foundation for understanding how to improve: fixing the gaps and holes you have, and starting down the path to becoming more immune, as an organization, to future attacks.

The thing to note is that, unlike the threats addressed by traditional controls (which do have some effectiveness), the targeted, custom attacks seen in Advanced Persistent Threats are not static; they are driven by intelligent adversaries, which makes the security problem less like an act of nature (e.g. a storm) and more like the influenza virus. That's why you need the right ingredients for IR and, most importantly, the tenacity to remain ever vigilant. Good IR is not a one-off, but a constant, cyclical way of working.

Occamsec knows how to blend the secret ingredients together: skilled people, coupled with the right tools, to constantly monitor for, detect, and respond to skilled adversaries. We can help with designing, implementing and running such a capability, and uniquely link it with our advanced threat intel and threat ops to give you your best shot at stopping Advanced Persistent Threats in their tracks.

  • About Us

    We are a tier one information security and risk management company. Our goal is to provide our clients with tailored solutions which meet their objectives.

    Our considerable reachback capabilities allow us to ensure clients receive the very best service, with no compromises.
