The increasing volume and complexity of electronic threats present a constant challenge to organizations’ ability to identify and understand when they are the subject of a threat or attack. Even when they are able to identify such incidents, the most effective and appropriate course of action is not always clear.
To meet this need, our clients can draw on the knowledgeable and experienced resources available within our ITHACA Labs®. When you identify or suspect such an occurrence, our Computer Emergency Response Team (CERT) may be commissioned to act independently or to complement your organization’s internal incident response team, acting as investigators or, where needed, as the implementers of the response.
Following a structured, best-practice procedure based on the NIST (US National Institute of Standards and Technology) Computer Security Incident Handling Guide (SP 800-61), the ITHACA Labs® CERT team can help your organization identify, manage and recover from an attack that may threaten your organization’s image, financial stability and operational integrity. Alternatively, where we are commissioned to assist your internal incident response team, we are flexible and can work to your organization’s own incident response plan and methodology.
Our incident response methodology and approach, organized as a six-step process for handling security incidents, is described below:
During the Preparation phase, the roles and responsibilities of the Incident Response Team will be defined. On the client’s side, the team members may include:
During this phase a logbook will also be established in which we document our observations, findings and communications. Every action taken from the time the incident was detected to its final resolution will be clearly documented and time-stamped, so that the logbook can serve both as the record of the investigation and as the basis for improving how similar incidents are prevented or handled in the future.
During the Detection & Analysis phase our CERT team will interview the key personnel responsible for administering and maintaining the affected systems and security controls. Their observations (e.g. a complaint that a server is unavailable, a spike of malicious-activity alerts from network or host Intrusion Prevention Systems, a web server crash, or the modification of critical files) will be treated as indicators of suspicious or malicious activity and will be thoroughly examined and evaluated.
In addition we will gather and analyze log entries, security alerts and configuration files from systems, network devices and security controls in order to determine the type or types of attack involved, since attacks can occur in countless ways and differ in their impact.
Furthermore, during the analysis process we will study the network, systems and software applications to gain a solid understanding of their normal behavior, so that the extent of the incident’s impact can be determined. Such a baseline is ideally established during the Preparation phase; where it is not, it has to be reconstructed from historical logs and from the knowledge of the administrators, which is slower and less reliable.
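As an added illustration of the baselining described above (example code written for this page, not ITHACA Labs’ or Odyssey’s own tooling), the script below learns the normal hourly failed-login count per source address from a quiet baseline window of constructed sshd log lines, flags later hours that deviate from it, notes whether the same source subsequently logged in successfully, and emits the kind of time-stamped logbook entries the Preparation phase calls for. The hostnames, addresses, log format and thresholds are assumptions.

```python
"""Baseline-and-deviation check over constructed sshd log lines.

Hypothetical example; not ITHACA Labs / Odyssey code. Every log line is
generated here for the example and does not come from a real system.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Syslog-style sshd line with an ISO 8601 timestamp (assumed format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)


def sshd_line(ts, pid, result, user, ip, port):
    """Render one constructed log line in the format LINE_RE expects."""
    return (f"{ts:%Y-%m-%dT%H:%M:%S} web01 sshd[{pid}]: {result} password "
            f"for {user} from {ip} port {port} ssh2")


def build_sample_log():
    """Constructed data: three quiet working days (one mistyped password per
    hour from the office address 192.0.2.10, then a successful login), followed
    on day four by 40 failures in ten minutes from 203.0.113.7 and a success."""
    lines, start, pid = [], datetime(2024, 3, 1, tzinfo=UTC), 1000
    for day in range(3):
        for hour in range(8, 18):
            ts = start + timedelta(days=day, hours=hour, minutes=13)
            pid += 1
            lines.append(sshd_line(ts, pid, "Failed", "alice", "192.0.2.10", 40000 + pid))
            pid += 1
            lines.append(sshd_line(ts + timedelta(seconds=20), pid, "Accepted",
                                   "alice", "192.0.2.10", 40000 + pid))
    burst = start + timedelta(days=3, hours=10)
    for i in range(40):
        pid += 1
        lines.append(sshd_line(burst + timedelta(seconds=15 * i), pid, "Failed",
                               "root", "203.0.113.7", 50000 + i))
    pid += 1
    lines.append(sshd_line(burst + timedelta(minutes=11), pid, "Accepted",
                           "root", "203.0.113.7", 50099))
    return "\n".join(lines)


def parse_events(log_text):
    """Return (events, skipped): events are (ts, result, user, ip) tuples;
    lines the parser does not understand are counted, not silently dropped."""
    events, skipped = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            skipped += 1
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S").replace(tzinfo=UTC)
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events, skipped


def find_deviations(events, baseline_end, z=3.0, min_failures=5):
    """Learn each source's hourly failed-login counts before baseline_end and
    report later hours whose count exceeds max(min_failures, mean + z*sd).
    A source absent from the baseline has no history, so min_failures alone
    applies. Each finding records whether the same source later succeeded."""
    per_hour = Counter()
    successes = defaultdict(list)
    for ts, result, _user, ip in events:
        if result == "Failed":
            per_hour[(ip, ts.replace(minute=0, second=0, microsecond=0))] += 1
        else:
            successes[ip].append(ts)
    history = defaultdict(list)
    for (ip, hour), n in per_hour.items():
        if hour < baseline_end:
            history[ip].append(n)
    findings = []
    for (ip, hour), n in sorted(per_hour.items(), key=lambda kv: kv[0][1]):
        if hour < baseline_end:
            continue
        hist = history.get(ip, [])
        mean = statistics.mean(hist) if hist else 0.0
        sd = statistics.pstdev(hist) if hist else 0.0
        threshold = max(min_failures, mean + z * sd)
        if n > threshold:
            findings.append({
                "ip": ip, "hour": hour, "failures": n,
                "baseline_mean": mean, "threshold": threshold,
                "success_after": any(t >= hour for t in successes[ip]),
            })
    return findings


def logbook_entries(findings, recorded_at):
    """Render findings as time-stamped logbook lines that later actions in
    the investigation can reference."""
    out = []
    for f in findings:
        severity = "HIGH (success after burst)" if f["success_after"] else "MEDIUM"
        out.append(f"{recorded_at:%Y-%m-%dT%H:%M:%SZ} CERT observation: {f['failures']} "
                   f"failed logins from {f['ip']} in hour {f['hour']:%Y-%m-%d %H:%M} "
                   f"(baseline mean {f['baseline_mean']:.1f}/h); severity {severity}")
    return out


def analyse_sample():
    """Run the whole pipeline over the constructed log; returns (findings, skipped)."""
    events, skipped = parse_events(build_sample_log())
    return find_deviations(events, baseline_end=datetime(2024, 3, 4, tzinfo=UTC)), skipped


if __name__ == "__main__":
    found, skipped = analyse_sample()
    for entry in logbook_entries(found, datetime.now(UTC)):
        print(entry)
```

The point of the `history`/`threshold` split is that a source seen in the baseline is judged against its own normal rate, while a source never seen before is judged only against the `min_failures` floor; the skipped-line count is returned rather than discarded because a parser that silently drops lines hides exactly the evidence an investigation needs.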
Below is a brief explanation of the impact that different types of attacks and incidents may have on the organization’s systems and network infrastructure:
Some incidents may fit into more than one category. Our CERT team will categorize incidents by the mechanism through which they spread, for example:
Based on the outcome of the Detection & Analysis phase, our CERT team experts will formulate a course of action recommending the measures your organization should take to contain the incident’s impact. These guidelines will be based on the type and criticality of the incident.
During this phase, the threats identified during Detection & Analysis, such as vulnerabilities, compromised user accounts, mis-configured network, security and system components, or back-door programs, will be patched, removed or re-configured accordingly.
During this phase our CERT team experts will ensure that the affected systems and networks are returned to full operation.
This is generally a task performed by your internal team with the guidance and oversight of our experts. These tasks may include:
Once the affected components have been restored, it is up to the organization’s management to decide when to resume the related business operations.
During this phase the CERT team will organize a meeting with all parties involved in order to present our findings, observations and assessment of what happened and, where applicable, how the incident could have been avoided or prevented. Among other topics, during this meeting we will discuss the following:
Incident Response & Digital Forensics