Incident Response
Time is of the Essence — Each Second Counts
When handling a cyber-security incident, the organization must respond quickly and effectively. The organization needs to establish an incident response plan that includes the involvement of incident response experts.
Why Clear Gate’s Incident Response Team?
Whether your organization is small or large, it is costly to develop and maintain in-house expertise and skills for an incident response team. Here are the advantages of hiring our incident response team:
- Our incident responders will identify the causes of the incident and offer advice on how to contain, eradicate, and remediate the incident.
- Our incident responders have the knowledge and experience of hundreds of scenarios, which helps reduce the time needed to diagnose the incident.
- We work with a forensic approach, so that any evidence is secured and documented according to a legally valid chain of custody. This evidence can later be presented in court, if necessary.
Is My Organization Under Attack?
An incident trigger is an event that indicates the presence of a cyber threat. When incident triggers are generated, the security team must be aware that a cyber-attack may be in progress. Here are several examples of incident triggers:
- Triggers from the endpoint protection system, such as attempts to access a known C2 server, attempts to infect the system with malicious software, repeated detection of malicious software, etc.
- Triggers from network devices, such as an unexpected rise in DNS or ICMP traffic volume, access to suspicious domains, or interaction with URLs that were categorized as suspicious.
- Triggers from correlated events, usually raised by the SIEM system (e.g., a malware event followed by a connection to a C2 server followed by a port scan).
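The third kind of trigger above is a sequence rule rather than a single alert: the same host has to produce a malware detection, then a C2 connection, then a port scan, in that order and within a bounded time. The following is an added example (not Clear Gate's code or any particular SIEM's rule language) of such a correlation rule written in Python. The event records, their field names (ts, host, type, detail) and the 30-minute window are constructed assumptions standing in for normalized SIEM data; the example also generalizes the page's one chain to any ordered chain of event types.

```python
"""Toy correlation rule for the 'malware -> C2 -> port scan' incident trigger.

Added example, not Clear Gate code. Events are constructed dicts standing in
for normalized SIEM records; the field names and sample values are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# The ordered chain of event types that constitutes one incident trigger.
CHAIN = ("malware_detected", "c2_connection", "port_scan")

# Constructed sample events (not real logs). ws-17 completes the chain inside
# the window; ws-22 completes it too slowly; ws-31 has the right events in the
# wrong order.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:05", "host": "ws-17", "type": "malware_detected", "detail": "Trojan.Generic"},
    {"ts": "2024-01-10T09:02:40", "host": "ws-17", "type": "c2_connection", "detail": "203.0.113.7:443"},
    {"ts": "2024-01-10T09:05:12", "host": "ws-17", "type": "port_scan", "detail": "10.0.0.0/24 tcp/445"},
    {"ts": "2024-01-10T09:30:00", "host": "ws-22", "type": "malware_detected", "detail": "Adware.Sample"},
    {"ts": "2024-01-10T10:45:00", "host": "ws-22", "type": "c2_connection", "detail": "198.51.100.9:8443"},
    {"ts": "2024-01-10T11:00:00", "host": "ws-22", "type": "port_scan", "detail": "10.0.1.0/24 tcp/22"},
    {"ts": "2024-01-10T09:00:00", "host": "ws-31", "type": "port_scan", "detail": "10.0.2.0/24 tcp/3389"},
    {"ts": "2024-01-10T09:01:00", "host": "ws-31", "type": "malware_detected", "detail": "Trojan.Generic"},
    {"ts": "2024-01-10T09:02:00", "host": "ws-31", "type": "c2_connection", "detail": "203.0.113.7:443"},
]


def _first_chain_match(evs, chain, window):
    """evs: time-sorted list of (datetime, event_type) for one host.

    Return (start, end) of the first occurrence of `chain` observed in order
    with every stage inside `window` of the first stage, else None.
    """
    for i, (t0, ty) in enumerate(evs):
        if ty != chain[0]:
            continue  # only a chain[0] event can open a candidate sequence
        stage, last = 1, t0
        for t, ty2 in evs[i + 1:]:
            if t - t0 > window:
                break  # candidate expired; try the next chain[0] event
            if ty2 == chain[stage]:
                stage, last = stage + 1, t
                if stage == len(chain):
                    return t0, last
    return None


def correlate(events, chain=CHAIN, window=timedelta(minutes=30)):
    """Group events per host and return one incident trigger per host whose
    event stream contains `chain` in order within `window`."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), e["type"]))

    triggers = []
    for host in sorted(by_host):
        evs = sorted(by_host[host])  # sort by time; events may arrive out of order
        match = _first_chain_match(evs, chain, window)
        if match:
            triggers.append({
                "host": host,
                "start": match[0].isoformat(),
                "end": match[1].isoformat(),
                "chain": " -> ".join(chain),
            })
    return triggers


if __name__ == "__main__":
    for trig in correlate(SAMPLE_EVENTS):
        print(f"INCIDENT TRIGGER {trig['host']}: {trig['chain']} "
              f"between {trig['start']} and {trig['end']}")
```

With the default 30-minute window only ws-17 fires; widening the window to two hours also catches ws-22, while ws-31 never fires because the port scan precedes the malware detection. The window is the tuning knob: too narrow and slow-moving intrusions are missed, too wide and unrelated alerts are stitched into false incidents.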
How Do We Respond To Security Incidents?
- Preparation: Writing a guide regarding how the internal incident response team will respond to a security incident before an external incident response team intervention.
- Identification: Defining criteria that will activate the incident response team (e.g., an excessive amount of malware triggered by the SIEM).
- Containment: Performing an immediate response to the incident and stopping the threat from spreading and doing further damage.
- Eradication: Establishing a process to restore all of the affected systems (e.g., re-image all systems involved in the incident and remove any traces of the security incident).
- Recovery: Determining how to bring all systems back into full production after verifying that they are clean and free of any malware that could lead to a new security incident.
- Lessons learned: Reviewing the documentation of the incident with the incident response team for training purposes, and updating the incident response plan based on feedback and any identified deficiencies.