Incident Response

Contain, investigate and remediate.

Fortune favors the prepared mind.

Louis Pasteur

All organizations, from the smallest to the most technologically advanced, get hacked, however much they spend on security. The attack could be sophisticated, stealthily stealing information, or opportunistic "phishing" or ransomware, but the potential damage to your organization is the same. The risk is real and ongoing.

Irrespective of whether the attack is a so-called "Advanced Persistent Threat" or something less complex, attacks follow the same pattern: individuals, teams, or even nation-states want something from an organization, so they target that organization.

With ransomware, which is really just the most recent iteration of the age-old virus attack, attackers simply want to hold your data hostage, in return for cold, hard cash.

APTs, on the other hand, involve long-term campaigns where attackers learn about how to manipulate the organization's people, technology and processes. Their tactics involve stealth and persistence: a combination of covert reconnaissance coupled with exploitation of security issues to break through all your layers of security, to get to your company's sensitive data.

The lesson to be learned is: if you're not already hacked, you soon will be. And that's why you need incident response. Our approach is shown in the image below.

Before an incident happens, you need to be prepared. Do you have a plan? Equipment? Personnel? Incident response consultants? As with any form of disaster, the less you plan and prepare, the worse things will be.

When you're hacked, how will you know it happened? And what do you do to work out what has happened, which needs to be done before you can get rid of the intruders? According to studies, the majority of breaches take months to be discovered, and it's usually by someone outside the organization.

Once they're in, do you just turn off the affected systems? Unplug the network? And then, what do you do with those systems, assuming your organization can do without them being available? With persistent threats, how do you know they won't just get back in? Maybe they're using a hole that has no patch or update to fix it?

Postmortems aren't just useful in CSI: they're the foundation for understanding how to improve, fixing the gaps and holes you have, and starting down the path to becoming more immune, as an organization, to future attacks.

The thing to note is that traditional controls do have some effectiveness, but targeted, custom attacks such as those seen in Advanced Persistent Threats are not static: they are driven by intelligent adversaries, which means the security problem is less like an act of nature (e.g. a storm) and more like the influenza virus. And that's why you need the right ingredients for IR, but most importantly the tenacity to be ever vigilant. Good IR is not a one-off, but a constant, cyclical approach to work.

Occamsec knows how to blend the secret ingredients together: skilled people, coupled with the right tools, to constantly monitor, detect, and respond to skilled adversaries. We can help with designing, implementing and running such a capability, and uniquely link that with our advanced threat intel and threat ops to give you your best shot at stopping Advanced Persistent Threats in their tracks.

  • About Us

    We are a tier one information security and risk management company. Our goal is to provide our clients with tailored solutions which meet their objectives.

    Our considerable reachback capabilities allow us to ensure clients receive the very best service, with no compromises.
