We have had quite a few requests lately for incident response services. One of our core tenets is partnering with our customers and being there to help them, especially in times of need when they may have just experienced a data breach. With that being said, there is a difference between incident response and digital forensics. In this blog, we will explore what incident response services we offer, how it works in terms of cost, and what we cannot do.
What Incident Response Services We Offer
Triaxiom Security offers incident response that focuses on the detection and analysis portion of the incident response lifecycle, as defined by NIST SP 800-61 R2. More specifically, Triaxiom aims to answer the following questions with our incident response services:
How did the attacker get in?
This is one of the most important questions to answer following an incident. Without knowing how it happened, there is no way to prevent this from happening again. Moreover, there is no way to prevent this particular adversary from breaching your network again using the exact same attack. So before you reformat workstations and restore the network, it’s important to make sure that the particular hole or vulnerability that allowed this incident to happen is patched.
Sometimes this is obvious. For example, if an attacker sends a phishing email and your employee admits to clicking on it, that is a pretty obvious point of entry. In cases like that, we can analyze the phishing attack and provide some targeted recommendations to reduce the likelihood it happens again, such as:
- Changes to your security awareness program
- Additional security controls, like a banner on all emails originating from outside the organization
- Updates to current security controls, e.g. tightening your email filters and spam policy
In other cases, initial indications may have shown sensitive information leaving the network, but further investigation is necessary to determine exactly how and where the adversary gained access in the first place. Triaxiom will use the available logs and evidence to trace the attack back and try to answer these questions.
What did the attacker access?
One of the things an organization needs to know as soon as possible following an incident is what the attackers had access to. Is there any evidence that the attacker gained access to customer information, credit cards, or other valuable information you are trying to protect? The answers to those questions are going to dictate a lot about your organization’s response process, including the urgency of the process and the legal/regulatory requirements for the response. By using a combination of open source intelligence, analyzing available logs, and reverse engineering any malware, Triaxiom will follow the trail to see where the attacker may have had access and whether there is any indication of sensitive information being exfiltrated from the network.
Is the attacker still on the network?
Before the incident can be resolved and network services can be fully restored, it is imperative to understand whether the attacker is still present on the network. Using all available information, Triaxiom will attempt to determine if the attacker still has a presence on the network, following containment and eradication procedures.
What Incident Response Services We Do Not Offer
While we will do everything we can to assist our clients, there are some things in incident response that we aren’t equipped to handle. Most specifically, if you are focused on taking the attacker to court, there are a number of additional things that come into play. While we are happy to testify as experts in the field, we cannot take responsibility for chain of custody (ensuring the evidence is preserved appropriately). For example, if you want us to analyze the hard drive of a suspected computer, we will ask that you first make a secure copy using a write-blocker. This way, we are working off a copy and not the original, which must be preserved as evidence.
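As an added illustration of the copy-first practice described above (this is not Triaxiom's procedure or tooling), the shell snippet below images a constructed stand-in file, hashes both the original and the image with SHA-256, records the hashes in a log, and refuses to proceed if they differ. The file names and log format are assumptions.

```shell
#!/bin/sh
# Constructed demo: image a source "device" (a plain file standing in for the
# write-blocked drive), then hash source and image before any analysis begins.

# Build a constructed stand-in for the original evidence (not a real drive).
make_sample_evidence() {
    dir=$(mktemp -d)
    printf 'constructed evidence bytes\n' > "$dir/original.bin"
    chmod 0444 "$dir/original.bin"   # read-only, mirroring the write-blocker's intent
    echo "$dir"
}

# Return the SHA-256 hex digest of one file.
file_hash() {
    sha256sum "$1" | cut -d' ' -f1
}

# Copy SRC to IMG block by block and append both hashes to LOG (assumed path).
# Succeeds only when the image hash matches the source hash.
image_and_verify() {
    src=$1; img=$2; log=$3
    dd if="$src" of="$img" bs=4096 2>/dev/null
    src_hash=$(file_hash "$src")
    img_hash=$(file_hash "$img")
    printf 'source %s\nimage  %s\n' "$src_hash" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# Re-check an existing image against the original; used before every analysis
# session so a tampered or truncated copy is caught rather than analyzed.
verify_image() {
    [ "$(file_hash "$1")" = "$(file_hash "$2")" ]
}
```

All analysis then runs against the image file, never the original, and the recorded hashes let you later show the copy was faithful.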
How It Works
Our incident response services are typically treated as Time & Materials contracts. For something like incident response services, a fixed price contract does not work well due to the variables and unknowns in the response process. Some incidents will be cut and dried and we can get the answers you need in a few days, while others will require further investigation. We will have weekly status updates (daily, if necessary) to let you know where we stand in the investigation, what we found, and whether you would like us to continue digging deeper.
When you give us a call, we will work the schedule as much as possible to get our engineers to start analyzing your breach in a timely manner. With that being said, some of our customers have chosen to provide a retainer (a bucket of hours for incident response services, purchased up front). By purchasing a retainer, these customers have priority access in the event they need us to respond to an incident, similar to a retainer for a lawyer.
In all cases, incidents require a quick response time to get the ball rolling on an investigation. We pride ourselves on rapid communication and respond to calls/emails as quickly as possible to get you the answers you need. If you think you may be experiencing an incident or just want to talk through preparation steps in the event you do ever experience one, give us a call and we’ll be happy to help!