Incident Management

Plan, respond and recover from a security incident

Security incident management: preparation and recovery

When you have been attacked, standard IT responses often won't work. This is a criminal act, and forensics, triage and attention to detail are needed.

SOC360 Emergency Security Incident Management

We can help you plan and respond to security incidents in your IT organisation. Preparation puts both the technology and the processes in place to react to an attack, data loss or hacking attempt, stop the attack cold, and keep your data safe.

Breach Management

If you suspect data is missing, stolen or compromised, you need to execute a breach management plan. We can guide you through the early steps you need to take so that the perpetrator can be found, any damage minimised and further proceedings can occur.

On-Hand

We can have our IT experts available onsite to either supervise or carry out the investigations and activity to assist you. Here we act as an extension of your team, providing expert support.

Incident Plan

An incident plan is more than a document: it is a practised and corrected procedure in your organisation for dealing with security attacks. Our security experts can help your IT team build and test an incident plan that works for you.


Ransomware/Cryptolocker Recovery

Don't give in and pay money. That just proves that you will be a willing target for the next attacker. It is possible to recover from ransomware attacks and prevent further attacks. No matter how small or large your data is, we can help.

Decryption of Cryptolocker

Despite what the attackers say, it is possible to decrypt data attacked by ransomware. With brute force and guided forensics, full or partial recovery of data is possible.

Attack Vector Discovery

If you have been attacked by ransomware, dormant bots or proxies are present in your network. These also need to be discovered and removed, or the attack will continue. We have the means to uncover and identify these systems and stop them.

Future Mitigation

Being attacked by ransomware is a big wake-up call to ensure your security, processes and training are tight. We can assist with the preparation and deployment of industry-leading solutions to help.

What do you need to report and when?

It is likely that severe security incidents or loss of data (particularly private personal data) need to be reported, even if you are not covered by industry regulations.

We can assist you in answering the question of whether you need to report or not, and also with the preparation of the report itself.


Executive Advisory and Reporting

Reporting failures in security or data loss can be a nightmare, but we can help. This step must be taken, and the report needs to be detailed but easy to understand. We have the templates and resources to investigate the real issues and impact, professionally validated by external experts, with realistic recommendations within your capabilities.

Discover the root cause of security alerts and fight back

Often security tools or other management platforms alert you to suspicious behaviour in your network, servers or applications. This may or may not be a security issue, but you cannot be negligent in the reactions you need to take.

We can support you in tracking down possible attackers with the deployment of agents and log monitoring back to our SIEM-as-a-Service. Once ready (it does not take much time, as it's in the cloud), you are armed to track down the threat and eliminate it.

Have you been hacked before? We know how to prepare your business

Get Help Now

We work across hundreds of environments and have frequently had to discover, recover and fight back from cyber attacks on our customers. That gives us experience, and while not every attack is the same, they follow common vectors in the majority of cases. We can call on experts who are well trained in the field to help you, and who find great satisfaction in finding the problem and killing it (that's what engineers do best). We are ready to let them loose in your environment to help you recover your business and data.

Do you have:

  • Unexplained data spikes, or increased/abnormal usage
  • Changes that have occurred without anyone's knowledge
  • Strange software installs
  • Website blacklisted or reported
  • Emails failing due to blacklisting
  • Fake emails being generated
  • Locked out of accounts, particularly root or admin
  • Strange new/system accounts being created
  • Additional files/scripts showing up
  • Malware or viruses
  • Fake system messages, web pages or emails directing to external malware sites
  • Random pop-ups during browsing
  • Logs cleaned/deleted

Responding to Cryptolocker

How to detect and respond to Cryptolocker ransomware attacks

  • Stop and think

    Don't just run for your backups; they may already be compromised. Stop and think about what could be happening, and ask for help.

  • Do you turn the PC off?

    This can be successful in stopping a running attack. However, if you have already seen the ransomware message, it has most likely completed its job, and restarting will lose the in-memory keys.

  • Do I reboot?

    Unlike most user problems, rebooting won't help. The ransomware has likely infected or emulated a system process, is undetectable, and will simply re-run after a reboot. Don't even run AV programs: the encryption key is likely cached in memory, and running more programs may overwrite it.

  • Do I isolate?

    Isolating an infected system can be a good idea, as long as the business can operate without it. This may prevent the malware from spreading to other users. But don't reboot the infected machine; just disconnect it from the network.

  • Do I reformat?

    If your data is encrypted, reformatting the servers may get rid of the malware, but it also gets rid of any data that forensics may be able to use to decrypt your data.

  • Get help?

    It is possible to decrypt your data. Talk to the experts for help.

Be prepared against ransomware

With a combination of SOC-as-a-Service, SIEM-as-a-Service and endpoint protection, you have a surefire way to prevent and defend against ransomware attackers. The advanced endpoint protection can prevent the attack from infecting a target computer in the first place, regardless of what the user does. When the attack is prevented, it is reported to the SIEM event monitor and investigated by SOC security experts. The SIEM then provides the history of each endpoint to determine the attack vector that was used. Once discovered, this can be closed, and signatures updated and vendors notified so future attacks can be prevented.

Get help fast. Contact us immediately
