Cyber Response Analysis Services

CyberSecOp consultants are cyber incident response subject matter experts who have collaborated on numerous security projects and operational improvement initiatives. We will support your security operational activities by helping to develop an incident response plan and working with your IT team to mitigate any potential risk. Our teams will create an investigative process and playbooks. Enrollment in our security incident response services is required to ensure steadily improving operational effectiveness and alert fidelity. In addition, we will be responsible for continuously identifying gaps and managing improvements in the security response process, technologies, and monitoring. Working closely with internal architecture, engineering, and project management teams, we will ensure cyber-defense requirements are identified and communicated early in the project life cycle.

Security Incident response process

What does an incident response team do? CyberSecOp has identified six steps in the incident response lifecycle:

  1. Preparation. In this phase, organizations set up their policy, response plan, communication, documentation, team, access control tools, and training.

  2. Identification. This phase involves detecting unusual activity and determining whether or not it qualifies as a security incident.

  3. Containment. Once you determine that an incident has occurred, your next step should be to prevent any additional damage.

  4. Eradication. Next, you should remove any malicious code and repair any damage caused to your systems and networks.

  5. Recovery. After the problem has been eliminated, organizations should bring the affected systems back online slowly and carefully, taking steps to make sure that the incident won't reoccur immediately.

  6. Lessons learned. Finally, after systems are operating normally again, the team should document the incident and look for ways to harden systems against similar attacks.


Security incident response services with CyberSecOp

  • Support cyber incident response actions to ensure proper assessment, containment, mitigation, and documentation

  • Support cyber investigations and contribute to the handling of large- and small-scale security breaches

  • Review and analyze cyber threats and provide SME support

  • Interact with and assist other investigative teams on time-sensitive, critical investigations

  • Participate as part of a close team of technical specialists in coordinated responses and subsequent remediation of security incidents

  • Manage the security monitoring enrollment process to ensure adequate coverage and effectiveness of all new and existing cloud and premise-based applications, services, and platforms

  • Maintain a detailed tracking plan of all internal/external enrollment outcomes and recommendations and provide support through to implementation

  • Act as a liaison between cyber-defense, engineering, security architecture, network & system operations, and functional project teams to ensure effective project implementation that meets incident response requirements

  • Define baseline security monitoring requirements for all new projects, services, and applications joining your organization's network

  • Facilitate the development and tuning of SIEM rules to support enrollments and ensure high fidelity alerting

Responding to Security Incidents

Our team responds to all types of security incidents; some of the most common include:

  • Phishing. In a phishing attack, criminals send an organization's employees a message (usually via email) that includes a malicious attachment or link. The bad news, according to Cyber Team, is that phishing attacks are on the rise and employees don't know how to handle them. The median time between when attackers send out a phishing campaign and when the first recipient opens the message is just 1 minute and 40 seconds, and the median time for clicking on the malicious link is just 3 minutes and 45 seconds. Only 3 percent of phishing recipients reported malicious emails.

  • Stolen Credentials. The goal of many phishing or malware attacks is to obtain credentials that will allow an attacker to access the organization's network. In many cases, however, the attackers don't actually have to "steal" anything — they simply guess the correct password. According to the Cyber Team report, "63 percent of confirmed data breaches involved weak, default or stolen passwords."

  • Malware. Malware is a broad category that includes any kind of malicious software. Examples include viruses, trojan horses, rootkits, adware, and the increasingly common ransomware. Users can introduce malware into a network in a number of ways, for example, by clicking a malicious attachment in a phishing email, visiting a malicious Web page, or by connecting an infected USB drive or another device to the network.

  • Ransomware. An increasingly common attack vector, ransomware is a type of malware that demands that victims pay a fee in order to remove the malicious code, regain access to files that were encrypted by the ransomware, or prevent something unwanted from happening, such as making a victim's data public. According to Symantec's Ransomware and Business 2016 Report, security vendors discovered one hundred new malware families last year alone, and the average ransom demand has climbed to $679.

  • Denial of service attacks. In a denial of service (DoS) attack, attackers flood a system, usually a Web server, with so much traffic that legitimate users can no longer access it. Hackers often mount DoS attacks for ideological reasons or to "punish" a person or organization for some activity. For example, last year attackers hit security blogger Brian Krebs with a DoS attack after he published a series of articles on DoS-for-hire services.

  • Web app attacks. Hackers attack organizations' Web apps in a number of different ways, such as buffer overflows, SQL injection, cross-site scripting, and, as already mentioned, DoS attacks. The Cyber Team reported 5,334 incidents of Web app attacks last year, including 908 that resulted in data breaches. Financial services companies are a particularly popular target for Web attacks.

  • Cyber espionage. One of the hardest types of incidents to defend against, cyber espionage occurs when an unauthorized person attempts to infiltrate a system or network in order to gain access to secret information. Often these attacks are perpetrated by a company's competitors or by nation-states. According to The Cyber Team, "90 percent of cyber espionage breaches capture trade secrets or proprietary information."

  • Loss or theft of devices. As mobile devices have become more common, organizations have experienced an increase in the loss or theft of devices that contain corporate information or that can access corporate networks. Many of these incidents do not result in data breaches, but organizations often find it very difficult to distinguish between accidents and intentional theft carried out with the goal of infiltrating an organization's networks.

  • Insider attacks. Organizations sometimes don't pay enough attention to threats from their own employees or partners' employees, but the Cyber Team reported that there were 10,489 incidents of "insider and privilege misuse" last year. These attacks can be very difficult to detect and mitigate because insiders often have knowledge that helps them evade an organization's security measures.

Writing your security incident response plan may seem like a daunting prospect. If so, you're not alone. CyberSecOp's Enterprise Strategy Team of security professionals is experienced in creating a full incident response process.