Our incident response process
From the very moment of initial suspicion to the last steps of evidence collection and systems repair, incident response requires a meticulous approach: not only to guarantee both the termination of unauthorized access and the integrity of systems and information, but also to proactively counter attempts to tamper with or destroy evidence on affected systems. Furthermore, mistakes made by responders often result in tainted evidence and even further damage to backups and other resources.
01. Initial analysis
We collect information on personnel, infrastructure and the circumstances surrounding the incident. Additionally, we work with the customer to minimize the chance that the initial evidence gathering is detected by the intruder. Techniques such as live-memory imaging and network taps are often used in this stage. We employ reverse engineering to gain a proper understanding of the sophistication of the actors and their toolkit, as well as any self-protection mechanisms they may have deployed.
02. Damage control and containment
Once a baseline has been established for investigating the incident, it is imperative to assess the existing damage. Typically, we focus on securing the integrity and availability of backups, especially those susceptible to compromise (onsite). Additionally, by this stage we will have collected sufficient "hot" (volatile) evidence that systems can be pulled offline, unless there is a risk of triggering self-protection mechanisms in malware or APT components. This is the "inflection point" of the investigation.
03. Evidence assessment and defensive steps
At this point, our efforts mostly involve assessing all the collected evidence, monitoring systems for any unexpected changes, and supervising the due diligence of the staff responsible for systems maintenance. In addition, we work towards attribution of the incident with the highest confidence the evidence and intelligence at hand allow. In most cases, we can procure enough evidence and analysis to assist in prosecution and deterrence efforts with a high degree of confidence. In this stage we cooperate with the customer's legal representatives, as well as service providers, vendors, etc.
04. Final report and briefing
Our engagement comes to an end with the briefing of the customer and delivery of the final report. Our commitment to our customers extends past this stage: we provide further assistance related to the incident for as long as it is needed, including expert witness testimony if requested.
Our work ethic and capabilities for incident response
Our team and external contractors across multiple timezones can engage on request, effectively "standing by" for any unexpected situation your business might suffer. We can respond within one hour and accommodate the unpredictable nature of security incidents, adjusting our agreement and contracted hours to be cost effective. Our retainer agreements can be significantly more effective and affordable than most insurance policies available today, with the benefit of a team that is best-in-class and far more experienced than those in most consulting clearing houses, whose staff often have next to no real offensive security experience.
Cooperation with other vendors
We are more than happy to cooperate and work together with other vendors involved with the customer. Our confidence in our abilities and our business ethic rule out any sort of competitive attitude when the customer's integrity and safety are at risk. We believe that a multi-vendor approach, combining highly skilled professionals from different specialized backgrounds, is a far greater assurance of success. Our industry connections allow us to act quickly, with the assistance of the vendors' own teams, on incidents that affect products from major software vendors, ultimately benefitting a much wider audience.
Our team is a tightly knit group of professionals with decades worth of experience on sensitive projects and situations. Loyalty to our work ethics and principles is as important to us as technical capability. We understand that security incidents are sensitive and plagued with complicated economic and legal ramifications, requiring the utmost diligence.
We apply our extensive R&D and real-world experience
Our consulting and research & development efforts directly contribute to our incident response capabilities. Through intimate knowledge of offensive security we can direct our efforts and attention much more effectively than other firms whose staff have significantly less practical experience.
Incident Response-related in-depth knowledge of:
IT infrastructure and security systems
- Reverse engineering (embedded systems, C, C++, .NET...)
- Kerberos / IPA environments
- Microsoft™ Active Directory environments
- Mobile platforms (iOS, Android)
- Network appliances (Cisco, Ruckus, Palo Alto, Netgate...)
- Ransomware reverse engineering
- Software protection circumvention
- Exploit reverse engineering
- Evidence recovery from network captures
- Network capture and tapping systems (N2disk, Napatech, etc)
Physical security systems
- Access control mechanisms (RFID/NFC, RF cards, tokens...)
- Lock security (Europe, North America, Asia)
- Alarm systems and sensors communications
- Commercial radio systems (Motorola, Hytera, Sepura)
- Rolling-code protocols (integrated circuits in appliances)
- NVR equipment (Dahua, Hikvision)
We help businesses respond to, prevent and document security incidents.
What can I expect?
- Best-in-class technical team
- A spotless work ethic
- Specialized assistance around the clock