Sometimes the only way is to reach for the big red button
This approach should not be feared; we often discover that incidents are not breaches. We follow the CIBOK techniques of investigation and one of our board advisors acts as executive editor. The principles of our approach are based around speed of discovery, enabling us to find indicators and follow the evidence to a successful conclusion.
Data sweep and incident scoping
If a potential cyber incident is suspected it is critical that rapid forensically-sound techniques are utilised to validate, investigate and take remedial action. Secrutiny follows a proven, three-step ‘Triage’ Incident Response methodology.
This approach enables us to focus specifically on areas which appear to be ‘hosts of interest’, so we can understand the intent and impact.
Forensic collection and investigation
Secrutiny’s Incident Response Methodology is more efficient than traditional ‘ball-of-string’ practices, which base evidence collection on following IOCs.
IOCs are not “threat intelligence” until they are understood in the context of the risks your organisation may be encountering, or has faced in the past. Consequently, the cost in terms of resources (people, tools and time) and the related financial impact can stretch as far as the proverbial “ball-of-string”, because you never know where the string will lead or how long it is going to be.
Incident containment and remediation
Our Incident Response Process encompasses:
- Data Collection and Incident Scoping.
- Forensic Collection and Investigation.
- Incident Containment and Remediation.
- Post-Incident Support.
This process assesses the scope of an incident followed by rigorous interrogation to establish the storyline. This results in targeted containment and remedial action followed by support to stop attackers re-establishing entry.