CYBER RESILIENCE & INCIDENT RESPONSE

Transcription

1 CYBER RESILIENCE & INCIDENT RESPONSE

2 Introduction The threat landscape has changed dramatically over the last decade. Once the biggest threats came from opportunist attacks and preventable accidents, but now organisations are facing a multifaceted set of cyber security threats. The consequences of a successful cyber attack are well known, so having an effective program of risk reduction and response is no longer optional. Today s attacks are rarely random, rather they are targeted at organisations or industries with the aim of achieving specific goals. These attacks are intended to cause financial or reputational damage, or to steal confidential information, and can come from hostile nation-states, organised criminal enterprises or disgruntled employees. Such attacks require the public and private sectors to take a different approach to their cyber security posture and strategy. As attacks are often tailored to evade or subvert the particular defences of the organisation under attack, conventional technical security measures are often ineffective. This is why it has become critical for organisations to understand and remediate the threat in the context of their business and take action to improve their cyber resilience. NCC Group s Cyber Resilience and Incident Response services help you prepare, assess, maintain and respond to the threats you face. Drawing on the experience of our cyber risk professionals, incident response experts and technical security consultancy teams, we help clients to: Understand their current cyber posture Contain and mitigate any breach Understand ongoing risk and develop a strategic roadmap to improve overall cyber security maturity Cyber resilience goes beyond risk management and tactical technical solutions, taking a holistic view of preparing organisations for the reality of cyber incidents. Cyber Resilience and Response 2

3 Prepare Review Assess Respond Maintain Cyber Resilience and Response 3

4 What should your organisation do? Believing that an incident could happen at any time will enable better preparedness. Accepting that cyber incidents will happen, means that your organisation will be ready to respond when a breach occurs or is detected. By being ready your organisation will understand the best course of action to take to return to business as usual. To ensure comprehensive coverage, cyber resilience must be embedded in an organisation and become an everyday consideration, not just a one-off project. It is important to adopt the mindset that while total security is unachievable, risk is manageable when an eventual breach is planned for. Improving your overall security posture may seem like a daunting task. Our Cyber Resilience and Incident Response framework enables you to develop a strategy to suit your organisation. Our framework takes you through the key areas you need to consider to put together an approach that works for you. Our services range from executive engagement and strategy development, through to education and awareness, incident management and remediation. With a global team of over 400 experienced consultants we are on hand to help organisations plan for and respond to a variety of cyber risks. Our strength in depth and unique set of skills means we can respond to incidents of all sizes, even those with challenging timescales and diverse technical requirements. With best-of-breed solutions, tools and the expertise of our intrusion response specialists, we are constantly evolving our capabilities to meet our clients demand for robust cyber security. Cyber Resilience and Response 4

5 How we can help Prepare Assess Maintain Respond Review Executive Steps to Cyber Security Cyber and Incident Response Strategy & Planning Board Level Training Cyber Security Capability Assessment/ Health Check Policy Maturity Review Sophisticated Simulated Attack (Red Team) Investigative Protective Monitoring & Logging Review Host, Network & Forensics Readiness Training Ongoing Consulting and Managed Services Proactive Network Monitoring Incident Response Management Investigate & Remediate Impact Understanding & Quantification Managed Services Malware Analysis & Reverse Engineering Information & Threat Intelligence Sharing Partnerships Post Incident Analysis: Threat Impact & Loss Review Lessons Learned: Action Identification & Knowledge Dissemination Cyber Security Diagnostics Host Forensics & Network Monitoring Mitigation & Recovery Assistance Log Analysis Cyber Resilience and Response 5

6 Prepare Assess Maintain Proactive Risk Management Your organisation s cyber risk strategy must be driven from the board level. Focusing on technology is not enough, security must be an integral part of your core business governance strategy. Proactive risk management enables you to integrate cyber security into every aspect of your organisation. Embedding cyber security into the organisational governance and control framework of any business is the starting point for the design, development and delivery of a forward looking strategy. NCC Group s Cyber Resilience services will help you to develop an understanding of your current capabilities, the threats faced and vulnerabilities present, with the goal of developing a cyber-resilient organisation. Cyber & Incident Response Strategy Planning If you don t have an in-depth security strategy, then you need to know where you should focus your investment and what your security priorities should look like in the short, medium and long term. Our security strategy advisory service is based on four attributes: 1. Getting the basics right 2. Identifying and protecting what matters most to your business 3. Strengthening leadership and governance 4. Pioneering security as a business enabler Cyber Security Capability Health Check Our Cyber Security Capability Health Check helps organisations understand their risk posture and ability to defend against internal and external cyber threats. By taking a holistic view of people, processes and technology, the health check enables organisations to articulate their enterprise cyber security capabilities and highlight areas of vulnerability and risk in the context of the overall business. Actionable findings backed up with practical recommendations will enable your organisation to prioritise areas for remediation and result in your organisation becoming more vigilant and resilient in its approach to manage cyber threats. Policy Maturity Review Your organisation s ability to manage cyber threats and vulnerabilities is heavily reliant on the existence of robust and mature security policies which articulate the security standards of your organisation in relation to staff behaviour, business and technical processes. Keeping security policies aligned with your business direction and the evolving security threat landscape is challenging and, if not done correctly, can lead to data loss, breaches or other security incidents. We have the experience and capability to review your organisation s existing security policies to make sure they reflect business and technical processes. We also have the expertise to help you develop new policies which will be mature enough to address compliance gaps and meet industry best practice. Cyber Resilience and Response 6

7 Prepare Assess Maintain Sophisticated Simulated Attack (Red Team) Performing a simulated attack on your organisation to assess its susceptibility to a breach, its level of user awareness and its detection and response capabilities is very valuable. Our methods include open source intelligence (OSINT) to identify targets; phishing campaigns to gain access to company credentials or systems; and the use of simulated malicious-like payloads to retain access. Alternatively, we will generate traffic on your internal network, originating from a simulated compromise to assess your current ability to detect suspicious activity. We tailor a program designed to identify and highlight gaps and ensure the robustness of your overall security posture. Investigative Protective Monitoring & Logging Review We perform a technical deep-dive exercise intended to answer the question do we have the requisite technical infrastructure and capabilities to be able to support investigations in a timely, accurate and sufficiently deep manner?. NCC Group s cyber incident response and defence operations experts review what your organisation has today, any gaps against particular threat types and your current level of maturity. Cyber Security Diagnostics Our consultants will undertake a broad review of your cyber security controls and capabilities to enable you to understand your risk posture and ability to defend against internal and external threats. The review will take a rounded view of people, processes and technology to understand areas of vulnerability and prioritise areas for remediation. Training People are the weakest link in cyber security. If your organisation lacks relevant training and cultural awareness then technology will be of limited benefit in preventing or responding to cyber attacks. We offer tailor-made training and awareness programmes relevant to your sector and level of maturity. From executive table top scenarios to phishing awareness our courses and experience are an important part of any risk reduction program. Our technical training is intended for individuals who will undertake incident response activities within a particular organisation and centres around first responder activities for host forensics, network traffic investigations and malicious code analysis (malware). Ongoing Consulting and Managed Services As part of your organisation s ongoing program of improvement our consulting and managed services teams provide a broad range of capabilities and offerings on an, as needed, as well as program basis. Cyber Resilience and Response 7

8 Respond Incident Response Knowing how to respond to an attack is one of the most important aspects of cyber resilience. NCC Group s Cyber Incident Response services provide step-by-step guidance and expert skillset to help you keep control of the situation. Incident Management and Response In the aftermath of a security incident you need a quick response and accurate insight. With our dedicated Incident Management and Response team we help you find out what happened and how. With our rapid incident response capability we focus on helping your organisation to promptly regain control of your systems and information following a security incident. Through a combination of evidence protection and forensicallysound investigation, our consultants can determine: How the breach occurred by understanding the initial vector of attack and compromise. The capabilities and activity of a threat actor to determine the extent of infiltration. Identify (where possible) who may be responsible Categorise what was taken and when to enable you to understand the loss. Our 24-hour response team provide timely and accurate advice on how best to deal with a breach as soon as it is discovered. Investigate & Remediate We provide comprehensive investigation services using appropriate experts in gathering, analysing and presenting digital evidence. Our consultants have experience of a wide range of investigations, including traditional laboratory-based forensic analysis, network forensics, covert monitoring, live host and memory forensics. Impact Understanding & Quantification We work closely with you to investigate a breach to help answer the question of what happened? and thus allow you to understand the impact on your organisation while also quantifying any losses. Managed Services Our Cyber Defence Operations network sensors are deployed as part of a managed service, in which traffic on your network will be automatically monitored around the clock, with any unusual traffic compared to our extensive intelligence databases. Combining our own intelligence with industry-wide knowledge and that privately shared from partners, we identify indicators of compromise and unusual network traffic quickly and accurately. Cyber Resilience and Response 8

9 Respond Malware Analysis & Reverse Engineering We have a dedicated malware investigations laboratory which enables us to analyse malicious code. Our team of consultants will reverse-engineer the malware, to discover exactly what its effect is and what damage it has already done to any affected systems. Using sandboxed virtual or physical machines, configured to the same specification as client machines, our experts analyse the malware s behaviour, allowing clients to secure their estates effectively. Host Forensics We provide you with cyber forensic investigation capabilities using appropriate experts in gathering, analysing and presenting digital evidence. We collect forensic images of hosts, getting a forensicallysound copy of all data in both storage and volatile memory. Our consultants then analyse any information found, using industrystandard tools and platforms. We provide you with an accurate picture on what happened and when, in support of a broader investigation. Network Monitoring Sensors are deployed on your networks and managed by our Security Operation Centre (SOC) through a secure connection and is used to perform live monitoring of unusual and potentially malicious traffic, such as intrusion attempts, data egress, and malware command and control traffic. Using secure systems and in-house developed software, we analyse your network traffic in real time, allowing our experts to recommend countermeasures to block malicious traffic while tracing the source. Mitigation & Recovery Assistance We provide you with knowledge and support in the eradication of a threat actor from your environment and in the subsequent effort to bolster your defences. This is a blended service consisting of highlevel management combined with investigation, analysis, protective monitoring, advice and planning. Log Analysis Our consultants quickly and reliably assess available logs, as well as any intrusion detection and prevention systems already in place. We compare any traffic to previous attacks held in our intelligence databases to discover the extent of any compromise, malware infection or exfiltration of data. This service enables us to provide you with recommendations to prevent further attacks. Cyber Resilience and Response 9

10 Prepare Assess Maintain Respond Review Post Incident Post incident, all stages of the Cyber Resilience and Incident Response framework are revisited to ensure an ongoing program of improvement. The information gathered is fed back into the process and is used to further strengthen your security posture. Information & Threat Intelligence Sharing NCC Group believes that keeping your management informed of current, relevant facts around incidents is vitally important. During every investigation, we appoint a technical account manager who works closely with you and your management, ensuring that lines of communication are open at all times. The technical account manager provides detailed status reports, enabling you to make business decisions based on the threat intelligence that has been gathered. All of our reports contain details aimed at technical audiences and comprehensive summaries aimed at management, providing your managers and executives with a full picture of their current security status. Threat Impact & Loss Review We help you understand the impact and loss suffered as a result of a breach. Through a full review we will assess both the business and technical impact and the arising losses. Post Incident Analysis & Lessons Learned Many organisations are unaware of what steps they need to take to minimise the risk and impact of security breaches. Our team of highly qualified consultants offers advice, training and guidance in all areas of systems security, including: Ensuring that your organisation s staff are fully aware of their cyber security responsibilities. Proactive network monitoring tools and solutions. Establishing security and storage rules for the handling of evidence. Delivery of training to key staff ensuring adherence to evidence handling procedures. Providing guidance in the guide of a documented, real-world example that everyone can run through in advance. Ensuring that all parties, including legal, are confident that the processes in place are correct. NCC Group - your global cyber security partner Cyber Resilience and Response 10

11

12