INCIDENT RESPONSE & FORENSICS SERVICES OVERVIEW
Cybersecurity incidents, particularly complex attacks such as advanced persistent threats (APTs), are now all too familiar headline news. These incidents inflict damage on the critical infrastructure of organizations of every type, including government bodies, and on a wide range of connected devices; they have become not only more numerous and diverse but also more damaging and disruptive.
To reach a secure state of readiness for its network infrastructure and protect its information assets, an organization requires an agile service delivery company like NSSPlus to lead the way. Our Security Incident Investigation and Response Management Services apply our proven capabilities to investigating sophisticated threats such as APTs and to responding effectively to cybersecurity incidents.
Forensically Sound Processes and Tools
To deliver technical investigation, response, and remediation services, the Forensics Team uses our tailored 5I Event and Incident Investigation and Response Framework and Methodology, which is built on five core elements:
NSSPlus’s 5I model (Figure 1) ensures our Incident Response and Forensics Teams have a roadmap to follow during the investigative, response, and remediation phases of the incident lifecycle. Our 5I model includes an informing component to meet all organization defined preferences for updates, summaries, and reports.
Reporting thresholds are customized further by incident severity levels, with higher levels receiving shorter reporting times and intervals to maintain situational awareness across stakeholders. From initial threat assessment and root cause analysis to eventual countermeasures and remediation, our specialized teams deliver services to meet your organization’s requirements.
Our Security Incident Investigation and Response Management Services are delivered through this framework, and the qualifications of the Incident Response and Forensics team members who apply it are the foundation of our performance. Key members of this high performing team are incident responders (levels 1–3) and cyber hunt threat analysts (levels 1–3). We developed carefully tiered functional responsibilities for each position, based on specialized educational and experience requirements and anchored by globally recognized certifications across all positions.
The success of these process driven investigations relies heavily on pairing skilled staff with mission specific forensic tools and technologies, including:
- Forensic Toolkit (FTK)—Supports the team, maintains evidentiary chain of custody, and enhances communications with organizations throughout an incident lifecycle
- EnCase—Provides NSSPlus staff with rapid and remote incident and event response functionality
- Security Information and Event Management (SIEM) tools—Collect and evaluate system data to provide enterprise wide analytics, with multiple security specific, intuitive analysis tools available
Detailed Reporting and Executive Summaries
NSSPlus customizes detailed reporting based on the incident reporting requirements set by your organization. For high impact incidents we provide initial notification within 15 minutes, followed by a detailed Forensic Summary Report within 4 hours. As the impact level decreases, the notification and reporting deadlines lengthen incrementally, to upper limits of 4 hours for notification and 12 hours for the report for incidents with the lowest potential impact.
Each Forensic Summary Report comprises three parts: Executive Summary, Actionable Intelligence, and Technical Details. By clearly communicating actionable intelligence and technical details, our personnel ensure stakeholder awareness of action items to implement further containment strategies, eradicate risk, and recover from the incident.
Incident Lifecycle of Device Forensics and Eviction of Intruders
When an incident is confirmed, our Incident Response and Forensics Teams follow 5I through to closure. The team:
- Uses device forensics to gather evidence
- Discovers additional indicators of compromise
- Remediates and closes out the incident
- Engages cyber hunt threat analysts to dig deeper and proactively identify and evict intruders hiding on the network or on devices
The same 5I roadmap guides our Cyber Hunt team throughout the incident lifecycle. NSSPlus builds out team structures and methodologies that move away from reactive network defense practices toward a robust, proactive security posture that identifies network anomalies, malicious activity, and potential cyber threats residing in a network infrastructure.
By applying fundamental security principles and knowledge of likely threat vectors, cyber hunt threat analysts develop Indicators of Compromise (IOCs) to identify and investigate cyber events that escape detection by traditional signature-based network security monitoring.
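One kind of behavioral IOC a hunt analyst develops is a beaconing pattern: a host that contacts the same external destination at a fixed interval with near-identical request sizes, which no signature matches but which stands out statistically. The example below is added here for illustration and is not NSSPlus's tooling; the proxy log lines are constructed for the example, and the event-count and jitter thresholds are hypothetical values a hunter would tune for their own environment.

```python
"""Added example: flag beaconing host/destination pairs in proxy logs
by measuring the regularity of connection intervals and request sizes.
Not NSSPlus code; log lines and thresholds are constructed for illustration."""
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Hypothetical thresholds: at least this many connections, and a coefficient
# of variation (stdev / mean) at or below this value for both the
# inter-connection intervals and the request sizes.
MIN_EVENTS = 5
MAX_JITTER = 0.10

# Constructed sample log: "<ISO timestamp> <src_ip> <dest_host> <bytes>".
# 10.0.0.5 talks to one host every 5 minutes with ~512-byte requests;
# 10.0.0.7 shows ordinary, irregular browsing.
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 updates.example-cdn.net 512
2024-03-01T09:00:15 10.0.0.7 intranet.corp.local 2048
2024-03-01T09:05:00 10.0.0.5 updates.example-cdn.net 514
2024-03-01T09:10:00 10.0.0.5 updates.example-cdn.net 511
2024-03-01T09:12:31 10.0.0.7 mail.corp.local 9000
2024-03-01T09:15:00 10.0.0.5 updates.example-cdn.net 513
2024-03-01T09:20:00 10.0.0.5 updates.example-cdn.net 512
2024-03-01T09:25:00 10.0.0.5 updates.example-cdn.net 515
2024-03-01T09:27:44 10.0.0.7 www.example.org 70000
2024-03-01T09:30:00 10.0.0.5 updates.example-cdn.net 512
"""


@dataclass
class Beacon:
    """A host/destination pair whose traffic looks like a periodic beacon."""
    src: str
    dest: str
    count: int
    mean_interval_s: float
    interval_jitter: float
    size_jitter: float


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dest, size) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dest, size = line.split()
        records.append((datetime.fromisoformat(ts), src, dest, int(size)))
    return records


def _cv(values):
    """Coefficient of variation; 0.0 when the mean is zero to avoid division errors."""
    mean = statistics.mean(values)
    if mean == 0:
        return 0.0
    return statistics.pstdev(values) / mean


def find_beacons(records, min_events=MIN_EVENTS, max_jitter=MAX_JITTER):
    """Group connections by (src, dest) and flag pairs with regular timing and sizes."""
    by_pair = defaultdict(list)
    for ts, src, dest, size in records:
        by_pair[(src, dest)].append((ts, size))

    beacons = []
    for (src, dest), events in by_pair.items():
        if len(events) < min_events:
            continue
        events.sort()  # order by timestamp before computing intervals
        intervals = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [size for _, size in events]
        interval_jitter, size_jitter = _cv(intervals), _cv(sizes)
        if interval_jitter <= max_jitter and size_jitter <= max_jitter:
            beacons.append(Beacon(src, dest, len(events),
                                  statistics.mean(intervals),
                                  interval_jitter, size_jitter))
    return beacons


if __name__ == "__main__":
    for beacon in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{beacon.src} -> {beacon.dest}: {beacon.count} connections, "
              f"every {beacon.mean_interval_s:.0f}s "
              f"(interval jitter {beacon.interval_jitter:.3f}, size jitter {beacon.size_jitter:.3f})")
```

On the constructed log only the 10.0.0.5 pair is reported; the browsing host never contacts one destination often enough or regularly enough to cross the thresholds. In practice a hunter would run this over hours or days of proxy or NetFlow data, raise the jitter ceiling slightly to allow for the randomized sleep that some implants add, and turn each confirmed finding into a shareable IOC (destination, interval, request size) for the SIEM.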