Incident response & aftercare

Good aftercare after a cyber attack 


It is important to ensure that cyber monitoring is properly organized. Sometimes the client has the necessary expertise in-house to interpret and follow up on the alerts issued by the cyber security monitoring system. But sometimes the client has outsourced IT to an external management party.

SBL generally uses the following organizational model:

  1. The first-line security analyst of SBL does a first screening of the alerts and collects the corresponding data;
  2. The relevant alerts are passed on with the corresponding context to the customer's security officer or external IT management party, who takes care of follow-up;
  3. If the security officer has questions or needs assistance in following up on the alerts, he/she will call in SBL's senior security analyst;
  4. Should an alert lead to an incident, the incident response process will follow as described below.


Incident response

Incident response is an organized process for addressing the aftermath of a security breach or attack (also known as an incident). The goal is to minimize damage and minimize recovery time and costs. 
This should be done in an efficient process, which consists of the following components:

Incident Triage
Triage describes a situation in which you have limited resources and information and must decide on the priorities of actions needed based on the severity of the incident. Incident triage is used to determine the following:

  • Is it really an IT security incident?
  • Is it within your mandate?
  • What is the severity of the incident (impact and collateral damage)?
  • Can it be mitigated and/or isolated?
  • Who should handle the incident?
  • Severity of the incident
  • Time constraints

Incident coordination and response
It is important to ensure that the roles and responsibilities in dealing with incidents are clear to everyone.

Digital forensics
Many organizations fall victim to cyber attacks (see recent ransomware and data breach incidents). Many of these attacks remain "under the radar" and are invisible. When a cyber-attack is discovered, it is often not clear how the attack was carried out, what kind of information was accessed and whether there was help from within. In addition to responding to cybercrime attacks, digital forensic investigations are conducted in the event of data breaches. With digital forensic investigation, facts and evidence are collected and analyzed. Incidentally, SBL is not a specialist in the execution of forensic investigations, but does ensure that the necessary logging and event information is available for the investigation.

Malware analysis
Comprehensive malware analysis is performed in a virtual execution environment to determine if a highlighted piece of code actually poses a threat. The detailed information generated provides insight into options for resolving the issue and how to respond.
SBL offers a flexible service to assist the client in the detection, triage, analysis and resolution of IT security incidents. When a security incident occurs, there is no time to conduct extensive contract negotiations regarding NDA, rates, terms, etc. This is normally a time-consuming task, and the longer the actual incident response takes, the more impact the incident will have on the organization.
Within the Cyber Monitoring service offered, SBL has reserved a standard block of 12 or 24 incident response service hours per year (incident response retainer), which can be used for remote or onsite incident response support as well as for any security consulting service offered by SBL. If more hours are required to analyze and resolve the incident, SBL will charge the actual hours spent on the basis of a rate of €125 per hour.



SBL will prepare a detailed monthly report describing events, alerts and conclusions. As a result, SBL will prepare a list of actions for the client with priorities and status information. If requested, SBL will hold a briefing to discuss the results and answer questions related to the results. A service management meeting between the client (possibly together with the IT management party) and SBL takes place once a quarter, during which the service provision and the manner of cooperation are evaluated.


Would you like more information or to make an enquiry? Then please contact us.