Digital Forensic and Incident Response (DFIR)

ITSEC can help organisations investigate cybersecurity incidents and develop an adequate response.

The primary goal of incident response is to establish which vulnerabilities the adversary exploited, how the adversary attacked the systems, which systems and credentials are compromised, and what information has been exposed. Digital forensics complements this with a systematic investigation that documents the chain of evidence, so that it can be established exactly what happened on the systems and who was responsible for it.

ITSEC’s Digital Forensic and Incident Response (DFIR) service includes the technical investigation of, and response to, cyber attacks. It identifies the initial attack vector and determines the extent of the incident. The service also aims to recover lost information, which involves retrieving and examining evidence found on digital devices.

Our method typically retraces the attacker’s actions step by step. We conduct an in-depth forensic investigation of suspected malicious network security incidents, and we carry out an investigative analysis of computers, mobile devices, networks, memory and drives, databases, logs, files, etc. This gathers the information and evidence needed to confirm the intrusion, and lets us discover and analyse patterns of fraudulent or criminal activity.

The service includes analysing the incident, assisting the enterprise in responding to it, and removing the attacker from its network.

ITSEC’s DFIR service offers a portfolio of incident response processes to investigate and respond to cybersecurity incidents that hit organisations.

Enterprise Incident Response Service

The Enterprise Incident Response Service helps organisations respond to cybersecurity incidents.

Our method includes identifying the initial attack vector, determining the extent of the compromise, understanding the attacker’s methods, and developing a remediation action plan. The investigation follows the evidence left by the attack.

The salient features of the service are:

Value Proposition

  • Understand and resolve critical security incidents and enhance prevention, detection, and response.

Differentiators

  • Unique experience in responding to multiple attack groups, large and complex environments, extensive compromise, and complex remedial activities.
  • Leverage the technology and threat intelligence feeds from a leading global cybersecurity firm.
  • Network and endpoint technology to investigate incidents at scale.
  • Global knowledge with a deep understanding of local customer requirements.

Benefits

  • Resolve and recover critical security incidents effectively to minimise business and data loss.
  • Get the big picture of the breach and identify its extent.
  • Enhance enterprises’ capabilities to prevent, detect, and respond to security incidents.

Deliverables

  • An executive summary report.
  • A technical report containing attacker tactics, techniques and procedures (TTPs), attacker activities, compromised systems, compromised accounts, attack diagram, timeline, and indicators of compromise (IOCs).
  • A brief presentation.

Rapid Response Service

The Rapid Response Service helps organisations to triage security incidents. It includes scoping and identifying systems of interest, artefact collection, incident analysis, developing an action plan, and reporting.

Scoping defines the initial set of hosts to investigate. Starting from that scope, we follow the evidence in order to understand the attacker’s techniques.

Value Proposition

  • Investigation of alerts or command-and-control (C2) traffic to get detailed information on how systems are infected.
  • Get in-depth insight and an effective action plan based on the extent of the infection.

Differentiators

  • Unique experience in responding to multiple attack groups, large and complex environments, extensive compromise, and complex remedial activities.
  • Leverage the technology and threat intelligence feeds from a leading global cybersecurity firm.
  • Unique applications to investigate alerts effectively.

Benefits

  • Triage critical security incidents to minimise business impact at an affordable cost.
  • Easy pivot to a full-blown enterprise incident response if such requirements arise.
  • Get effective action plans to eradicate the threats identified on the systems of interest.

Key Deliverables

  • An executive summary report.
  • A detailed technical analysis covering the attack timeline, attacker tools, compromised accounts and systems, and recommendations.
  • A brief presentation.

Digital Forensic Investigation

Our Digital Forensic Investigation service is deployed when forensic imaging is required, including full drive imaging.

This service is delivered either as part of our Enterprise Incident Response and Rapid Response services or on a standalone basis, for example as e-discovery in a credit card leakage scenario.

Our method involves scoping and identifying systems of interest, forensic imaging, forensic analysis, preparing an action plan, and reporting.
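As an added illustration of the forensic imaging step above and of the chain of evidence described in the introduction (this is example code written for this page, not ITSEC’s own tooling or methodology), the following POSIX shell script images a source device with dd, hashes the source before acquisition and the image afterwards with SHA-256, appends one custody record to a log, and re-verifies the image against that record before analysis. The seized drive is a constructed 8 KiB file standing in for a real block device such as /dev/sdX; the function names and the tab-separated log format are assumptions made for the example.

```sh
#!/bin/sh
# Added example (not ITSEC's tooling): forensic imaging with hash
# verification and a chain-of-custody record. The "drive" below is a
# constructed file standing in for a real block device such as /dev/sdX.
set -eu

# SHA-256 of a file; GNU coreutils has sha256sum, BSD/macOS has shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# acquire_image SOURCE IMAGE LOG
# Block-level copy of SOURCE into IMAGE, hashing the evidence before it is
# imaged and the image afterwards, and appending one custody record to LOG.
# Returns 0 when the two hashes match, 1 otherwise.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    src_hash=$(sha256_of "$src")        # hash of the original evidence
    # conv=noerror,sync carries on past unreadable sectors, zero-filling
    # them, so a damaged drive still yields a complete image. Caveat: sync
    # pads a short final block to bs, so bs must divide the device size
    # (true for real disks with 512- or 4096-byte sectors); on a file that
    # is not a multiple of bs the image would be larger than the source
    # and the hashes would differ.
    dd if="$src" of="$img" bs=4096 conv=noerror,sync 2>/dev/null
    img_hash=$(sha256_of "$img")
    size=$(wc -c < "$img" | tr -d ' ')
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    printf '%s\tsource=%s\tsource_sha256=%s\timage=%s\timage_sha256=%s\tsize=%s\n' \
        "$ts" "$src" "$src_hash" "$img" "$img_hash" "$size" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMAGE LOG
# Re-hash a stored image and compare it with the hash recorded at
# acquisition. Run this before every analysis session so that any
# modification of the image since acquisition is caught.
verify_image() {
    img="$1"; log="$2"
    recorded=$(awk -F'\t' -v want="image=$img" '
        { for (i = 1; i <= NF; i++) if ($i == want)
              for (j = 1; j <= NF; j++) if (index($j, "image_sha256=") == 1)
                  h = substr($j, 14) }
        END { print h }' "$log")
    [ -n "$recorded" ] && [ "$recorded" = "$(sha256_of "$img")" ]
}

# --- demonstration on a constructed 8 KiB "drive" ---------------------------
WORK=$(mktemp -d)
EVIDENCE="$WORK/seized_drive.bin"
IMAGE="$WORK/seized_drive.dd"
CUSTODY="$WORK/chain_of_custody.tsv"

dd if=/dev/zero of="$EVIDENCE" bs=4096 count=2 2>/dev/null                # two 4 KiB blocks
printf 'ITSEC-DFIR-SAMPLE' | dd of="$EVIDENCE" conv=notrunc 2>/dev/null   # a marker at offset 0

acquire_image "$EVIDENCE" "$IMAGE" "$CUSTODY" && echo "acquisition verified: hashes match"
verify_image "$IMAGE" "$CUSTODY" && echo "image integrity intact"

# Alter one byte of the image: the pre-analysis check must now fail.
printf 'X' | dd of="$IMAGE" bs=1 conv=notrunc 2>/dev/null
verify_image "$IMAGE" "$CUSTODY" || echo "tamper detected: image no longer matches custody record"
```

On a real engagement the source would be the device node of a drive attached through a hardware write blocker, the custody log would be signed or stored out of band, and a purpose-built imager (for example dc3dd or ddrescue) would be preferred over plain dd for its built-in hashing and handling of bad sectors; the verification logic, however, is the same.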

The salient features are:

Value Proposition

  • Investigation of incidents to obtain detailed information and an estimate of the severity of the breach.
  • Detailed insight and an effective action plan based on the identified scope of the incident.

Key Differentiators

  • Unique experience in responding to multiple attack groups, large and complex environments, extensive compromise, and complex remedial activities.
  • Leverage the technology and threat intelligence feeds from a leading global cybersecurity firm.
  • Unique technologies to perform forensic investigations against multi-terabyte unstructured data.

Benefits

  • Get the big picture of the breach and identify its extent.
  • Easy pivot to a full-blown enterprise incident response if such requirements arise.
  • Get enhanced enterprise capabilities to prevent, detect, and respond to similar breaches.

Key Deliverables

  • An executive summary report.
  • A detailed technical report containing the diagnosis, an evidence-based incident timeline, the impact, and recommendations.
  • A brief presentation.

Tabletop Exercise

ITSEC’s Tabletop Exercise enables organisations to prepare for potential future security incidents. The exercise includes a brief assessment of the incident response capability and simulation of the incident response process.

This service tests whether an organisation is operationally ready to face an incident. The testing is based on a simulated scenario in a workshop and examines how an organisation’s primary stakeholders respond to the scenario.

Our method involves scenario discussion and planning, workshop exercise with targeted audiences, gap analysis, and preparing an action plan.

The salient features are:

Value Proposition

  • Learn how to respond to cybersecurity incidents based on unique business scenarios.
  • Tabletop discussion between business stakeholders to evaluate their understanding of their roles during a cybersecurity incident.

Key Differentiators

  • Leverage our front-line threat intelligence to create real-world cybersecurity incident scenarios.
  • Facilitated by security experts with experience in responding to incidents involving multiple attack groups in large and complex environments.

Benefits

  • Evaluate the understanding of participants playing their role during a cybersecurity incident to strengthen incident preparedness.
  • Increase critical thinking among participants under “near-real” cybersecurity incident conditions.
  • Uncover cybersecurity incident issues before they happen for real.

Key Deliverables

  • Workshop discussion with business-tailored cyber attack scenarios, facilitated by experienced Incident Responders.
  • An actionable plan based on a gap analysis between participants’ responses, the incident response policy, and best-practice standards.

Cyber Incident Response Plan (CIRP) Assessment

A cybersecurity incident is an adverse event that threatens the confidentiality, integrity, or availability of an organisation’s information assets.

Cybersecurity incidents include the unintentional or intentional disclosure of sensitive or protected information, data breaches, data theft, network intrusions such as cyber attacks, full-blown system compromise by external attackers, and faulty operational processes exposed or exploited by an organisation’s own staff.

Information security incident management involves the monitoring and detection of security events on information assets and the execution of appropriate responses to those events.

A Cyber Incident Response Plan (CIRP) is a specific form of an incident management plan. Its primary objective is to define a well-understood and predictable response to cybersecurity incidents. By implementing a CIRP, businesses can be proactive about cybersecurity and limit potential damage.

The staff most likely to deal with cybersecurity incidents are the organisation’s IT security team.

A CIRP should at least describe:

  • The types of incidents or crisis situations that trigger its activation.
  • A framework for the required actions to mitigate and control the impact during and after the incident.
  • The details of an incident response team, including clearly defined roles and responsibilities of each person performing those actions.
  • A communication plan, including communication procedures, messaging intervals, and stakeholder contact lists.
  • An event log recording the information, decisions, actions, and evidence gathered during an incident.
  • A set of recovery goals and objectives.

ITSEC’s CIRP Assessment service reviews an organisation’s CIRP so that it can deal effectively with future cyber incidents. We analyse the current CIRP and recommend changes based on industry best practices. The assessment is a document review that examines the specific policies, standards, and processes in place for responding to an incident.

Our method includes document collection, workshops with the stakeholders, gap analysis, and reporting.

The service includes strategic consultancy following the assessment of the organisation’s incident response capability.

The salient features are:

Value Proposition

  • Learn how to improve enterprise defence posture in order to find and stop attackers faster.

Key Differentiators

  • We benchmark organisational operational maturity and capabilities against industry standards.
  • Leverage our front-line threat intelligence to provide practical recommendations.

Benefits

  • Improve enterprise defence posture against advanced real-world attacks.
  • Find and stop attackers faster with proven CIRP capability.
  • Mature organisational security operations and incident response capabilities.

Key Deliverables

  • An executive summary report.
  • A detailed report containing observations, a gap analysis, recommendations, and the approximate duration and effort required for each.
  • A brief presentation.