CovertHart :: Incident Response.
Incident Response
We provide your organization with actionable Threat Intelligence, Network Visibility and the Security Tools to break the Kill Chain of today’s most advanced Cyber Attacks.
Incident Response Services
ABOUT THE SERVICE
CovertHart® Incident Response Team is ready to immediately engage and mitigate the impact of security threats to any organization. We prepare our customers for battle with actionable Threat Intelligence, Network Visibility, Security Tools and a Proactive Incident Response Plan to prevail and be resilient in times of extreme crisis and stress.
Our Incident Response Retainer programs give you the budget flexibility your organization needs and ensure that your organization is well prepared.
IMPORTANT STEPS IN A CYBER EMERGENCY
The increasing probability of a cyber incident dictates that every organization needs to be prepared to respond effectively. Readiness means not only monitoring, but also practising crisis simulation to understand what can happen and which steps to take.
A well-prepared, multi-functional team significantly reduces the escalation of an incident, minimizes its impact and enables a faster recovery.
Identify, collect and preserve details related to the attack: how the incident came to light, who reported it and how they were alerted, what the impact is, the personnel or other relevant parties involved, and the actions taken, in chronological order. Identify and isolate affected systems so that no one attempts to alter their state.
Initiate the Incident Response and Communication plans. Contact your CovertHart® IR Team representative.
If you are not a current customer, fill out the form and a member of the IR Team will contact you.
Activate an out-of-band communication channel to replace those that are broken.
Taking existing business limitations into account, initiate the recovery phase.
INCIDENT RESPONSE PHASES
Find out how our Incident Response Team addresses some of the world’s largest and most sophisticated attacks.
There’s no substitute for preparedness. Customers, partners, employees and others understand that crises will occasionally affect an organization. What they find hard to understand is a lack of preparation, inadequate responses and confusing communications.
- Create an Incident Response Plan.
- IR Policy Creation.
- Develop a communication plan.
- Vulnerability Assessment.
- Playbook Creation.
- Determine roles and responsibilities of your team.
Rapid detection mechanisms can usually limit damage. Without effective investigative tools, the causes of the incident may never be understood, and the risk of a repeat incident may actually increase.
- Monitor.
- Detect.
- Alert.
Preserving evidence is critical to understand how the incident happened and who was responsible. The first step after a breach is to determine which assets have been compromised and contain them as quickly as possible to minimize the impact.
- Disconnect from the internet.
- Disable remote access.
- Restrict Physical access.
- Install any pending security updates or patches.
- Change passwords.
Understanding the cyber-attack chain model helps IR teams deploy strategies and technologies to contain the attack at its various stages.
- Ensure that your organization only uses ‘vetted’ hardware.
- Apply software updates, patches and upgrades.
- Deploy or Update Endpoint / AV / Anti-Malware software.
- Enable IPS Protections.
- Apply new Firewall rules.
- Monitor for suspicious activity.
- Create Incident Report.
Recovering from a cybersecurity incident can be difficult, but you can limit the damage by developing a solid recovery plan in advance.
Returning to normal operations and limiting the damage to the organization continues after the incident itself. You must capture data, log decisions, handle insurance claims, and meet legal and regulatory requirements.
- Incident Response Planning.
- Validate backups before restoring lost data.
INCIDENT CLASSIFICATION FRAMEWORK
The Incident Classification framework is used to classify the severity level of various types of incidents, to help with communication and accurate reporting.
- Denial of service.
- Forensics.
- Compromised Information.
- Compromised Asset.
- Unlawful activity.
- Internal Hacking.
- External Hacking.
- Malware.
- Email.
- Consulting.
- Policy Violations.
- Level 1 – Incident affecting critical systems or information with potential to be revenue or customer impacting. (IR Time: 60 Min)
- Level 2 – Incident affecting non-critical systems or information, not revenue or customer impacting. Employee investigations that are time sensitive should typically be classified at this level. (IR Time: 4 Hrs)
- Level 3 – Possible incident, non-critical systems. Incident or employee investigations that are not time sensitive. Long-term investigations involving extensive research and/or detailed forensic work. (IR Time: 48 Hrs)
* – IR Time – Maximum amount of time that should elapse before an IR Team member contacts the customer.
- Level 1 – Extremely Sensitive.
- Level 2 – Sensitive.
- Level 3 – Not Sensitive.
* – Sensitivity will vary depending on circumstances.
COMMON TYPES OF CYBER ATTACKS
Here’s an overview of some of the most common cybersecurity threats and types of attacks seen today.
Eavesdropping involves intercepting communications. Eavesdropping can be the act of listening to other people talk without them realizing it. It can also be done using technology like microphones, cameras, recording devices or intercepting digital or analog voice transmissions on a network to steal private information.
A denial-of-service (DoS) attack occurs when legitimate users are unable to access systems or network resources due to the actions of a malicious cyber threat actor.
There are different types of DoS and DDoS attacks; the most common are TCP SYN flood attack, teardrop attack, smurf attack and ping-of-death.
Dictionary and brute-force attacks are network attacks in which the attacker attempts to log into a user’s account by systematically trying candidate passwords until the correct one is found. The term brute-force means overpowering the system through repetition.
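Because brute-force attempts are repetitive by nature, they leave a clear signal in authentication logs: many failed logins from one source in a short time. The following detector is an added example, not code from the CovertHart page or its service; it scans constructed sshd-style log lines and flags any source address that exceeds a failure threshold inside a sliding time window. The log format, hosts, addresses, threshold and window length are all assumptions made for the illustration.

```python
"""Detect dictionary/brute-force login attempts in authentication logs.

Added illustration (not part of the CovertHart page): flags a source
address that accumulates more than `threshold` failed logins inside a
sliding `window`. Log format and sample lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style lines; timestamps, hosts and addresses are made up.
SAMPLE_LOG = """\
2024-03-01T10:00:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-03-01T10:00:03 bastion sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
2024-03-01T10:00:04 bastion sshd[1205]: Failed password for invalid user test from 203.0.113.7 port 51238 ssh2
2024-03-01T10:00:06 bastion sshd[1207]: Failed password for root from 203.0.113.7 port 51240 ssh2
2024-03-01T10:00:07 bastion sshd[1209]: Accepted publickey for deploy from 198.51.100.4 port 40000 ssh2
2024-03-01T10:00:08 bastion sshd[1211]: Failed password for invalid user oracle from 203.0.113.7 port 51242 ssh2
2024-03-01T10:00:09 bastion sshd[1213]: Failed password for root from 203.0.113.7 port 51244 ssh2
2024-03-01T10:15:00 bastion sshd[1301]: Failed password for alice from 198.51.100.4 port 40002 ssh2
2024-03-01T10:30:00 bastion sshd[1302]: Failed password for alice from 198.51.100.4 port 40003 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional.
FAILED_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_failures(text):
    """Yield (timestamp, username, source_ip) for each failed-password line."""
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["src"]


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: (peak_failures_in_window, sorted usernames tried)}
    for every source whose failures reach `threshold` within any sliding
    interval of length `window`. Sources below the threshold are omitted."""
    recent = defaultdict(deque)   # source_ip -> timestamps still inside the window
    users = defaultdict(set)      # source_ip -> usernames attempted
    alerts = {}
    for ts, user, src in sorted(parse_failures(text)):
        q = recent[src]
        q.append(ts)
        users[src].add(user)
        # Expire events that have slid out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peak = max(alerts.get(src, (0,))[0], len(q))
            alerts[src] = (peak, sorted(users[src]))
    return alerts


if __name__ == "__main__":
    for src, (count, names) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src}: {count} failed logins within window, users tried: {names}")
```

In the constructed sample, 203.0.113.7 produces six failures in under ten seconds against four different usernames and is flagged, while 198.51.100.4 has two failures fifteen minutes apart and is not. Tune `threshold` and `window` to the environment; a lockout policy or rate limit on the authentication service is the corresponding preventive control.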
Phishing attacks often lure email recipients and web users into believing that a spoofed website belongs to a legitimate, easily recognized organization, such as a large bank or social media site.
Victims are tricked into entering their information and, by doing so, hand over private or sensitive data such as credit card numbers, social security numbers or website login credentials.
A business email compromise (BEC) attack is a type of deceptive activity in which malicious outsiders target an organization by spoofing its business emails, for example impersonating leadership, placing fake orders or requesting fund transfers.
A Man-in-the-Middle attack (MITM) occurs when an attacker inserts itself between two systems, using methods such as IP, ARP or DNS spoofing, to eavesdrop on and intercept their communications.
A Drive-by attack is when a malicious actor locates a vulnerable website and inserts malicious code into the site’s HTTP or PHP code. This malicious code can directly install malware onto the computer or device of a user who visits the site.
SQL injection attack is a web security vulnerability that allows an attacker to read sensitive or private data, insert, update, delete or otherwise modify the data, perform shutdowns on the database and similar administrator operations, send commands to the operating system, or retrieve content from a database driven site by injecting crafted commands.
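The root cause of SQL injection is that untrusted input is spliced into the text of a query, so the input can change the query’s structure rather than just its values. The snippet below is an added example, not code from the CovertHart page; it places the injectable form beside the parameterized form and runs both against an in-memory SQLite table. The table, its rows, the lookup functions and the test inputs are assumptions made for the illustration.

```python
"""Injectable query beside its parameterized replacement.

Added illustration (not part of the CovertHart page). The `users` table,
its rows and both lookup functions are constructed for the example.
"""
import sqlite3


def make_db():
    """Create a throwaway in-memory database with a few constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [
            ("alice", "alice@example.test"),
            ("bob", "bob@example.test"),
            ("carol", "carol@example.test"),
        ],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Injectable form: the input is pasted into the SQL text, so a quote
    character in the input ends the string literal and whatever follows is
    interpreted as SQL rather than as data."""
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the query shape is fixed at write time and the driver
    binds the input as a value, so it can only ever match a username literally."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def compare(username):
    """Run both forms on the same input; returns (vulnerable_rows, safe_rows)."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, username), lookup_parameterized(conn, username)
    finally:
        conn.close()


if __name__ == "__main__":
    # A normal lookup behaves identically in both forms.
    print("benign :", compare("alice"))
    # The textbook tautology: closes the literal and appends an always-true
    # condition. The injectable form returns every row; the parameterized
    # form treats the whole string as a username and returns nothing.
    print("crafted:", compare("' OR '1'='1"))
```

Running the block prints a single matching row for the benign input in both columns, then every user in the table for the injectable form against an empty result for the parameterized one. The same difference shows up with innocent data: a username such as O'Brien breaks the injectable query with a syntax error while the parameterized one handles it without special treatment, which is why parameter binding (or an ORM that does it for you), not input filtering, is the primary fix.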
Cross-site scripting attacks are quite similar to Drive-by attacks: the attacker inserts malicious code into content from a reputable website or application, often using third-party web resources, to infect the users who visit the site.
Zero-day is a term for a recently discovered vulnerability, or an exploit for one, whose existence was known only to the attacker.
It is almost impossible to prevent zero-day attacks, as their existence can stay hidden even after the vulnerability is exploited.
DNS Tunneling is a method of cyber attack that encodes commands and data into the DNS queries and responses facilitating Data Exfiltration, Command and Control communications and