At the VS DATA Specialist Institution we have established a Rapid Response team dedicated to handling breaches of IT system security.
Incident handling
What do we do?
The Rapid Response team is the third line of support for security incidents that exceed the capabilities of the attacked organization. Team members secure and analyze evidence and traces of the attack, contain and eradicate the incident, mitigate the threat, and restore data and infrastructure.
According to the recommendations of NIST SP 800-61, the US incident handling guide whose Polish equivalent is the National Cybersecurity Standard NSC 800-61, incident response is carried out in the following stages:
Preparation - Incident detection - Incident response - Incident analysis (in NIST's own terms: Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity)
1. Preparation
In the preparation stage, efforts concentrate on prevention and on building the capacity to respond to incidents that may occur in the future. This includes building the awareness of the users of the organization's IT systems (training in cyber hygiene and in the proper reaction to potentially dangerous situations) as well as raising the competence of the internal IT team in responding correctly to security incidents.
2. Incident detection
At this stage it is determined whether the identified event is in fact a security incident. If it is confirmed, traces and evidence are collected and given an initial analysis so that the incident can be classified correctly and the response chosen accordingly.
At the same stage the material is secured while maintaining the chain of custody, so that it can serve as the basis for analyses in later proceedings, e.g. administrative (under the GDPR) or criminal. Handling electronic evidence correctly is essential to keeping the chain of custody unbroken; only then does the collected material have probative value.
Without securing the material for later analysis, it is impossible to give a reliable answer to questions about a personal data breach, in particular about unauthorized access and data theft (leakage), or to the questions of business partners about whether, and which, of their company secrets have been compromised (e.g. whether technical specifications of products not yet on sale have leaked).
3. Incident response
This means containing the incident, removing its effects in a manner appropriate to its type, and restoring the business continuity of the attacked organization. At this stage, adequate technical and organizational measures are implemented to reduce the risk of a recurrence, including reinstallation and reconfiguration of the organization's IT environment.
4. Post-incident activities (incident analysis)
This is one of the most important steps in dealing with an incident. Conducted properly, it can and should be used to draw conclusions and further improve the security of the organization's IT systems.
Contact US: [email protected], tel. +48 500 16 26 36
The graphic shows 10 steps for securing data for the purpose of forensic analysis:
1. Define the scope of the incident. Estimate which infrastructure elements (devices and systems) are affected.
2. Isolate the affected infrastructure from the Internet. Disconnect the uplinks physically at the edge router or shut down the relevant interfaces of the device. Do not power off the devices themselves!
3. Do not restart and do not turn off! Leave applications, systems and devices running so that volatile data can be collected.
4. Volatile data. Record detailed information about the operating system, network configuration and active connections, running processes, services, scheduled tasks and user accounts.
5. RAM. Capture the memory of the running machine.
6. Binary copy. Only now power off the devices and make a bit-for-bit copy of the media holding the system partition.
7. Logs. Secure the logs of all available network devices.
8. Do not perform analysis on an infected device! Do not destroy traces by installing new software, overwriting data or running an antivirus scan.
9. Report. Prepare a report describing the incident and every action performed.
10. Forensic analysis. Hand the material over to a qualified specialist for investigative analysis.
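As an added example (not VS DATA's tooling and not part of the original page), the following POSIX shell script shows what step 4 above (volatile data) and the chain-of-custody requirement from the Incident detection section look like in practice on a Linux host: it runs a fixed list of read-only commands, stores each output in an evidence directory, logs who ran what and when, hashes everything into a SHA-256 manifest, and can re-verify the set later. The tool names (ip, ss, ps, systemctl, crontab, who, last) are assumed to be the standard Linux utilities; any that is missing is logged and skipped rather than failing the collection. The evidence directory is whatever path the caller passes, which in a real acquisition should be external media, not the suspect disk.

```shell
#!/bin/sh
# Added example, not VS DATA's own tooling: best-effort collection of volatile
# data from a live Linux host into an evidence directory, with a custody log
# and a SHA-256 manifest so the material can later be shown to be unaltered.
# Assumptions: POSIX sh; sha256sum (falls back to shasum or openssl); the
# standard Linux utilities named below, any missing one being logged and
# skipped; an evidence directory on external media, not the suspect disk.

utc_now() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# Print "<sha256>  <file>" with whichever hashing tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1"
    else
        printf '%s  %s\n' "$(openssl dgst -sha256 "$1" | awk '{print $NF}')" "$1"
    fi
}

# capture <evdir> <name> <command...>: run one read-only command, keep its
# stdout+stderr as <evdir>/<name>.txt, and record the exact command, exit
# status and time in the custody log. Absent tools are logged, never silently
# skipped, so the report (step 9) can state what could not be collected.
capture() {
    out=$1; name=$2; shift 2
    if command -v "$1" >/dev/null 2>&1; then
        rc=0; "$@" > "$out/$name.txt" 2>&1 || rc=$?
        printf '%s  ran (rc=%s): %s\n' "$(utc_now)" "$rc" "$*" >> "$out/CUSTODY.log"
    else
        printf '%s  SKIPPED, tool missing: %s\n' "$(utc_now)" "$*" >> "$out/CUSTODY.log"
    fi
}

# Collect the volatile data listed in step 4: OS, network configuration and
# connections, processes, services, scheduled tasks, logged-in and known users.
collect_volatile() {
    evdir=$1
    mkdir -p "$evdir"
    printf '%s  collection started by %s on host %s\n' \
        "$(utc_now)" "$(id -un)" "$(uname -n)" > "$evdir/CUSTODY.log"
    capture "$evdir" 01_system   uname -a
    capture "$evdir" 02_uptime   uptime
    capture "$evdir" 03_ifaces   ip addr
    capture "$evdir" 04_routes   ip route
    capture "$evdir" 05_sockets  ss -tunap
    capture "$evdir" 06_procs    ps -eo pid,ppid,user,lstart,etime,args
    capture "$evdir" 07_services systemctl list-units --type=service --all --no-pager
    capture "$evdir" 08_cron     crontab -l
    capture "$evdir" 09_timers   systemctl list-timers --all --no-pager
    capture "$evdir" 10_logins   who -a
    capture "$evdir" 11_last     last -n 50
    capture "$evdir" 12_passwd   cat /etc/passwd
    # Hash every captured file into the manifest, then pin the manifest itself
    # in the custody log: a later change to any output, or to the manifest,
    # breaks verification and with it the chain of custody.
    ( cd "$evdir" && for f in *.txt; do [ -e "$f" ] || continue; sha256_of "$f"; done ) \
        > "$evdir/MANIFEST.sha256"
    printf '%s  manifest written, sha256 %s\n' "$(utc_now)" \
        "$(sha256_of "$evdir/MANIFEST.sha256" | cut -d' ' -f1)" >> "$evdir/CUSTODY.log"
}

# Re-check an evidence directory: the manifest must be the one pinned in the
# custody log and every file must hash as recorded. Non-zero on any mismatch.
verify_evidence() {
    evdir=$1
    [ -f "$evdir/MANIFEST.sha256" ] || { echo "no MANIFEST.sha256 in $evdir" >&2; return 1; }
    grep -q "manifest written, sha256 $(sha256_of "$evdir/MANIFEST.sha256" | cut -d' ' -f1)" \
        "$evdir/CUSTODY.log" || { echo "MANIFEST.sha256 is not the one recorded in CUSTODY.log" >&2; return 1; }
    ( cd "$evdir" && while read -r want f; do
          have=$(sha256_of "$f" 2>/dev/null | cut -d' ' -f1)
          [ "$have" = "$want" ] || { echo "MODIFIED or missing: $f" >&2; exit 1; }
      done < MANIFEST.sha256 )
}

# Usage from external media: collect_volatile /mnt/evidence/$(uname -n)
# and, before handing the material over: verify_evidence /mnt/evidence/$(uname -n)
```

The script is meant to be run from a mounted read-only medium, never copied onto or installed on the suspect host (that would contradict step 8). It deliberately stops at volatile data: the memory capture of step 5 needs a dedicated tool such as LiME on Linux, and the bit-for-bit disk copy of step 6 only begins after the machine has been powered off. The manifest lets a later reviewer prove the outputs were not altered after collection; it does not prove who collected them, which is why the custody log records operator, host and timestamps alongside it.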
TO DOWNLOAD
NSC 800-61 National Cybersecurity Standard:
Handbook for Handling Computer Security Incidents (October 2021).