Cyber Security Incident Response Team – IR Services
Cyber incident response is the methodical management, by cyber security experts, of cyber attacks, data breaches, data leakage, ransomware, extortion and other cyber risks. The IR team’s mission is to minimize downtime, enable the organization to resume its normal activity, mitigate the breach and minimize damage in terms of cost and reputation.
Force Majeure’s IR Team has been certified for cyber incident management by leading EU insurers.
Cyber incident management relies on three main fields of expertise:
- Business Perspective – finding solutions that return the organization to full or partial activity, from a management and operational standpoint.
- Cyber Security – more than a decade of experience in handling cyber attacks, information security and cyber investigations gives us a vast pool of practical knowledge on handling and managing cyber security incidents.
- In-Depth Familiarity with IT Systems and Regulation – each organization has different interfaces with different applications, servers and third-party providers. Familiarity with a wide range of configurations and systems, together with knowledge of the regulatory requirements and legal sensitivities, significantly reduces the time it takes to handle an information security incident. It also reduces exposure to risk in the short and long term.
Force Majeure’s DFIR (Digital Forensics & Incident Response) Team includes veterans of elite cyber & intelligence units, information security experts, anti-fraud and embezzlement experts with many years of experience in cyber investigations, information security incident management and cybersecurity.
IR activity is based on three key pillars:
Collaboration with Cyber Incident Response Team
In order to analyze the situation and reduce downtime and consequential damage, the IR team must be linked to trusted personnel in the relevant key roles, who have been briefed on transparency and collaboration with the IR team.
The relevant key roles are usually the CEO, the CTO, the PR office (if any), legal advisers, finance personnel and so forth.
Regulation – is there a duty to report in case of cyber attacks and data breach?
Examination of the regulation to which the attacked company is subject, and of the requirements arising from it:
- Private / public company.
- Whether the company is subject to international privacy and information security laws such as the EU’s GDPR, US regulations requiring the reporting of cyber incidents and data breaches, HIPAA, information security standards for organizations holding medical information, etc.
Detection, Containment, Eradication, Recovery
Response to the attack begins after a quick process of understanding the organization’s structure, its information systems, the sensitivity of the information, the nature of the attack, and the relevant key figures and third-party providers. A rapid investigation follows, carefully documenting and gathering forensic evidence on the source of the security breach. This is followed by containment of the affected arenas, eradication of the attack, and evaluation of the quickest options for recovery.
Why is specialized expertise required for managing cyber security incidents?
Every response to a cyber attack requires careful planning and prioritization. A methodology and sequence of steps must be devised, tailored to the particular organization and to the nature of the attack. Cyber incident teams often find that critical mistakes were made by the organization before it called Force Majeure’s IR center, for example:
- Poor and unprofessional negotiation with the hackers.
- Overwriting critical forensic evidence that might be needed in future legal proceedings.
- Premature declaration of recovery before the attack vector has been identified.
- Overwriting encrypted files because the backup’s integrity was assumed rather than verified.
- Resuming routine operation from the technological standpoint without an organized decision-making process involving the organization’s management and consultants.
- Lack of managerial, legal, operational and PR discretion, both internally (employee-facing) and externally (customer-, provider- and media-facing).
Furthermore, proper gathering of evidence during the incident is of great importance for determining whether a third party or an insider was involved, whether by mistake or through malice. It is also crucial for allowing the organization to document the incident, draw conclusions, and fully understand whether information was leaked that may reveal trade secrets and cause legal, reputational or other damage.
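Two of the mistakes above, overwriting forensic evidence and restoring over encrypted files from an unverified backup, are both avoidable with the same habit: take a hash manifest of the affected tree before anything is touched, and check a backup against a known-good manifest before restoring from it. The following is an added example written for this page; it is not Force Majeure’s tooling. It assumes Python 3.8+ on a POSIX-like host, and the entropy threshold, file names and the sample scenario in `demo()` are constructed for illustration.

```python
"""Evidence-preservation and backup-integrity checks for ransomware triage.

Added example, not the IR provider's own tooling. Assumes Python 3.8+.
The entropy threshold and the sample files in demo() are assumptions.
"""
import hashlib
import math
import os
import tempfile
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # bits per byte; assumed value, tune per environment
SAMPLE_BYTES = 4096       # how much of each file the entropy heuristic reads


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks. Opened read-only, so content is never altered."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(path: Path) -> bool:
    """Heuristic: ciphertext has near-maximal entropy. Compressed archives and
    media trip this too, so treat the result as a triage flag, not as proof."""
    with path.open("rb") as f:
        sample = f.read(SAMPLE_BYTES)
    return shannon_entropy(sample) >= ENTROPY_THRESHOLD


def build_manifest(root: Path) -> dict:
    """Record hash, size and mtime of every file under root BEFORE anything is
    changed, so later legal work can show what was present and in what state."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            manifest[str(p.relative_to(root))] = {
                "sha256": sha256_file(p),
                "size": st.st_size,
                "mtime": st.st_mtime,
                "high_entropy": looks_encrypted(p),
            }
    return manifest


def verify_backup(backup_root: Path, known_good: dict) -> dict:
    """Compare a backup tree against a pre-incident manifest. Returns the files
    that are missing, changed, or encrypted-looking in the backup. Do not
    restore over encrypted files until every list here is empty."""
    problems = {"missing": [], "mismatch": [], "high_entropy": []}
    for rel, meta in known_good.items():
        bp = backup_root / rel
        if not bp.is_file():
            problems["missing"].append(rel)
            continue
        if sha256_file(bp) != meta["sha256"]:
            problems["mismatch"].append(rel)
        if looks_encrypted(bp):
            problems["high_entropy"].append(rel)
    return problems


def demo() -> dict:
    """Constructed scenario: a known-good tree yields the manifest; the backup
    was taken after one file had already been encrypted (simulated with
    random bytes), so restoring it blindly would overwrite data with ciphertext."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "good"
        backup = Path(tmp) / "backup"
        for d in (good, backup):
            d.mkdir()
        (good / "ledger.csv").write_text("id,amount\n1,100\n2,250\n" * 50)
        (good / "notes.txt").write_text("quarterly review notes\n" * 100)
        manifest = build_manifest(good)
        (backup / "ledger.csv").write_bytes((good / "ledger.csv").read_bytes())
        (backup / "notes.txt").write_bytes(os.urandom(SAMPLE_BYTES))  # "encrypted"
        return verify_backup(backup, manifest)


if __name__ == "__main__":
    print(demo())
```

In a real engagement the manifest is written to removable or remote storage and its own hash is recorded in the case notes; the backup check runs against the manifest from the last verified-clean snapshot, not against the compromised host.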
Cyber & Information Security Incident Management
- Detection – confirming or ruling out a cyber incident.
- First Response – locating the affected digital arenas.
- Analysis – identifying the affected arenas and systems, and locating the attack vector, its source and its characteristics.
- Assessment – estimating the scope of the incident and identifying a possible data breach.
- Forensics – forensic documentation and evidence gathering, including material for malware analysis / reverse engineering (if needed).
- Containment – isolating the affected arenas.
- Eradication – halting the attack.
- Recovery – swift return to routine activity while prioritizing and minimizing damage.
- Conclusions – investigating the incident and drawing lessons learned to minimize future risk.
Cyber Incident Response Playbook | Cyber Crisis Management Plan
Whether because corporate management recognizes the need or because regulation requires it, many organizations prepare in advance for cyber attacks on their systems. As part of a structured cyber incident management plan, the company appoints key figures and assigns each a role in the event of a cyber attack.
In the event of a cyber crisis, each team member has specific tasks to perform. The aim of a well-thought-out plan for dealing with a cyber attack is to significantly reduce the scope of the crisis and the damage it causes. If the company already has an IR plan, Force Majeure’s DFIR team will assist the company’s appointed team. Our cyber and information security experts may also be consulted when devising the cyber crisis management plan.