Loading...

Cyber Security, Incident Response Team
(CS-IRT)

24x7 Cyber Security, Incident Response Team (CS-IRT) services, (DFIR services) delivered to IT team during cyber-attack

CyberScope's Cyber Security Perception

person-suffering-from-technology-addiction-cybersickness

It is an unfair battle, and it is only a matter of time before a persistent hacker penetrates a typical organization, even the highly protected ones. This is because hackers only need one successful attempt while organizations need 100% success in their continuous defense against any malicious attempts.

At CyberScope, we assume that all of our customers, including those who have implemented our entire security recommendations, will eventually be breached.

Therefore, our proactive CS-IRT services start from day one, even before a real attack occurs. By doing this, we can respond faster and more effectively during an attack, and the potential damage is significantly minimized.

The Challenge

Given today’s threat landscape, most organizations will at some point encounter a cyber-attack that they will need to respond to and manage.

The speed, efficiency, and expertise, both technical and managerial, with which an incident is responded to are critical to avoid catastrophic losses in both technical and business operations, as well as direct and indirect costs associated with a breach.

Slow and tedious

Too many alerts from too many sources – how to prioritize & classify them.


Inefficient

Processes and customer communication are dificult.

Unaware

Typical IT engineer may face cyber-attack < twice a year and cannot gain required experience to be well prepared to efficiently face the next attack.


The Solution

Specialized Cyber-Security, Incident Response Team (CS-IRT) qualified to response to sophisticated cyber-attack and support the management while facing managerial strategic hard decisions to minimize business damages:

Speed

24/7 available team ready to act immediatly and communicate in English and Spanish.

Efficiency

Trained and prepared via understanding the customer network, it ́s strategic, sensitive and vulnerable business and IT assets and have a tailored PlayBook Plan.

Expertise

Proven both technical and managerial experience from sophisticated attacks in Israel and worldwide.

Key Differentiators

Proven Expertise

Our CS-IRT experts have proven experience to mitigate sophisticated attacks worldwide and in Israel.

Efficient Response

Via prepared PlayBooks tailored to face known and un-known complex attacks scenarios for each customer ́s unique risks.

Security Performance

Via deployed integrated-Security-Solutions that minimize Blind-Spots, maximize telematry and therefore, enable optimum secutiry.

Immediate Response

Via 24/7 availability of multi-National experts from Israel and Spain communicating with our multi-national reputable clients in Spanish and English.

Optimum Readliness

Via periodic readliness maturity reviews and attack simulation drills.

Crises Management

Services consulting to top management to take hard managerial decisions, manage responsible sensitive internal and external communications during and after the incident, considering remediations tactics while controlling reputational damage and legal liabilities.

Real Estate

Donec consequat nibh at urna tincidunt tempor. Integer quis lobortis felis. Nulla id quam vestibulum, aliquam mauris vitae, auctor ex. Aliquam augue nulla, faucibus sed lacus ac, placerat elementum nisi. Curabitur enim nunc, dictum et accumsan.

Wellness

Morbi ullamcorper tellus eu purus dictum convallis. Duis posuere dui sit amet pellentesque malesuada. Morbi ultrices tortor ut diam molestie, vel pharetra lectus lacinia. Lorem ipsum dolor sit amet, consectetur adipiscing elit. Aenean varius lectus lectus.

The Importance of Selecting
SOC with CS-IRT Capabilities

When considering a provider of SOC services, it’s important to choose one that offers specialized and comprehensive services beyond just daily monitoring and limited incident response. This includes support for the entire organization, including top management, during a sophisticated attack.

However, customers can often get confused by similar names such as SOC, MDR, MSP, MSSP, and CS-IRT.

While SOC (or any of the others) typically refers to a provider that focuses on daily monitoring and limited incident response, CS-IRT is a specialized task force that is specifically trained to respond to sophisticated attacks from both technical and business operation and management perspectives.

 

Typical Scenario

CyberScope’s CS-IRT at Work

Scene 1

CyberScope typically deploys cloud-based security technologies to initiate an investigation of the attack indicators. Simultaneously, CyberScope analyzes logs to identify suspicious and malicious activities on Active Directory and firewalls, and correlate them with the reported attack indicators. Additionally, CyberScope validates the usage of new and old legitimate accounts, suspicious data exfiltration traffic on the network, and critical vulnerabilities that might have been exploited to enable the initial penetration, including suspicious phishing attempts that could have established the initial foothold.

Scene 2

CyberScope will meet with top management to provide updates on the status and alternative plans, as well as manage the crisis while ensuring all stakeholders understand the situation and coordinating responsible, controlled internal and external communication.

Scene 3

CyberScope will progress with the investigation to track the attacker's initial attack vector and possible propagation through the organization to understand the attacker's profile and motivation while using threat intelligence and historical information on similar attacks. If necessary, CyberScope will collect forensic evidence and traces to develop conclusions on the possible attacker profile to help understand their motivation and goals, in order to develop the best containment, eradication, and remediation strategy.

Case Study

CyberScope’s CS-IRT at Work

CERT Israel identified suspicious activities related to XXX.XXX.XXX.XXX
Between WED 27th 23:11 IL Time Zone and until THU 28th 12:02 IL Time Zone

An israeli company called CyberScope asking for support during a cyber attack

Installation of EDR sensor starts

nstallation of Agent for Vulnerability Analysis

There was high CPU usage of Powershell. Process Explorer was installed to review why. Traffic Analyser tool is installed

EDR Remote Terminal Session launched: Windows update manipulation execution was found.

Ask The client to check where DefaultAccount has login using powershell: Get - ADUser - Identity "username" - Properties "LastLogonDate"

Found that Security Event Log was cleared before we entered, so we don't have those logs

Cyberscope Teams meeting to prepare EDR for installation

Forensics investigation starts using Malware Scanner

Extraction of Logs for further investigation using a Windows Artifact Collector: Security, System, Windows Powershell, Powershell Operational

End Point investigation. No critical or high vulnerabilities were found. We found critical software was unpatched:

Failed login atempts from IP: XXX.XXX.XXX.XXX

Abnormal commands Query: A new user DefaultAccount was created using a file named user.bat at 10/27/2021 11:21:19 PM:

Found malicious IPs related with the *.exe and *.dll that launch the *.bat. Asked to block them in FW and see if can see connections

Malware Scan is finished: No malware found

SOC vs. Standard CS-IRT vs. Comprehensive CS-IRT

Service Category/Level
Description
SOC (MDR)
SOC (MDR) + Standard CS-IRT
SOC (MDR) + Comprehensive CS-IRT
Managed, Detections (Active Monitoring)
• Constant support to improve readiness to cyber attack • 24x7 Alerts Monitoring & Notifications • Triage: Qualifications & Validations of Alerts
Response
Block suspicious activities on specific compromised hosts; Response via remote access and explore via scripts; Quarantine suspicious message and network contain specific hosts
Threats Management
• Threat Hunting (Manuel/Semi-Automatic) • Threat Intelligence
Standard Incident Response (IR)
Network-wide attack vector investigation Including:

• Search for suspicious events, artifacts and IOAs. • Remove planted persistence, malware artifacts and malware-less activities on all endpoints, servers and networking equipment including AD & FW.
Comprehensive Incident Response (IR)
Advisory to the top management regarding common dilemmas in multiple critical aspects during and after the attack I.e.

• Status and information sharing during and after the attack with Employees/Customers/Suppliers/Medi a/Law Enforcements... • Operational decision if to shutdown part or whole the operation during the attack and in parallel to our IR process • Ransomware negotiation with hackers

Managed, Detections (Active Monitoring)

• Constant support to improve readiness to cyber attack • 24x7 Alerts Monitoring & Notifications • Triage: Qualifications & Validations of Alerts
SOC (MDR) ✓
SOC (MDR) + Standard CS-IRT ✓
SOC (MDR) + Comprehensive CS-IRT ✓

Response

Block suspicious activities on specific compromised hosts; Response via remote access and explore via scripts; Quarantine suspicious message and network contain specific hosts
SOC (MDR) ✓
SOC (MDR) + Standard CS-IRT ✓
SOC (MDR) + Comprehensive CS-IRT ✓

Threats Management

• Threat Hunting (Manuel/Semi-Automatic) • Threat Intelligence
SOC (MDR) ✓
SOC (MDR) + Standard CS-IRT ✓
SOC (MDR) + Comprehensive CS-IRT ✓

Standard Incident Response (IR)

Network-wide attack vector investigation Including:

• Search for suspicious events, artifacts and IOAs. • Remove planted persistence, malware artifacts and malware-less activities on all endpoints, servers and networking equipment including AD & FW.
SOC (MDR) ✖
SOC (MDR) + Standard CS-IRT ✓
SOC (MDR) + Comprehensive CS-IRT ✓

Comprehensive Incident Response (IR)

Advisory to the top management regarding common dilemmas in multiple critical aspects during and after the attack I.e.

• Status and information sharing during and after the attack with Employees/Customers/Suppliers/Medi a/Law Enforcements... • Operational decision if to shutdown part or whole the operation during the attack and in parallel to our IR process • Ransomware negotiation with hackers
SOC (MDR) ✖
SOC (MDR) + Standard CS-IRT ✖
SOC (MDR) + Comprehensive CS-IRT ✓
Top