Cyber Incident Response
One look at the constant news cycle illustrates just how vulnerable companies are to the whims of cyber-attacks. Therefore, the ability of today’s organizations to quickly and efficiently respond to a computer security incident has never been more critical. A proper response to network and computer attacks can prevent unneeded expense, over-extending internal resources, and provide the essential information needed to make critical decisions on how to move forward.
Our incident response methodology leverages the NIST-800-61 Computer Security Incident Handling Guide to determine answers to critical questions, such as:
- When did the incident occur? It is not uncommon to find that the intruders have been on networks for months before detected. Therefore, proper analysis is imperative to find out when the incident initially occurred so you can determine the timeframe of exposure.
- Where did the incident occur? Determining the point of initial compromise, and all locations of the compromise, is paramount to properly contain and eradicate the threat.
- What was at risk? Data breaches are arguably one of the most feared events for an organization to endure. This is an area where a thorough forensic analysis is beneficial. Just because a system has been compromised does not always mean that sensitive data was obtained. Understanding the extent of the compromise is vital to determine next steps.
- How did the incident occur? Understanding the root cause of the incident will provide the needed details for proper remediation. Our incident response reports provide immediate and long-term remediation steps to build resiliency against similar attacks moving forward.
Our goal is to leverage our extensive security and digital forensics expertise to assist our clients through computer security incidents while working to reduce the overall impact as much as possible. Being able to answer these questions during a computer security incident is paramount in numerous situations.
Incident Response Plans
An incident response plan is a documented plan/procedure for how the incident will be handled. While the contents may vary from organization to organization, most consist of standard operating procedures, processes, and communication plans. [Link to blog titled “Incident Response Frequently Asked Questions”]
Incident Response Programs and Training
We also work with organizations to elevate their incident response plans into proactive incident response programs. To assist our clients with this transition, LBMC Information Security designs and delivers custom incident response tabletop exercises. Experience has demonstrated that this small investment in continuous improvement will pay dividends with faster response times, better communications, and lower costs when an incident does occur.
Digital Forensic Analysis
Today’s technology is embedded in almost every aspect of our business and personal lives. With this reliance on modern technology, investigating digital devices is a necessity to avoid missing crucial details regarding the activities and communications that could be otherwise unknown.
LBMC Information Security has invested in “best of breed” computer forensics software platforms and tools to efficiently and effectively preserve and analyze computers, storage media, and mobile devices of all types to recover artifacts that may otherwise have been unknown.
Our certified forensic analysts follow strict evidence handling procedures and employ a forensics analysis methodology that has been built on more than 10 years of experience to assist you.
While the details of our analysis are often case-specific, the basics of this methodology include:
- Developing detailed timelines of detailed computer activity
- Identifying and recovering electronic communications outside of conventional email (webmail, text messaging, etc.)
- Analyzing Internet activities
- Determining and analyzing “cloud” storage usage (Google docs, Dropbox, etc.)
- Investigating social media activities
- Recovering and analyzing deleted information
- Understanding application histories regarding execution
- Recovering and analyzing videos and pictures
- Detailing removable media usage (USB drives, printers, etc.)
- Determining documents created, opened, printed, etc.
Sample applications of our digital forensics services involve:
- Employee theft
- Employment disputes
- Commercial disputes
- Domestic matters
- Insider threat activities
- Internet Investigations
- Patent/Copyright Infringement
- Incident response related to data breaches
Our findings may require competent expert witness testimony. You can have confidence that LBMC Information Security’s forensic analysts have expert testimony experience in Federal and numerous state courts.
Litigation Support and Electronic Discovery
Due to our extensive experience in both digital forensics and electronic discovery, LBMC Information Security’s experts provide a full spectrum of litigation support services to law firms and corporate legal teams. Our Electronic Discovery services methodology is based on the accepted Electronic Discovery Reference Model (ERDM). Our litigation support services can provide value at each stage of the EDRM lifecycle.
Information Governance (Readiness)
Our litigation support experts will assist in developing readiness assessment for future eDiscovery requests. This assessment will review existing electronically stored information (ESI) data maps, will provide data retention suggestions, and can design litigation response procedures.
Our experts will assist you in both identifying and locating potentially-relevant ESI sources.
We will ensure that the relevant ESI is collected in a cost-effective and forensically-sound manner. We will also maintain proper chain of custody to ensure admissibility to the courts. We will further ensure the ESI is properly protected against inappropriate alteration or destruction.
We use the proper tools and methods (e.g., removing system files, keyword searching, de-duplication, designated timeframes, etc.) to reduce the volume of ESI and convert it, if necessary, to prepare for the legal review and presentation phases.
When necessary, we will provide the needed platforms for an effective review of the ESI for relevance, privilege, etc. We will also provide the required production formats. This technology will be provided via a cost-effective, cloud-based solution, along with the needed training.
Mobile Device Forensics
There are few eDiscovery matters or forensic investigations that do not involve mobile devices. LBMC leverages state of the art mobile forensics platforms, combined with extensive experience, to collect, process, and extract the contents of mobile devices. To assist our clients with predictable costs, LBMC has a standard per device fee to extract all available information from mobile devices. The information is then provided in a digital format to easily analyze, search, and report sought information in a forensically sound manner. The digital report can also be uploaded into modern eDiscovery review platforms.
Flash Forensic Investigations
Unpredictable costs are a common concern that can deter the value of forensic investigations of computers. Leveraging certified and experts with testimony experience, LBMC offers a Flash Forensic Investigation with a fixed fee to determine whether the computer contains activities of value to the situation. This due diligence effort can alleviate concerns of missing valuable digital information and determine how to properly leverage information available if further analysis and reporting is warranted.
eDiscovery Program Development
For organizations not accustomed to responding to eDiscovery requests, the process is often overwhelming and stressful for counsel representing them. In working with organizations of all sizes for decades to prepare for and respond to eDiscovery requests, LBMC has an eDiscovery Program Development offering to construct a defensible process that, based on the Electronic Discovery Reference model (EDRM), prepares organizations for eDiscovery requests. The program development includes relevant phases from the EDRM from data mapping to production of electronically stored information (ESI) sought.
LBMC Information Security’s litigation support experts work closely with our clients to ensure your needs are handled in an efficient and cost-effective manner.
Malware Compromise Assessment
Our Malware Compromise Assessment was designed on the premise that most organizations have a passive approach to malware protection. Billions of dollars are spent annually on products designed to detect an attacker, yet massive data breaches happen on a near-weekly basis.
Recent studies have determined that the time between compromise and detection, known as the “compromise detection gap,” averages five to eight months. In more than two-thirds of cases, the compromised organization is first notified of the breach by a third party, such as law enforcement.
We use a “converged security” approach that gathers and analyzes both network information and endpoint information and correlates the captured data with threat intelligence.
Dissolvable Agents Save Time and Money
In the past, thorough threat hunting services required full endpoint agents to be installed and later uninstalled on each computer. Our malware compromise assessment does not require the installation of a full client agent. It gathers this information using an innovative “dissolvable” agent on Windows and Linux endpoints. This shortens the project timeline to a few weeks as opposed to many months.
Threat Intelligence and Malware Analysis
LBMC Information Security’s threat intelligence uses a large catalog of data, including open-source threat intelligence from multiple sources, up-to-the-minute data from CyberMaxx, and multiple commercial threat feeds. For artifacts that cannot be identified as either benign or malicious through threat intelligence, we perform network traffic heuristics and manual malware analysis.
The most crucial step in developing an incident response plan is to stress test the plan before a real incident occurs. Ask yourself:
- Does your plan include everything needed to successfully address an incident?
- Are the contacts and communication plans accurate to your organization?
- Does it need revisions or updates?
- Does it add any value outside of a checkbox for compliance?
- How do you know if it actually provides the intended value?
We can help design and facilitate an incident response tabletop session to help you improve your incident response program. Our team will provide consulting services to help you design, plan, and execute table top exercises to practice your information security incident response (IR) plan, help personnel understand their obligations and duties in the event of a security incident, and evaluate the IR plan’s robustness concerning communication, responsibilities, and governance. The test will also include documentation of results and an after-test review to evaluate the test process, specific responses, successes, failures, and lessons learned.
Instead of making assumptions and simply placing your incident response documentation on a shelf and hoping it is accurate, it’s better to test it with tabletop exercises designed to build continuous improvement into your incident response program before your next incident occurs. Designed correctly, tabletop exercises can help you determine how well your people, processes, and technologies are prepared for an incident. More importantly, these exercises allow you to improve that preparation over time.