< Back
Is your organisation ready for a security incident?

Tags:

CERT Incident response Detect and respond Threat intelligence
05 November 2024

Is your organisation ready for a security incident?

Security incidents can occur at any time, as the press regularly reports. There are many examples of so-called "ransomware" attacks, where adversaries compromise and encrypt an organization's data, then demand a ransom to decrypt it. Other examples are cyberattacks perpetrated by sophisticated groups known as "APTs" (Advanced Persistent Threat), where attackers manage to infiltrate the network, stay undetected in the organization, and remain there to extract sensitive data. 

There are, however, many other types of less publicized incidents that can ultimately have a significant impact. These incidents, which are the most numerous in terms of volume, are often neglected.

A minor incident can have serious consequences

Take the case of simple phishing, where adversaries trick their victims into browsing a website they control that mimics a trusted site. The goal of attackers is to trick victims for disclosing personal, financial, or credentials information. These credentials are usually sold to other actors who use them to fraudulently gain access to a company's network.

Phishing is a simple technique, frequently used, and against which it is difficult to protect completely. The consequences of such an attack can be devastating: in 2023; a third of the ransomware attacks handled by THALES incident response teams originated from this attack vector.

The same applies to a whole family of malware that is often installed within a company's information system. Theses "Stealers" are specifically designed to steal credentials such as passwords, unlike Trojans that usually allow attackers to control an infected system.

This malware can retrieve information from web browsers, application configuration files, or the operating system. They are then passed on to the attackers. 

A simple incident is always a source of improvement

It is important to be attentive to all these benign attacks; not only because of their potential impact, but also with a view to continuously improving the response capacity. These "minor" incidents are an opportunity to gain maturity and be able to manage major incidents effectively.

Indeed, it is only through practice that malfunctions in emergency procedures or gaps in the information necessary for dealing with incidents can be discovered. Preparing to deal with a major incident by using incidents with low immediate impact therefore contributes to improving your overall resilience capacity.

What are the recurring problems?

Incident response teams frequently encounter the same problems when working in unprepared organizations. Thus, the acquisition of the evidence necessary for investigations is often either slowed down by a lack of procedures or a lack of knowledge of the environment of the local teams, or simply impossible because no implementation to preserve them has been carried out beforehand.

These same issues will be found throughout the incident response stages, from containment to remediation. They lead to a "lessons learned" phase, during which the recommendations produced can seem insurmountable if the level of maturity has not been worked on beforehand.

How do lessons learned to improve incident response?

Let's take the case of handling a phishing campaign against a company's users. Unfortunately, some of these emails will always end up in user’s inboxes. However, once the attack has been detected, it remains to determine which users have been trapped. With proper defense in depth, in this case via a properly configured email gateway and proxy, it is possible to quickly and easily confirm which users received the email, which visited the fraudulent site, and what actions they took there, such as passing on their credentials.

By dealing with this type of incident, noticing the malfunctions encountered and following the recommendations given during the lessons learned, it becomes possible to gradually acquire a better capacity for analysis and response within the company.

In the event of a major incident, it will be possible for response teams to determine the exact actions of attackers, to detect any backdoors left on site, despite the attempts to conceal them by the attackers.

The "lessons learned" include many other points necessary to be able to deal with any type of incident, both at the technical level (access and analysis of evidence) and at the organizational level (how and to whom to transmit this evidence).

How can Thales' incident response teams help you?

Lessons learned are effective but cannot cover all aspects of the response. On the one hand, the systematic execution of this exercise is costly for companies, but also because this same exercise only covers the incidents encountered, thus leaving gaps in preparation.

To compensate for these shortcomings, we offer our customers annual incident response preparation to help them become more autonomous. We assist our clients by validating critical points that will reduce their attack surface and improve their ability to respond and investigate.

With our expertise and knowledge of the potential pitfalls that our clients will encounter when responding to incidents, we are able to provide them with detailed reports with concrete recommendations tailored to their strengths and weaknesses. The ultimate goal is to strengthen their resilience to threats, by reducing their reaction time, and improving their analysis and remediation capabilities.

To complete this preparation, we also offer operational incident simulations, to validate in near-real conditions the capabilities of the responses to incident scenarios adapted to their infrastructure.

Who are we?

Our digital forensics and incident response (DFIR) service aims to support customers in the entire cybersecurity incident response process. This includes collecting, preserving, reviewing and analyzing digital data to uncover the causes and extent of a security incident, and to support the remediation process.

To support you: 

  • Expertise and Specialized Knowledge: A team of highly trained and certified professionals with specialized knowledge in digital forensics and incident response. Leveraging this expertise allows the client to benefit from industry best practices. 
  • 24/7 rapid response: In the event of a security incident, an incident manager immediately intervenes, assesses the situation, and starts the incident response process. 
  • Advanced tools and technologies: Access to advanced tools, technologies, and software specifically designed for digital forensics and incident response. These tools can facilitate the collection, analysis and preservation of evidence, improving the overall efficiency of the investigation. 
  • Compliance and legal considerations: Meeting requirements and compliance related to incident response and digital evidence handling. This ensures that the investigation and collection of evidence complies with relevant legal and regulatory standards, reducing the risk of evidence manipulation and helping organizations maintain compliance with data protection and privacy regulations.
  • Experienced teams: Our teams have handled thousands of incidents since their inception.

Do not hesitate to contact us!