cyber resilience & incident response - ncc group


Post on 18-Feb-2022


CYBER RESILIENCE & INCIDENT RESPONSE

www.nccgroup.trust

Introduction

The world of technology moves quickly, and in the case of cyber threats, the threat landscape has changed almost completely in the last decade. Where once the biggest threats were opportunistic attackers and preventable accidents, attacks are increasingly targeted at specific organisations, with the aim of achieving specific goals.

Those goals might be to cause financial or reputational damage, to steal confidential information, or to advance a political cause, and the attackers might be hostile nation-states, organised criminal enterprises, political “hacktivists” or disgruntled employees.

Such attacks require both public and private sectors to take a different approach to their cyber security posture and strategy. The consequences of a successful cyber-attack are well known, so having an effective program of risk reduction and response is no longer optional.

Targeted attacks are often tailored to the particular defences of the organisation under attack, rendering conventional technical security measures ineffective. For this reason, it is now critical for organisations to have an understanding of how the new threat landscape relates to their own unique circumstances, and to take action to improve their cyber resilience.

NCC Group’s Cyber Resilience and Incident Response services help you prepare, assess, and maintain your cyber security systems, and respond to the threats you face.

Drawing on the experience of our cyber risk professionals, incident response experts and technical security consultancy teams, we help clients to:

• Understand their current cyber posture

• Contain and mitigate any breach

• Understand ongoing risk and develop a strategic roadmap to improve overall cyber security maturity

Cyber Resilience and Response. All Rights Reserved. © NCC Group 2015

Cyber resilience goes beyond risk management and tactical technical solutions, requiring a holistic view of systems and processes to prepare for the reality of cyber incidents.


[Figure: framework cycle with the stages Prepare, Assess, Maintain, Respond, Review]

What should your organisation do?


Believing that an incident could happen at any time will enable better preparedness.

Accepting that cyber incidents will happen means that your organisation will be ready to respond when a breach occurs or is detected, allowing you to take the correct course of action to return to business as usual.

To ensure comprehensive coverage, cyber resilience must be embedded in an organisation and become an everyday consideration, not just a one-off project. It is important to adopt the mindset that while total security is unachievable, risk is manageable when an eventual breach is planned for.

Improving your overall security posture may seem like a daunting task. Our cyber resilience and incident response framework enables you to develop a strategy to suit your organisation. Our framework takes you through the key areas you need to consider to put together an approach that works for you.

Our services range from executive engagement and strategy development, through to education and awareness, incident management, and remediation.

Our global team of over 400 experienced consultants are on hand to help organisations plan for and respond to a variety of cyber risks. Our strength in depth and unique set of skills mean we can respond to incidents of all sizes, even those with challenging timescales and technical requirements.

With best-of-breed solutions and tools, and the expertise of our intrusion response specialists, we are constantly evolving our capabilities to meet our clients’ demand for robust cyber security.


How we can help

Prepare, Assess, Maintain, Respond, Review

• Executive Steps to Cyber Security

• Cyber and Incident Response Strategy & Planning

• Board Level Training

• Cyber Security Capability Assessment/Health Check

• Policy Maturity Review

• Sophisticated Simulated Attack (Red Team)

• Investigative Protective Monitoring & Logging Review

• Cyber Security Diagnostics

• Host, Network & Forensics Readiness Training

• Ongoing Consulting and Managed Services

• Proactive Network Monitoring

• Incident Response Management

• Investigate & Remediate

• Impact Understanding & Quantification

• Managed Services

• Malware Analysis & Reverse Engineering

• Host Forensics & Network Monitoring

• Mitigation & Recovery Assistance

• Log Analysis

• Information & Threat Intelligence Sharing Partnerships

• Post Incident Analysis: Threat Impact & Loss Review

• Lessons Learned: Action Identification & Knowledge Dissemination

Proactive Risk Management

Your organisation’s cyber risk strategy must be driven from the board level. Focusing on technology is not enough; security must be an integral part of your core business governance strategy.

Proactive risk management enables you to integrate cyber security into every aspect of your organisation.

Embedding cyber security into the organisational governance and control framework of any business is the starting point for the design, development, and delivery of a forward-looking strategy.

NCC Group’s cyber resilience services will help you to develop an understanding of your current capabilities, the threats faced, and the vulnerabilities present in your systems, with the goal of developing an organisation that is resilient to cyber threats.

Cyber & Incident Response Strategy Planning

If you don’t have an in-depth security strategy, then you need to know where you should focus your investment and what your security priorities should look like in the short, medium, and long term.

Our security strategy advisory service is based on four objectives:

1. Getting the basics right

2. Identifying and protecting what matters most to your business

3. Strengthening leadership and governance

4. Pioneering security as a business enabler

Cyber Security Capability Health Check

Our Cyber Security Capability Health Check helps organisations understand their risk posture and ability to defend against internal and external cyber threats. By taking a holistic view of people, processes, and technology, the health check enables organisations to understand their enterprise cyber security capabilities and highlight areas of risk in the context of the overall business. Actionable findings backed up with practical recommendations will enable your organisation to prioritise areas for remediation and result in your organisation becoming more vigilant and resilient in its approach to managing cyber threats.

Policy Maturity Review

Your organisation’s ability to manage cyber threats and vulnerabilities relies heavily on the existence of robust and mature security policies which define the security standards of your organisation in relation to staff behaviour, business, and technical processes. Keeping security policies aligned with your business direction and the evolving security threat landscape is challenging and, if not done correctly, can lead to data loss, breaches, and other security incidents.

We have the experience and capability to review your organisation’s existing security policies to ensure they reflect business and technical processes. We have the expertise to help you develop new policies which will be mature enough to address compliance gaps and meet industry best practice.


Sophisticated Simulated Attack (Red Team)

Performing a simulated attack on your organisation can be very valuable, allowing you to assess its susceptibility to a breach, its level of user awareness, and its detection and response capabilities. Our methods include open source intelligence gathering to identify targets, phishing campaigns to gain access to company credentials or systems, and the use of simulated malware (with harmless payloads) to retain access.

Alternatively, we can generate traffic on your internal network, originating from a simulated compromise, to assess your current ability to detect suspicious activity. We tailor our programme to the needs of your organisation, designed to identify and highlight gaps and ensure the robustness of your overall security posture.

Investigative Protective Monitoring & Logging Review

Would your current infrastructure and capabilities allow you to support investigations into an attack in a timely, accurate, and sufficiently deep manner? NCC Group’s cyber incident response and defence operations experts can review your organisation’s current capabilities, any gaps against particular threat types and your current level of maturity.

Cyber Security Diagnostics

Our consultants will undertake a broad review of your cyber security controls and capabilities to enable you to understand your risk posture and ability to defend against internal and external threats. The review will take a rounded view of people, processes, and technology, to understand areas of vulnerability and prioritise areas for remediation.

Training

People are the weakest link in cyber security. If your organisation lacks relevant training and cultural awareness then technology will be of limited benefit in preventing or responding to cyber attacks.

We offer tailor-made training and awareness programmes relevant to your sector and level of maturity. From executive tabletop scenarios to phishing awareness, our courses and experience are an important part of any risk reduction programme.

Our technical training is intended for individuals who will undertake incident response activities within a particular organisation and centres around first responder activities for host forensics, network traffic investigations and malicious code analysis (malware).

Ongoing Consulting and Managed Services

As part of your organisation’s ongoing programme of improvement, our consulting and managed services teams provide a broad range of capabilities and offerings as needed, on top of your regular security assessments.


Incident Response

Even the best-prepared organisations still get attacked, and responding to those attacks is a crucial aspect of cyber resilience. NCC Group’s cyber incident response services provide step-by-step expert guidance to help you keep control of the situation.

Incident Management and Response

In the aftermath of a security incident you need a quick response and accurate insight. With our dedicated Incident Management and Response team, we help you find out what happened and how.

With our rapid incident response capability, we focus on helping your organisation to regain control of your systems and information promptly following a security incident.

Through a combination of evidence protection and forensically-sound investigation, our consultants can:

• Determine how the breach occurred, by understanding the initial vector of attack and compromise.

• Determine the capabilities and activity of a threat actor, and the extent of infiltration.

• Identify (where possible) who may be responsible.

• Categorise what was taken and when, to enable you to understand the loss.

Our 24-hour response team provide timely and accurate advice on how best to deal with a breach as soon as it is discovered.

Investigate & Remediate

We provide comprehensive investigation services using appropriate experts in gathering, analysing and presenting digital evidence. Our consultants have experience of a wide range of investigations, including traditional laboratory-based forensic analysis, network forensics, covert monitoring, and live host and memory forensics.

Impact Understanding & Quantification

We will work closely with you to investigate any breach, to help discover what happened, and allow you to understand the impact on your organisation and quantify any losses.

Managed Services

Our Cyber Defence Operations network sensors are deployed as part of a managed service, in which traffic on your network will be automatically monitored around the clock, with any unusual traffic compared to our extensive intelligence databases. Combining our own intelligence with industry-wide knowledge and data privately shared by partners, we identify indicators of compromise and unusual network traffic quickly and accurately.


Malware Analysis & Reverse Engineering

We have a dedicated malware investigations laboratory which enables us to analyse malicious code.

Our team of consultants will reverse-engineer the malware, to discover exactly what its effect is and what damage it has already done to any affected systems. Using sandboxed virtual or physical machines, configured to the same specification as client machines, our experts analyse the malware’s behaviour, allowing clients to secure their estates effectively.

Host Forensics

We provide you with cyber forensic investigation capabilities using appropriate experts in gathering, analysing and presenting digital evidence.

We collect forensic images of hosts, getting a forensically-sound copy of all data in both storage and volatile memory. Our consultants then analyse any information found, using industry-standard tools and platforms. We provide you with an accurate picture of what happened and when, in support of a broader investigation.

Network Monitoring

Sensors are deployed on your networks and managed by our Security Operation Centre through a secure connection. These sensors are used to perform live monitoring of unusual and potentially-malicious traffic, such as intrusion attempts, data egress and malware command and control traffic. Using secure systems and software developed in-house, we analyse your network traffic in real time, allowing our experts to recommend countermeasures to block malicious traffic while tracing the source.

Mitigation & Recovery Assistance

We provide you with knowledge and support in the eradication of a threat actor from your environment and in the subsequent effort to bolster your defences. This is a blended service combining high-level management with investigation, analysis, protective monitoring, advice and planning.

Log Analysis

Our consultants quickly and reliably assess available logs, as well as any intrusion detection and prevention systems already in place. We compare any traffic to previous attacks held in our intelligence databases to discover the extent of any compromise, malware infection, or exfiltration of data. This service enables us to provide you with recommendations to prevent further attacks.


Post Incident

In the aftermath of an incident, all stages of the cyber resilience and incident response framework are revisited, to ensure an ongoing programme of improvement. The information gathered is fed back into the process and is used to strengthen your security posture further.

Information & Threat Intelligence Sharing

NCC Group believes that keeping your management informed of current, relevant facts around incidents is vitally important. During every investigation, we appoint a technical account manager who works closely with you and your management, ensuring that lines of communication are open at all times. The technical account manager provides detailed status reports, enabling you to make business decisions based on the threat intelligence that has been gathered.

All of our reports contain details aimed at technical audiences and comprehensive summaries aimed at management, providing your managers and executives with a full picture of their current security status.

Threat Impact & Loss Review

We help you understand the impact and loss suffered as a result of a breach. Through a full review we will assess both the business and technical impact and the losses arising from the breach.

Post Incident Analysis & Lessons Learned

Many organisations are unaware of what steps they need to take to minimise the risk and impact of security breaches. Our team of highly qualified consultants offers advice, training, and guidance in all areas of systems security, including:

• Ensuring that your organisation’s staff are fully aware of their cyber security responsibilities.

• Proactive network monitoring tools and solutions.

• Establishing security and storage rules for the handling of evidence.

• Delivery of training to key staff ensuring adherence to evidence handling procedures.

• Providing guidance in the form of a documented, real-world example that everyone can run through in advance.

• Ensuring that all parties, including legal, are confident that the processes in place are correct.


NCC Group - your global cyber security partner

CONTACT US

0161 209 5200

[email protected]

@nccgroupplc

www.nccgroup.trust

United Kingdom: Cheltenham, Edinburgh, Glasgow, Leatherhead, London, Manchester (Head office), Milton Keynes

Europe: Denmark, Germany, The Netherlands, Switzerland

North America: Atlanta, Austin, Chicago, New York, San Francisco, Seattle, Sunnyvale

Asia Pacific: Sydney

All Rights Reserved. © NCC Group 2015 V/2 05:15