Handling Security Incidents

The hyper-connected digital world presents unique challenges for any organisation that needs to investigate data breaches, malware outbreaks (e.g. ransomware), or the misuse of organisational systems and data that could potentially lead to legal and employment action. The use of mobile technology, cloud services and increasingly virtualised systems, combined with the ongoing use of traditional or legacy computer platforms, means investigations are becoming more complex.

For many organisations, confirming that they have an incident that warrants investigation, or understanding the nature of an incident, is often not straightforward. Commonly they do not have ready access to people with the right level of experience and skills, and they certainly don't have a comprehensive suite of incident response tools sitting on the shelf ready to deploy.

Calling upon expertise or buying Incident Response tools can be an expensive exercise, whether the exercise results in a positive or negative outcome.

MPA's First Responder Forensic Toolkit (FRFT), built using EnCase (forensic, cyber security and security analytics software), enables an organisation to quickly start an incident response process without requiring in-house expertise. With the FRFT you will know how to respond, collect the necessary data and complete an initial triage exercise, which is paramount to beginning an effective incident response and recovery process. In the event of a cyber security attack, a data breach, issues with a rogue employee or suspected fraud, use the FRFT to start collecting forensic data. Any privileged computer user just follows the simple instructions and the FRFT takes care of the rest, eliminating the need to have a forensics expert travel to site and to invest in a suite of forensic software tools.

Once the toolkit has completed the data capture exercise, our forensics experts will provide detailed reporting on their analysis of your supplied data. This enables the next stages of the incident response process to be initiated, guided by the intelligence gained from the triage exercise using the FRFT. The toolkit has been developed in accordance with the following incident response and investigation standards: ISO 27035-1, 27035-2, 27037, and 27043. This helps to ensure that any information collected with the toolkit is admissible in court.

What are the challenges the FRFT will assist you with?

The toolkit will allow an organisation to perform in-depth forensic searches, collect evidence and complete specific key investigative tasks. Some examples:

· A ransomware outbreak means users are unable to access their data because it has been encrypted. The toolkit will assist an organisation to quickly gather the right evidence regarding the attack and, most importantly, help identify and recover unencrypted copies of the data affected by the ransomware. Should this option prove not to be possible, the kit can also aid the recovery process by gathering relevant information to help create a decrypt key.

· There is a requirement to identify which people have, without authorisation, elevated their system account privileges to access confidential company information and sent it to an external third party. The toolkit will identify system changes, detail user activity and, if required, recreate system logs (deleted or non-existent).

· An organisation is concerned that over time it has collected and stored credit card numbers on internal systems; however, it cannot locate this data readily and is concerned that:

   1. They could be in breach of PCI-DSS requirements.

   2. The data could be identified and used in the future by a hacker or rogue employee.

   Note: The toolkit can perform a search for card numbers from 12 major credit card providers.

These examples provide a simple snapshot of the power of the FRFT capabilities. CLICK HERE to view a detailed infographic on common use cases.

MPA developed the First Responder Forensic Toolkit (FRFT) so that it can be quickly deployed by Channel Partners and customers in the event of an incident, as urgent action is usually required. The FRFT can be hired for a specific one-off exercise so that an organisation has some rapid response capability on hand to deal with an incident.


Graeme Pyper

Experienced VP sales across APAC. Helping law enforcement make our world a safer place to live in

7 years ago

To identify potential credit card numbers you can simply use the mod 10 checking tools; however, this does not tell you if the card number is indeed valid but only that it is correct.

