Time is of the essence if your organisation is under some form of cyberattack, particularly if you do not have the right tools or expertise on standby. For many organisations, confirming that they have an incident that warrants investigation, or understanding the nature of an incident, is often not straightforward. Commonly they do not have ready access to people with the right level of experience and skills, and they certainly do not have a comprehensive suite of incident response forensic tools sitting on the shelf ready to deploy.
The First Responder Forensic Toolkit (FRFT), built using EnCase Forensic, “The Gold Standard in Forensic Investigations”, enables an organisation to quickly start the incident response process without requiring in-house expertise. Within minutes our FRFT will allow you to react to a potential incident and start collecting the data necessary to complete an initial triage exercise, which is paramount to conducting an effective investigation during incident response.
In the event of a cyber security attack, a data breach, issues with a rogue employee or suspected fraud, use our FRFT to start collecting forensic data. A privileged computer user follows our simple instructions and the FRFT then takes care of the rest, eliminating the need for a forensics expert to travel to site. The FRFT ensures that the collected data is encrypted and can therefore be securely transferred to our forensic analysts.
Once the data collection exercise has been completed by the toolkit, our forensics experts will provide detailed reporting on their analysis of the supplied data. Guided by the intelligence gained from the triage exercise using our FRFT, the next stages of the incident response process can be initiated.
The toolkit has been developed in accordance with the following incident response and investigation standards: ISO 27035-1, 27035-2, 27037 and 27043. This helps to ensure that any information collected with the toolkit is admissible in court.
What are the challenges the FRFT will assist you with?
The toolkit allows an organisation to perform in-depth forensic searches, collect evidence and complete 32 predefined key investigative tasks. Some common FRFT use cases are:
- A ransomware outbreak means users are unable to access their data because it has been encrypted. The toolkit helps an organisation quickly gather the right evidence regarding the attack and, most importantly, helps identify recoverable copies of the data affected by the ransomware. Should that prove not to be possible, the kit can also aid the recovery process by gathering relevant information that may help create a decryption key.
- Data breach: there is a requirement to identify which people have, without authorisation, elevated their system account privileges to access confidential company information and sent it to an external third party. The toolkit identifies system changes, details user activity and, if required, recreates or recovers system logs even if they have been deleted. Our technical experts advise that, using data correlation techniques, even logs that never existed can be created.
- An organisation is concerned that over time it has collected and stored credit card numbers on internal systems, but it cannot readily locate this data and is concerned that:
- They could be in breach of PCI-DSS requirements
- The data could be identified and used in the future by a hacker or rogue employee.
Note: The toolkit can perform a search for card numbers used by 12 major credit card providers.
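As an added illustration, not part of the FRFT or of this article, the kind of check a card-number search has to perform: candidate digit runs are validated with the Luhn checksum and matched against issuer prefixes, which is what stops order numbers and phone numbers from being reported as card data. The sample text and the four issuer patterns below are constructed for the example; the toolkit's own 12-provider list is not reproduced here.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Illustrative issuer prefixes (assumed for this example; the toolkit covers 12 providers).
ISSUERS = [
    ("Visa", re.compile(r"^4\d{12}(?:\d{3})?(?:\d{3})?$")),
    ("Mastercard", re.compile(r"^(?:5[1-5]\d{2}|222[1-9]|22[3-9]\d|2[3-6]\d{2}|27[01]\d|2720)\d{12}$")),
    ("American Express", re.compile(r"^3[47]\d{13}$")),
    ("Discover", re.compile(r"^(?:6011|65\d{2})\d{12}$")),
]

# Constructed sample of the kind of text a legacy export or log might contain.
SAMPLE = """\
order_id=1234567812345678 customer=jdoe
legacy export: card 4111 1111 1111 1111 exp 12/22
note: amex 378282246310005 refund pending
ref 5555-5555-5555-4444 chargeback
bad digits 4111111111111112 should not match
"""

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum digits, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def identify_issuer(digits: str) -> Optional[str]:
    return next((name for name, pat in ISSUERS if pat.match(digits)), None)

def mask(digits: str) -> str:
    # Keep only the first six and last four digits, so findings can be reported without storing the PAN.
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

@dataclass
class Finding:
    line_no: int
    issuer: str
    masked: str

def scan_text(text: str) -> List[Finding]:
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_valid(digits):          # drops most order, reference and phone numbers
                continue
            issuer = identify_issuer(digits)    # drops Luhn-valid runs with no known issuer prefix
            if issuer is not None:
                findings.append(Finding(line_no, issuer, mask(digits)))
    return findings
```

Running `scan_text(SAMPLE)` reports the Visa, American Express and Mastercard lines only; line 1 and line 5 fail the checksum.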
These common use examples provide a simple snapshot of the capabilities and power of the FRFT. Click here to view a detailed infographic we created on common use examples.
In summary, the First Responder Forensic Toolkit (FRFT) can be quickly deployed by customers in the event of an incident, when urgent action is usually required. If you are responsible for documenting and maintaining an incident response plan, it may be worth scheduling a call with one of our consultants to discuss how our FRFT will allow you to quickly take control of an incident and ideally manage it to a positive conclusion. Contact Mike or Steve today to schedule a call.
The power of lessons learned
Some very good information that caught our attention recently was a communication piece from the North American Electric Reliability Corporation (NERC), a not-for-profit regulatory body whose mission is to assure the effective and efficient reduction of risks to the reliability and security of the North American power grid.
The communication piece is called Lessons Learned. It discusses a real-life example of how an organisation in the power sector was impacted by a vulnerability in its firewall vendor's web interface. A number of perimeter firewalls that served as the outer security layer rebooted repeatedly over a 10-hour period, each reboot taking a firewall offline for under five minutes and causing a denial-of-service effect.
The article is worth a read, and the last section, entitled “Lessons Learned”, provides some good advice that is not specific to the power industry. A very short summary of the points in that section:
- Follow good industry practices for vulnerability and patch management
- Reduce and control your attack surface
- Use virtual private networks
- Use access control lists (ACLs) to filter inbound traffic
- Layer defences
- Segment your network
- Know your exploitable vulnerabilities so you can pursue fixes
- Monitor your network
- Employ redundant solutions to provide resilience
Click here to view the article.
Another one for the good guys!
We have frequently covered the topic of Business Email Compromise in previous Newsflash editions. It was good to see an announcement this week that a law enforcement operation that ran over four months led to the arrest of 74 people in the United States and 207 others in eight overseas locations for allegedly running a range of financial fraud schemes. Named Operation reWired, it also led to the recovery of over $100m transferred by the fraudsters during their time in operation. Whilst this result is very positive, it is also unnerving to read how sophisticated some of the scams used by this group were, knowing that they represent just a small percentage of a very active and somewhat ingenious global cybercriminal population.
Click here to read the article.