
Cyber and Data Breach: Incident Response

FINANCIAL CRIME

Bank account or payment card theft, illicit cash transfers, extortion and ransomware

Intellectual Property

Theft of proprietary, confidential trade secrets or other commercially sensitive information


Insider Threats

Inappropriate and unlawful activity carried out by employees, consultants, workers, vendors and other insiders

Personally Identifiable Information

Theft or other exposure of data used to identify individuals

Destructive Attacks

Attacks solely intended to cause commercial harm or render systems or data irretrievable

Everyone is a target. Whether your organisation is a Sole Trader, SME or a PLC, you are a target.

Developing an incident response plan and pre-emptively adding guidance on how to handle incidents will help you make good decisions under the pressure of a real incident. Having this in place is a critical step towards a robust and effective incident management and technical response capability.

OCiSO's professional team is experienced in resolving all of the incident types listed above.

OCiSO engages with your organisation to create a plan ahead of time. That plan will draw on the guidance of the technical IT professionals, legal and insurance partners we work with, in order to identify gaps in your incident handling capabilities. Once we have helped you to develop an organisation-wide breach response plan, we will also be on hand to mitigate and respond to incidents. In the event of a breach, we will efficiently provide advice and create a roadmap to prevent future ones.
 

The OCiSO Critical Hour Framework produces a number of activities and deliverables as defined below:

  • Review and assess defensive capabilities

  • Define tactical response plan

  • Identify roles and responsibilities with associated engagement methods

  • Provide framework document

The UK’s Number 1 Cyber Security and Data Breach Incident Response Service:

"An expert-led human approach to IT and Data Security"

 

We will work to identify problems and where we can help, then deploy a team of cross-industry professionals to swiftly and seamlessly deliver the ideal solution for your situation.

We work quickly to leverage the support of our network of accredited technical experts when you need assistance with a cyber breach.

Our service level commitment to you is that we guarantee you will have one of our technical experts on-site at your preferred premises within 4 working hours of your initial contact.

If it is confirmed that you've experienced a breach, our team of technical and professional experts can assist in building a comprehensive, compliant and timely Cyber Incident Response Action Plan that addresses the risks to your systems, your data, your reputation and the individuals affected.

We understand what's most important to you: business continuity. It is our goal to manage and resolve each incident so that you can focus on running your business. We will keep your priorities in mind when designing the right solution for your organisation and the situation at hand. Our end-to-end cyber security and data breach response offers expert guidance to improve your outcome and mitigate any damage caused.

 

Our Methodology: Cyber Security Incident Response

 

Once your call is received, OCiSO will deploy one of our specialist Cyber Incident Responders, who will, once on-site (if not before), rapidly identify whether a cyber incident has taken place and, if so, what type of cybersecurity incident your business is the victim of. This will then determine the appropriate, proportionate and necessary response that we and our technical responders will prescribe, along with subsequent follow-up actions.

Cyber security incidents usually begin with one or more of the following incident indicators:

  • Technical monitoring alerts on systems such as anti-virus software, Intrusion Detection Systems (IDS), Data Loss Prevention (DLP), Security Information and Event Management (SIEM) systems, log analysers, etc.

  • Reports of irregular or suspicious events made to the in-house or outsourced IT help desk by employees or other system users; queries from the accounts department (in the case of rogue requests); third party reports (including client queries following the receipt of a questionable email); or reports made directly to the security team by the police, industry bodies, your vendor partners, or the government (rare, but this can happen).

  • Anomalies detected circumstantially by audits, investigations or reviews. Note: this includes financial audits that show withdrawals that are traceable to fraudulent activity.

As a result of our cyber incident responder's comprehensive assessment, we may find that the malware has spread more widely within your network than you anticipated, or to third party systems, compromising your data and network security beyond the point where the infection was initially detected.

Our cyber incident responders are used to monitoring the complete evidence trail for signs of unusual occurrences and assessing one or more trigger points.

Analysing all the available information will often provide a different insight into what has actually caused the alert. Responders can then determine whether there has been any one of, or a combination of, the following: a DDoS and/or malware attack, system hack, session hijack, and/or data corruption.

Relying instead on the reports produced by your security monitoring software can be misleading, especially without expert help to interpret those results.

In this way, we aim to definitively confirm that you have been subjected to a cyber-attack or cyber-related data breach, removing any doubt about the possible causes.

Following the initial diagnosis of the nature and severity of the cyber incident described above, if the incident can be remedied within the working day, the remediation response will be performed as quickly as possible, with the minimum disruption to your business, and for the amount paid at the outset.

 

Define objectives and investigate the situation

 

Where the incident cannot be resolved within Day 1, further services will need to be confirmed by the Incident Responder and agreed by you, the client.

Objectives and scope will be formulated based on identification factors and the information gathered to date. These will be directed by client requirements, in line with business continuity and concerns.

Investigation will be an ongoing effort from initial identification through to containment and eradication. The main focus of investigation at this stage is returning to normal operation rather than in-depth analysis, and it will triage by:

  • Classifying

  • Prioritising

  • Assigning

  • Replacing

OCiSO's Incident Responders will use cyber threat intelligence to clearly understand the tactics, techniques and procedures of the attacker(s), to assist with the definition of objectives and scope and to remediate more effectively.

Any changes to scope or objectives will be clearly discussed and agreed with you, the client, with written authorisation where additional work is needed above or beyond the initial scope. These changes will be communicated in a timely fashion to the incident team where required.

We can assist in replacing your hardware on an interim rental basis so that your business can continue without the need to purchase entirely new equipment.

 

Take appropriate action to contain the incident

 

An important step in the process is containment: stopping the infection from spreading to other networks and devices, both within your organisation and beyond.

At OCiSO, we ensure that actions aimed at reducing the immediate impact of the cybersecurity incident are prioritised, primarily by removing the attacker's access to your systems. This does not always mean returning to business as usual, but making best efforts to return to normal functionality while continuing to analyse the incident and plan longer-term remediation.

We will contain the incident and isolate any compromised nodes or devices to prevent further infection or lateral movement, allowing the business to resume normal functions. We will also monitor for changes in attack vector or escalation as a result of containment, and ensure that no further compromises of the infrastructure are made and that any tools introduced to assist are verified and malware-free.

Once the incident has been contained, we will eradicate the suspect material from the network while preserving evidence to the required evidential standards for more detailed investigation and/or possible future prosecution.

 

Recover Systems, Data and Connectivity

 

OCiSO will ensure that your systems have been restored to their normal operation and will remediate vulnerabilities to prevent similar incidents from occurring in the future.

Further considerations, post-restoration:

  • You may require further validation of recovery. If so, our incident responders can offer a vulnerability assessment (known as a penetration test).

  • OCiSO's Incident Responders can also monitor the situation over an agreed period of time to ensure that no follow-up attack takes place and to confirm successful eradication and recovery of systems.

  • The final piece of the Cyber Security Incident Response process is the restoration of your systems to normal operations, with confirmation that the affected systems are functioning normally.

  • Vulnerabilities will be remediated to prevent similar incidents from occurring.
