Incident Response
For over 15 years Sylint has developed and implemented highly effective incident responses to a broad range of cyber events.
We’ve devised and executed successful incident response plans for every type of incident from SQL injections and email viruses on local servers to corporate espionage and nation-state attacks on highly complex global networks. Our experienced and agile team of engineers, forensic analysts and investigators works in concert with our client’s IT professionals to quickly assess an often fluid situation and craft a tailored response strategy.
Incident Response
What We Provide
Beyond just responding to a cyber incident, we also help clients post-event to identify vulnerabilities, implement best-in-breed policies, minimize future risks, and reduce the likelihood of subsequent cyber security events.
If you’ve sustained an incident, or think you may have, we strongly urge you to contact us today. In some cases, delaying response by a day, or even a matter of hours, can have far-reaching and costly consequences. The Sylint team is able to respond to virtually any cyber incident, anytime, anywhere. Interested parties are encouraged to contact us at any time for an initial consultation.
- 24/7 rapid response to limit damage, terminate access points and identify assailants
- Address system analysis, malware collection and review, log analysis, traffic inspection and many other critical components
- Work discretely with clients, law enforcement and numerous government agencies
- Extensive knowledge of leading edge threats and incident/breach reporting requirements
What is Incident Response?
Incident Response (or “IR”) is the process of responding to a known or suspect cyber-security incident. Sylint’s IR philosophy is to cooperate with internal teams where possible. This maximizes efficiencies and minimizes costs while determining what occurred. Generally working with small fire-teams of two to four experts, Sylint provides highly-skilled support during this stressful time.
It is important not to jump to conclusions, but instead carefully and methodically assess the situation and determine the best path forward. While the initial inclination may be to alternately ignore the problem or to “fix” things quickly, both of these tactics can cause further damage. Review the Critical Steps and Questions outlined here for more information.
Critical Steps
Forensic analysis may be necessary to determine what happened, data attackers may have accessed and the scope and scale of the incident. Prior to ‘fixing’ identified issues, it is important to determine if preservation may be necessary. Additionally, today’s malware may reside only in memory (RAM), so forensic acquisition of RAM may be a critical component to an investigation.
Security incidents may result in both civil litigation and criminal prosecution. Engaging legal assistance early helps to ensure that these legal considerations become part of the response process.
Many insurance policies include cyber-incident response coverage, but the insurance company may have their own preferred vendors for both legal and cyber-security teams. Additionally, insurance companies can often help with communication and coordination of the IR process.
Questions to Ask
Initial questions to be answered in an Incident Response situation include:
What logs and tools are available for an investigation?
Knowing the available logs can help determine what historical data is available for an investigation. High priority logs include security event logs from domain controllers and outbound firewall logs.
How can the network be accessed remotely?
Remote access to the network is a frequent entry-point for attackers. Identifying remote access routes can assist with containment and scoping.
What data could the attackers be targeting?
Identifying the data that attackers could be after can provide some initial direction on scope, attack vectors and even techniques that attackers might use.