Why do you need Cyber Incident Response?
A cyber security incident is one of the most devastating scenarios an organisation can face. The cost of breach is not limited to direct losses from theft or fraud, and can far exceed immediate financial loss. Examples include:
The cost of recovery: Including rebuilding and replacement of systems
- Loss of revenue: From operational downtime where business-critical systems are irreparably damaged or taken offline until security is restored
- Contractual penalties: Related to service downtime
- Regulatory fines and scrutiny: Due to non-compliance with GDPR, or intervention from industry authorities
- Reputational damage: Undermining customer and shareholder confidence
- Loss of competitiveness
How is a Cyber Incident Response Delivered?
Incident response exercises typically follow a staged delivery process:
- Triage – Upon first contact with the client, JUMPSEC will remotely triage the situation to ascertain the nature and severity of the reported incident.
- Investigation – JUMPSEC will deploy resources (remote or on-site) to investigate the breach. This typically involves the forensic analysis of logs, data gathering, and building understanding of the business context to piece together the events and understand the nature of the breach.
- Containment – JUMPSEC will coordinate with the client to design an effective containment strategy once sufficient data has been gathered. It is important to ensure that containment is decisive, and all entry points that an attacker has into the network have been identified so that they can be comprehensively eradicated.
- Monitoring – Following a breach, the majority of attackers will attempt to re-enter the network using the same of alternative access points. JUMPSEC recommends the deployment of its JCORE endpoint monitoring and remote response technology to identify and prevent any attempts at re-entry.
- Remediation – Once the threat has been neutralised, JUMPSEC can support with remedial activities to address the root-cause of the breach, and advise on recovery procedures where systems have incurred damage.
How are reported Incidents reported and triaged?
During the initial contact with the victim, JUMPSEC will remotely triage the reported incident to determine its severity. Incident investigations typically come in one of two categories, according to the level of perceived risk:
- Further investigation required – Investigations of user devices, systems and applications behaving in a way that could be considered malicious. These investigations are typically time-bound exercises to analyse and evaluate whether the activity is genuinely malicious. From this point, the investigation may be escalated to a full-scale incident response effort if evidence is found that a compromise has occurred, or an attack is currently underway.
- Immediate response deployed – Full-scale incident response, deployed immediately where sufficient evidence can be gathered during triage that points to a live cyber attack.
How can I access Incident Response Services?
Retaining JUMPSEC as an incident response provider facilitates seamless response in an incident. Retainer clients benefit from pre-established lines of communication, and a level of prior knowledge about the organisation’s structure and digital infrastructure can facilitate more effective response and seamless cooperation between JUMPSEC, internal staff, and other third-party teams responding to the incident.
Retainer customers can also benefit from the pre-deployment of JUMPSEC’s JCORE technology stack to aggregate event log and endpoint data for use in an incident. The software can lie dormant until it is required, at which point it can be activated to provide immediate remote investigation and response capabilities to accelerate the response effort.
Due to the cost associated with calling out a third-party provider, many organisations can delay the reporting of an incident before the risk can be confirmed. Engaging JUMPSEC’s retainer service means that advice and guidance can be offered without triggering costly call-out fees for another third-party, giving you peace of mind that JUMPSEC is available for you to query as needed without running the risk of incurring hidden and unexpected costs.
What are the benefits of an Incident Response retainer?
Retaining JUMPSEC as an incident response provider facilitates seamless response in an incident. Retainer clients benefit from pre-established lines of communication, and a level of prior knowledge about the organisation’s structure and digital infrastructure can facilitate more effective response and seamless cooperation between JUMPSEC, internal staff, and other third-party teams responding to the incident.
Retainer customers can also benefit from the pre-deployment of JUMPSEC’s JCORE technology stack to aggregate event log and endpoint data for use in an incident. The software can lie dormant until it is required, at which point it can be activated to provide immediate remote investigation and response capabilities to accelerate the response effort.
Due to the cost associated with calling out a third-party provider, many organisations can delay the reporting of an incident before the risk can be confirmed. Engaging JUMPSEC’s retainer service means that advice and guidance can be offered without triggering costly call-out fees for another third-party, giving you peace of mind that JUMPSEC is available for you to query as needed without running the risk of incurring hidden and unexpected costs.
Do you need to install your own technologies for Incident Response Retainers?
No, JUMPSEC incident responders are highly skilled in using a range of bespoke and third-party agents and technologies from which to gather forensic evidence, extract and analyse log data, and plan and execute a decisive response, and are therefore able to provide a technology-agnostic solution.
However, JUMPSEC’s JCORE technology stack is able to reliably provide the functionality required for effective incident response where clients do not have a suitable existing solution. This can be pre-deployed for retainer clients to aggregate event log and endpoint data for use in an incident. The software can lie dormant until it is required, at which point it can be activated to provide immediate remote investigation and response capabilities to accelerate the response effort.
What are the advantages of partnering with a consultancy for Incident Response?
JUMPSEC can leverage its offensive and defensive security expertise to provide tactical advantages during an incident.
Offensive professionals often possess intimate knowledge of how to take down a system, allowing them to predict an attacker’s movements and likely activities. They are also able to offer improved remedial guidance on how to secure a system and prevent re-compromise.
Similarly, defensive professionals used to delivering monitoring and detection services know how and where to deploy to disrupt an attacker’s path toward their likely objectives. JUMPSEC’s experience of defending client estates and hunting for threats means we are well-versed in identifying, triaging, and terminating suspicious activity.
Can you remotely respond to an incident without on-site access?
Yes, providing sufficient technologies are deployed on the estate, JUMPSEC can remotely extract log and system data for forensic analysis, and remotely deploy to areas of the network for response activities to take place.
Some activities will always require an on-site presence, and some large-scale incidents can benefit from visible incident management to coordinate activities and control the situation.