A Cyber Incident! The first 72 critical hours
Cyber defenders have no easy job. They are tasked with keeping their organisations safe from cyber attack every minute of every day, all the while completing the day-to-day and other recurring maintenance and upkeep tasks, planning for the future, and dealing with the unexpected. When an unexpected cyber incident occurs, the overall impact to the business can hinge on what happens in the first hours and days after detecting the breach.
The reality is that there are no guarantees in cyber security, or perhaps there is only one guarantee: that there is no such thing as “perfect security”. Preparing for failure is therefore a critical aspect of good cyber security practice. When an adversary gets in, being able to respond quickly, and in a manner that effectively balances pressure from the business to “get our systems back online ASAP” against the need to ensure a full understanding of the adversary’s presence, is all part of the Incident Response (IR) playbook.
In the minutes and hours after detecting that an adversary has established a presence in an organisation, organisations often turn to trusted IR partners which have the expertise, honed by battle-hardened experience, to manage the complexities of investigation, analysis, response, and remediation. These IR partners arrive quickly, rapidly deploy the tools they rely on to perform their work, work relentlessly to understand the scope of the incident, formulate a plan to permanently remove the adversary, and all the while provide guidance and insights to the organisation they are helping.
VMware Carbon Black is a proud partner of Fox-IT and its FoxCERT Incident Response team. As part of the global NCC Group, FoxCERT trusts VMware Carbon Black as its EDR tool of choice to provide deep insights into adversary behaviour on endpoints and workloads. If you’ve ever wondered just what an expert IR team, such as FoxCERT, experiences during the first 72 hours of a breach investigation, this blog is for you.
Organisation and individual names have all been kept anonymous. An adversary has gained a foothold in an organisation’s business systems. FoxCERT is about to get a call. Strap in for the ride…