Incident Response Team
The Incident Response Team is a "first aid" service that supports your company in the event of a cyber incident. Our analysts, with specific expertise in incident response, are operational 24 hours a day, 7 days a week, and can take quick action to stop an attack and get you back up and running. In accordance with EU Regulation 2016/679 (GDPR), Legislative Decree 231/01 and the Code of Ethics, they manage the security incident according to the NIST guidelines, coordinating all the actors involved in the process (e.g. the DPO, the system integrator, the suppliers of the security solutions in use) and also providing support for any legal obligations.
The Incident Response Team service can be activated at any time, even when the attack is in progress or has already ended; however, it is always advisable to act in advance, even when there is no evidence of an imminent attack.
A vulnerability scanner scans systems for listening services and installed software to check for vulnerabilities.
The reports are analyzed and a specific priority is assigned to each vulnerability.
Each vulnerability, together with a mitigation request, is communicated and assigned to the manager of the affected system.
This may seem an unnecessary step once the incident has been resolved, but it improves security and resilience against future attacks.
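The prioritization step described above (scanner findings analysed, a priority assigned to each, and mitigation requests routed to the system owners) can be illustrated with a small triage script. This is an added example and not Safecore's own tooling; the report layout, the asset inventory, the scoring weights, the priority thresholds and the SLA targets are all constructed assumptions, and the CVE identifiers are placeholders.

```python
"""Added illustration, not Safecore's own tooling: triage exported scanner
findings, assign each a priority, and group remediation requests by the
owner of the affected system. Report layout, asset inventory, weights and
thresholds are constructed assumptions; CVE ids are placeholders."""
from collections import defaultdict

# Constructed scanner export: one record per (host, service, finding).
SCAN_REPORT = [
    {"host": "erp01", "service": "https/443", "cve": "CVE-PLACEHOLDER-1",
     "cvss": 9.8, "exploit_public": True},
    {"host": "web01", "service": "http/80", "cve": "CVE-PLACEHOLDER-2",
     "cvss": 7.5, "exploit_public": False},
    {"host": "lab03", "service": "ssh/22", "cve": "CVE-PLACEHOLDER-3",
     "cvss": 5.3, "exploit_public": False},
    {"host": "ghost7", "service": "smb/445", "cve": "CVE-PLACEHOLDER-4",
     "cvss": 6.0, "exploit_public": True},  # host missing from inventory
]

# Constructed asset inventory, the kind built during the Preparation phase.
ASSETS = {
    "erp01": {"owner": "erp-team", "criticality": "high",
              "internet_facing": False, "personal_data": True},
    "web01": {"owner": "web-team", "criticality": "medium",
              "internet_facing": True, "personal_data": False},
    "lab03": {"owner": "lab-team", "criticality": "low",
              "internet_facing": False, "personal_data": False},
}

CRITICALITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}  # assumed remediation targets


def risk_score(finding, asset):
    """Combine technical severity (CVSS) with the business context of the asset."""
    score = finding["cvss"] * CRITICALITY_WEIGHT[asset["criticality"]]
    if asset["internet_facing"]:
        score *= 1.5          # reachable by anyone on the Internet
    if finding["exploit_public"]:
        score *= 1.5          # exploitation is cheap for an attacker
    if asset["personal_data"]:
        score += 5            # GDPR breach exposure if compromised
    return round(score, 1)


def priority_for(score):
    if score >= 30:
        return "P1"
    if score >= 18:
        return "P2"
    if score >= 8:
        return "P3"
    return "P4"


def triage(report, assets):
    """Return one remediation request per finding, unknown hosts included."""
    requests = []
    for finding in report:
        asset = assets.get(finding["host"])
        if asset is None:
            # A vulnerable host nobody owns is itself a gap: route it to the
            # inventory owner at P2 rather than silently dropping it.
            requests.append({**finding, "owner": "asset-inventory",
                             "score": None, "priority": "P2",
                             "sla_days": SLA_DAYS["P2"],
                             "note": "host not in asset inventory"})
            continue
        score = risk_score(finding, asset)
        prio = priority_for(score)
        requests.append({**finding, "owner": asset["owner"], "score": score,
                         "priority": prio, "sla_days": SLA_DAYS[prio]})
    return requests


def by_owner(requests):
    """Group requests so each system manager receives only their items, P1 first."""
    grouped = defaultdict(list)
    for req in sorted(requests, key=lambda r: r["priority"]):
        grouped[req["owner"]].append(req)
    return dict(grouped)


if __name__ == "__main__":
    for owner, items in by_owner(triage(SCAN_REPORT, ASSETS)).items():
        print(owner)
        for it in items:
            print(f"  {it['priority']} {it['host']} {it['service']} {it['cve']} "
                  f"(due in {it['sla_days']} days)")
```

The point of the asset inventory lookup is that a raw CVSS score alone does not tell you where to start: the same finding on an internet-facing system that stores personal data ranks far above an identical one in an isolated lab, and a host that is not in the inventory at all is escalated rather than ignored.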

The 4 phases of the Incident Response Team service
PREPARATION: this phase involves the analysis of critical assets and the establishment of priorities, both from an operational point of view and with regard to the protection of personal data. A series of processes and procedures are put in place that allow you to monitor normal activity and detect an incident in the shortest possible time. An incident response plan is drafted describing the procedures to be followed for the most probable incidents; roles, communication methods and the analysis tools to be used in the event of an incident are also established within it.
ANALYSIS AND DETECTION: in this phase the incident is detected and the Safecore experts intervene to analyze the evidence and discover the possible attack vector. The logs of the devices involved are analysed, and a series of evaluations determine what actions to take in the following phases.
CONTAINMENT, ERADICATION AND RECOVERY: this phase requires rapid and precise interventions to block the attack, contain it and restore operations in the shortest possible time. This activity essentially involves the remediation of the systems and the return to normal operations.
POST-INCIDENT ACTIVITY, also known as "lessons learned", is a very important step: in addition to the preparation of reports that explain how the attack occurred, it includes a series of activities that analyze the incident in detail, how it was managed and what improvements can be made to the incident handling process and the incident response plan.
Why Incident Response Team
“If you need a doctor, call 118”, “in case of fire, do not use the lift”: we all know these rules.
Even if the probability of being in one of these situations is, fortunately, relatively low, we know exactly how to behave: that is, we have an emergency plan.
Cyber security incidents also require an emergency plan to restore business operations as soon as possible; it is therefore desirable that consolidated procedures for managing computer incidents already exist in the company.
In any case, as with any emergency, the main objective is to react quickly, as every minute is precious to mitigate the negative impacts (operational, financial, reputational) that the incident could have on the business.
How the Incident Response Team works
First we evaluate the situation to understand whether the attack has ended or not. In the event that the attack is still in progress, we evaluate, in synergy with the customer, a containment strategy to limit any compromise of data and services.
In close collaboration with management, we analyze the impact on general operations and in detail the short-term impact on the activities and services affected by the attack. Finally we establish the priorities of the critical processes, we plan the recovery actions and the most suitable operating methods for the circumstance.
The experts, together with your Data Protection Officer (DPO), carry out an investigation to understand whether any personal data has been breached. If necessary, they provide support to fulfil promptly and correctly all the obligations required by the GDPR.
In this phase we collect all the information useful to understand the attack vector and the vulnerabilities exploited, the so-called lateral movements, privilege escalation and more. To do this we collect the network logs and those of the devices involved (e.g. endpoints, Active Directory, ERP, etc.). If necessary, we produce forensic copies of compromised systems or preserve logs useful for reconstructing what happened through further in-depth analysis. We identify the hosts from which the attacks originated and the possible communication channels, analyze the activity status and secure the uncompromised parts of the infrastructure.
Once the compromised resources have been identified, a forensic analysis is conducted if necessary, studying the indicators of compromise (IoC) in order to accurately reconstruct the history and the tools used to carry out the attack. We also prepare reports with all the results that can be useful for the recovery and "lessons learned" phases.
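To make the log-analysis step concrete (collected logs run against indicators of compromise, attack-origin hosts identified, lateral-movement patterns spotted), here is a small defender-side script. It is an added example and not Safecore's own tooling; the key=value log format, the IoC values, the IP addresses and the administrative-port list are constructed placeholders, and the fan-out threshold is an assumption.

```python
"""Added illustration, not Safecore's own tooling: run indicators of
compromise (IoC) over collected firewall/proxy logs, flag internal hosts
that talk to known-bad destinations, and spot a source host fanning out
over administrative ports (a lateral-movement pattern). Log format,
IoC values and addresses are constructed placeholders."""
import ipaddress
from collections import defaultdict

# Constructed log lines in a simple key=value export.
LOG_LINES = [
    "2024-05-02T08:01:12Z dev=fw src=10.0.5.23 dst=203.0.113.45 dport=443 action=allow",
    "2024-05-02T08:02:40Z dev=fw src=10.0.5.23 dst=10.0.7.10 dport=445 action=allow",
    "2024-05-02T08:02:41Z dev=fw src=10.0.5.23 dst=10.0.7.11 dport=445 action=allow",
    "2024-05-02T08:02:42Z dev=fw src=10.0.5.23 dst=10.0.7.12 dport=3389 action=allow",
    "2024-05-02T08:05:00Z dev=fw src=10.0.9.8 dst=198.51.100.7 dport=80 action=allow",
    "2024-05-02T08:06:13Z dev=proxy src=10.0.2.4 host=bad.example dport=443 action=allow",
    "this line is malformed and must not crash the run",
]

# Placeholder IoCs (not real indicators) and assumed administrative ports.
IOCS = {"ip": {"203.0.113.45"}, "domain": {"bad.example"}}
ADMIN_PORTS = {22, 445, 3389, 5985}
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Return a dict of fields for a key=value line, or None if it does not fit."""
    parts = line.split()
    if len(parts) < 2 or "=" not in parts[1]:
        return None
    record = {"ts": parts[0]}
    for token in parts[1:]:
        key, sep, value = token.partition("=")
        if not sep:
            return None
        record[key] = value
    return record


def is_internal(ip_text):
    """True only for addresses inside our assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def ioc_hits(lines, iocs):
    """Events whose destination IP or hostname matches a known indicator."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec.get("dst") in iocs["ip"]:
            hits.append({"ts": rec["ts"], "src": rec["src"], "ioc": rec["dst"], "kind": "ip"})
        elif rec.get("host") in iocs["domain"]:
            hits.append({"ts": rec["ts"], "src": rec["src"], "ioc": rec["host"], "kind": "domain"})
    return hits


def lateral_candidates(lines, min_targets=3):
    """Sources reaching at least min_targets distinct internal hosts on admin ports."""
    fanout = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or "dst" not in rec:
            continue
        try:
            port = int(rec.get("dport", ""))
        except ValueError:
            continue
        if port in ADMIN_PORTS and is_internal(rec["dst"]):
            fanout[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in fanout.items() if len(dsts) >= min_targets}


def hosts_to_contain(lines, iocs):
    """Internal hosts to prioritise for containment and forensic imaging."""
    suspects = {h["src"] for h in ioc_hits(lines, iocs)} | set(lateral_candidates(lines))
    return sorted(s for s in suspects if is_internal(s))


if __name__ == "__main__":
    for h in ioc_hits(LOG_LINES, IOCS):
        print(f"{h['ts']} {h['src']} -> {h['ioc']} ({h['kind']} IoC)")
    for src, dsts in lateral_candidates(LOG_LINES).items():
        print(f"{src} fanned out to {len(dsts)} internal hosts on admin ports: {dsts}")
    print("contain:", hosts_to_contain(LOG_LINES, IOCS))
```

Two design points matter in practice: the parser tolerates malformed lines instead of aborting the whole run, since collected logs are rarely clean, and the internal-range check uses an explicit list of networks rather than a generic "private address" test, so that addresses from documentation ranges in constructed or third-party data are not mistaken for your own hosts.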