INCIDENT RESPONSE & FORENSICS

1 – NES SOC

In charge of incident detection and qualification.

2 – NES CSIRT

Steering of efficient action plans and implementation of organizational and technological corrective actions until incident resolution.
Incident Response : Proportional and quick reaction

3 – FORENSIC ANALYSIS

NES provides an agile and adapted intervention and investigation Task Force

Sequencing of an Intervention

Prior to the incident

Specific organisation adapted to your information system's criticality level

  • Organization equipped with decision powers :
    • Decision qualification, justification and arbitration
    • How will the decision be audited later on ?
  • Transverse organisation : Legal, ISS, infrastructure, marketing, public relations, CFO …
  • Harmonization and systematization of incident handling by the activated functions, according to the criticality level of the impacted IS

Implementation of tailored set of tools

  • Skillset : Organizational skills of formalization, steering, facilitation, and communication, mastery of procedures and tools. Mastery of the client’s environment.
  • Toolset : Detection and reaction toolset, initiation / escalation / arbitration / investigation cessation process

Comprehension of the environments, definition of the “Initial posture” of the company, and determination of the SLAs in coherence with business-specific requirements

Testing of the crisis processes to verify the efficiency of the organization and tools

Setting of a comprehensive incident response convention including : global approach, the context and the means made available to the cross-functional team

Only people with a need to know must be integrated into the reaction cell, to preserve confidentiality

After the incident

  • Observation : Use of tools to detect a deviation from the initial posture, or from a stable state, on :
    • The network
    • Systems
    • Applications
    • The company / corporation / organization
  • Orientation : Use of analytical tools to determine what is going on, taking into account contextual information :
    • Company in an M&A / IPO process
    • Opening of the Enterprise Network to new partners
    • The company is going to lay off employees / is being restructured
    • Geo-political news
    • New malware available on the market
    • New laws or regulations
  • Decision : Strategic, tactical, rational and reliable posture to empower the previously designated operational teams
  • Action : Use of the CxO-provided mandate to implement the chosen solution and actions through technological means on impacted systems
    • An action record must be kept, in order to evaluate the actions in terms of efficiency and legitimacy

Forensic Analysis

NES implements forensic tools to determine the proof of intrusion. Who has done what and when – on what system ?

The approach :
  • Precautions taken during the acquisition of proof on equipment, disks and media, to make it irrefutable in front of legal authorities
  • Labelling
  • Configuration and media copies on which the investigation is performed, through a procedure guaranteeing proof integrity. This approach must be supervised by witnesses or a court bailiff / law enforcement agent
  • Placement of seals on the equipment and placement in a safe, with assistance from a court bailiff / law enforcement agent
  • Collection of proof elements through specialized and tried tools
  • Writing of a report on the observations which were performed
  • Assistance in determining the next steps : lawsuit …

Examples of interventions

Leakage / exfiltration of data on the internet

Cyber terrorism (Cryptolocker)

Loss of a critical file

Threat on employees, blackmail

Litigation within the company

Malware, ransomware

Loss of a business deal through economic intelligence / spying

Our team is ready to help you