Cybercrime continues with undiminished intensity, and cyber-attacks are increasing worldwide. Cyber-attacks have been established as a state-level weapon, including the new “Country Extortion” ransomware method and hacktivism linked to government issues.
The war in Ukraine also plays an important role in increasing the extent and intensity of cyber-attacks. Many countries friendly to Ukraine have recently been targeted by cyber-attacks.
Ransomware is now a multidimensional ecosystem, while at the same time cybercriminal groups have become more structured and operate with a specific framework and plan, hitting specific targets.
ADACOM, anticipating these developments, created a Cyber-attack Emergency Response Team (CERT) which specializes in providing incident response and investigation services. It consists of experienced engineers and analysts who are on the front line of dealing with cyber-attacks. The team has in-depth knowledge of existing and newly emerging threat actors, as well as their rapidly changing tactics and techniques.
The team combines high expertise and experience, which has been gained through continuous training and multi-year investigation of hundreds of security incidents using machine learning and artificial intelligence mechanisms at all levels: endpoint devices, network, industrial control systems, users and cloud services.
The CERT provides support in all aspects of cyber-attack management — from technical analysis and investigation to legal and communications support if required. Our goal is to help organizations respond immediately and effectively, and return to their business activity as quickly as possible and at the least possible cost.
The use of analysis and investigation services through cloud and on-premise solutions allows our team to start the investigation immediately, as soon as we are informed of a cyber-attack. Within a few hours of its activation, our engineers will deploy the technological solutions needed to analyze network traffic and security events from all endpoint devices.
The Threat Intelligence Service enriches the investigation with information on threats and gives us visibility into the attack surface and the point from which the attack started, as well as information on the techniques and procedures followed by the attacker (Tactics, Techniques and Procedures, TTPs).
Our executives holistically manage each cyber-attack and our response services extend beyond technical investigation, containment and recovery to comprehensive crisis management including legal/regulatory support and communication policy that may need to be followed depending on the incident.
The methodology adopted by our company is based on international standards such as ISO/IEC 27035 and NIST SP 800-61, “Computer Security Incident Handling Guide”, as well as best practices from international organizations such as ENISA and the various manufacturers we work with.
During the investigation, our engineers find:
- Affected applications, networks, systems, and user accounts
- Vulnerabilities exploited by the attacker
- Data leakage
This methodology is divided into four (4) phases:
- Preparation
- Analysis and verification
- Limitation, elimination, and recovery
- Reporting and conclusions
Phase 1: Preparation
During the first phase, our company designs the incident response plan which includes the engagement teams, the communication plan, the crisis management building and room, the crisis management plan, the equipment, the investigation services required, etc.
In addition, we develop the necessary security incident response and management policies and procedures, such as:
- Security Incident Management Organizational Structure
- Security Incident Management Policy
- Security Incident Management Process
- Playbooks for the management of the main cyber attacks:
  - Malware Playbook
  - Ransomware Playbook
  - Phishing Playbook
  - DoS/DDoS Playbook
  - Data Leakage Playbook, etc.
- Hardening guides of customer’s infrastructure
- Annual Attack Emulations
Phase 2: Analysis and verification
Our engineers then deploy the technological solutions and services required to investigate the incident, so that our analysts can proceed with the in-depth investigation through the Security Operation Center (SOC), while simultaneously examining the system log files to detect the malicious activities of cybercriminals and all Indicators of Compromise (IoCs).
Our analysts, using machine learning and artificial intelligence mechanisms, will fully investigate the actions taken by the attacker to determine the initial entry point, the malicious actions, and the extent of the incident. The following actions are indicated as examples:
- Analysis of network traffic and security events from endpoint devices in real time 24×7
- Forensics Analysis
- Malware analysis
- Legal and regulatory support
- Communication support
- Actions to contain the security incident, etc.
Finally, the main response plan is determined, which our engineers will follow for containment, elimination, and restoration.
Phase 3: Limitation, elimination, and recovery
The purpose of this phase is to regain control of the situation as soon as possible and to reduce the extent of the damage that may have been caused to the company’s information systems. Our engineers will perform the necessary actions:
- Isolation of compromised information systems
- Elimination of the incident. Depending on the nature and scope of the incident, this may include resetting passwords, repairing vulnerabilities, deleting malicious files, collecting evidence as required by national authorities, etc.
- Cooperation with national authorities
- Restoring the operation of information systems
- Performing checks and tests for proper operation
Phase 4: Reporting and conclusions
During the last phase, our consultants will prepare the incident report which will include:
- Executive Summary. It includes the summary of the main points of the investigation, the schedule, the investigation actions, the significant findings and finally the containment, elimination, and remediation actions.
- Full investigation description. It includes the full description of the investigation, such as entry point(s), malicious actions, affected systems and accounts, any leaked information, etc.
- Remedial measures. It includes containment/elimination measures taken, remedial actions, recommendations to improve the organization’s safety and resilience, useful conclusions, etc.
The main advantages of our company are:
- Many years of experience and know-how. Our company has certified executives with many years of experience and know-how, having investigated some of the biggest cyber-attacks at national and international level.
- Intelligent Threat Analysis Services. To investigate incidents, our company uses an intelligent threat analysis service, which helps identify the attack surface, leaked information, attacker tactics, techniques, and actions.
- Next-generation solutions and services. Our engineers are able to implement large-scale services and technology solutions using machine learning and artificial intelligence mechanisms to immediately initiate response operations. Our solutions and services from international manufacturers allow us to fully analyze network traffic and security events on endpoint devices running every major operating system: Microsoft Windows, Linux and macOS.
- Crisis management. Our executives have years of experience in holistic crisis management including technical analysis and response, media communications, legal and regulatory obligations, etc.
- Malware analysis. Our engineers are able to analyze any malware through reverse engineering, by developing the appropriate decoders and analyzers to identify the attacker’s tactics and techniques.
- Response to every incident 24×7. Our company undertakes to investigate each incident 24×7 and perform the necessary analysis, containment, elimination, and remediation actions using artificial intelligence and machine learning mechanisms.