  • Emergency Response: If you are under attack, or think you might be, call us. We can remotely deploy and start fighting back within minutes.
  • Managed Detection & Response (MDR): Bring the latest expertise, technology, and telemetry for attack detection and response to your organization, without the overhead of managing it.
  • Threat Hunting Consultancy: It can take up to three years to build an internal threat hunting capability. We can defend your organization while training and developing your team to battle the evolving threat landscape.

Accredited by CREST for Cyber Security Incident Response, and by the NCSC for responding to incidents of ‘national significance’, Countercept delivers effective response to advanced attacks on complex and enterprise networks.

Call us now for:

  • Remote deployment in minutes
  • Complete visibility within four hours
  • Full coverage of your estate to track an attacker’s movements
  • A communication portal for real-time updates and collaboration

Call a local hotline

Americas: Call +1 (917) 341-2116

Europe: Call +44 (0) 333 311 0014

Africa: Call +27 (10) 500-1921

APAC: Call +65 3159 1795

or email us: incidents@countercept.com

What to do during an incident


01
Identify useful sources of data

To support a good and effective response, the first action (after calling us) should be to identify which sources of data will be most useful: logs (e.g. web proxy, email server, application, VPN authentication, endpoint and directory authentication) and network flow data from firewalls and other network devices.

02
Determine where the data are stored

On endpoints and appliances? Centrally aggregated (SIEM, etc.)? Or a combination of both?

03
Consider what you won’t have tomorrow

Logs and other potentially useful data captured from networks are transient, and may be lost as time passes (rotation, retention limits) or because of user actions. Check and increase log storage limits; you want to keep captured data for as long as possible. Some data may be forwarded to an aggregation point (SIEM, syslog collector) but discarded there because of filtering or retention configuration; review that configuration as well. Increase logging levels where possible (for example, command-line and process-creation auditing, authentication success as well as failure) and gather as much potentially useful data as is realistic.

04
Preserve artefacts

It is tempting to “have a quick look”, but any action on a suspect host risks changing or destroying artefacts that are valuable to an investigation. Do not switch off potentially infected endpoints; instead, disconnect them from the network (unplug the cable or disable the interface). The contents of memory (running processes, network connections, injected code, decrypted payloads) may be essential during the investigation and are lost on power-off.

05
Use alternative communications

Keep communications related to the incident away from the potentially compromised network: the attackers may be reading email, collaboration platforms (SharePoint, Confluence, etc.), helpdesk ticketing systems, and so on. Use out-of-band channels (personal phones, a separate conferencing tenant, the responder’s communication portal) for everything about the response.
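The following script is an added example, not Countercept’s tooling, of what a first responder can safely do between steps 01 and 04 above: capture the volatile state the page says you will not have tomorrow (logged-in users, processes, connections, routes) to an evidence directory, hash everything so later handling can be verified, and only then isolate the host from the network without powering it off. It assumes a POSIX shell, a coreutils-style sha256sum (or Perl shasum or openssl as fallbacks) and that any listed command missing on the host is skipped rather than fatal; the file names and the command list are the example’s own choices.

```shell
#!/bin/sh
# Volatile-data capture for a suspect Unix host (added example; not from the page).
# Run AFTER the incident hotline has been called and BEFORE the host is
# disconnected or powered off. Point it at evidence storage that is not the
# suspect disk (mounted USB, network share), e.g.:
#   sh volatile_capture.sh /mnt/evidence/HOST01-case01
# Assumptions: POSIX sh; commands absent on this host are skipped and noted.

# Commands whose output lives only in memory, roughly in order of volatility.
# One entry per line: "<output file>|<command line>" (hypothetical list).
VOLATILE_COMMANDS='
date.txt|date -u
uname.txt|uname -a
id.txt|id
uptime.txt|uptime
who.txt|who
ps.txt|ps -ef
ss.txt|ss -tulpan
netstat.txt|netstat -an
ip_addr.txt|ip addr
ifconfig.txt|ifconfig -a
route.txt|ip route
arp.txt|ip neigh
mount.txt|mount
lsof.txt|lsof -nP
'

# Print the SHA-256 of a file using whichever hashing tool is installed.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | cut -d' ' -f1
  elif command -v openssl >/dev/null 2>&1; then
    openssl dgst -sha256 "$1" | sed 's/^.*= //'
  else
    echo "NO-HASH-TOOL-AVAILABLE"
  fi
}

# Collect volatile data into $1, write a hash manifest, print the manifest path.
collect_volatile() {
  evdir="$1"
  mkdir -p "$evdir" || return 1
  manifest="$evdir/manifest.sha256"
  : > "$manifest"
  # Who collected, when, and on which host: the start of the chain of custody.
  {
    echo "collector_uid=$(id -u)"
    echo "collected_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    echo "hostname=$(uname -n)"
  } > "$evdir/collection_info.txt"
  printf '%s\n' "$VOLATILE_COMMANDS" | while IFS='|' read -r outfile cmdline; do
    [ -n "$outfile" ] || continue
    tool=${cmdline%% *}
    if ! command -v "$tool" >/dev/null 2>&1; then
      echo "skipped (not installed): $cmdline" >> "$evdir/skipped.txt"
      continue
    fi
    # Keep stderr too: a failing command is itself a finding worth recording.
    sh -c "$cmdline" > "$evdir/$outfile" 2>&1 || true
  done
  # Hash every captured file so any later change to the evidence is detectable.
  for f in "$evdir"/*; do
    case "$f" in */manifest.sha256) continue ;; esac
    echo "$(sha256_of "$f")  $(basename "$f")" >> "$manifest"
  done
  echo "$manifest"
}

# Only run the capture when a target directory is given on the command line.
if [ "$#" -gt 0 ]; then
  collect_volatile "$1"
  echo "Capture complete. Next: disconnect the network cable or disable the interface."
  echo "Do NOT power off: memory is still evidence; the responders will image it."
fi
```

Keep the script itself on the evidence media rather than on the suspect host, and copy the manifest to a second location (or read its hashes out over the phone to the responder) so that the record of what was captured does not depend on the host you are about to isolate.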

What not to do during an incident


01
Run AV

Antivirus scans modify the file system: quarantining or deleting malware destroys the file and the metadata (timestamps, ownership, location on disk) that are crucial to an investigation. Moreover, AV products often retain little or no logging about what they found, where it was, and when it was put there.

02
Patching systems and fixing bugs

When you find something unpatched on your internet-facing website or on an internal server in the middle of an incident, remediating it immediately destroys the environment that was the scene of the crime. That makes it much harder to answer questions about which data were at risk and how much of your estate was exposed. Record the finding, preserve the system’s state, and patch in coordination with the responders.

03
Pull the plug

Most of the information you will need to answer questions about an attack resides only in live system memory: running processes, network connections, injected code, decrypted payloads and keys. Powering off discards it, and without it many questions will be difficult for the incident responders to answer. Isolate the host from the network instead.

04
Moving or copying malware

Copying or moving a sample loses important information about where the malware originated, including its original path and date and time stamps, and does so while the still-active attacker watches the IT team attempt to work out what happened.

05
Uploading malware to Virus Total

When you upload malware to this and other sandbox services, the file becomes available for other subscribers of that platform to download, tipping off the world as to what malware was active on your systems. Attackers routinely check whether their malware has appeared on VirusTotal as an early warning that you are on to them. If you need to know whether a file is already known, search by its hash rather than uploading it: a hash lookup returns any existing report without submitting the sample.

06
Immediately blocking C2 channels

Blocking Command and Control (C2) channels is an important part of incident containment; however, it must be done at the right time. Blocking C2 prematurely risks alerting the attackers, causing them to change their behavior, to stand up new channels in increasingly obscure ways, or to turn destructive. That makes it harder for incident response to get ahead of the attack. Monitor the channels first, map every foothold that uses them, and block them all at once as part of a planned containment.

07
The “just rebuild it” approach

When you rebuild a system, you lose almost all data about the attack, and you will probably reintroduce the weakness that got it compromised in the first place. In the middle of a major incident, any system about to be rebuilt is worth preserving first (disk image, memory capture) in case an investigation is needed.

08
Delete the logs

Operations teams will often help carry out instructions to move large amounts of data around for analysis. When space is limited, these teams tend to delete what they believe to be valueless data, such as logs. In fact, logs are exceptionally valuable to the incident investigation. Make sure your security and operations teams have first-responder training so that valuable data are not lost.

09
“It must be an insider!” 

If the security team decides it must be an insider, then the administrators and managers of the compromised systems, the people who know how those systems work and what might have happened, become the suspects. Being on the wrong side of these individuals can obstruct an efficient investigation. Be observant and keep an open mind, but keep your internal teams on-side until you have the full picture.

10
Assuming the best

By far the most common mistake security and response teams make is assuming the attacker did not use their access to move laterally towards their goal. Unless you have caught an incident early, at the point of entry, assume the worst: look at what an attacker could have done with the credentials and access they obtained, and where they could have moved.

Cyber Security Incident Response accreditation by CREST is awarded annually and by application only. CREST is a not-for-profit organization that serves the needs of the technical information security marketplace by providing assurance for security procurement.