Blog

Informative, up-to-date and exciting – the Oneconsult Cybersecurity Blog.

Emergency Support During Cyberattacks – Incident Response Retainer (IRR)
Nadia Meichtry
Nadia Meichtry
|
16.07.2024
(updated on: 09.09.2024)

Cyberattacks, particularly those involving ransomware, are becoming more prevalent and pose a threat to companies of all sizes. Organizations must be able to respond quickly to minimize financial and reputational damage.

The question of whether a cyberattack will occur is no longer a matter of speculation; it is a matter of when. In light of this, it is imperative that companies prepare for such an event. However, many companies lack the necessary resources or technical expertise to operate their own security team 24/7. An Incident Response Retainer (IRR) is a valuable solution in this regard. An IRR provides companies with round-the-clock expertise and support, enabling them to respond quickly and effectively to a cyber incident.

The Importance of an Immediate Response to Cyberattacks

The prompt response to a cyberattack and the subsequent decisions are of paramount importance for the continued existence of the organization or a rapid and preferably loss-free return to normalcy. Expert assistance in handling and managing the incident is imperative. The experts possess the specialized know-how to implement appropriate immediate measures to contain the attack and to develop a strategy for restoring operations. The initial hours following an attack are of critical importance.

Evaluating Virus or EDR Alerts

When evaluating virus or EDR (Endpoint Detection & Response) alerts, it is of the utmost importance to act promptly and correctly. These alerts should be checked and processed by the security team in the first instance. However, it is possible that some may be overlooked or processed too late, particularly when analysts are experiencing high workloads. This phenomenon is known as “alert fatigue”.

The report must be evaluated properly in order to ascertain whether it is, in fact, an incident. Obtaining a second opinion from experts can assist in correctly categorizing alerts and identifying anomalies before the attack is in full swing. This allows for the prioritization and processing of alerts according to their criticality.

Errors When Responding to Cyberattacks

The probability of misjudgments and erroneous actions is particularly elevated during a cyber incident, particularly when a company’s employees are under pressure or panicking. For example, systems may be reinstalled while the attacker is still in the network, thereby reinfecting them. This also applies if infected backups that have not yet been checked for compromise are imported.

A comprehensive IT forensic analysis should therefore not be deemed superfluous. It can help identify Indicators of Compromise (IOCs) that can be blocked preventively. Furthermore, the analysis is of great importance for determining the initial entry point and the attack vector in order to be able to take further appropriate protective measures, in particular to avoid future reinfection.

In light of this, securing data is of the utmost importance. The later the specialists become involved, the greater the loss of data that would have been required for the analysis. For instance, the log files of a domain controller reach their maximum capacity in less than a day when the default settings for log file size are employed. As the systems continue to operate, the logs are simply overwritten, rendering older entries inaccessible. In some instances, it is therefore not possible to determine when the attack began, as the logs do not extend far enough in time. Consequently, there is a risk that systems may be reinfected at a later date, either because one of the infected systems was overlooked or because a system was not properly cleaned before being put back into operation.

In order to mitigate the impact of an attack and prevent further damage and losses, it is imperative to respond quickly and correctly. An effective Incident Response Plan (IRP) serves as a vital resource in this regard.

The Importance of an Incident Response Retainer

Many companies lack the necessary resources and expertise to respond adequately to cyber incidents. In the event of a cyberattack, external partners are therefore called upon for support.

However, without a prior contractual agreement, it can be challenging to identify a competent and qualified incident response team to provide support at short notice. The search for a suitable partner will take time, which will allow the attackers to cause further damage. The longer a company is unable to operate, the greater and more extensive the losses.

Therefore, it is particularly advantageous to choose a suitable partner and, in particular, an Incident Response Retainer. This will save valuable time and ensure that expert help is always available to process and investigate an incident.

Benefits of the Incident Response Retainer

An incident response retainer offers many advantages. At Oneconsult, you benefit from:

Your Case Takes Priority

In addition to the guarantee of available resources, the Incident Response Retainer provides the option to receive rapid round-the-clock support via an emergency number. From a simple second opinion on an anti-virus alert to a confirmed ransomware attack, Oneconsult’s Incident Response Team is there for you.

On-Site or Remote Support

The IT security incident can be attended to either remotely via a pre-defined means of communication, or on site. In the case of the latter, a contractual response time can be agreed upon for our Incident Response Team to arrive. This rapid response can significantly reduce the amount of time an attacker remains on the network, and therefore the amount of damage the incident can cause.

Incident Manager

In the event of an incident, one of our experts often assumes the role of Incident Manager, acting as a central point of contact. This ensures effective communication and efficient coordination of tasks, allowing for the consideration of all relevant information at each stage of the incident response process. It also ensures that all parties are aware of their responsibilities and that resources are allocated in a manner that is aligned with the incident’s requirements.

Forensic Analysis and “Lessons Learned”

In addition to the incident management, a comprehensive forensic analysis is conducted and documented to investigate the causes and reconstruct the course of events. The findings and further recommendations are presented in a report. Furthermore, a “lessons learned” meeting is held to reflect on the procedures and their results. This enables potential improvements to be identified and the processes to be adapted accordingly in order to avoid a repeat infection and to be prepared for any future attacks.

Tabletop Exercise

The Incident Response Retainer (IRR) includes a tabletop exercise in which a cyberattack is simulated and practiced. This allows the various processes and plans, for example an incident response plan, to be tested and improved upon. A list of the factors to be considered when creating an incident response plan has been compiled and is available here: The 7 Red Flags When Creating an Incident Response Plan (IRP).

Additional Services

Depending on the level of IRR selected, additional services are included. For example, a Digital Forensics & Incident Response Readiness Assessment is performed. This includes an evaluation of the organizational as well as technical measures that are in place to manage a security incident. It also provides recommendations on how to address any identified weaknesses. Also, training is provided on cybersecurity topics such as cyber threats, M365 & Azure AD attack scenarios, vulnerability management, and the analysis of malicious files, to name a few. In addition to our regular cybersecurity webinars, Oneconsult offers IRR-exclusive webinars as well. This means that you are kept up to date on cybersecurity, cyberattacks and how to defend against them. This allows you to continually improve your cyber resilience.

An Incident Response Retainer provides you with comprehensive security by giving you active expert support not only during an incident, but also before and after.

Conclusion

It is becoming increasingly evident that a cyberattack is a matter of when, rather than if. Consequently, it is of the utmost importance to be adequately prepared. However, this also requires the availability of the necessary resources. An Incident Response Retainer (IRR) provides a solution to this problem by enabling a rapid and effective response to a cyber emergency by ensuring the availability of expert support. This can help avoid or minimize the resulting damage.

Our Retainer offers comprehensive support from our team of digital forensics and incident response specialists, encompassing the entire incident management process, from preparedness to post-incident follow-up. Beyond the emergency assistance provided in the event of an incident, which includes the immediate initiation of measures, incident management, and IT forensic analysis, our services extend to facilitating post-incident learning and improvement. Our inclusive services, such as tabletop exercises and webinars, are designed to enhance preparedness for incidents, thereby strengthening an organization’s cyber resilience.

Are you interested in an Incident Response Retainer?
Nadia Meichtry

Autor

Nadia Meichtry studied forensics at the University of Lausanne, holds the GCFA, GREM, GDAT, GRID and OPST certifications, and joined Oneconsult in 2020 as a Digital Forensics and Incident Response Specialist.

LinkedIn

Don’t miss anything! Subscribe to our free newsletter.

Your security is our top priority – our specialists provide you with professional support.

Availability Monday to Friday 8:00 a.m. – 6:00 p.m (exception: customers with SLA – please call the 24/7 IRR emergency number).

Private individuals please contact your trusted IT service provider or the local police station.

For more information about our DFIR services here:

QR_CSIRT_2022_EN@2x
Add CSIRT to contacts