
Do you know our Incident Response and Digital Forensic Analysis services, based on NIST CSF?
Iñigo Ladrón Morales
At Zerolynx we are experts in professional cybersecurity services for companies, specifically in corporate security, corporate cybersecurity, corporate intelligence, corporate cyberintelligence and asset security.
Our services are aligned with the most important and widely recognized international cybersecurity recommendations, frameworks and standards. For this reason, our entire offering is based on the framework of NIST (the United States National Institute of Standards and Technology) and, specifically, on the cybersecurity framework it proposes, known as the NIST Cybersecurity Framework (NIST CSF).
Thus, the Zerolynx offering is articulated through a wide range of professional services that match each of the six functions of the NIST CSF:
- Identify.
- Protect.
- Detect.
- Respond.
- Recover.
- Govern.
In this article we will focus on Zerolynx's service offering aimed at incident response and digital forensics.
The objective of response services is to deal with adverse situations such as cyberattacks or any other type of cyber incident. The key is not only to notice in time and act, but to respond to the problem:
- In time (acting as quickly as possible, before the situation escalates, before the impact and effects grow, or before a point is reached where an irrecoverable disaster occurs).
- In form (using the most appropriate, effective and efficient mechanisms, acting according to the type of situation that occurs, the type of threat, risk or attack, the elements affected and the probable impact).
Ultimately, the response consists of containing the threat as soon as possible and in the best possible way, depending on the type of threat in question and what it may entail. Something that is, a priori, banal, but not trivial for non-expert personnel.
Furthermore, the term “response” may have other meanings and imply additional concepts. According to the RAE (Royal Spanish Academy), it can mean:
- “Satisfaction with a question, doubt or difficulty”.
- “Reply…”.
- “Reply, refutation...”.
- “Action with which someone corresponds…”.
- “Effect intended to be achieved with an action”.
- “Offensive action taken after parrying an attack”. This, perhaps, is the most appropriate to the situation in which we find ourselves, where we could qualify it as: “Offensive action executed after having stopped a CYBERattack”.
In summary, some of the terms that define a response are:
- Act (act offensively).
- Stop / halt.
- Reply (refute, reject).
- Solve.
- Answer.
Thus, incident response (cyber incident response) could be defined as the activity of acting, in a timely manner, to stop, reject, resolve or solve and respond to a threat (cyberthreat) that we know has already materialized.
As we can see, it is not a single independent and isolated task, but rather a cycle of activities, interdependent and chained in time.
Each of them requires specific specialization and activity times within its corresponding cycle. Furthermore, we must be aware at all times of the phase of the response in which we find ourselves (imminent detection, preliminary or definitive actions, the process of stopping or rejecting the attack, resolution of the incident and its effects, or the response against said attack, or “attack on attack”) in order to act appropriately.
For this reason, it is vital to have experts in the field. It is not a matter of “trying to give an answer, no matter what”; that leads nowhere and only generates more problems. It is about giving a concrete, exact, tailored response, with knowledge, capacity and experience, in an intelligent, coordinated and professional manner, according to the dangerousness of the situation, its risks, the elements affected, the possible impact and even the collateral effects derived from it.
This is why expert advice and work are necessary to contain and respond as one should and as is expected. Experience in this type of situation avoids “headless chicken” moments, pardon the expression.
In the case of a bank robbery, would you be able to act as the intermediaries who analyze the situation, negotiate, manage to arrest the robbers, resolve the situation and respond to the criminals... and all this in due time and cadence, taking the necessary steps at every moment? Well, the same applies in the case of a digital security incident (cyber incident).
For this, the expert teams at Zerolynx are at your disposal, providing knowledge, experience and professional advice, responding, and carrying out a forensic analysis once everything is over so that it does not happen again (including forensic experts, court-appointed experts, etc., in line with what is dictated by Article 340 of the Civil Procedure Law 1/2000).
Our work contributes both in the response and in the later forensic analysis. In the initial moment, containment is the key: the sooner the better, and in the best possible way. Furthermore, it is very important to collect the evidence that exists at that time, since it is likely to disappear later.
Thus, we contain the attack / cyberattack or incident / cyber incident while at the same time analyzing the situation through forensic techniques that allow us to collect the evidence of the situation as it should be done, so that it is valid and can be used in administrative, legal and even judicial proceedings: preservation of evidence and maintenance of the chain of custody of the evidence collected.
“Experience is the mother of science” and, likewise, having suffered an incident can help us through the lessons learned, which are of vital importance. It is with them that we must strengthen ourselves and build better processes, systems and defense, detection and response mechanisms for future occasions (response plan).
But how do these types of services work, and how are they provided? How do we offer them at Zerolynx so that they are as effective, efficient and beneficial as possible for your business or company?
We know that each company is a world of its own, with different sectors of activity, different portfolios of services and/or products, and different needs, objectives and strategies.
For that reason we adapt to your company, whatever its type, objectives and needs, offering response services fully personalized to each situation.
Thus, when providing this type of service, we establish several steps in our work:
- We analyze the situation in detail, reviewing the scenario and its surroundings, the assets, elements and personnel affected (both internal and external: suppliers, subcontractors or third parties, for example) and any background information, if it exists.
- With the objective of recording the incident, being able to act, and being able to carry out forensic activities on everything that happened and anything that may be related to it, we collect the evidence, applying the mechanisms necessary to guarantee the chain of custody, and we generate a documentary record with all the information.
- What matters is the information we can extract from the evidence collected; for this we use different cutting-edge forensic technologies and techniques, taking special care to guarantee the integrity of that information and its non-repudiation.
- Based on the UNE 71506 standard, we analyze all the information collected.
- With all of this we are in a position to prepare and issue a detailed expert forensic report (in accordance with what is stipulated in the UNE 197001 standard) on what happened and the actions carried out to stop and respond to it.
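As an added illustration of the evidence-collection, chain-of-custody and integrity steps above (example code, not Zerolynx's own tooling or procedure), the following Python hashes each evidence item at acquisition with SHA-256, records every hand-over in a hash-chained custody log, and lets both the item and the log be re-verified later. The evidence bytes, item ids, handler names and timestamps are constructed sample values.

```python
"""Chain-of-custody manifest with SHA-256 integrity checks.

Added illustration for the evidence-collection steps above; this is not
Zerolynx's tooling. Each evidence item is hashed at acquisition, each
hand-over is appended to a hash-chained custody log, and both the item and
the log can be re-verified later. All evidence, ids, handler names and
timestamps below are constructed sample values.
"""
import hashlib
import json
from dataclasses import dataclass, field, asdict


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string (the item's fingerprint)."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceItem:
    item_id: str          # constructed label, e.g. "EV-001"
    description: str
    size: int
    sha256: str           # digest taken at acquisition; never updated
    acquired_at: str      # ISO-8601 timestamp supplied by the analyst
    acquired_by: str
    custody_log: list = field(default_factory=list)


def _append_event(item: EvidenceItem, when: str, handler: str, action: str) -> None:
    """Append a custody event whose hash covers the previous event's hash,
    so editing, reordering or dropping an earlier entry breaks every later one."""
    prev = item.custody_log[-1]["event_hash"] if item.custody_log else item.sha256
    event = {"when": when, "handler": handler, "action": action, "prev": prev}
    event["event_hash"] = sha256_hex(json.dumps(event, sort_keys=True).encode())
    item.custody_log.append(event)


def acquire(item_id: str, description: str, data: bytes, when: str, handler: str) -> EvidenceItem:
    """Register an evidence item: hash it and open its custody log."""
    item = EvidenceItem(item_id, description, len(data), sha256_hex(data), when, handler)
    _append_event(item, when, handler, "acquired")
    return item


def transfer(item: EvidenceItem, when: str, from_handler: str, to_handler: str) -> None:
    """Record a hand-over between analysts, a lab or legal counsel."""
    _append_event(item, when, to_handler, f"received from {from_handler}")


def verify_item(item: EvidenceItem, data_now: bytes) -> bool:
    """True if the item as it exists now still matches the acquisition digest."""
    return sha256_hex(data_now) == item.sha256


def verify_custody_log(item: EvidenceItem) -> bool:
    """Recompute the hash chain; any edited, reordered or dropped event fails."""
    prev = item.sha256
    for event in item.custody_log:
        body = {k: v for k, v in event.items() if k != "event_hash"}
        recomputed = sha256_hex(json.dumps(body, sort_keys=True).encode())
        if event["prev"] != prev or recomputed != event["event_hash"]:
            return False
        prev = event["event_hash"]
    return True


def export_manifest(items: list) -> str:
    """JSON manifest to attach to the documentary record or expert report."""
    return json.dumps([asdict(i) for i in items], indent=2, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample evidence: a fragment of an authentication log.
    auth_log = b"2024-03-01T09:12:44Z sshd: Failed password for admin from 203.0.113.7\n"
    item = acquire("EV-001", "auth.log excerpt from web-01", auth_log,
                   "2024-03-01T10:00:00Z", "analyst-A")
    transfer(item, "2024-03-01T12:30:00Z", "analyst-A", "forensic-lab")
    print(export_manifest([item]))
    print("item intact:", verify_item(item, auth_log))
    print("custody log intact:", verify_custody_log(item))
    # A single changed word in a copy of the evidence is detected.
    print("tampered copy intact:", verify_item(item, auth_log.replace(b"admin", b"root")))
```

The acquisition digest is stored once and never updated, so a later `verify_item` call compares the evidence as it exists now against the state at collection; the custody log chains each event to the previous one so that the manifest itself is tamper-evident rather than merely descriptive.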
Specifically, our response, intelligence and cyber intelligence services are the following:
- Forensic Expertise. When you are the victim of a cyber incident or cyberattack, we analyze in detail the situation, what happened, the elements or assets affected, the implications, the motives, the actors and the attack vectors. With all this we prepare a forensic report and, in this way, in addition to helping, we are able to act as third-party experts. We talked a little about this service a while ago, from different perspectives, in the articles “Evidence Hunters: Navigating Email Forensics”, “Portable Expert System for the Secure and Semi-Automatic Acquisition of Digital Evidence” and “It is as important to protect yourself as it is to respond”.
- Threat Hunting. We are in charge of continually monitoring all possible scenarios in search of threats that could affect your business. It is as if we assumed that your company is going to be cyberattacked by some means or mechanism, and we continually monitored it, watching the possible entry channels or attack vectors. This way we can anticipate a cyberattack and detect it “in real time”. Let's say it is the “snitch service” that analyzes proactively (not reactively) and issues an early alert in case something suspicious is detected. To do this, we continually analyze what are called TTPs (Tactics, Techniques and Procedures), which are commonly used by cybercriminals.
- Incident Response. Do you suspect, or are you certain, that you are suffering, or have suffered, a cyberattack? Do you not know what to do or how to behave? This service is the answer, since we help you throughout the process, from the evaluation of the situation to stopping or containing it and the evaluation of what happened, the reasons that caused it, the mechanisms used, etc., in order to be able to reestablish your activity normally, without repercussions (or with as few as possible), and also being able to establish measures to try to prevent it from happening again. We already gave some insight into this service in the article “It is as important to protect yourself as it is to respond”.
- Playbook Design. Does the term playbook sound like Greek to you? It is a list or concatenation of actions, a strategic and practical guide of steps to follow in response to a certain situation, in this case a cyber incident. What to do, how, and in what order in this type of situation? A playbook is the answer and the guide to follow step by step. This sequence of instructions or activities is used and applied by cyber incident response teams, generally in an automated way. But before that, it must be defined. Are you able to do it in your company? Do not worry! We take charge of defining that playbook, adapted and personalized to your company, its activity, characteristics and needs.
If you wish, learn more details by consulting all Zerolynx Response services.
In addition, you can also learn about Zerolynx's complete portfolio of cybersecurity and cyber intelligence services.
If you prefer that we inform you personally, do not hesitate to contact us.
Iñigo Ladrón Morales, Content Editor for Zerolynx.