Protecting against an information security breach is only part of the equation—how a company responds to an attack is critical
Security breaches are inevitable regardless of how well an organization protects its environment. Therefore, a company must develop an effective incident response capability and have a thorough response plan in place, to reduce response time and minimize the impact when a breach does occur.
At Lodestone, we’re industry specialists and problem solvers who understand the small and mid-size business landscape. We work with clients to address their incident response needs before, during and after a breach.
Before: We determine how well prepared a client is to detect and respond to incidents, and make recommendations for appropriate plan development.
During: In the event of a breach, we investigate the events to determine their scope and impact.
After: We assist with recovery activities post-breach, including dealing with ransomware situations.
Establishing and operationalizing a tailored response plan
When working with a client, Lodestone will either establish a new incident response plan or refine an existing one. In some cases, a client may have a plan in place that doesn’t “map” to their specific needs and vulnerabilities, while at other times they may have a great plan in place but fail to operationalize it effectively. At Lodestone, we follow a detailed process to evaluate existing capabilities and tailor a plan for each and every client.
Evaluating existing capabilities:
- Conducting interviews with key personnel
- Reviewing existing plan documentation and reports
- Evaluating technology in place to generate electronic evidence
- Determining effectiveness of the incident response processes
Tailoring the plan:
- Update security policies, incident response forms and reports, and network architecture diagrams
- Assemble guidelines to address the incident response, from pre-incident preparation through remediation
- Identify software, hardware and scripts to be developed or acquired
- Conduct new process effectiveness testing
- Educate participants on approaches to various incidents
- Institute tracking and reporting mechanisms
Deliverables:
- Formal incident response program description
- Incident response handbook including key forms, checklists, and guidelines
- Pre-incident preparation checklist
- Notifications and escalation reference sheet
- Incident triage checklist – do’s and don’ts
- Electronic evidence collection and handling procedures
- Evidence collection and handling forms
- Flow charts of typical steps taken in common incidents
Supporting clients when a breach occurs and beyond
We work with clients to recover from security breaches by assisting them with implementing technical improvements to their environments, improving their processes, and developing new skills.
Technical improvements might involve activities such as changing firewall rules, patching systems, activating new logging, or installing two-factor authentication.
Process improvements might focus on creating new software development quality assurance practices, creating server hardening standards, or improving the incident response triage checklist. Education may take many forms ranging from end-user security awareness basics to incident responder exercises.
Reacting effectively to ransomware attacks to minimize business interruption
Ransomware attacks are on the rise and have on occasion generated more than $1 billion in payments in a single calendar year. Recovering encrypted data after an attack can be problematic when proper backups do not exist. Consequently, to minimize the impact of the incident, many victims choose to pay the ransom. These payments typically require Bitcoin transactions, which clients may not be set up to handle efficiently.
At Lodestone, we have significant experience in reacting and responding to ransomware attacks so that a client can get past the incident as quickly as possible and minimize the loss from business interruption. We maintain Bitcoin accounts, know how to process such payments efficiently, and advise clients on the steps to take to avoid similar situations in the future.
A thorough and consistent approach to investigating and responding to an incident
In the event of a breach, we follow a consistent approach in investigating the event to determine scope, extent, and impact.
- Initiate triage: we assess the situation, collect initial evidence, and clarify steps to take or avoid
- Confirm objectives: we ensure that all parties have a realistic and consistent understanding of what the investigation seeks to accomplish
- Identify and improve data sources: we verify what log, endpoint, and network data is available, and take steps to improve the detail and retention of key information
- Collect and control evidence: we collect relevant data in a secure manner, consistent with the collection and handling guidelines of the US Federal Rules of Evidence
- Analysis: we iterate between collection and analysis until the investigative objectives have been accomplished or further analysis is no longer cost-effective
- Remediation activities: we identify issues throughout the investigation that require either repair or enhancement to end the current incident, and reduce the likelihood of future occurrences
- Prepare investigative reports: we report on key findings and status throughout the life of the incident
- Investigation management: we ensure that technical, business and legal representatives have the appropriate visibility and involvement in the incident. We can also engage with external entities such as legal counsel, business partners, regulatory bodies or law enforcement as required.
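The evidence collection and handling step above depends on being able to show, later in the incident, that the data analysed is exactly the data collected. The following is an added example of a minimal chain-of-custody manifest, not Lodestone's own procedure or forms: each collected item is recorded with its SHA-256 digest, collector, origin host and UTC timestamp, and a verification pass reports any item whose bytes have changed or gone missing. The evidence items, host name and collector name are constructed for the example.

```python
"""Chain-of-custody manifest for collected electronic evidence (added example)."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample artefacts standing in for files acquired from a host.
EVIDENCE = {
    "ws-042/auth.log": b"Jan 05 03:12:44 ws-042 sshd[812]: Accepted publickey for svc from 10.0.0.9\n",
    "ws-042/bash_history": b"ls -la /tmp\ncat /etc/passwd\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(items: dict, collector: str, source_host: str) -> list:
    """Record one custody entry per collected item at collection time."""
    collected_at = datetime.now(timezone.utc).isoformat()
    return [
        {
            "item": name,
            "sha256": sha256_hex(data),
            "size": len(data),
            "source_host": source_host,
            "collector": collector,
            "collected_at": collected_at,
        }
        for name, data in sorted(items.items())
    ]


def verify_manifest(manifest: list, items: dict) -> list:
    """Return the names of manifest items that are missing or whose digest no longer matches."""
    mismatches = []
    for entry in manifest:
        data = items.get(entry["item"])
        if data is None or sha256_hex(data) != entry["sha256"]:
            mismatches.append(entry["item"])
    return mismatches


if __name__ == "__main__":
    manifest = build_manifest(EVIDENCE, collector="analyst-1", source_host="ws-042")
    print(json.dumps(manifest, indent=2))
    # Simulate a log altered after collection: verification must flag it.
    tampered = dict(EVIDENCE, **{"ws-042/auth.log": EVIDENCE["ws-042/auth.log"] + b"x"})
    print("mismatches:", verify_manifest(manifest, tampered))
```

The manifest itself should be stored separately from the evidence (and ideally signed), so that an alteration of the evidence cannot be hidden by editing the record alongside it.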