Identify the extent of a breach, clean it up as quickly as possible, and prevent re-entry by the attacker.
The Vault Infosec Approach
Recognizing the increased risk organizations and end-users face, mobile software vendors and business consumers alike are seeking assistance in evaluating the security of their mobile applications. Vault Infosec's mobile security testing delivers coverage across the complete mobile app environment, from the local app running on-device to the back-end web services and RESTful APIs that power mobile apps off-device.
Incident response is a distinctly unsatisfying activity for most organizations. Adversaries, usually foreign, are rarely prosecuted or deterred. Ad hoc remediation is trial and error, devolving into a game of attacker whack-a-mole that drags on for months. Mid-six-figure response bills are common. Vault Infosec offers a pragmatic, goal-based approach to incident response. Our goal is to identify the extent of the breach, clean it up as quickly as possible, and prevent re-entry by the attacker.
Incident Response (IR) teams detect, investigate and, when necessary, perform remediation.
Our investigative teams are led by security engineers who perform several activities to determine the scope and type of your suspected incident. Technical investigative steps may include:
Vault Infosec will ship you a network monitoring device that is remotely administered to capture and analyze network traffic. The device is configured based on your incident type to optimize results. Vault Infosec security engineers conduct daily data analysis to identify suspicious activity and determine Indicators of Compromise (IOCs), such as command and control (C2) channels used by attackers to access compromised systems.
Following initial network monitoring, Vault Infosec engineers will gather data from key systems that appear to be affected. Live data is collected to retrieve and analyze relevant memory and filesystem attributes, logs, and artifacts. When necessary, forensic duplication can be conducted to retrieve and preserve a complete computer image. Log data is collected and analyzed from relevant network devices such as IDS, IPS, log servers, or similar.
Vault Infosec engineers will investigate discovered malware to determine impact, functionality, attribution, and/or specific Indicators of Compromise (IOCs). Our process includes both static and dynamic analysis. Static analysis covers file type identification, string extraction, unpacking in a debugger, and checksum comparison against known samples. Dynamic analysis is performed in a sandboxed testing environment to monitor process, memory, and filesystem activity.
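As an added illustration of the static triage steps named above (file type, strings, checksum comparison), not Vault Infosec's own tooling: the script below identifies a sample by its magic bytes, extracts printable strings, flags string-based IOC candidates, and compares the SHA-256 digest against a known-bad set. The sample bytes, the magic table, and the known-bad set are constructed for this example.

```python
import hashlib
import re
from typing import Dict, List, Set

# Constructed sample binaries (header stubs plus embedded strings); not real malware.
SAMPLE_PE = (b"MZ\x90\x00" + b"\x00" * 60
             + b"http://example.invalid/c2/beacon\x00cmd.exe /c whoami\x00")
SAMPLE_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"/tmp/.hidden/dropper\x00"

# Minimal magic-byte table used for file type identification (assumption: only these types).
MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF executable",
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP archive (possibly APK/JAR/Office)",
}

# Heuristic for strings worth escalating as IOC candidates: URLs, Unix paths, Windows executables.
IOC_RE = re.compile(r"(://|^/|\.exe\b)", re.IGNORECASE)


def identify_type(data: bytes) -> str:
    """Return a file type label based on leading magic bytes."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return "unknown"


def extract_strings(data: bytes, min_len: int = 6) -> List[str]:
    """Return runs of at least min_len printable ASCII bytes (like the `strings` tool)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def triage(data: bytes, known_bad: Set[str]) -> Dict[str, object]:
    """Static triage record: type, digest, known-bad match, strings, IOC candidates."""
    digest = sha256_hex(data)
    strings = extract_strings(data)
    return {
        "type": identify_type(data),
        "sha256": digest,
        "known_bad": digest in known_bad,
        "strings": strings,
        "ioc_candidates": [s for s in strings if IOC_RE.search(s)],
    }
```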
Using the results of the investigative phases, Vault Infosec engineers will design a coordinated remediation plan specific to your incident. Configuration recommendations and assistance are provided for host- and network-based security countermeasures. Assistance coordinating the remediation event ensures actions are taken to simultaneously remove the attacker and prevent re-entry, while accounting for IT dependencies and operations.