Identify the extent of a breach, clean it up as quickly as possible, and prevent re-entry by the attacker.
Incident response is a distinctly unsatisfying activity for most organizations. Adversaries, usually foreign, are rarely prosecuted or deterred. Ad hoc remediation is trial and error, devolving into a game of attacker whack-a-mole that drags on for months. Mid-six-figure response bills are common. Praetorian offers a pragmatic, goal-based approach to incident response. Our goal is to identify the extent of the breach, clean it up as quickly as possible, and prevent re-entry by the attacker.
Our investigative teams are led by security engineers who perform several activities to determine the scope and type of your suspected incident. Technical investigative steps may include:
Praetorian will ship you a network monitoring device, remotely administered by our team, to capture and analyze network traffic. The device is configured for your incident type to optimize results. Praetorian security engineers conduct daily data analysis to identify suspicious activity and determine Indicators of Compromise (IOCs), such as the command and control (C2) channels attackers use to reach compromised systems.
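One of the simplest C2 indicators the daily traffic review looks for is beaconing: an internal host contacting the same external address on a near-fixed schedule. The following is an added example of that check, not Praetorian's own tooling. It parses a constructed connection log (fields: unix timestamp, source IP, destination IP, destination port, bytes out), groups connections per (source, destination, port) flow, and flags flows whose inter-connection intervals have a low coefficient of variation. The log contents, IP addresses, and thresholds are all assumptions chosen for illustration.

```python
"""Beacon-candidate detection over connection records (added example)."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, not real traffic. 10.0.0.5 reaches 203.0.113.7:443
# about every 60 s (a beacon); 10.0.0.9 shows ordinary bursty browsing.
SAMPLE_LOG = """\
1700000000,10.0.0.5,203.0.113.7,443,612
1700000005,10.0.0.9,198.51.100.20,443,1480
1700000012,10.0.0.9,198.51.100.20,443,9210
1700000061,10.0.0.5,203.0.113.7,443,608
1700000120,10.0.0.5,203.0.113.7,443,615
1700000130,10.0.0.9,198.51.100.20,443,2233
1700000135,10.0.0.9,198.51.100.20,443,770
1700000182,10.0.0.5,203.0.113.7,443,611
1700000240,10.0.0.5,203.0.113.7,443,609
1700000299,10.0.0.5,203.0.113.7,443,613
1700000300,10.0.0.9,198.51.100.44,80,330
1700000360,10.0.0.5,203.0.113.7,443,610
1700000400,10.0.0.9,198.51.100.20,443,5120
1700000402,10.0.0.9,198.51.100.20,443,640
1700000421,10.0.0.5,203.0.113.7,443,612
1700000430,10.0.0.9,198.51.100.44,80,310
"""


def parse_log(text):
    """Parse 'ts,src,dst,port,bytes' lines into tuples; skip blanks and comments."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split(",")
        records.append((int(ts), src, dst, int(port), int(nbytes)))
    return records


def find_beacon_candidates(records, min_count=6, max_cv=0.2):
    """Flag flows with at least min_count connections whose interval
    coefficient of variation (stddev / mean) is at most max_cv.
    Both thresholds are assumed values and should be tuned per network."""
    flows = defaultdict(list)
    for ts, src, dst, port, _ in records:
        flows[(src, dst, port)].append(ts)

    candidates = []
    for (src, dst, port), times in flows.items():
        if len(times) < min_count:
            continue  # too few connections to judge regularity
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # all connections in the same second; not a schedule
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            candidates.append({
                "src": src, "dst": dst, "port": port,
                "count": len(times),
                "mean_interval_s": round(avg, 1),
                "cv": round(cv, 3),
            })
    return candidates


if __name__ == "__main__":
    for hit in find_beacon_candidates(parse_log(SAMPLE_LOG)):
        print(hit)
```

A hit is a candidate, not a verdict: update checkers, NTP, and monitoring agents also call home on a fixed schedule, so each flagged destination still needs triage. Beacons with randomized jitter push the coefficient of variation up, which is why the threshold is a tuning knob rather than a constant; on a real case the same logic runs over Zeek conn.log or firewall export rather than a constructed string.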
Following initial network monitoring, Praetorian engineers gather data from the key systems that appear to be affected. Live data, including volatile memory that would be lost on reboot, is collected to retrieve and analyze relevant memory and filesystem attributes, logs, and artifacts. When necessary, forensic duplication is performed to retrieve and preserve a complete disk image. Log data is collected and analyzed from relevant network devices such as IDS, IPS, log servers, or similar.
Praetorian engineers investigate discovered malware to determine impact, functionality, attribution, and specific Indicators of Compromise (IOCs). Our process includes both static and dynamic analysis. Static analysis covers file type identification, string extraction, unpacking under a debugger, and checksum comparison against known samples. Dynamic analysis is performed in a sandboxed testing environment to monitor process, memory, and filesystem activity.
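The first static steps listed above (file type, strings, checksum comparison) can be scripted for fast triage before any sample is loaded into a debugger. The following is an added example of that triage and is not Praetorian's analysis tooling. It identifies the file type from magic bytes, extracts printable strings, computes SHA-256 and MD5 for comparison against a known-bad set, and uses Shannon entropy as a packing indicator. The two binary blobs, the known-bad set, and the entropy threshold are constructed for illustration; neither blob is a real executable.

```python
"""Static triage of a suspicious binary (added example)."""
import hashlib
import math
import re
from collections import Counter

# Leading magic bytes for the file types most often seen in incidents.
MAGIC_NUMBERS = [
    (b"MZ", "PE/DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"%PDF", "PDF document"),
    (b"PK\x03\x04", "ZIP archive"),
]


def identify_type(data: bytes) -> str:
    """Return a file type name from the leading magic bytes, else 'unknown'."""
    for magic, name in MAGIC_NUMBERS:
        if data.startswith(magic):
            return name
    return "unknown"


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return runs of printable ASCII at least min_len long (like `strings`)."""
    pattern = rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}"
    return [s.decode("ascii") for s in re.findall(pattern, data)]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. Values near 8.0 indicate near-uniform bytes, which is
    typical of packed or encrypted payloads; plain code and text score lower."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(data: bytes, known_bad_sha256: set, packed_threshold: float = 7.0) -> dict:
    """Produce a triage report. packed_threshold is an assumed heuristic cutoff."""
    sha256 = hashlib.sha256(data).hexdigest()
    entropy = shannon_entropy(data)
    return {
        "file_type": identify_type(data),
        "sha256": sha256,
        "md5": hashlib.md5(data).hexdigest(),  # for legacy IOC feeds only
        "entropy": round(entropy, 3),
        "likely_packed": entropy > packed_threshold,
        "known_bad": sha256 in known_bad_sha256,
        "strings": extract_strings(data),
    }


# Constructed stand-in for a dropper: a DOS/PE header followed by a few
# telling strings. Not a real executable.
SAMPLE_PE = (
    b"MZ" + b"\x90" * 62 + b"PE\x00\x00"
    + b"http://c2.example.invalid/gate.php\x00"
    + b"cmd.exe /c whoami\x00"
    + b"CreateRemoteThread\x00"
    + b"\x00" * 200
)
# Constructed stand-in for a packed sample: every byte value occurs equally
# often, so the entropy sits near the 8-bit maximum.
PACKED_STAND_IN = b"MZ" + bytes(range(256)) * 4

# Constructed "known bad" set, standing in for an IOC feed or a prior case.
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_PE).hexdigest()}

if __name__ == "__main__":
    for name, blob in (("sample_pe", SAMPLE_PE), ("packed", PACKED_STAND_IN)):
        report = triage(blob, KNOWN_BAD_SHA256)
        print(name, {k: v for k, v in report.items() if k != "strings"})
        print("  strings:", report["strings"])
```

Two caveats apply when this is used on a real case. Exact-hash comparison only catches samples already seen, so a miss says nothing about a recompiled variant, and the entropy cutoff is a heuristic that high-entropy but benign content (compressed resources, embedded certificates) will also trip. Run triage only on an isolated analysis host, never on the affected production system.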
Using the results of the investigative phases, Praetorian engineers design a coordinated remediation plan specific to your incident. Configuration recommendations and assistance are provided for host- and network-based security countermeasures. Assistance coordinating the remediation event ensures that the actions to remove the attacker and prevent re-entry are taken simultaneously, while accounting for IT dependencies and operations.