
Incident Response and Forensics

24/7 availability in case of an incident

We provide our customers throughout Germany with 24/7 availability of our experts for incident response and forensics with guaranteed response times as well as a comprehensive range of services to handle targeted attacks and other IT security incidents.

In case of a cyber attack or an infection with ransomware, our experts are ready to act and

  • advise you on the selection of suitable immediate actions
  • support you during incident handling and follow-up
  • support you during the recovery

This allows you to react quickly and correctly, so that the incident can be contained as soon as possible and handled afterwards, keeping the impact to a minimum.

Due to our expertise, the BSI has listed us as a qualified APT Response service provider.

Forensic Investigations

Independent of our 24/7 availability, we have been assisting our customers with the forensic analysis of IT systems for many years.

Our specialists use professional tools on site or in our forensics and malware laboratory to examine incidents, affected systems and networks as well as malware that has been found.

Thus, we can reconstruct both the attack path and the sequence of events that took place and identify traces typical of the corresponding attack. Additionally, we look for possible indications of other affected systems, user accounts or data and examine a potential data leakage.

Our typical procedure includes, for example:

  • Reconstructing the sequence of events that took place or the infection path by analyzing logs and images of hard disks and main memories
  • Targeted search for files and contents on endpoints and drives in case of a suspected data leakage
  • Identifying the vulnerabilities having caused the intrusion
  • Live analysis of systems to collect further traces or determine the scope of an incident
  • Malware analysis of files and programs

We use established tools to process and analyze the artifacts. The results of the analysis are summarized in a detailed report, and we can also prepare a forensic expert report if required.

Consulting on and Preparing Concepts for Incident Handling

Whether you want to rely on cirosec as your incident response provider or build your own incident response team, CERT, CSIRT or even SOC, defining responsibilities and processes and creating response plans is essential.

We consult and assist you with this to ensure that you are well prepared and can keep calm and respond effectively in case of an emergency.

Our experienced consultants create concepts and preparatory measures in close coordination with you.

We assist you with defining processes, choosing tools as well as specifying responsibilities and instructions for action.

In doing so, we adhere to the recognized standards.

Readiness Assessment

The goal of a readiness assessment is to identify weaknesses within existing incident response processes and the tools used for detecting attacks. Therefore, it serves as a solid foundation to further develop already existing incident response strategies to effectively prepare for security incidents.

In a workshop, we will use a questionnaire to conduct a structured analysis of your existing processes according to established frameworks (e.g., ISO/IEC 27035). Among others, the following topics will be examined:

Analysis of existing processes:
Assessment of the current incident response plans, emergency handbooks, escalation paths and communication strategies.

Capabilities of the IR team:
Assessing whether the members of the IR team have the necessary capabilities to effectively deal with security incidents. This concerns the technical capabilities as well as the necessary knowledge of the employees involved.

Technical infrastructure:
Evaluating whether the tools used (e.g., malware protection, logging systems, firewalls) offer sufficient detection capability and support to detect incidents quickly and react accordingly.

Responsibilities and roles:
Examining whether the roles and responsibilities are clearly defined and distinct from each other.

Creation of IR playbooks

In case of an intrusion into your IT systems, it is useful to have a guideline at hand to make concrete and correct decisions in an emergency.

The playbooks we create follow the structure of the NIST Incident Response Cycle, which consists of the following four phases:

  1. Preparation
  2. Detection and analysis
  3. Containment, eradication and recovery
  4. Lessons learned

Exercises to Ensure Proper Response

During a security incident, external service providers or a company’s internal incident response team have to work together with the relevant internal technical experts responsible for the respective IT systems.

Necessary roles and processes or procedures are defined beforehand for this cooperation.

To assess whether these plans also work in practice, and to establish the necessary routines for handling an incident, regular exercises are crucial.

Only then will all people involved know how to work together quickly and effectively during an emergency.

These exercises can be tabletop exercises, in which all persons involved sit together at a table and work through a simulated situation, or practical exercises, in which, for example, technical alarms are triggered and then handled together.

We assist you during the preparation for such exercises, for example with creating the script, as well as during the exercise itself. This includes, among many other things, leading the exercise, simulating the attackers and observing the actions of the persons participating in the exercise.

We can also offer the follow-up of exercises, lessons-learned workshops and preparing recommendations to improve your processes.

Compromise Assessment

A compromise assessment is an in-depth examination of individual IT systems and networks or of a large part of the IT infrastructure and accounts.

The main goal is to determine whether an attacker could have potentially compromised parts of the infrastructure. In case of a confirmed compromise, the persistence method used by the attackers is analyzed.

A compromise assessment can include different aspects to focus on different types of systems and data.

Typically, such an analysis can include the following aspects:

  • Assessment of the available endpoints (clients and servers)
  • Assessment of the current network communication
  • Assessment of firewall logs (inbound and outbound connections)
  • Assessment of identities (typically AD and AAD accounts)
  • Assessment based on information from threat intelligence and darknet sources

Has your system been attacked?

If you have been the victim of a cyber attack, contact our specialists. With an appropriate contract, you can reach us around the clock in an emergency.
