Intrusion Analysis Service

Intrusion Analysis Service

What do I do in the event of a breach?

As one of the early members of CRESTs cyber security incident response program, Nettitude has a strong capability in identifying, containing, triaging, resolving and documenting cyber security attacks. Our Security Operations Centre (SOC) and Cyber Incident Response Team (N-CIRT) have extensive experience in identifying attacks, and then conducting host and network intrusion analysis as well as reverse engineering of malware to determine root cause analysis.

Looking for intrusion analysis?

Identify

Nettitude is able to support organisations identify suspicious activity across their estate. This can be achieved by installing network probes or taps in to the infrastructure and monitoring strategic vantage points for malicious traffic. Nettitude partners with a series of SIEM providers as well as network anomaly detection organisations to implement cyber incident detection technology in to client estates. We can then proactively monitor these devices, or provide a call-off service to support an organisation when they think they are experiencing anomalous network or device behaviour.

Triage

Nettitude triages the incident, to ensure that the impact is appropriately managed. During the triage phase, Nettitude identifies what has occurred, what it is has impacted, and categories its impact according to its disruption to confidentiality, integrity and availability. The triage phase results in the incident being allocated to an appropriately skilled incident handler that is able to look at host based and network born data sets.

Contain

Once an organisation believes that there is malicious content within their environment, Nettitude is able to provide a compressive forensic containment service. This includes the ability to generate forensically sound snapshot images of disk, memory, processor and log data that can be used as evidence in a criminal investigation. Nettitude has a robust methodology for containing incidents that ensures the chain of custody is maintained at all points of the investigation. In addition, our approach is pragmatic, supporting the organisation to continue functioning, whilst containing the incident to a small a subset of the estate as is operationally possible.

Resolve

During the resolution phase, Nettitude builds a detailed schematic to record all of the touch points that have been impacted by the incident. This includes documenting ingress and egress points, as well as all systems and resources (people/process/technology) that have been touched by the incident itself. During the resolution phase, Nettitude may conduct reverse engineering and deep dive analysis of malware to understand exactly what a malicious payload does within an environment.

Record

A key element of the incident handling process is to record all aspects of the incident, including malware heuristics, root cause analysis, Indicators of Compromise (IoC) and any identified attacker TTPs. Nettitude maintains an extensive incident library, that contains in excess of 100,000 unique malware samples. Through our global honeypot network, we have gathered IoCs and TTPs of many emerging threat actors and all of this data is combined with one another to build a comprehensive incident response data repository. During the reporting phase, Nettitude generates clear and concise documentation for the organisation to detail how the incident occurred, what it impacted, how it was contained, and what changes need to be implemented to prevent future attacks. This can be tailored to both technical and executive audiences according to individual client requirements.

Host Intrusion Analysis

Host intrusion analysis relates to individual hosts and all of the resources that can be impacted when a host is compromised.

To conduct host intrusion analysis, Nettitude will deliver the following elements:

Common operating system file structures, (Windows, Unix, OSx)

Application file structures

Interaction and assessment of the Windows registry

Identifying suspect files and artefacts

Memory analysis

Infection vectors

Malware behaviours and anti-forensics

Decryption and de-obfuscation techniques

Reverse engineering of malware

The objective is to be able to determine a full picture of how a host is compromised, provide root cause analysis, and to be able to quantify any impact on confidentiality, integrity or availability.

Network Intrusion Analysis

Network Intrusion analysis relates to the assessment of traffic that traverse wireless, wired and mobile data networks.

As part of this type of exercise, Nettitude will deliver the following elements:

Analysis of remote data sources

Statistical analysis of traffic

Anomalous traffic detection

Identification of beaconing

Identification of covert channels, including encrypted communications

Identification of command and control traffic

Identification of data exfiltration

Log analysis

The objective of network intrusion analysis is to determine all network born infection vectors, and all outbound communicate that are being used by threat actors.

Managed Services for Network and Host Analysis

Nettitude provides comprehensive managed security services through our Threat2Alert platform.
This platform allows us to deliver round the clock monitoring of host and network based attacks through our fully manned Security Operations Centre (SOC).

Threat2Alert is a unique detection and response capability that combines of:

  Advanced log and event correlation, powered by LogRhythm

  End point host detection software

  Network traffic assessment

  Real time, technical threat intelligence

  Strategically placed honey trap sensors deployed within your environment

Through the combination of these elements, Nettitude can deliver some of the most advanced host and network intrusion analysis, in real time monitored environment.

Intelligent Cyber Security and Risk Management   0345 5200 085    solutions@nettitude.co.uk