Our Incident Response services help clients who have suffered from a range of cyber issues including cyber frauds, system compromises and insider incidents. We help clients understand what has occurred, how to prevent further issues, and how to recover under the pressures a crisis brings.
We have set out some of the key lessons from previous incidents and how we have designed elements of our enhanced Incident Response service to help.
At the heart of our services is speed and a focus on business outcomes. Our previous experiences of response left us feeling that financial recovery and taking action against attackers were left until last. A detailed investigation is useful, but not when it prevents action and slows down business recovery. We built upon the Firm's long history of tackling fraud to rethink how Incident Response should occur.
As the first CREST accredited law firm globally, we bridge both cyber security and legal responses to tackle cyber incidents and their impacts.
A cyber incident represents one of the most important tests of your resilience. Regulations such as the General Data Protection Regulation (GDPR) require organisations to respond within 72 hours or to potentially face significant fines. The response to a cyber incident may later be scrutinised by regulators or courts and robust and effective response is key to managing a wide range of stakeholder concerns.
We routinely work with other Incident Response and Corporate Communications providers, using our expertise in financial recovery, data protection and reputation management, to help their clients. Our enhanced service sits alongside digital forensics, monitoring and crisis management services.
Case Study - Widespread Ransomware Attack
Our client experienced a widespread ‘human-operated’ ransomware attack that disrupted their entire business. Whilst staff sat idle and a warehouse rapidly ground to a halt, customers kept buying, making the issues worse. Our team worked with our client to manage the entire incident, tackling issues ranging from restoring backups and liaising with law enforcement to corporate governance.
Retaining Incident Response
Speed of response is key when dealing with financial crime. Our experience shows that there is a ‘golden 24hrs’ during which the maximum recovery of funds is possible. Funds can only move so fast through the banking system; however, for other forms of payment such as cryptocurrency, time is of the essence.
If you're facing a financial loss it is important to follow the money and to not only focus on the technical aspects of how the incident occurred. When helping clients with these issues we often see a strong response team pulled together to protect the organisation, but less follow-through when dealing with banks and financial institutions. It is also important to understand the levers available – the proceeds of crime are treated very differently than a suspected fraud with limited evidence.
Our team provides a 24/7 service to provide peace of mind that, ‘just in case’, you have specialist expertise on hand. We are experienced in dealing with both the financial and technical aspects of contemporary incidents.
Case Study - Immediate Response to suspicious network traffic
Our client had discovered unusual network traffic from an area of their network containing highly sensitive data. Within two hours we helped the client team extract forensic images from their cloud provider and were examining the systems and network traffic in question.
We were able to help the client understand what had occurred, and to remediate the issue. The client team were highly skilled at IT operations but understandably needed up to date forensic expertise to tackle an incident in the cloud.
Tackling Cyber Crime and Financial Fraud
Cyber crime is the most common risk to affect organisations and individuals today. The impacts can vary from a ransom demand to fraudulent electronic funds transfers that can be worth millions. Working with one of the largest specialist fraud teams in the UK, we can quickly stop funds moving and recover them from attackers.
The traditional models of Incident Response struggle to cope with cyber fraud and financial crime - often a cyber-enabled issue where an old fraud happens in a new way. We apply our in-house developed process to rapidly target the infrastructure used to support fraud and to identify money, assets and people who we can seek to stop. This approach ensures that the fraud does not continue to create victims whilst investigation continues.
Case Study - Business E-mail Compromise & Financial Fraud
Business e-mail compromise quickly becomes a financial loss, as well as a data protection issue when e-mail mailboxes have been accessed. We were instructed to help a client who had a loss of over £2m in similar circumstances. Working with our Fraud team we gained an injunction to understand quickly where the funds had moved to and to stop their onward movement. The team provided advice to remediate the e-mail access and our threat intelligence team identified and disrupted the infrastructure used in the attack, preventing further harm.
Disrupting attacks and preventing further harm
Often the infrastructure an attacker uses to conduct an attack or fraud is left in place even after an incident. This allows further attacks to continue, often misusing the same intellectual property or targeting the general public and other organisations.
Our Incident Response team works alongside our Intelligence and Investigations team to identify the infrastructure used in an attack or fraud, from domain names, servers and communications services to bank accounts and shell companies. We work with our legal colleagues to seize control of this infrastructure, to prevent its reuse and to gather evidence to support further action.
Case Study - Targeted Attacker Disruption
When an incident targets the general public regulators will want to see that you have done everything you can to prevent consumer harm. We worked with a regulated client where a cyber-enabled fraud was using their brand and intellectual property against consumers. Our intelligence team identified a range of domain names, websites, and online advertising providers that were key to the fraud being successful. A joint legal and technical disruption was mounted that closed down the infrastructure identified, stopping the fraud continuing and preventing further harm.
Post-Incident Review
An incident represents an opportunity for reflection and improvement. It often doesn't feel like it at the time, but using an incident to drive change is an often overlooked benefit. Mature organisations build learning into the Incident Response process, not just remediating or improving cyber security but also improving the response process itself.
We are often asked to conduct independent reviews of cyber incidents to establish their root cause, or to ensure that the response was robust and effective. This is especially effective when multiple third parties are involved, or a view needs to be taken as to potential liability.
Case Study - Independent Post-Incident Review
A client had suffered a major cyber incident linked to a nation-state actor. They had responded to the incident and worked with another incident response vendor and other third parties to manage and remediate what had occurred. We were instructed to conduct an independent Post-Incident Review, to help them ensure that remediation had been successful and to identify any lessons that could be learnt from the process.
Our in-depth review led to improvements to the overall structure of crisis management, along with the identification of areas of the remediation plan that had not been completed. We also identified areas of good practice that could be applied across other business areas.