020 7193 4905
Incident Response Computer Services

Protecting Networks From A Systems Breach


If you have a cyber-security incident, believe you are under attack or have been compromised, then call us immediately for assistance on 020 7193 4905 or email us at incident [at] first-response.co.uk

Cyber Incident Response

Our cyber incident response and recovery team has a broad range of capabilities comprising people, technology and threat intelligence, working collaboratively with you to handle critical security incidents.

We have been providing on-site and off-site incident response services for over nine years, and operate on a 24/7 basis to help organisations quickly mitigate the damaging effects cyber-attacks can cause, allowing you to respond to and recover from a comprehensive range of situations.

Once you determine that your network has been compromised or is currently under attack, you need to seek assistance.

Very few organisations have the technical skills in-house to deal with sophisticated multi-tier attacks, and often the well-intentioned but clumsy responses by internal teams under pressure to resolve the issue will simply tip off the attacker and drive them deeper into the network.

Of course, it’s important to act fast, but you need to draw on specialist skills which the average administrator does not have. We respond to these types of attacks every week, are well versed in attacker methodologies and know where to look to find the tell-tale evidence of their actions.

It may begin with something as simple as clicking on a link in an email from a colleague, or opening a PDF file sent by a sales company. But that’s all it takes to start the chain of events that leads to a complete network compromise. Very often, the initial target won’t know they’ve been compromised.

In more than 85% of the cases we deal with, victim organisations are informed of the breach by a third party – it may be the bank to say that credit cards used on your website are being used fraudulently, or that clients and suppliers all complain that they are being spammed with email originating from your servers. You may even suddenly stop being able to send or receive email because your company has been put on an international blacklist or because your email systems have been disabled. 

Case study

A medical research laboratory was alerted by anti-virus software to the presence of a Trojan horse program (malware) on one of its internet-facing web servers. First Response was instructed to examine the system to determine if any user data had been lost. Analysis of the server log files showed that the server had been under attack for the best part of a year, and had first been compromised a few months after the attacks began.

The malware that had triggered the detection was very old; six other instances of more recent malware were also present, but had not been detected by the AV software (this is common). Analysis of the log files showed clear evidence of attempted SQL injection attacks, but due to the unskilled nature of those attempts, they were unsuccessful.

Our analysis showed that the user login database of the server had been exfiltrated to an IP address in Romania. A subsequent audit of the user database revealed seven different administrator-level logins that were unknown to the organisation. The attackers had gained access to all of the data present on the server and had copied all of it, several times, over a period of months.


This compromise led to the loss of valuable research data, a requirement to report the loss of the user database to the Information Commissioner's Office, and the reputational damage resulting from informing the user population that their accounts had been compromised and that a password reset was required. Each user who logged in was submitting sensitive personal data relating to medical conditions as part of the research being carried out by the lab.

After this compromise, the client completely re-built this and several other servers, instigated a Forensic Readiness Planning process with us and put in place a series of new policies and procedures to ensure the integrity of their server infrastructure is maintained.

Whilst this case study may seem quite bad, it is also very common and reflects the average type of incident that we respond to, week after week.

To find out how First Response can assist you in the event of a systems breach, call us on 020 7193 4905.

For further information on other incidents we have worked on, read our case studies here.

Cyber incident response is included as part of our Managed Endpoint Detection and Response, details are available here.

