
DFIR Rapid Response

Call +1-877-247-4379 24x7 for DFIR Rapid Response

Whether or not you are already a CipherTechs customer, 24x7 DFIR assistance is available. Rapid Response begins with a discovery phone call to understand the type of incident, determine which tools and log sources are available to work with, and decide whether the work can be done remotely or someone needs to be dispatched onsite. CipherTechs has DFIR staff in lower Manhattan, Kilkenny, Ireland, Toronto, Canada, and Bangkok, Thailand, allowing us to service North America, Europe, and Asia.

CipherTechs' first objective is to determine whether the incident is contained and, if the intrusion is still in progress, to address it head on. If suitable tools and log sources are available, CipherTechs works with the impacted company to obtain temporary access and launch immediate threat hunts. If there isn't already a mature security monitoring stack in place, tools such as Zeek, Suricata, osquery, and Sysmon can be deployed immediately. A combination of open source and custom tools and signatures (YARA, Suricata, Zeek) is used to hunt for IOCs across the network.
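As an added illustration of the kind of IOC sweep described above (example code written for this page, not CipherTechs' own tooling), the following Python script parses Zeek conn.log and dns.log excerpts in the tab-separated format Zeek writes by default, using the log's own #fields header, and matches them against an IOC list. The IOC values, the log lines, and the names IOC_IPS, IOC_DOMAINS, Hit, parse_zeek_log and run_sweep are all constructed for the example. It goes slightly beyond a plain string comparison by also matching subdomains of an IOC domain and by treating Zeek's "-" unset marker as no value.

```python
"""
Added example (not CipherTechs' code): a minimal IOC sweep over Zeek
conn.log and dns.log in Zeek's default TSV format. Every IOC and log
line below is constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed IOC set (hypothetical values from documentation ranges).
IOC_IPS = {"198.51.100.23", "203.0.113.77"}
IOC_DOMAINS = {"update-cdn.example", "mail-relay.example"}

# Constructed Zeek conn.log excerpt. Zeek writes "-" for unset fields.
CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\n"
    "1700000000.100000\tCabc1\t10.0.0.5\t51234\t198.51.100.23\t443\ttcp\tssl\t12.5\n"
    "1700000001.200000\tCabc2\t10.0.0.8\t51235\t93.184.216.34\t80\ttcp\thttp\t-\n"
)

# Constructed Zeek dns.log excerpt (subset of the real columns).
DNS_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#unset_field\t-\n"
    "#path\tdns\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tanswers\n"
    "1700000002.000000\tCdns1\t10.0.0.5\t53001\t10.0.0.2\t53\tudp\tbeacon.update-cdn.example\t198.51.100.23\n"
    "1700000003.000000\tCdns2\t10.0.0.9\t53002\t10.0.0.2\t53\tudp\twww.example.com\t93.184.216.34\n"
    "1700000004.000000\tCdns3\t10.0.0.9\t53003\t10.0.0.2\t53\tudp\t-\t-\n"
)


@dataclass(frozen=True)
class Hit:
    log: str    # which Zeek log the hit came from
    uid: str    # Zeek connection uid, used to pivot into other logs
    field: str  # column that matched
    value: str  # the matching IOC value


def parse_zeek_log(text: str) -> list[dict[str, str]]:
    """Parse Zeek's TSV log format, taking column names from #fields."""
    fields: list[str] | None = None
    rows: list[dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue  # other header lines (#separator, #types, #close, ...)
        if fields is None:
            raise ValueError("data row encountered before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"column count mismatch: {line!r}")
        rows.append(dict(zip(fields, values)))
    return rows


def domain_matches(name: str, ioc_domains: set[str]) -> bool:
    """True for the IOC domain itself or any subdomain of it (case-insensitive)."""
    n = name.lower().rstrip(".")
    return any(n == d or n.endswith("." + d) for d in ioc_domains)


def hunt_conn(rows: list[dict[str, str]], ioc_ips: set[str]) -> list[Hit]:
    """Flag connections whose originator or responder is an IOC address."""
    hits: list[Hit] = []
    for r in rows:
        for col in ("id.orig_h", "id.resp_h"):
            v = r.get(col, "-")
            if v != "-" and v in ioc_ips:
                hits.append(Hit("conn", r["uid"], col, v))
    return hits


def hunt_dns(rows: list[dict[str, str]], ioc_domains: set[str], ioc_ips: set[str]) -> list[Hit]:
    """Flag queries for IOC domains and answers resolving to IOC addresses."""
    hits: list[Hit] = []
    for r in rows:
        q = r.get("query", "-")
        if q != "-" and domain_matches(q, ioc_domains):
            hits.append(Hit("dns", r["uid"], "query", q))
        # "answers" is a Zeek vector; elements are joined by the set_separator ",".
        for a in r.get("answers", "-").split(","):
            if a != "-" and a in ioc_ips:
                hits.append(Hit("dns", r["uid"], "answers", a))
    return hits


def run_sweep() -> list[Hit]:
    """Run both hunts over the constructed logs and return every hit."""
    return hunt_conn(parse_zeek_log(CONN_LOG), IOC_IPS) + hunt_dns(
        parse_zeek_log(DNS_LOG), IOC_DOMAINS, IOC_IPS
    )


if __name__ == "__main__":
    for h in run_sweep():
        print(f"{h.log}.log uid={h.uid} {h.field}={h.value}")
```

In a real engagement the log text would be read from the Zeek log directory and the IOC set loaded from the case's indicator list; the uid on each hit is what lets an analyst pivot from a conn.log match into ssl.log, http.log or files.log for the same session.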

Example scenarios

  • A company’s Citrix NetScaler was compromised. The NetScaler hosted sensitive applications and email and had full connectivity to the internal network. The customer identified exploitation indicators in NetScaler logs and verified that attackers had interactive access to the system. The customer contacted CipherTechs to determine whether the attacker was still on the network, establish what transpired during the breach window, and provide immediate visibility that its current security tooling lacked.

  • Live ransomware outbreak. A domain controller was compromised and ransomware is spreading to other domain computers. VPN logs show logins from a country unaffiliated with the company. CipherTechs is brought in to manage the overall incident, contain it, and help remediate.

  • A senior system administrator was terminated and expressed malice toward the company. CipherTechs is called in to determine entry points, look for covert network access, and help eliminate the former administrator’s access to company resources.