National Cyber Security Centre (NCSC) CIR L2 Assured Service Provider
Responding to a Cybersecurity Incident
When a cybersecurity incident strikes, swift and coordinated action is crucial to managing its impact on the organisation. Immediate efforts focus on coordinating an efficient response, while digital investigations uncover the root cause and extent of the breach.
Legal experts provide guidance on navigating contractual and regulatory obligations, minimising legal risks. If ransom demands arise, skilled negotiators engage with threat actors, handling sanctions checks and cryptocurrency transactions. Crisis communications are managed to protect the organisation's reputation, while systems recovery specialists work to quickly restore critical operations, minimising disruption and ensuring a return to business as usual.
Notification Support & ID Protection
- Credit Monitoring services
- Fraud detection and prevention
- Surge Notification (helpline) Support
- Dark web monitoring of breached data
Credit Monitoring:
- Providing real-time or near-real-time alerts for any changes or activity on an individual's credit report
- Monitoring credit reports continuously to promptly detect any suspicious activity
- Offering individuals regular access to their credit reports
- Providing at least one free credit report annually
Identity Theft Protection and Restoration:
- Helping individuals place fraud alerts on their credit files
- Assisting individuals in placing credit freezes on their credit files
- Offering identity theft insurance
- Identity theft specialist hotline
Education and Resources:
- Guidance for affected individuals on best practices for detecting and avoiding identity theft
Surge Notification Support:
- Providing access to customer support for individuals to ask questions, report issues, and get assistance with monitoring services
Dark Web Monitoring:
- Monitoring a wide range of dark web forums, marketplaces, and other underground sites where stolen data is traded or posted
- Using automated tools to continuously crawl and collect data from these sources, ensuring comprehensive coverage and timely detection
- Correlating the collected data with the compromised dataset and alerting when matches are found
- Analysing the severity and potential impact of the data discovered on the dark web
- Providing contextual information about the data breach and the dark web sources
- Offering actionable insights and recommendations for mitigating the risks associated with the exposed data
- Generating detailed reports on dark web findings, including the type of data exposed, the sources, and the potential risks
- Keeping relevant stakeholders informed about the findings and the steps being taken to mitigate the risks

Trauma Counselling
- Fully confidential one-to-one service
- Support for insured staff including (but not limited to):
  - Executives & founders
  - Deceived victims
  - IT staff and first responders
Supporting insured client staff, including executive and operational team members, victims of deception, etc.
Emotional Support:
- Validation of feelings
- Empathy and understanding
Coping Strategies:
- Stress management
- Healthy coping mechanisms
Rebuilding Trust Post-Incident:
- Restoring faith in others
- Setting boundaries
Dealing with Guilt and Shame:
- Self-compassion
- Challenging negative beliefs
Processing Trauma:
- Narrative therapy
- Trauma-Focused Cognitive Behavioural Therapy (TF-CBT)
Building Resilience:
- Strengthening inner resources
- Empowerment
Practical Guidance:
- Safety planning: helping with facing future incidents
Long-Term Resilience:
- Ongoing support
- Monitoring progress

Breached Data Mining
- Rapid, AI-driven searches for sensitive PII and other important data
- Actionable results in a fraction of the time and cost of typical e-discovery data mining
- Allows formulation of a notification strategy
- Output feeds straight into any required notification activity
Our rapid data mining solution, CyberDiscover, significantly reduces the time and cost of data mining activities:
- AI-powered search technology developed from deep cyber investigation and e-discovery experience
- Processing and analysis occur in-jurisdiction
- Performance tuned to minimise both false positives and false negatives
- Analysis of all files, messages, etc. within the provided mailboxes, files/folders, databases, etc.
- Includes OCR and subsequent analysis of the resulting machine-readable text
- Protects PII by reporting only statistical results
- Credits for post-review enquiries are included in the service
Produces a report describing the analysed datasets in terms of:
- Types: the types of PII that have been found
- Values: the number of unique values that have been found
- Items: the number of items in which the PII type has been found
- Hits: the total number of occurrences of all the PII values that have been found
- Value concentration: how evenly the hits are distributed across the distinct values
  - High concentration is when many hits occur across a relatively small number of values
- Hits concentration: how the hits are distributed across the items in which they occur
  - High concentration is when many hits occur across a relatively small number of items
- Spread: the percentage of items across the entire dataset that contain PII of each discovered type
Reports enable insured clients and their legal advisors to formulate the regulatory and third-party notification strategy
Secure destruction of all PII post-analysis
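As an added illustration of the statistics listed above (this is example code written for this page, not CyberDiscover's implementation, which the page does not show), the following Python scans a constructed set of messages and returns per-type Values, Items, Hits, both concentration figures and Spread, while keeping every matched value inside the function so the report itself carries no PII. The detection patterns, the sample messages and the concentration statistic (a normalised Herfindahl index, since the page describes concentration only qualitatively) are all assumptions.

```python
import re
from collections import Counter

# Constructed detection patterns standing in for a real PII search engine;
# the page does not describe CyberDiscover's matchers, so these are assumed.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "uk_phone": re.compile(r"\b0\d{4}\s?\d{6}\b"),
    "nino": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),  # UK National Insurance number shape
}


def concentration(counts):
    """Normalised Herfindahl index over a list of per-category counts.

    0.0 means the hits are spread evenly over every category, 1.0 means
    every hit sits in a single category. Assumed statistic: the page names
    no formula for 'concentration'.
    """
    total = sum(counts)
    n = len(counts)
    if total == 0 or n == 1:
        return 1.0 if total else 0.0
    hhi = sum((c / total) ** 2 for c in counts)
    return (hhi - 1 / n) / (1 - 1 / n)


def summarise(items):
    """items: mapping of item id -> text. Returns per-PII-type statistics only.

    Matched values and their locations never leave this function, so the
    report contains aggregates, not PII ('statistical results only').
    """
    report = {}
    for ptype, rx in PATTERNS.items():
        value_hits = Counter()  # distinct value -> occurrences (Values, Hits)
        item_hits = Counter()   # item id -> occurrences in that item (Items)
        for item_id, text in items.items():
            for match in rx.finditer(text):
                value_hits[match.group(0)] += 1
                item_hits[item_id] += 1
        if not value_hits:
            continue
        report[ptype] = {
            "values": len(value_hits),
            "items": len(item_hits),
            "hits": sum(value_hits.values()),
            "value_concentration": round(concentration(list(value_hits.values())), 3),
            "hits_concentration": round(concentration(list(item_hits.values())), 3),
            "spread_pct": round(100 * len(item_hits) / len(items), 1),
        }
    return report


# Constructed, fictional mailbox export used as sample input.
SAMPLE_ITEMS = {
    "msg-001": "Hi, reach me at alice@example.com or 01632 960001.",
    "msg-002": "Forwarding alice@example.com again; CC bob@example.org.",
    "msg-003": "Payroll ref QQ123456C attached.",
    "msg-004": "Nothing sensitive here.",
}

if __name__ == "__main__":
    for ptype, stats in summarise(SAMPLE_ITEMS).items():
        print(ptype, stats)  # aggregates only; no matched value is printed
```

On the sample above, the email type reports 2 values, 2 items, 3 hits and 50% spread, with low concentration because the hits are split fairly evenly between the two addresses and two messages.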

Crisis & PR Advice
- Immediate PR comms strategy advice
  - Stakeholders, authorities, third parties, press
- Comms formulation support
  - Spoken, written, digital (formal & informal)
- Notification advice
- Brand protection advice
Immediate Response:
- Assisting the insured to quickly acknowledge the incident to the public and stakeholders
Initial Statement:
- Drafting a brief initial statement that acknowledges the incident and assures stakeholders that the situation is being handled
Spokesperson Preparedness:
- Identifying and coaching designated spokespersons who are authorised to speak on behalf of the insured
Accuracy and Transparency:
- Ensuring that all information released is accurate, avoids speculation and sticks to verified facts
- Providing regular updates as the situation evolves
Consistent Messaging:
- Ensuring all communications are consistent across all channels
- Using clear, jargon-free language to explain the incident
Stakeholder Communication:
- Internal: assisting the insured to keep employees, management, and board members informed
- External: advising the insured on communications with customers, partners, investors, and regulatory bodies
Media Management:
- Helping the insured to engage with the media proactively and to control the narrative
- Drafting press releases with key information and updates
Social Media Engagement:
- Monitoring social media channels for mentions and discussions about the incident, and advising on prompt responses to misinformation and concerns
- Advising on the use of social media platforms to communicate directly with the public, providing updates and addressing queries
Empathy and Reassurance:
- Reviewing the impact on affected parties and expressions of empathy
- Advising on reassurance of stakeholders
Legal and Regulatory Compliance:
- Working with legal advisors to ensure that all public statements and communications comply with legal requirements
- Supporting prompt communications with regulatory bodies
Long-Term Reputation Management:
- Conducting a post-incident review to identify areas for improvement
- Assisting the insured to rebuild trust with stakeholders
Documentation and Lessons Learned:
- Keeping detailed records of all communications and actions taken during the crisis

Threat Actor Engagement
- Ransom Negotiation
- Sanctions Checks
- Ransom Settlement
- Payment tracing
- Law enforcement interaction (where required)
The CCE Threat Actor Engagement (TAE) service includes:
Response techniques: due diligence, expert engagement, conflict & trauma management
Legal, regulatory and corporate communications response:
- Confidentiality and privilege
- Regulatory compliance analysis
- Contract review
- Law enforcement interaction
Impact identification and risk management:
- Worst-case and fall-back planning
Threat actor group identification and profiling:
- Known techniques
Threat actor engagement:
- Benefits and risk consideration
- Operational Security (OpSec) techniques
Ransom negotiation:
- Strategic briefing
- Key objective setting
- Internal comms feedback cycle
- Decision-making (hierarchy, confirmation)
Sanctions checks
Ransom settlement:
- Cryptocurrency acquisition
- Payment execution
Ransom payment tracing:
- Third-party and stakeholder engagement
- Data leak monitoring
Reporting:
- Internal reporting and third-party assurance
Follow-up:
- Best-practice remediation

Legal Advice
- Legal and regulatory situational advice
- Payment recovery support
- Data mining support
- Notification strategy support
- Contract analysis (AI-assisted)
Our rapid contract review service significantly reduces the time and cost of contract review activities.
It includes AI-powered search technology developed from deep cyber investigation and e-discovery experience, and OCR with subsequent analysis of the resulting machine-readable text.
Increased efficiency and speed:
- Reviewing and comparing contracts far faster than a human reviewer, reducing the time needed to process documents, apply rules and identify discrepancies or anomalies
- Ensuring a consistent review process, applying the same criteria to every contract
- Freeing up the CCE Legal specialists for more complex and strategic advice
Improved risk management:
- Identifying potential risks, such as unfavourable terms or clauses, by analysing contract language and comparing it to a database of known risks
- Identifying contractual obligations to comply with relevant laws, regulations, and organisational policies
Better insights and decision making:
- Data analysis: analysing large volumes of contract data to identify trends, patterns, and insights that can inform decision-making
- Predictive analytics: predicting potential outcomes based on historical data, helping insured clients to make more informed decisions
Notification strategy:
- Reports enable insured clients and their legal advisors to formulate the regulatory and third-party notification strategy
Secure destruction of all contracts post-analysis

IT Systems Recovery
- Systems & data migration & isolation
- Verification of systems integrity
- Systems and data restoration
- Network security and systems hardening
- Testing & validation
Providing advice and guidance to help the insured with the following:
Containment Verification:
- Verifying that the threat has been contained and that no further malicious activity is ongoing before beginning recovery
System Integrity:
- Ensuring that all affected systems are free of malware or other malicious artefacts
- Using clean, verified backups or system images for restoration
Data Restoration:
- Verifying the integrity and completeness of backups before restoring data
- Prioritising the restoration of critical systems and data to resume essential business operations first
Security Patches and Updates:
- Ensuring all systems are up to date with the latest security patches and updates to fix the vulnerabilities exploited during the incident
- Updating all software, including operating systems and applications, to their latest versions
Network Security:
- Implementing or verifying network segmentation to limit the spread of any future incidents
- Reassessing and tightening access controls, ensuring that only authorised personnel have access to critical systems
System Hardening:
- Reviewing and hardening system configurations in line with best practice
- Disabling unnecessary services and ports
Monitoring and Detection:
- Increasing monitoring of restored systems for anomalous activity
Logging:
- Ensuring comprehensive logging is enabled to facilitate future incident detection and response
Communication:
- Keeping all relevant stakeholders informed about the recovery process, timelines, and any potential impact on operations
Testing and Validation:
- Testing restored systems to ensure they function correctly and securely
- Conducting user acceptance testing to verify that systems meet business requirements and perform as expected
Documentation:
- Documenting the entire recovery process, including steps taken, decisions made, and any issues encountered
Lessons Learned and Improvement:
- Conducting a post-incident review to analyse the response and recovery efforts, identifying areas for improvement
- Updating incident response plans, security policies, and training programmes based on lessons learned

Digital Investigations
- DFIR tool deployment (EDR etc.)
- Digital Forensics
- AI-assisted log and malware analysis
- Threat Intelligence
- Attack-surface analysis & pen testing
Preparation:
- Assimilation: reviewing the insured's technology, people and processes, including existing IR plans and playbooks
Identification:
- Evidence Preservation: ensuring that all evidence is collected and preserved in a manner that maintains its integrity for potential legal proceedings
- Detecting Anomalies: using monitoring tools to detect unusual activity that could indicate a cyber incident
- Analysing Alerts: reviewing alerts from security information and event management (SIEM) systems and other detection tools
- Initial Triage: performing an initial assessment to determine the scope and impact of the incident
- Root Cause Analysis: conducting a thorough analysis to understand the root cause and contributing factors of the incident
Containment:
- Short-Term: taking immediate actions to prevent further damage, such as deploying EDR
- Long-Term: implementing temporary fixes to allow business operations to continue while a more thorough investigation is conducted
Eradication:
- Removing Malware: identifying and removing malware or other malicious artefacts from affected systems
- Identifying Root Cause: investigating the origin of the attack to prevent recurrence
- Patch Management: applying patches to the vulnerabilities exploited during the incident
Investigation:
- Forensic Analysis: collecting and analysing digital evidence to understand the nature and scope of the incident
- Log Review: using AI to analyse logs from various systems to trace attacker actions
- Timeline Reconstruction: creating a timeline of events to understand the sequence of actions taken by the attacker
Communication:
- Internal Reporting: keeping relevant stakeholders informed about the status and impact of the incident
- External Communication: coordinating with external parties, such as stakeholders, regulatory bodies, law enforcement and insurers
Documentation:
- Incident Documentation: documenting all actions taken during the response process for legal, compliance, and learning purposes
Post-Incident Review:
- Lessons Learned: identifying lessons learned to improve future incident response efforts
- Recommendations: providing recommendations for improving security posture and preventing future incidents

Incident Operations Coordination
- Secure Comms
- Insured client & CCE team meeting facilitation
- Strategic and operational response coordination
- Insurer claims team interaction (retention etc.)
- Record keeping and reporting
The CCE Incident Operations Coordinator (IOC) and the assigned Case Lead will undertake the following:
Incident Command Structure:
- Introducing the insured's team to the CCE incident response team, with clear roles and responsibilities
- Establishing communications and authorisations with any relevant third parties, such as MSPs, IT support staff and other vendors
- Maintaining a clear chain of command to ensure decisions are made quickly and effectively
Communication and Coordination:
- Using a secure communications platform to keep all team members informed and coordinated
- Providing regular updates to all stakeholders, including internal teams, management, and external parties as necessary
Documentation:
- Maintaining detailed documentation of all actions taken, decisions made, and communications exchanged during the incident
Initial Assessment and Triage:
- Quickly assessing the scope and impact of the incident to prioritise response actions
- Allocating resources based on the severity and urgency of different aspects of the incident
Investigations and Recovery Support:
- Maintaining evidential exhibit chain-of-custody records
- Arranging secure transportation and storage of evidential exhibits
- Delivering and deploying equipment to support investigation and recovery activities
Containment Strategies:
- Immediate Actions: implementing short-term containment measures to prevent further damage
- Long-Term Containment: developing and implementing long-term containment strategies to stabilise the situation
Coordination with External Entities:
- Coordinating with law enforcement agencies where specifically requested and authorised by the insured
- Communicating with relevant regulatory bodies where specifically requested and authorised by the insured
Internal and External Communication:
- Assisting the insured to keep internal and external stakeholders informed about the incident status and response efforts
- Coordinating with the PR team to manage external communications and media relations
Business Continuity and Recovery:
- Assisting the insured to activate applicable business continuity plans
- Advising the insured on prioritising and restoring critical systems and data to resume normal operations
Post-Incident Activities:
- Facilitating a post-incident review to evaluate the response and identify areas for improvement

CyberCare First Response
- 24-hour hotline
- Rapid incident triage
- Immediate CCE team initiation: DFIR, Legal etc.
- Insurer claims handler advisory
Accessibility:
- Ensuring our hotline is available 24/7 to handle incidents at any time
- Multiple channels provide a range of ways to access the hotline, such as phone, email, chat, and a dedicated web portal
Clear Communication:
- Using a dedicated phone line or contact point specifically for cyber incident reporting
Language Support:
- Offering support in multiple languages where insureds are located internationally
Trained Personnel:
- Staffing the hotline with trained first responders who can provide immediate guidance and support
Standard Operating Procedures (SOPs):
- Using proven SOPs for triaging and categorising incidents based on severity and impact
- Operating escalation protocols for different types of incidents
Information Gathering:
- Using standard forms to collect all necessary information about the incident, including the time, nature of the incident, affected systems, and any initial actions taken
Immediate Actions:
- Providing immediate guidance on containment measures and next steps
- Offering a checklist of first steps to be taken by the insured to contain the impact of the incident and preserve evidence for investigation
- Initiating the C3 CIR process and assigning cases to the Incident Operations Coordinator (IOC)
Documentation and Tracking:
- Logging all incident reports and actions taken in a centralised incident management system
- Operating a tracking system to monitor the status and progress of incident responses
Communication with Stakeholders:
- Facilitating initial calls with the necessary insured points of contact, including IT, legal, and management teams
Confidentiality and Data Protection:
- Ensuring that all information shared through the hotline is kept confidential and handled in compliance with data protection regulations
- Using secure communication channels to prevent further compromise

Coordination Support
Enhancing the effectiveness and efficiency of how an organisation responds to and manages cybersecurity incidents.
Digital Investigations
Delivering specialists in computer forensics, log and malware analysis, penetration testing and data mining.
Legal Advice
Providing guidance on contractual and regulatory issues to minimise legal risks and navigate liability issues.
Threat Actor Engagement
Providing experts in ransom negotiation, sanctions checks, cryptocurrency settlements and tracing.
Crisis PR Advice
Supporting potential or actual need for effective crisis communications and reputational risk management.
Systems Recovery
Expert advice and support to ensure critical systems and data are rapidly returned to business-as-usual.
A full-spectrum, end-to-end service from a single provider
Contact the CyberCare team
If you would prefer to speak to the team, give us a call:
UK/Europe: +44-203-693-7480
Africa: +230-434-1277
USA: +1-703-232-9015
Your contact details will only be used in connection with this enquiry. Please read our Privacy Policy.