
CyberCare by STORM Guidance

NCSC Assured cyber incident response

Are you experiencing a cyber incident?

Speak to our emergency cyber response team now:

National Cyber Security Centre (NCSC) CIR L2 Assured Service Provider

Responding to a Cybersecurity Incident

When a cybersecurity incident strikes, swift and coordinated action is crucial to managing its impact on the organisation. Immediate efforts focus on enhancing the efficiency of the response, with digital investigations uncovering the root cause and extent of the breach.

Legal experts provide guidance on navigating contractual and regulatory obligations, minimising legal risks. If ransom demands arise, skilled negotiators engage with threat actors, handling sanctions checks and cryptocurrency transactions. Crisis communications are managed to protect the organisation's reputation, while systems recovery specialists work to quickly restore critical operations, minimising disruption and ensuring a return to business as usual.


Notification Support & ID Protection

  • Credit Monitoring services

  • Fraud detection and prevention

  • Surge Notification (helpline) Support

  • Dark web monitoring of breached data

  • Credit Monitoring:

    • Providing real-time or near-real-time alerts for any changes or activities on an individual’s credit report

    • Ensuring that credit reports are monitored continuously to promptly detect any suspicious activity

    • Offering individuals regular access to their credit reports

    • Providing at least one free credit report annually


    Identity Theft Protection and Restoration:

    • Helping individuals place fraud alerts on their credit files.

    • Assisting individuals in placing credit freezes on their credit files

    • Offering identity theft insurance

    • Identity theft specialist hotline


    Education and Resources:

    • Guidance for affected individuals on best practices for detecting and avoiding identity theft


    Surge Notification Support

    • Providing access to customer support for individuals to ask questions, report issues, and get assistance with monitoring services


    Dark Web Monitoring:

    • Monitoring a wide range of dark web forums, marketplaces, and other underground sites where stolen data is traded or posted

    • Using automated tools and technologies to continuously crawl and collect data from these sources, ensuring comprehensive coverage and timely detection

    • Correlating the collected data with the compromised data and alerting when matches are found

    • Analysing the severity and potential impact of the discovered data on the dark web

    • Providing contextual information about the data breach and the dark web sources

    • Offering actionable insights and recommendations for mitigating the risks associated with the exposed data

    • Generating detailed reports on dark web findings, including the type of data exposed, the sources, and the potential risks

    • Keeping relevant stakeholders informed about the findings and the steps being taken to mitigate the risks


Trauma Counselling

  • Fully confidential one-to-one service

  • Support for insured staff including (but not limited to):

    • Executives & founders

    • Deceived victims

    • IT staff and first responders

  • Supporting insured client staff, including executive and operational team members, victims of deception etc.


    Emotional Support

    • Validation of feelings

    • Empathy and understanding


    Coping Strategies

    • Stress management

    • Healthy coping mechanisms


    Rebuilding trust post-incident

    • Restoring faith in others

    • Setting boundaries


    Dealing with Guilt and Shame

    • Self-compassion

    • Challenging negative beliefs


    Processing Trauma

    • Narrative therapy

    • Trauma-Focused Cognitive Behavioural Therapy (TF-CBT)


    Building Resilience

    • Strengthening inner resources

    • Empowerment


    Practical Guidance

    • Safety planning: helping to face future incidents


    Long-Term Resilience

    • Ongoing support

    • Monitoring progress


Breached Data Mining

  • Rapid, AI-driven searches for sensitive PII and other important data

  • Actionable results in a fraction of the time and cost of typical e-discovery data mining

  • Allows formulation of notification strategy

  • Output straight into any required notification activity

  • Our rapid data mining solution, CyberDiscover, significantly reduces the time and costs of data mining activities

    AI-powered search technology developed from deep cyber investigation and e-discovery experience


    Processing and analysis occurs in-jurisdiction


    Performance tuned to minimise both false positives and false negatives


    Analysis of all files, messages etc. within the provided mailboxes, files/folders, databases and other sources


    Includes OCR and subsequent analysis of machine-readable text


    Protects PII by reporting only statistical results


    Credits for post-review enquiries are included in the service


    Produces a report describing the analysed dataset in terms of:

    • Types: The types of PII that have been found

    • Values: The number of unique values that have been found

    • Items: How many items the PII type has been found in

    • Hits: The number of occurrences of all the PII values that have been found

    • Value concentration: How evenly distributed the PII values are across the hits

      • High concentration is when many hits occur across a relatively small number of values

    • Hits concentration: The distribution of the hits across the items where they have occurred

      • High concentration is when many hits occur across a relatively small number of the items

    • Spread: The percentage of items across the entire dataset that contain PII of each discovered type


    Reports enable insured clients and their legal advisors to formulate the regulatory and third-party notification strategy


    Secure destruction of all PII post-analysis
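As an added worked example (not CyberDiscover's or STORM's own code), the statistics listed above computed over a small constructed mailbox in Python. The detectors, the item names and the use of the Herfindahl-Hirschman index as the concentration score are assumptions, since the page does not define how concentration is measured; only counts leave the function, matching the "statistical results only" principle.

```python
import re
from collections import Counter

# Constructed sample items (mailbox messages), for illustration only.
ITEMS = {
    "msg-001": "Contact jane.doe@example.com, or jane.doe@example.com if urgent.",
    "msg-002": "From bob@example.org to jane.doe@example.com, call 01234 567890.",
    "msg-003": "Meeting note: no personal data in this one.",
    "msg-004": "Switchboard 01234 567890, out of hours 09876 543210.",
}

# Hypothetical detectors for two PII types. A production service uses far
# richer rules (plus OCR for images); two suffice to show the statistics.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_phone": re.compile(r"\b0\d{4} ?\d{6}\b"),
}


def hhi(counter):
    """Herfindahl-Hirschman index of a hit distribution (assumed measure, not
    defined on the page): 1.0 when all hits fall on one key, ~1/n when even."""
    total = sum(counter.values())
    if total == 0:
        return 0.0
    return sum((n / total) ** 2 for n in counter.values())


def mine(items, patterns=PII_PATTERNS):
    """Return per-type statistics only; matched PII values never leave here."""
    report = {}
    for ptype, pat in patterns.items():
        per_value = Counter()  # hits per distinct value
        per_item = Counter()   # hits per item (message, file, row, ...)
        for item_id, text in items.items():
            for m in pat.finditer(text):
                per_value[m.group(0).lower()] += 1
                per_item[item_id] += 1
        hits = sum(per_value.values())
        if hits == 0:
            continue  # type not found in this dataset: omit from the report
        report[ptype] = {
            "values": len(per_value),                      # unique values found
            "items": len(per_item),                        # items containing the type
            "hits": hits,                                  # total occurrences
            "value_concentration": round(hhi(per_value), 3),
            "hits_concentration": round(hhi(per_item), 3),
            "spread_pct": round(100.0 * len(per_item) / len(items), 1),
        }
    return report


if __name__ == "__main__":
    for ptype, row in mine(ITEMS).items():
        print(ptype, row)
```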


Crisis & PR Advice

  • Immediate PR comms strategy advice

    • Stakeholders, authorities, third-parties, press

  • Comms formulation support

    • Spoken, written, digital (formal & informal)

  • Notification advice

  • Brand protection advice

  • Immediate Response:

    • Assisting the insured to quickly acknowledge the incident to the public and stakeholders


    Initial Statement: 

    • Drafting a brief initial statement that acknowledges the incident and assures stakeholders that the situation is being handled


    Spokesperson Preparedness:

    • Identify and coach designated spokespersons who are authorised to speak on behalf of the insured


    Accuracy and Transparency:

    • Ensuring that all information released is accurate, avoids speculation and sticks to verified facts

    • Providing regular updates as the situation evolves


    Consistent Messaging:

    • Ensuring all communications are consistent across all channels

    • Using clear and jargon-less language to explain the incident


    Stakeholder Communication:

    • Internal - assisting the insured to keep employees, management, and board members informed

    • External - advising the insured in communications with customers, partners, investors, and regulatory bodies


    Media Management:

    • Helping the insured to engage with the media proactively and to control the narrative

    • Drafting press releases with key information and updates


    Social Media Engagement:

    • Monitoring social media channels for mentions and discussions about the incident. Advice on prompt response to misinformation and concerns

    • Advising on the use of social media platforms to communicate directly with the public, providing updates and addressing queries


    Empathy and Reassurance:

    • Reviewing the impact on affected parties and expressions of empathy

    • Advising on reassurance of stakeholders


    Legal and Regulatory Compliance:

    • Working with legal advisors to ensure that all public statements and communications comply with legal requirements

    • Supporting prompt communications with regulatory bodies


    Long-Term Reputation Management:

    • Conducting a post-incident review to identify areas for improvement

    • Assisting the insured to rebuild trust with stakeholders


    Documentation and Lessons Learned:

    • Keep detailed records of all communications and actions taken during the crisis


Threat Actor Engagement

  • Ransom Negotiation

  • Sanctions Checks

  • Ransom Settlement

  • Payment tracing

  • Law enforcement interaction (where required)

  • The CCE Threat Actor Engagement (TAE) service includes:

    Response techniques: due diligence, expert engagement, conflict & trauma management


    Legal, regulatory and corporate communications response

    • Confidentiality and privilege

    • Regulatory compliance analysis

    • Contract review

    • Law enforcement interaction


    Impact identification and risk management

    • Worst-case and fall-back planning


    Threat actor group identification and profiling

    • Known techniques


    Threat actor Engagement

    • Benefits and risk consideration

    • Operational Security (OpSec) techniques


    Ransom negotiation

    • Strategic briefing

    • Key objective setting

    • Internal comms feedback cycle

    • Decision-making (hierarchy, confirmation)


    Sanctions checks


    Ransom settlement

    • Cryptocurrency acquisition

    • Payment execution


    Ransom payment tracing

    • Third-party and stakeholder engagement

    • Data leak monitoring


    Reporting

    • Internal reporting and third-party assurance


    Follow-up

    • Best-practice remediation


Legal Advice

  • Legal and regulatory situational advice

  • Payment recovery support

  • Data mining support

  • Notification strategy support

  • Contract analysis (AI-assisted)

  • Our rapid contracts review service significantly reduces the time and costs of contract review activities.

    Includes AI-powered search technology developed from deep cyber investigation and e-discovery experience, and OCR & subsequent analysis of machine-readable text


    Increased efficiency and speed

    • Reviewing and comparing contracts much faster than human reviewers, reducing the time needed to process documents, apply rules and identify discrepancies or anomalies

    • Ensuring a consistent review process, applying the same criteria to every contract

    • Freeing up the CCE Legal specialists for more complex and strategic advice


    Improved risk management

    • Identifying potential risks, such as unfavourable terms or clauses, by analysing contract language and comparing it to a database of known risks

    • Identifying contractual obligations to comply with relevant laws, regulations, and organisational policies


    Better insights and decision making

    • Data Analysis: analysing large volumes of contract data to identify trends, patterns, and insights that can inform decision-making

    • Predictive Analytics: predicting potential outcomes based on historical data, helping insured clients to make more informed decisions


    Notification strategy

    • Reports enable insured clients and their legal advisors to formulate the regulatory and third-party notification strategy

    Secure destruction of all contracts post-analysis


IT Systems Recovery

  • Systems & data migration & isolation

  • Verification of systems integrity

  • Systems and data restoration

  • Network security and systems hardening

  • Testing & validation

  • Providing advice and guidance to help the insured with the following:


    Containment Verification:

    • Verifying that the threat has been contained and that no further malicious activities are ongoing before beginning recovery


    System Integrity:

    • Ensuring that all affected systems are free of malware or other malicious artefacts

    • Using clean, verified backups or system images for restoration


    Data Restoration:

    • Verifying integrity & completeness of backups before restoring data

    • Prioritising the restoration of critical systems and data to resume essential business operations first


    Security Patches and Updates:

    • Ensuring all systems are up-to-date with the latest security patches and updates to fix vulnerabilities exploited during the incident

    • Updating all software, including operating systems and applications, to their latest versions


    Network Security:

    • Implementing or verifying network segmentation to limit the spread of any future incidents

    • Reassessing and tightening access controls, ensuring that only authorised personnel have access to critical systems


    System Hardening:

    • Reviewing and hardening system configurations in line with best practice

    • Disabling unnecessary services and ports


    Monitoring and Detection:

    • Increasing monitoring of restored systems for anomalous activity


    Logging:

    • Ensuring comprehensive logging is enabled to facilitate future incident detection and response


    Communication:

    • Keeping all relevant stakeholders informed about the recovery process, timelines, and any potential impact on operations


    Testing and Validation:

    • Testing restored systems to ensure they function correctly & securely

    • Conducting user acceptance testing to verify that systems meet business requirements and perform as expected


    Documentation:

    • Documenting the entire recovery process, including steps taken, decisions made, and any issues encountered


    Lessons Learned and Improvement:

    • Conducting a post-incident review to analyse the response and recovery efforts, identifying areas for improvement

    • Updating incident response plans, security policies, and training programs based on lessons learned


Digital Investigations

  • DFIR tool deployment (EDR etc.)

  • Digital Forensics

  • AI-assisted log and malware analysis

  • Threat Intelligence

  • Attack-surface analysis & pen testing

  • Preparation:

    • Assimilation: reviewing the insured's technology, people and processes, including existing IR plans and playbooks


    Identification:

    • Evidence Preservation: Ensuring that all evidence is collected and preserved in a manner that maintains its integrity for potential legal proceedings

    • Detecting Anomalies: Using monitoring tools to detect unusual activities that could indicate a cyber incident

    • Analysing Alerts: Reviewing alerts from security information and event management (SIEM) systems and other detection tools

    • Initial Triage: Performing an initial assessment to determine the scope and impact of the incident

    • Root Cause Analysis: Conducting a thorough analysis to understand the root cause and contributing factors of the incident


    Containment:

    • Short-Term: Taking immediate actions to prevent further damage, such as deploying EDR

    • Long-Term: Implementing temporary fixes to allow business operations to continue while a more thorough investigation is conducted


    Eradication:

    • Removing Malware: Identifying and removing malware or other malicious artefacts from affected systems

    • Identifying Root Cause: Investigating the origin of the attack to prevent recurrence

    • Patch Management: Applying patches to vulnerabilities exploited during the incident


    Investigation:

    • Forensic Analysis: Collecting and analysing digital evidence to understand the nature and scope of the incident

    • Log Review: Using AI to analyse logs from various systems to trace attacker actions

    • Timeline Reconstruction: Creating a timeline of events to understand the sequence of actions taken by the attacker


    Communication:

    • Internal Reporting: Keeping relevant stakeholders informed about the status and impact of the incident

    • External Communication: Coordinating with external parties, such as stakeholders, regulatory bodies, law enforcement and insurers


    Documentation:

    • Incident Documentation: Documenting all actions taken during the response process for legal, compliance, and learning purposes


    Post-Incident Review:

    • Lessons Learned: Identifying lessons learned to improve future incident response efforts

    • Recommendations: Providing recommendations for improving security posture and preventing future incidents


Incident Operations Coordination

  • Secure Comms

  • Insured client & CCE team meeting facilitation

  • Strategic and operational response coordination

  • Insurer claims teams interaction (retention etc.)

  • Record keeping and reporting

  • The CCE Incident Operations Coordinator (IOC) and assigned Case Lead will undertake the following:


    Incident Command Structure:

    • Introducing the insured's team to the CCE incident response team with clear roles and responsibilities

    • Establishing communications and authorisations with any relevant third-parties such as MSPs, IT support staff and other vendors

    • Maintaining a clear chain of command to ensure decisions are made quickly and effectively


    Communication and Coordination:

    • Use a secure communications platform to keep all team members informed and coordinated

    • Provide regular updates to all stakeholders, including internal teams, management, and external parties as necessary


    Documentation:

    • Maintain detailed documentation of all actions taken, decisions made, and communications exchanged during the incident


    Initial Assessment and Triage:

    • Quickly assess the scope and impact of the incident to prioritise response actions

    • Allocate resources based on the severity and urgency of different aspects of the incident


    Investigations and Recovery Support:

    • Maintaining evidential exhibit chain-of-custody records

    • Arranging secure transportation and storage of evidential exhibits

    • Delivery and deployment of equipment to support investigations and recovery activities


    Containment Strategies:

    • Immediate Actions: Implement short-term containment measures to prevent further damage

    • Long-Term Containment: Develop and implement long-term containment strategies to stabilise the situation


    Coordination with External Entities:

    • Coordinate with law enforcement agencies where specifically requested and authorised by the insured

    • Communicate with relevant regulatory bodies where specifically requested and authorised by the insured


    Internal and External Communication:

    • Assist the insured to keep internal and external stakeholders informed about the incident status and response efforts

    • Coordinate with the PR team to manage external communications and media relations


    Business Continuity and Recovery:

    • Assist the insured to activate applicable business continuity plans

    • Advise the insured to prioritise and restore critical systems and data to resume normal operations


    Post-Incident Activities:

    • Facilitate a post-incident review to evaluate the response and identify areas for improvement


CyberCare First Response

  • 24 hour hotline

  • Rapid incident triage

  • Immediate CCE team initiation (DFIR, Legal etc.)

  • Insurer claims handler advisory

  • Accessibility:

    • Ensuring our hotline is available 24/7 to handle incidents at any time

    • Multiple channels provide a range of ways to access the hotline, such as phone, email, chat, and a dedicated web portal


    Clear Communication:

    • Using a dedicated phone line or contact point specifically for cyber incident reporting


    Language Support:

    • Offering support in multiple languages where insureds are located internationally


    Trained Personnel:

    • Staffing the hotline with trained first responders who can provide immediate guidance and support


    Standard Operating Procedures (SOPs):

    • Using proven SOPs for triaging and categorising incidents based on severity and impact

    • Operating escalation protocols for different types of incidents


    Information Gathering:

    • Using standard forms to collect all necessary information about the incident, including time, nature of the incident, affected systems, and any initial actions taken.


    Immediate Actions:

    • Providing immediate guidance on containment measures and next steps

    • Offering a checklist of first steps to be taken by the insured to contain the impact of the incident and preserve evidence for investigation

    • Initiating the C3 CIR process and assigning cases to the Incident Operations Coordinator (IOC)


    Documentation and Tracking:

    • Logging all incident reports and actions taken in a centralised incident management system

    • Operating a tracking system to monitor the status and progress of incident responses


    Communication with Stakeholders:

    • Facilitating initial calls with necessary insured points of contact, including IT, legal, and management teams


    Confidentiality and Data Protection:

    • Ensuring that all information shared through the hotline is kept confidential and handled in compliance with data protection regulations

    • Using secure communication channels to prevent further compromise.

The 'Golden Hour' cyber response process

We respond to any cyber or fraud incident, globally

The team at STORM have considerable experience across the field.

Learn more about some of the more common incident types we respond to.


Coordination Support

Enhancing the effectiveness and efficiency of how an organisation responds to and manages cybersecurity incidents.


Digital Investigations

Delivering specialists in computer forensics, log and malware analysis, penetration testing and data mining.


Legal Advice

Providing guidance on contractual and regulatory issues to minimise legal risks and navigate liability issues.


Threat Actor Engagement

Providing experts in ransom negotiation, sanctions checks, cryptocurrency settlements and tracing.


Crisis PR Advice

Supporting potential or actual need for effective crisis communications and reputational risk management.


Systems Recovery

Expert advice and support to ensure critical systems and data are rapidly returned to business-as-usual.

A full-spectrum, end-to-end service from a single provider

Contact the CyberCare team

If you would prefer to speak to the team, give us a call:

UK/Europe: +44-203-693-7480

Africa: +230-434-1277

USA: +1-703-232-9015

Your contact details will only be used in connection with this enquiry. Please read our Privacy Policy.
