CyberCare by STORM Guidance
We respond to any cyber or fraud incident

The typical response to a ransomware & extortion incident covers:
- Surveillance and targeting incl. threat intelligence
- Initial event alerting & rapid triage
- Initial response
- First responder activation
- Network attack & intrusion detection

- Crisis team activation; strategy and operations
- Insurer engagement (where applicable)

- Secure comms & record-keeping

- Response techniques: parallel working, expert engagement, conflict & trauma management
- Containment and eradication activities
- Security response incl. pen testing, lockdown, segregation/quarantine
- Digital Investigation incl. evidence preservation, forensics, malware analysis, root cause analysis

- Data breach considerations incl. legal, regulatory and corporate communications response
- Confidentiality and privilege
- Regulatory compliance analysis
- Contract review
- Law enforcement interaction

- Data decryption activities
- Threat actor group identification and profiling
- Threat Actor Engagement (TAE)
- Benefits and risk briefing
- Ransom negotiation
- Sanctions checks
- Ransom settlement
- Ransom payment tracing

- Impact identification and risk management
- Third-party and stakeholder engagement
- Systems and data recovery activities
- Data mining and consequent notifications
- Data leak monitoring
- Reporting
- Internally, third-party assurance

- Follow-up
- Best-practice remediation

The typical response to a data breach & extortion incident covers:
- Surveillance and targeting incl. threat intelligence
- Initial event alerting & rapid triage
- Initial response
- First responder activation
- Mailbox attack & intrusion detection

- Crisis team activation; strategy and operations
- Insurer engagement (where applicable)

- Secure comms & record-keeping

- Response techniques: fraud loss reduction, expert engagement, conflict & trauma management
- Containment and eradication techniques
- Security response incl. configuration review, pen testing, lockdown, segregation/quarantine
- Digital Investigation incl. evidence preservation, forensics, malware analysis, root cause analysis

- Data breach considerations incl. legal, regulatory and corporate communications response
- Confidentiality and privilege
- Regulatory compliance analysis
- Contract review
- Law enforcement interaction

- Data exfiltration techniques
- Threat actor group identification and profiling
- Threat Actor Engagement (TAE)
- Benefits and risk consideration
- Ransom negotiation
- Sanctions checks
- Ransom settlement

- Ransom payment tracing
- Impact identification and risk management
- Third-party and stakeholder engagement
- Data mining and consequent notifications
- Data leak monitoring
- Reporting
- Internally, third-party assurance

- Follow-up
- Best-practice remediation

The typical response to a BEC incident covers:
- Surveillance and targeting incl. threat intelligence
- Initial event alerting & rapid triage
- Initial response
- First responder activation
- Mailbox attack & intrusion detection

- Crisis team activation; strategy and operations
- Insurer engagement (where applicable)

- Secure comms & record-keeping
- Response techniques: parallel working, expert engagement, conflict & trauma management
- Containment and eradication techniques
- Security response incl. pen testing/policy review, lockdown, segregation/quarantine
- Digital Investigation incl. evidence preservation, log analysis, root cause analysis

- Fraud response; investigation, tracing and recovery
- Threat actor group identification and profiling
- Criminal fraud, insider threat

- Data breach considerations incl. legal, regulatory and corporate communications response
- Confidentiality and privilege
- Regulatory compliance analysis
- Contract review
- Law enforcement interaction

- Data exfiltration techniques
- Impact identification and risk management
- Third-party and stakeholder engagement
- Data mining and consequent notifications
- Data leak monitoring
- Reporting
- Internally, third-party assurance

- Follow-up
- Best-practice remediation

The typical TAE assignment covers:
- Response techniques: due diligence, expert engagement, conflict & trauma management
- Legal, regulatory and corporate communications response
- Confidentiality and privilege
- Regulatory compliance analysis
- Contract review
- Law enforcement interaction

- Impact identification and risk management
- Worst-case and fall-back planning

- Threat actor group identification and profiling
- Known techniques

- Threat Actor Engagement
- Benefits and risk consideration
- Operational Security (OpSec) techniques
- Ransom negotiation
- Strategic briefing
- Key objective setting
- Internal comms feedback cycle
- Decision-making (hierarchy, confirmation)

- Sanctions checks
- Ransom settlement
- Cryptocurrency acquisition
- Payment execution

- Ransom payment tracing

- Third-party and stakeholder engagement
- Data leak monitoring
- Reporting
- Internally, third-party assurance

- Follow-up
- Best-practice remediation

The typical response to a website defacement, doxing and disinformation incident covers:
- Surveillance and targeting incl. threat intelligence
- Initial event alerting & rapid triage
- Initial response
- First responder activation
- Network attack & intrusion detection

- Crisis team activation; strategy and operations
- Insurer engagement (where applicable)

- Secure comms & record-keeping

- Response techniques: parallel working, expert engagement, conflict management
- Containment and eradication techniques
- Security response incl. pen testing, lockdown, segregation/quarantine, load balancing
- Digital Investigation incl. evidence preservation, forensics, malware analysis, root cause analysis

- Threat actor group identification and profiling
- Individual or group, criminal extortion, hacktivism, insider threat

- Reputational considerations:
  - Impact identification and risk management
  - Legal, regulatory obligations incl. data protection
  - Corporate communications response incl. notifications

- Third-party and stakeholder engagement
- Data recovery techniques
- Downstream monitoring
- Reporting
- Internally, third-party assurance

- Follow-up
- Best-practice remediation

The typical response to a technology-related fraud incident covers:
- Surveillance and targeting incl. threat intelligence
- Initial event alerting & rapid triage
- Initial response
- First responder activation
- Internal fraud team

- Crisis team activation; strategy and operations
- Insurer engagement (where applicable)

- Secure comms & record-keeping

- Response techniques: expert engagement, conflict & trauma management
- Containment and eradication techniques
- Security response incl. technology & procedure review, lockdown
- Digital Investigation incl. evidence preservation, log analysis, root cause analysis

- Fraud response
- Best-practice techniques; investigation, tracing and loss recovery
- Interaction with:
  - Fraud victim entities (individuals or corporates)
  - Transaction intermediaries e.g. banks

- Impact identification and risk management
- Threat actor group identification and profiling
- Criminal fraudsters (opportunists/organised), insider threat & collusion

- Legal, regulatory and corporate communications response
- Confidentiality and privilege
- Regulatory compliance analysis
- Contract review
- Law enforcement interaction

- Third-party and stakeholder engagement
- Reporting
- Internally, third-party assurance

- Follow-up
- Best-practice remediation

The typical response to a denial of service attack covers:
- Surveillance and targeting incl. threat intelligence
- Initial event alerting & rapid triage
- Initial response
- First responder activation
- Network attack & intrusion detection

- Crisis team activation; strategy and operations
- Insurer engagement (where applicable)

- Secure comms & record-keeping

- Response techniques: parallel working, expert engagement, conflict & trauma management
- Impact identification and risk management
- Containment and eradication techniques
- Security response incl. pen testing, lockdown, segregation, load balancing/high availability
- Digital Investigation incl. evidence preservation, forensics, root cause analysis

- Outage management considerations incl. legal, regulatory and corporate communications response
- Contractual and regulatory obligations incl. SLA
- Confidentiality and privilege
- Law enforcement interaction

- Third-party and stakeholder engagement incl. notifications
- Extortion considerations
- Threat actor group identification
- Threat Actor Engagement (TAE)
- Benefits and risk consideration
- Ransom negotiation
- Sanctions checks
- Ransom settlement
- Ransom payment tracing

- System recovery techniques
- Uptime monitoring
- Reporting
- Internally, third-party assurance

- Follow-up
- Best-practice remediation

The typical response to an insider misuse incident covers:
- Detection and Identification:
  - Utilising monitoring tools and systems to receive alerts of, and confirm, unusual or unauthorised activity that may indicate insider misuse
  - Checking the integrity of alerts that are received from co-workers or other parties
  - Performing an initial assessment to confirm the incident and understand its scope and impact

- Containment:
  - Taking immediate steps to contain the misuse and prevent further damage
  - Taking initial steps to recover any stolen funds, data or other assets
  - Ensuring that all digital evidence is preserved in a forensically sound manner for further investigation and potential legal action

- Investigation:
  - Conducting a thorough internal investigation to understand the nature of the misuse, how it occurred, and the extent of the damage
  - Interviewing the insider and/or other witnesses, reviewing logs, and analysing affected systems
  - Working closely with legal and human resources departments to ensure the investigation complies with legal and organisational policies

- Eradication:
  - Identifying and addressing any vulnerabilities or security weaknesses that enabled the misuse; this may involve updating security policies, patching systems, and enhancing access controls
  - Providing training and education to staff to prevent future incidents and reinforce the importance of following security protocols

- Recovery:
  - Restoring affected systems and data to their normal operational state, ensuring they are free from any malicious changes made by the insider
  - Verifying that all systems and data have been securely restored and that no further misuse is occurring
  - Continuing activities to recover any stolen funds, data or other assets

- Communication:
  - Keeping relevant internal stakeholders informed about the incident, the response actions taken, and the outcomes of the investigation
  - If necessary, communicating with external parties such as customers, partners, and regulatory bodies, ensuring that any communication is clear, accurate, and compliant with legal requirements

- Reporting:
  - Internally, compliance and third-party assurance

- Post-Incident Review:
  - Conducting a post-incident review to analyse the response and identify lessons learned
  - Updating security policies, incident response plans, and procedures based on the investigation findings

- Follow-Up Actions:
  - Taking appropriate disciplinary actions against the insider involved in the misuse, following organisational policies and legal guidelines
  - Enhancing monitoring and auditing capabilities to detect and prevent future insider misuse incidents

The typical response to a malware & network intrusion incl. APT attack covers:
- Surveillance and targeting incl. threat intelligence
- Initial event alerting & rapid triage
- Initial response
- First responder activation
- Network attack & intrusion detection

- Crisis team activation; strategy and operations
- Insurer engagement (where applicable)

- Secure comms & record-keeping
- Response techniques: parallel working, expert engagement, conflict & trauma management
- Impact identification and risk management incl. MITRE ATT&CK analysis
- Containment and eradication techniques
- Security response incl. pen testing, lockdown, segregation/quarantine, EDR deployment, honeypots
- Digital Investigation incl. evidence preservation, forensics, root cause, log and network traffic analysis

- Legal, regulatory and corporate communications response
- Contractual and regulatory obligations incl. reporting
- Confidentiality and privilege
- Law enforcement interaction

- Third-party and stakeholder engagement incl. notifications
- System recovery techniques
- Network and breach monitoring
- Reporting
- Internally, third-party assurance

- Follow-up
- Best-practice remediation

The typical response to an OT and/or ICS attack covers:
- Surveillance and targeting incl. threat intelligence
- Initial event alerting & rapid triage
- Initial response
- First responder activation
- Network attack & intrusion detection

- Crisis team activation; strategy and operations
- Insurer engagement (where applicable)

- Secure comms & record-keeping
- Response techniques: parallel working, expert engagement, conflict & trauma management
- Impact identification and risk management
- Containment and eradication techniques
- Security response incl. pen testing, lockdown, segregation/quarantine/air-gapping, EDR deployment
- Digital Investigation incl. evidence preservation, forensics, root cause, log and network traffic analysis

- Outage management considerations incl. legal, regulatory and corporate communications response
- Contractual and regulatory obligations incl. SLA
- Confidentiality and privilege
- Law enforcement/CNI regulatory interaction

- Third-party and stakeholder engagement incl. notifications
- System recovery techniques
- Network and breach monitoring
- Reporting
- Internally, third-party assurance

- Follow-up
- Best-practice remediation

The typical response to a physical technology and information theft incident covers:
- Initial event alerting & rapid triage
- Initial response
- First responder activation
- Device and information loss identification, physical intrusion detection

- Crisis team activation; strategy and operations
- Insurer engagement (where applicable)

- Secure comms & record-keeping

- Response techniques: alternate working, expert engagement, conflict & trauma management
- Containment and eradication techniques
- Security response incl. remote device disabling and data destruction
- Digital Investigation incl. breached data analysis & data mining

- Impact identification and risk management
- Data breach considerations incl. legal, regulatory and corporate communications response
- Confidentiality and privilege
- Regulatory compliance analysis
- Law enforcement interaction

- Asset recovery techniques
- Potential extortion considerations
- Third-party and stakeholder engagement and consequent notifications
- Data leak monitoring
- Reporting
- Internally, third-party assurance

- Follow-up
- Best-practice remediation

The typical response to a natural disaster and consequent information systems outage incident covers:
- Covering storm, flood, fire, pandemic and utilities failure
- Business continuity plans and systems reliance
- Initial event alerting & rapid triage
- Initial response
- First responder activation
- Network and services outage detection

- Crisis team activation; strategy and operations
- Government guidance
- Insurer engagement (where applicable)

- Alternative secure comms & record-keeping

- Response techniques: alternative working, expert engagement, conflict and trauma management
- Containment and eradication techniques
- Security response incl. secure configuration, WFH, segregation & quarantine, capacity management
- Disaster recovery

- Reputational considerations:
  - Impact identification and risk management
  - Legal, regulatory obligations incl. data protection
  - Corporate communications response incl. notifications

- Third-party and stakeholder engagement
- Downstream monitoring
- Reporting
- Internally, third-party assurance

- Follow-up
- Best-practice remediation

How We Handle Cyber and Fraud Incidents
Understanding the wide range of cyber threats and fraud your organisation may face is the first step in protecting against them. Each incident requires a precise and informed response to minimise damage and restore normal operations.
Navigate the various types of cyber or fraud incidents and see the typical response to each. From our initial assessment to comprehensive recovery efforts, you'll see how our expertise and strategies are applied to effectively manage and resolve these challenges.

Contact the CyberCare team
If you would prefer to speak to the team, give us a call:
London: +44-203-693-7480
Mauritius: +230-434-1277
New York: +1-703-232-9015