With the rise of cyber-attacks in a fluid threat landscape an organization must quickly respond and be prepared to act on all threats. The ability to quickly respond to a security incident is crucial for limiting the impact of the attack, minimizing reputational damages and legal consequences.
In many cases, the damage from a cyber related incident is increased due to delays and mistakes in incident handling. Incident response is a highly specialized field that requires staffing by specialists who are engaged full-time in this area. It is likely to not be as successful when staffed by employees who only perform incident response tasks on an ad hoc basis. As a result, many organizations do not employ their own internal incident response team, but rather contract with external providers such as NTT.
NTT provides Incident Response (IR) Retainer services to assist organizations to effectively respond and rapidly remediate in the event of an incident. The NTT IR Team is experienced in handling incidents across various business verticals and provides a valuable resource to clients. The retainer service is offered as an add-on to NTT's Samurai MDR service and also as a standalone offering.
2. Samurai Incident Response
2.1 Service Features
The Samurai Incident Response (IR) Retainer provides incident management, containment, and root cause analysis support to assist with mitigation of incidents. The NTT IR team consists of experienced Security Analysts in the NTT Security Operations Centre (SOC) and Incident Response consultancy experts, and is delivered through the Samurai platform.
The Incident response offering provides a set of components which can provide the Client with:
- On call 24/7/365 response to incidents
- Incident lead and incident management
- Root cause analysis, containment, and eradication
- Rapid remote deployment of IR tools
- Integration with NTT’s Global Threat Intelligence Center (GTIC)
- Close collaboration with client teams
- Decades of experience in Security Monitoring and IR subjects
- Support during extended incidents
- Malware and threat behavior analysis
- Advanced Network Analysis Tools
These service components are not an exhaustive list and are provided as required during the engagement.
The IR retainer is based on an annual entitlement of 40 hours, which can be increased by the client through the purchase of additional retainer blocks of hours.
2.1.1 Incident lead and incident management
The NTT IR team will support the client by providing both hands-on and high-level incident lead and incident management, steering both NTT, client, and other involved 3rd party resources towards a common goal by assigning and prioritizing tasks, organizing meetings, risk evaluation and prioritization, damage evaluation, as well as providing stakeholder updates.
The NTT IR team will work together with the client to align reporting cadence, timelines, and updates in accordance with client requirements.
2.1.2 Root cause analysis, containment and eradication
The NTT IR team will support the incident investigation to understand the who, what, when, where, why and how of an attack. This includes:
- Review and analysis of client provided log, network, and endpoint telemetry.
- Assess the flow and history of incidents in the client’s environment to evaluate potentially related issues, campaigns, and persistence.
- Threat Intelligence, Open-Source Intelligence (OSINT), and closed source correlation.
- Providing insight and best practice guidelines on how to limit potential damage of an incident.
- Providing client’s security staff guidance on how to handle and execute the eradication process. This will be positioned from a governance approach and will guide the client’s internal security staff.
- Evaluating the possible recovery options and provide guidance to client security staff to restore affected systems from a backup or re-image the systems from a clean gold image, if applicable.
2.1.3 Rapid remote deployment of IR tools
Where the client does not have Endpoint Detection and Response (EDR) agents or a similar capability in place, NTT will work with the client to deploy EDR tools. The EDR tooling can be integrated with Samurai and will be available to the client during the incident response engagement.
On completion of the incident response engagement, the client will have the option to purchase the EDR tooling and retain this tooling in the client environment. If the client decides not to purchase EDR tooling used by NTT for the purpose of incident response, it must be removed at the end of the incident response engagement.
2.1.4 Integration with NTT's Global Threat Intelligence Center (GTIC)
Through the NTT Incident response service, clients benefit from extensive Threat Intelligence both curated and produced by Threat Intelligence researchers in NTT’s Global Threat Intelligence Centre (GTIC) via Samurai.
2.1.5 Highly collaborative with client teams
The management of an investigation is just as important as the technical and investigative skills brought to bear during an incident. NTT IR team will work closely with the client team to provide detailed and structured status reports to communicate findings that will aid in making informed business decisions.
The frequency of status reports and interaction between NTT resources and client team will be adjusted to reflect the current requirements during the incident lifecycle.
2.1.6 Malware and threat behavior analysis
Malware is a name used for various malicious software variants, such as viruses, ransomware, spyware, etc. and is designed to infiltrate and damage computer environments and its data without knowledge of the user. Understanding malware and its behavior, is critical to an organization's ability to respond to incidents, derive threat intelligence and boost defenses. NTT offers the knowledge and experience on how to identify key aspects and characteristics of various malware types and to understand the extent of the potential damage.
All identified Indicators of Compromise (IoCs) related to the malware or threat are shared with the client’s security team as part of the engagement.
2.1.7 Advanced network analysis tool
At times NTT IR team may recommend the deployment of advanced networking analysis tools to assist with the identification and mitigation of an incident. NTT IR team will discuss this in detail prior to authorization of its use.
These tools can be used to support the detection of behaviors that make endpoints act maliciously or outside of their normal mode of operation. They can help determine what changes occurred during a malware outbreak so that proper remediation can be planned. The tools can also track lateral movement of malware and determine how widespread it is across the entire network.
2.2 Retainer information
The Samurai Incident Response offering is provided as a retainer and includes 40 hours per year. If the Client requires additional Incident Response beyond 40 hours per year, additional retainers of 40 hours can be purchased.
Retainer hours are consumed in 4-hour increments.
As part of NTT´s proactive engagement to enhance the Incident response teams ability to respond promptly and efficiently, NTT will meet with the client to establish knowledge about the client’s current setup, introduce the workflow of incident-response engagements, how the client can initialize incident engagements and open up for questions from both parties.
The following details will be collected during the introduction call:
- Client points of contact
- Contacts allowed to activate IR-service
- EDR coverage in environment
The collected details will create a foundation for successful incident handling and a more seamless collaboration. Once the onboarding meeting has taken place and the basic requirements, such as accesses and points of contact, are in place the Incident Response Retainer can be started.
The graphic below outlines the onboarding process:
4. Service activation
4.1 Incident response activation
If the cause for activation is an incident escalation from the MDR Service SOC, the customer should activate the IR-retainer directly via a request in the associated incident ticket within the Samurai Help Center.
The IR retainer may also be activated via a phone call to the Incident response on-call number which is provided during onboarding. The IR retainer can only be activated by an authorized list of individuals mandated by the client. This information is captured during the onboarding process but is naturally subject to change. Any changes to the authorization list must be communicated to the NTT IR team.
The IR retainer is activated via a phone call to the Incident response on-call number which is provided during onboarding. The IR retainer can only be activated by an authorized list of individuals mandated by the client. This information is captured during the onboarding process but is naturally subject to change. Any changes to the authorization list must be communicated to the NTT IR team.
4.2 Incident scoping call
Depending on the incident severity, magnitude, urgency and known context, the NTT IR team will initiate the engagement with a scoping call. During the call, NTT and the Client’s security team will work together as one team, to gain an understanding of the current situation and how to best proceed.
NTT will meet with the POC and designated Incident Response Team members to discuss the How, What, When and Where questions. Typical questions will include - How was the issue detected? Is there any evidence, data or logs related to the incident in Samurai? What other telemetry is available outside of Samurai? What steps have been taken? What does the environment look like, where are the egress and ingress points located?
Other discussion topics may include the gathering of additional evidence, such as providing audit log records or a network diagram showing what other devices on the network that the suspicious system has access to. The more telemetry available, the faster questions can be answered during an investigation. It is very critical for the client to document all actions taken on the suspected systems at the start of an incident. If incorrect or unknown steps are taken to clean up an infected system, block lateral movement or remediate other issues it may hinder or complicate response actions or root cause analysis at a later stage.
4.3 Engagement objectives
The NTT IR team will work together with the client POC at the time of the retainer activation to identify the immediate engagement objectives. As the incident lifecycle progresses and new evidence or information is discovered, the engagement objectives may be updated. The objectives may be to identify data loss, attack vectors or to recover from the incident and provide recommendations on actions to take to prevent the incident from repeating. NTT IR team can perform incident management, by providing remote support and coordinate with security staff to assist with incident mitigation, containment, eradication, recovery, and reporting.
The end delivery to the client will be a written report of our findings which includes:
- Executive Summary
- Timeline of Activity
- Summary of Findings
4.4 Engagement lifecycle
The figure below describes the process followed by the NTT Incident Response Team during engagements.
5. Service Provisions and Requirements
In order to ensure successful delivery of the Services, NTT and Client shall provide the following, as applicable.
- NTT personnel will maintain the statement of work, and track hours utilized against the retainer.
- Depending on the scope requested by the client, NTT will assign a Lead Incident manager to work with client’s main Point of Contact (POC) throughout the life of the engagement.
- NTT will assign an IR Manager to be available to client as an out-of-band resource for issue escalation.
- NTT will provide the client with ongoing status reports, as mutually defined in the project kick-off.
- If not otherwise stated above, upon completion of the Incident response engagement, NTT will provide client with a detailed report in PDF format, describing the actions performed, results and recommendations.
- Client will assign a main Point of Contact (POC) to work with NTT and will provide knowledgeable technical and administrative staff to assist NTT.
- As required, client will provide NTT with access to their network to perform Incident response services. If required client will also provide NTT with a list of areas considered "off limits".
- Client understands NTT is not responsible for loss of business incurred by Client (or third parties associated with client), due to the performance of Services.
- As applicable, client will provide NTT with electronic copies of any applicable policies (e.g., Security Policy, Acceptable Use, Policy, Incident Response Plan, Escalation Trees, etc.), procedures, previous audits or assessments, network diagrams, configurations, evidence, and any other relevant materials (Engagement Information) associated with the Services outlined in this SOW.
- Client explicitly understands Services may employ methods which could violate client’s policies. NTT will agree, together with the client on any actions which may violate said policies prior to taking the action.
- Client fully agrees that providing Engagement Information to NTT is not a violation of client’s policies and fully agrees not to instigate any type of prosecution against NTT, or NTT employees or third-party service providers, for the receipt and storage of such Engagement Information.
- If the in-scope environment for Services provided in this SOW is hosted by a third-party provider, client agrees to notify the third-party provider in advance of the initiation of services and client accepts the responsibility for complying with any provisions set forth by the third-party provider.
- Should this SOW be executed in a context where regulatory compliance, auditing, testing or assessment or other similar compliance advisory consulting services, for example under the PCI Data Security Standard or HIPAA Privacy, Security or Breach Notification Rules apply, client understands that NTT Incident response services do not constitute any guarantee or assurance that security of client’s systems, meets regulatory requirements. Furthermore, NTT is not responsible for updating its reports and assessments or inquiring as to the occurrence or absence of such in light of subsequent changes to client’s systems, networks and assets after the date of NTT´s final report absent a signed Statement of Work, or an amendment to a Statement of Work, expressly requiring the same.
- Client understands that failure to fulfil Service Requirements or provide required documentation/evidence on a timely basis can result in delay of Services or loss of contracted hours.
- If regulatory changes (e.g., changes by a regulatory agency, legislative body, or court of competent jurisdiction) require NTT to modify the Services described herein, client agrees in good faith to work with NTT to amend the scope of work accordingly.
- Upon initial client contact, NTT will respond within 2 hours.
- Client must enroll NTT IR personnel to its Samurai tenant as required.
- Client understands that NTT Incident Response services do not constitute any guarantee or assurance that security of client’s systems, networks and assets cannot be breached or are not at risk