Tools & Incident Response

Incident response capabilities are one of the backbones of a successful SOC. Without a repeatable IR procedure your environment may miss critical information that can assist with containment, legal action, or even protecting your critical data and assets. Network Defense Solutions, Inc. can assist with building out your capabilities for all major operating systems.

The biggest trouble spot within small SOC environments, and in many established SOC environments as well, is the role that IR (Incident Response) plays when investigating an impactful event to determine or dismiss criminal activity or intent. With the number of devices (mobile, endpoint, server, etc.) on the market, how does your company respond? Artifact collection can be tedious and repetitive for teams handling a multitude of alerts or events to prove or disprove malicious activity.

While most environments may have a grip on the incident response process, the one issue that remains across the broader spectrum of SOC environments is: how do we ensure the information collected is forensically sound? In many cases, it probably won't be. To add insult to injury, if the information is not collected in a specific manner and catalogued, it can also lead to evidence being thrown out in a court of competent jurisdiction. Worst possible scenario? Doubt is introduced on the prosecuting side, and your cyber insurance might not even cover the damages due to improper acquisition or preservation of incident or breach artifacts.

Network Defense Solutions, Inc. has developed a specific set of tools, utilities and applications that assist with incident artifact collection: processes, filesystem, startup items, downloads, etc., gathered by scripts and utilities that run on everything from Windows XP to current Windows 11 systems, as well as macOS and Linux. Each tool and utility suite is continually built out as features are added, extended or removed, and we keep abreast of changes in incident response so you don't have to. With tools ready to deploy, your analysts can focus on more pressing issues.

Most of our tools and processes take approximately 30 minutes on most systems (the more data a system holds, the longer it will take). However, the entire process is automated: gain access to the affected box, run the scripts and download the output files. Does your environment use Carbon Black, Falcon Strike or other EDR/XDR tools? Not a problem! So long as you can access the box, you can deploy the tools to gain additional analysis of the affected endpoint.
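The forensic-soundness concern raised above (collected output must be catalogued and tamper-evident, or it may not survive in court) can be addressed at the "download the output files" step with a hashed manifest. The following is an added illustration, not one of Network Defense Solutions' tools; the host name, collector identity and sample artifact files are constructed for the demo.

```python
import hashlib, json, os, tempfile
from datetime import datetime, timezone

def sha256_file(path, chunk=1 << 20):
    """Stream the file so large collector outputs never need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(output_dir, host, collector):
    """Catalogue every collected file: relative path, size, SHA-256, who collected it and when."""
    artifacts = []
    for root, _, files in sorted(os.walk(output_dir)):
        for name in sorted(files):
            full = os.path.join(root, name)
            artifacts.append({"path": os.path.relpath(full, output_dir).replace(os.sep, "/"),
                              "size": os.path.getsize(full), "sha256": sha256_file(full)})
    # Hash the sorted catalogue itself so the manifest is also tamper-evident.
    digest = hashlib.sha256(json.dumps(artifacts, sort_keys=True).encode()).hexdigest()
    return {"host": host, "collector": collector,
            "collected_utc": datetime.now(timezone.utc).isoformat(),
            "artifacts": artifacts, "manifest_sha256": digest}

def verify_manifest(output_dir, manifest):
    """Return relative paths whose current hash differs from the manifest (empty list = intact)."""
    changed = []
    for a in manifest["artifacts"]:
        full = os.path.join(output_dir, *a["path"].split("/"))
        if not os.path.isfile(full) or sha256_file(full) != a["sha256"]:
            changed.append(a["path"])
    return changed

def demo():
    """Constructed sample: two fake collector outputs, one of which is altered after collection."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "processes"))
        with open(os.path.join(d, "processes", "pslist.txt"), "w") as f:
            f.write("PID 4 System\nPID 512 svchost.exe\n")      # constructed output
        with open(os.path.join(d, "startup.txt"), "w") as f:
            f.write("HKLM Run: OneDrive\n")                      # constructed output
        m = build_manifest(d, host="WS-EXAMPLE-01", collector="analyst@example.test")
        before = verify_manifest(d, m)                           # expected: []
        with open(os.path.join(d, "startup.txt"), "a") as f:
            f.write("edited after acquisition\n")
        after = verify_manifest(d, m)                            # expected: ["startup.txt"]
        return m, before, after
```

Writing the manifest alongside the output (and ideally signing or escrowing its `manifest_sha256` out of band) gives the investigator a chain-of-custody record that can be re-verified at any later point.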

  • Historical Information

    Any notable past incidents or processes worth a mention? Did the outcome go the way you intended? We will do our best to identify the incidents and events that required immediate attention, and the attention to detail that may have been compromised. From these events and incidents we can better design tools to help your environment and security process respond to adversary activities.

  • Environment Scoping

    We collect information about your environment to determine which tools and utilities would be best for you. Are you a Windows shop? Or are you a mixed environment of Linux, Windows and macOS? Not a problem. We can provide you with the tools you need for each operating system, stored in a location of your choosing within your environment. We keep the tools updated; all you have to do is deploy them.

  • Collection

    Are some features you need missing, or too intrusive for a forensic investigation? Not a problem; we can tailor the tools to your environment as you see fit. A multitude of artifacts can be collected or omitted based on your needs and investigation style. Whether you are working in a low-bandwidth or a high-bandwidth country, our tools use resources on the endpoint until the data needs to be acquired.

  • Training & Education

    Need training on how to use, edit and deploy the tools? Not a problem. We can provide training on-site, remotely or through video tutorials, either at your location or on our web site. We can also tie these tools into the processes in your SOPs, or create new ones should the tools need to be run for specific situations.

If you would like to learn more about our OSINT services, drop us a line to find out more!


Learn more about Our SOC Consulting Services and how we can help your company streamline your security processes.
