Experience Responding to Enterprise-Wide Incidents
Computer security incident response is The Ashkelon Group’s primary focus and expertise. Since 2004, The Ashkelon Group has performed hundreds of incident response investigations across all industries, organization sizes and technical environments.
Overview of Services
The Ashkelon Group specializes in investigating large-scale intrusions performed by the most advanced threat groups. The Ashkelon Group uses the intelligence gathered during each investigation to improve its consultants’ ability to identify the actions of the attacker, the scope of the compromise, the data lost, the steps required to remove the attacker and the approach required to re-secure the network. The Ashkelon Group’s consultants have performed investigations of:
Sensitive data theft from virtually every industry including biotech companies, software companies, defense contractors, national research labs, manufacturing companies, law firms, think tanks and multinational corporations.
Payment card fraud, illicit ACH/EFT cash transfers and ATM cash draw-downs at merchants, payment processors and financial institutions.
Systems used by employees, board members and other insiders suspected of inappropriate or unlawful activity.
The Ashkelon Group has developed and maintains profiles of key attack groups, including their tools, practices and objectives. Using proprietary network traffic analysis and host inspection tools, The Ashkelon Group’s consultants automate typical investigative tasks and apply the intelligence The Ashkelon Group has generated during past investigations. This allows The Ashkelon Group’s consultants to investigate large-scale network intrusions more quickly and completely than traditional investigative techniques permit.
The Ashkelon Group’s Approach
The Ashkelon Group is focused on helping organizations recover from computer security events while minimizing the impact of the event on the organization. The major activities The Ashkelon Group performs during an investigation are:
Assessing the Situation
Each investigation begins by gaining an understanding of the current situation. How was the issue detected? What data has been collected? What steps have been taken? What does the environment look like?
Verifying Client Objectives
The next step is to define objectives that are practical and achievable. The goal may be to identify data loss, recover from the event, determine the attack vector, identify the attacker – or some combination of those objectives.
The Ashkelon Group’s consultants collect information using forensically sound procedures and document evidence handling with chain-of-custody procedures consistent with law enforcement standards.
Based on the available evidence and the client’s objectives, The Ashkelon Group draws on skills ranging from forensic imaging to malware and log analysis to determine the attack vector, establish a timeline of activity and identify the extent of the compromise.
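As an added illustration (not The Ashkelon Group’s own tooling, which this page does not describe), the following Python shows what "forensically sound" collection and chain-of-custody documentation mean in practice: the acquired image is hashed at acquisition so any later alteration is detectable, and every custody event is written to a hash-chained log so entries cannot be silently edited or removed. The evidence file, evidence ID and custodian names are constructed for the demo.

```python
"""Evidence integrity plus a hash-chained chain-of-custody log.

Added illustration, not the firm's tooling. The evidence file, the
evidence ID "EV-001" and the custodian names are constructed.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev_hash of the first custody entry


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so multi-GB disk images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


class CustodyLog:
    """Append-only custody record; each entry commits to the previous one."""

    def __init__(self, evidence_path: str, evidence_id: str, acquired_by: str):
        self.evidence_path = evidence_path
        self.evidence_id = evidence_id
        self.acquisition_hash = sha256_file(evidence_path)  # recorded once, at acquisition
        self.entries = []
        self._append("acquired", acquired_by, "image acquired, SHA-256 recorded")

    def _append(self, action: str, custodian: str, note: str) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        entry = {
            "evidence_id": self.evidence_id,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "custodian": custodian,
            "note": note,
            "prev_hash": prev,
        }
        body = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = hashlib.sha256(body).hexdigest()
        self.entries.append(entry)
        return entry

    def transfer(self, from_custodian: str, to_custodian: str, note: str = "") -> dict:
        return self._append("transfer", f"{from_custodian} -> {to_custodian}", note)

    def verify_evidence(self) -> bool:
        """Re-hash the image; any change since acquisition fails this check."""
        return sha256_file(self.evidence_path) == self.acquisition_hash

    def verify_log(self) -> bool:
        """Recompute the chain; an edited, reordered or removed entry breaks it."""
        prev = GENESIS
        for e in self.entries:
            if e["prev_hash"] != prev:
                return False
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo() -> dict:
    """Constructed scenario: a small file stands in for an acquired disk image."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "ws-042.raw")  # constructed evidence file
        with open(img, "wb") as f:
            f.write(b"\x00" * 4096 + b"CONSTRUCTED-IMAGE-DATA")
        log = CustodyLog(img, "EV-001", "analyst_a")
        log.transfer("analyst_a", "analyst_b", "handed off for malware analysis")
        evidence_ok_before, log_ok_before = log.verify_evidence(), log.verify_log()
        # Mishandling: the image is written to after acquisition.
        with open(img, "ab") as f:
            f.write(b"X")
        evidence_ok_after = log.verify_evidence()
        # Tampering: someone backdates the transfer record.
        log.entries[1]["timestamp"] = "2000-01-01T00:00:00+00:00"
        log_ok_after = log.verify_log()
    return {
        "entries": len(log.entries),
        "evidence_ok_before": evidence_ok_before,
        "log_ok_before": log_ok_before,
        "evidence_ok_after_modification": evidence_ok_after,
        "log_ok_after_tamper": log_ok_after,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In a real engagement the acquisition hash and each custody entry would be recorded on a write-once medium or a separate signed system, since a log that lives next to the evidence it protects can be altered together with it; the hash chain makes tampering detectable, not impossible.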
Providing Management Direction
The Ashkelon Group believes that proper management of an investigation is just as important as the technical and investigative skills brought to bear during an incident. During each investigation The Ashkelon Group works closely with client management to provide detailed, structured and frequent status reports that communicate findings and equip its clients to make the right business decisions.
Developing Remediation Plans
Effective countermeasures and remediation plans are best developed in parallel with an investigation. Remediation plans vary with the extent of the compromise, the size of the organization and the tactics and objectives of the attacker. As part of an investigation, The Ashkelon Group delivers a comprehensive remediation plan and assists with its implementation.
Developing Investigative Reporting
The Ashkelon Group places great emphasis on tracking and documenting all findings throughout an investigation. The Ashkelon Group provides a detailed investigative report at the end of every engagement that addresses the needs of multiple audiences including senior management, technical staff, third party regulators, insurers and litigators.