Cybersecurity & Incident Response
Charles River Associates incorporates a proven approach to solving its clients’ most complicated information security needs. Our approach to cybersecurity and incident response combines NIST 800-61 and the MITRE ATT&CK™ Framework.
The two frameworks are industry-recognized standards for effective and venerable incident response. The combined approach focuses on detecting, analyzing, containing, and eradicating threat actors from an environment, and on leveraging an actor’s own tactics, techniques, and procedures against them. Our incident response methodology has been used to combat and defeat threat actors both large and small.
CRA’s focus goes beyond just resolving the technical threat posed by threat actors. At CRA, we seek to address the human and business elements of an incident and solve issues which exist both pre- and post-incident.
Our dedicated expert teams and institutional knowledge lead to deeper insights and better decisions.
Whether you are experiencing an active compromise by a threat actor or you are putting the pieces together after the fact, our skilled investigators and analysts can assist with investigation and recovery. Our cyber response team (CRT) is highly experienced in responding to advanced persistent threats, data extortion, business email compromise, ransomware, insider threats, and more.
Our team brings an end-to-end solution. After the incident is contained, we assist organizations with regulatory inquiries and law enforcement requests, and we help them prepare for potential litigation. We have numerous experts who regularly testify in court.
CRA has significant experience conducting data breach investigations across all industries, and we often find that a lack of cyber hygiene and defense grows into a state of compromise, noncompliance, and/or adverse business impact. Our strategic cyber team collaborates with organizations to comprehensively assess and improve their cybersecurity posture and defenses through the following proactive services:
- Insider threat assessment and program development
- Cybersecurity framework assessment and program development
- Data privacy/compliance assessment
- Incident Response (IR) readiness
- Cloud cybersecurity assessment
The proactive services above leverage industry-leading cybersecurity standards, guidelines, and frameworks including, but not limited to, NIST, ISO, FedRAMP, SANS, and CMU CERT, as well as global, national, and regional regulations including, but not limited to, GDPR, HIPAA, and the California Privacy Act of 2018, to provide a holistic approach to cybersecurity strategy.
Our team has worked on over 1,000 ransomware cases, ranging from Big Game eCrime syndicates such as Maze, Conti, Netwalker, Sodinokibi, and Bit/Doppel Paymer to numerous Ransomware as a Service actors such as Dharma, RobbinHood, and the Cortex family. As eCrime syndicates continue to infiltrate organizations, they have changed the game by weaponizing the data they take and posting it to their leak blogs. Our seasoned team has developed numerous tactics, techniques, and procedures (TTPs) to combat the threats that your organization could be experiencing from these eCrime syndicates.
Our comprehensive solution consists of:
- Identifying the threat actor involved;
- Negotiating for decryption keys/data;
- Deploying decryption keys to the network to unencrypt data and get the organization back in business;
- Performing containment and eradication of the malware left behind by deploying or leveraging endpoint detection and response (EDR) tools such as Carbon Black Defense;
- Executing a forensic investigation of how the threat actor was able to infiltrate the organization and what information was taken, if any;
- Creating a lessons learned and roadmap going forward (90, 180, 270 day plan) for the organization; and
- Responding to regulatory, class action, client, and other requests.
Our experience speaks volumes for our clients, as our first job is getting you back in business after this unfortunate event.
Typically, we find that determined attackers will try to re-enter an environment. Smart organizations remain vigilant throughout the post-incident phase as operations return to normal. Not all incidents end after the adversary is eradicated from the environment, and many large incidents have follow-up needs lasting well beyond the incident’s lifespan. CRA is able to assist you in a number of ways outside of performing traditional incident response services. CRA can provide expertise to assist you with:
- Performing secondary investigations not performed during the initial response, such as determining whether an actor had access to Sarbanes-Oxley compliant systems
- Assessing the response taken by another provider or an internal team, and providing insightful recommendations on how to improve and prepare for the next incident
- Assisting in the review of remediation efforts undertaken by an organization, helping to verify that the actions taken meet the prescribed goal
- Assisting legal counsel with expert testimony when needed
One of the best ways to prepare your organization for an incident is to pit your security defenses against a human adversary in a penetration test. By utilizing our comprehensive penetration testing methodology, built on the SANS Institute’s methodology and the MITRE ATT&CK framework, CRA’s penetration tests effectively emulate the actions and techniques used by advanced threat actors, allowing us to flush out weaknesses and flaws in an organization’s environment that are often missed by automated scanning tools.
A compromise assessment takes a holistic look at your environment, augmenting and verifying your security team’s capabilities. Our team provides insights from both a network and an endpoint perspective, hunting for known and unknown threats.
Our team will collect and analyze data from external threat intelligence sources, your endpoints and network traffic. We'll assess these data using the same analysis techniques, tools and technologies that we use during our incident response engagements.
Our report will detail our observations regarding malicious and suspicious activities in your environment, as well as your overall state of cybersecurity hygiene. During the assessment we will work side by side with your security and operations teams. We’ll alert you immediately should we detect signs of active compromise, in which case our experts will be ready to assist you in dealing with it.
Partners (incident response and compromise discovery assessment)
- Endpoint: Tanium, Cylance and Carbon Black
- Network: Gigamon Insight (formerly ICEBRG)
- Threat intelligence: Recorded Future
- Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), GIAC Certified Forensic Analyst (GCFA), GIAC Certified Incident Handler (GCIH), GIAC Certified Intrusion Analyst (GCIA), GIAC Reverse Engineering Malware (GREM), GIAC Network Forensic Analyst (GNFA), EnCase Certified Examiner (EnCE), Certified Computer Examiner (CCE), and Qualified Security Assessor (QSA).
- Combined decades of experience specializing in providing incident response, internal affairs investigations, compromise assessments, and post response services for organizations across a wide spectrum of industries.
- Previous investigations have involved responding to incidents including containing and removing state-sponsored threat actors; identifying how an advanced persistent threat (APT) infiltrated the network; SWIFT heist investigations; investigating theft of payment card, personally identifiable, and protected health information (PCI, PII, PHI); and responding to ransomware events, extortion, business email compromise (BEC), spear phishing, and denial of service (DoS) attacks.
- CRA Forensic Services is ISO 27001:2013 certified, the best-known international standard for information security.
- CRA International, Inc. holds private investigator licenses in Illinois (License No. 117.001795 115.002511), Indiana (Private Investigator Firm License No. PI21600025), Massachusetts (License Number LP1045A), and Michigan (Professional Investigator Agency License No. 3701207037).