APT changed the rules

To respond to an incident that might involve a sophisticated or targeted attacker you would be well served approaching an accredited company.

IT-related Incident Response and forensics services have been around for many years and had found a comfortable niche in terms of the skills and methodology needed to deliver them. However, whilst the Incident Response industry was settling down to a steady diet of credit card breaches, inappropriate use of company equipment and web defacements, the really bad guys were busy. These weren’t the attackers who were interested in defacing your website or emptying the contents of your bank account; their interest was on a much bigger scale. They wanted to steal the designs for the brakes on your car, find out negotiating positions on M&A activity and use the combined knowledge from all of this to reshape the global economy. Alongside this, the Incident Response community was busy training an army of Certified EnCase Examiners and worrying about chains of custody and due process.

This was fine for the more traditional incidents listed above but was completely inappropriate for the new and far more dangerous threat that had been hovering below the radar for so many years. When discovering a machine compromised by a nation state attacker, the “bag-and-tag” brigade were completely out of their depth. Why? Well, their “take the computer and analyse it for a couple of weeks before producing a report” approach didn’t fit with our dynamic and agile attacker. The lack of understanding about how systems and networks are compromised meant that evidence was either not understood or just plain missed. Malware that wasn’t detected by AV and required smart people with reverse engineering skills to investigate just sat on the virtual shelf gathering dust. Even containment of the incident was failing: after finding one system on the network unavailable, the attacker just switched to another, often using completely different technology and malware.

The result was that the attackers just kept doing what they had been doing for so many years previously. No-one was disrupting their operations and, worst of all, the people affected were losing yet more money paying for incident response services whilst not removing the problem. But help and hope were at hand.

From this old world emerged a dynamic few who were equipped for this new age of Incident Response. These were the people who could work quickly, understand the methods of compromise, track attackers across the network and unlock the secrets hidden within the malware. Armed with IDA Pro rather than a plastic bag, they were able to find the attacker and understand their capabilities, and a handful of them could then even put in place the solutions needed to stop the attackers getting back in. Only one problem remained: how would the victims of such attacks find the people with these skills? How would they be able to validate that their skills were sharp and their approach was the right one?

Step forward both the UK Government, through CESG, its Information Assurance arm, and an industry body, CREST. By working with the brightest minds in the industry, both organisations were able to put in place schemes to accredit the work of these companies and validate the competencies of the people doing the work. So if you find yourself in need of someone to help you respond to an incident that might involve a sophisticated or targeted attacker, you would be well served approaching one of these accredited companies first. For more details of the people providing these services you can look here:

We’d also be more than happy to provide you with more information about our own unique approach to these services.

Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor, MWR is approved by PCI SSC to conduct external vulnerability scanning services in accordance with PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisations' adherence to PCI DSS.
As members of CHECK, we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorised by CREST to perform STAR penetration testing services.