Tristan PINCEAUX | Lead CERT


The rise in cyber attacks is a threat every company faces today. Organisations that lack the maturity to handle an incident on their own must be able to rely on cybersecurity experts.
The stakes are multiple: contain the attackers' actions, eradicate the threat and its persistence mechanisms, restore operating conditions and resume production as quickly as possible.
The CWATCH Almond CERT team supports you through all of these phases so that you can react to cyber attacks quickly and effectively.
The major trends shaping the cyber landscape, and the steadily rising threat level driven by the growing capabilities of malicious actors (whose main motives remain financial gain, espionage and destabilisation), make it all the more necessary to have a team able to deal with these threats through appropriate incident response and sound crisis management.
Our CERT team (Computer Emergency Response Team), CWATCH, with its highly qualified staff and the expertise built up across the many incidents it has handled, offers you structured, quality support, at both the technical and the human level, so that you can overcome security incidents affecting your information system.

Our services provided by our CERT

1. Response to security incidents
2. Crisis management support
3. Forensic investigation on Linux, Windows (Active Directory, Windows 7/8/10/11, Exchange, Windows Server, …), network events, …
4. PFI investigation (PCI-DSS and credit card environments)
5. Removal of doubt on antivirus alerts
6. Support for remediation
7. Support for business continuity and recovery (after ransomware, for example)
8. Support in external and internal communication: with authorities, stakeholders and users/customers
9. Compromise assessment audit (security assessment / sanity check-up)
10. Recurrent analysis of critical workstations or servers (e.g. VIP)
11. Reverse engineering of a malware sample or malicious strain
12. Cyber Threat Intelligence (CTI)
13. Open and semi-open source searches for leaked data or credentials
14. External monitoring of public-facing assets

Incident Response Process

1. Detection: you contact the CWATCH CERT as soon as you suspect or detect a security incident.
2. Qualification: a CWATCH expert calls you back to qualify the incident and gather more information about the context.
3. Response system: the CWATCH CERT offers you an initial response system.
4. Agreement: you formally confirm your agreement to start the response system.
5. Operations: we start the response operations, intervening remotely or on site: collection, analysis, reaction & remediation.
6. Review: as the understanding of the incident progresses, the experts regularly review the response strategy with you. Regular reports and follow-ups can be made.
7. Report: a final report is written for the stakeholders, including details of the incident, the investigations and the recommendations to follow.

Examples of missions

Mission 1

Situation at the start of the CERT service: the IT department has noticed abnormal behaviour on a server exposed on the Internet and suspects a compromise.

Operations carried out by the CERT:
The CERT lists all the data to be collected in order to remove the doubt about the compromise and provides the IT team with a collection agent to launch on the server.
The data from the collection agent and the firewall logs are sent to the CERT, which after analysis confirms that a vulnerability has been exploited to install a remote shell and take control of the server.
The objective is now to measure the extent of the compromise and to manage the internal crisis situation. With the client's agreement, the CERT dispatches an expert to the site to coordinate operations and reassure the various stakeholders while the investigation continues.
After 2 days of investigation, the CERT determines that the attacker has not succeeded in compromising other resources. A procedure for eradicating the attack and returning to normal is documented, along with the chain of events, the vulnerabilities exploited and the associated remediation plan.

Mission 2

Situation at the start of the CERT service: a ransomware malware encrypts data on multiple workstations and network shares.

Operations carried out by the CERT:
The CERT establishes with the IT manager an emergency plan to contain the attack and remotely monitors the technical actions (network isolation of certain machines, securing of backups, etc.).
Once the situation is under control, the CERT provides the IT manager with a collection tool to be launched on an infected computer and a list of actions to check the attack vectors (email, web, USB key). The collected data allows the CERT to identify the malware used and its source (an email with a booby-trapped attachment sent to at least 4 employees).
Since it cannot quickly be established that no other employees received the booby-trapped email, an alert message is written for the employees with the help of the CERT. At the same time, the markers of the attack (malware used and its impact on the workstation, sender and subject of the email, …) are used to derive blocking rules for the firewall, the email server/relay and the workstations' antivirus.
As the malware used relies on an encryption key stored in memory, an infected workstation that has not been rebooted is made available to the CERT. This allows the CERT to recover the encryption key and to decrypt 80% of the data. Management asks the CERT to evaluate whether to pay the requested ransom for a chance of recovering the remaining data, and decides not to take this option.
The CERT establishes a recovery plan with the IT manager and the service provider managing the backups and the computer fleet (order in which to rebuild the workstations / restore the backups). Once the recovery operations are complete, the CERT proposes a plan to harden the filtering of emails and web browsing, as well as an employee awareness programme.

Why choose us?

- A team of qualified and certified experts
- A multidisciplinary team
- Multilingual experts
- Research and collection tools developed in-house
- Active monitoring of cyber intelligence

Need assistance with a security incident?

Whether you are an Almond client or not, contact the CERT CWATCH
+33 (0) 1 83 75 36 94
(always preferred in case of emergency)

Almond is an authorized user of the CERT™ mark: technology watch, continuous improvement of our incident response methodologies and knowledge sharing (IOCs) between CERTs™.

The Almond CERT has been a member of the InterCERT France network since 2020. InterCERT-FR is an association under the French law of 1901 which brings together the incident response teams (CSIRTs) in France.
