Incident response

CSIRT Synacktiv can help you in the event of an IT security incident affecting your information system and, more broadly, your business.

An IT security incident can have a serious impact on your business. CSIRT Synacktiv's services are designed to support your teams throughout the various stages of an incident:

  • upstream, by working with you to anticipate the technical and operational needs inherent in a cyber crisis;
  • during the crisis, by mobilizing our experts to contain the threat, investigate digital traces and manage the return to normal;
  • downstream, by helping you rebuild on sound foundations.

Incident preparedness

Anticipating the threat is the best way to reduce its impact on the day it materializes. We intervene upstream to prepare your teams and your information system to react effectively. To give you peace of mind, we offer a CSIRT subscription: this contract guarantees you an intervention capacity with a defined SLA (response-time commitment) and lets our experts learn your technical context in advance, so that the response is immediate and appropriate.

On an organizational level, we test your processes through crisis management exercises (tabletop exercises) built on customized scenarios. We can also draw up “reflex cards”, short operational guides that save precious time when an alert is triggered.

On the technical side, visibility is key. We carry out logging audits to verify the completeness, retention and relevance of your logs, which are essential for future investigations. We also carry out targeted assessments of your critical infrastructures (Active Directory, Entra ID or AWS) to identify and correct configuration errors or excessive permissions before they are exploited.
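As an added illustration of what a log completeness check looks like in practice (example code written for this page, not a Synacktiv tool), the script below runs three checks an investigator cares about over the timestamps each source actually delivered to the collector: retention (does the oldest surviving record reach back far enough), silence (did a source stop reporting before the end of the incident window) and gaps (holes between consecutive events inside the window). The source names, thresholds and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample (not real customer data): event timestamps, in UTC, that
# each source actually delivered to the collector. A real audit would pull
# these from the SIEM or straight from the raw log files.
SAMPLE_LOGS: Dict[str, List[str]] = {
    # Domain controller: long retention, but a six-hour hole inside the window.
    "dc01/Security": [
        "2023-11-01T00:00:00",
        "2024-03-01T00:00:00", "2024-03-01T00:30:00",
        "2024-03-01T06:30:00", "2024-03-01T07:00:00",
    ],
    # Firewall: reports every hour, but only ten days of history survive.
    "fw-edge/syslog": ["2024-02-20T00:00:00"]
        + [f"2024-03-01T{h:02d}:00:00" for h in range(0, 8)],
    # VPN gateway: stopped forwarding the day before the incident window.
    "vpn-gw/auth": ["2023-10-01T00:00:00", "2024-02-28T23:30:00"],
}


def audit_log_coverage(
    logs: Dict[str, List[str]],
    window_start: datetime,
    window_end: datetime,
    max_gap: timedelta = timedelta(hours=1),
    min_retention: timedelta = timedelta(days=90),
) -> Dict[str, List[str]]:
    """Return, per source, the coverage problems an investigator would run into.

    retention: the oldest record is too recent to look back min_retention.
    silence:   the source delivered nothing in the last max_gap of the window.
    gap:       two consecutive in-window events are more than max_gap apart.
    """
    findings: Dict[str, List[str]] = {}
    for source, raw in logs.items():
        stamps = sorted(datetime.fromisoformat(t) for t in raw)
        issues: List[str] = []

        retained = window_end - stamps[0]
        if retained < min_retention:
            issues.append(f"retention {retained.days}d < {min_retention.days}d")

        if stamps[-1] < window_end - max_gap:
            issues.append(f"silent since {stamps[-1].isoformat()}")

        in_window = [t for t in stamps if window_start <= t <= window_end]
        for earlier, later in zip(in_window, in_window[1:]):
            if later - earlier > max_gap:
                issues.append(
                    f"gap {later - earlier} between "
                    f"{earlier.isoformat()} and {later.isoformat()}"
                )
        findings[source] = issues
    return findings


def sample_report() -> Dict[str, List[str]]:
    """Run the audit on the constructed sample over a seven-hour incident window."""
    return audit_log_coverage(
        SAMPLE_LOGS, datetime(2024, 3, 1, 0, 0), datetime(2024, 3, 1, 7, 0)
    )


if __name__ == "__main__":
    for source, issues in sample_report().items():
        print(f"{source}: {'OK' if not issues else '; '.join(issues)}")
```

Each of the three constructed sources fails exactly one check: the domain controller has a six-hour gap, the firewall keeps only ten days of history, and the VPN gateway went silent before the window. Run against real collector data, the same three checks answer the question a future investigation will ask first: is there anything to look at for the period that matters.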

Incident response

Digital investigation is a key stage in any incident response. Its aim is to reconstruct as accurately as possible the course of an attack, based on the traces left on systems.

Our teams carry out an in-depth analysis of compromised equipment to understand the modus operandi, define the affected perimeter and measure the impact of the attack. In the event of suspected compromise, we can carry out a targeted investigation: a study of a delimited perimeter in search of anomalies betraying the current or past presence of an attacker. This analysis can be extended to hunting for an implant (software or hardware) linked to an advanced or targeted threat.

In the same way as we carry out vulnerability audits, a compromise audit reviews your information system in search of traces of malicious activity that may have escaped your detection systems. Broader than an investigation triggered by a specific suspicion, a compromise audit aims to give you greater confidence in the actual security status of your system.

We can also support an existing crisis unit on the digital investigation side, or provide a post-incident counter-expertise (a second opinion on findings already established).

Cyber-remediation

Once the incident has been contained, the aim is to rebuild a healthy environment and restore confidence in the information system. Based on the findings of our investigations, we provide you with concrete post-incident recommendations. These are aimed not only at closing the entry point used by the attacker, but above all at durably reducing the attack surface of your information system, so that a similar attack becomes far harder to carry out.

For deep-rooted compromises affecting the network core, we support you in complex operations such as an Active Directory cutover (rebuilding a new, trusted directory and migrating to it) or hardening your Windows environments. The aim of these technical actions is to raise the structural security level of your IT assets and prevent any resurgence of the threat.

Training

Sharing knowledge is at the heart of Synacktiv's DNA. Our experts, who respond to all types of incidents, provide cutting-edge technical training (face-to-face or online) to develop your teams' skills.

Our courses cover the whole spectrum of digital forensics: from system forensics (Windows, Linux) to mobile media analysis (smartphones), including Cloud investigation and malware analysis. We also offer awareness-raising sessions for a wider audience. To find out more about our programs and upcoming sessions, please consult our training agenda.

CSIRT subscription

Subscribing to CSIRT Synacktiv enables you to call on our experts for one-off interventions or long-term engagements (cyber crisis). The standing objectives of CSIRT Synacktiv are:

  • to contain and resolve the security incident or crisis as quickly as possible;
  • to meet your expectations according to the agreed terms and conditions;
  • to understand the nature and origin of suspicious or malicious activity; the modularity of the subscription lets you tailor the effort to the results you need;
  • to measure the scope of the compromise and its impact on services;
  • to manage the resolution of the security incident according to project management practices;
  • to recommend emergency measures to contain the attack, and longer-term measures to durably reduce the exposure of the information system.

The Synacktiv CSIRT subscription can be broken down into 3 parts:

  • a service level and intervention mode: this describes overall expectations in terms of intervention time, either 24/7 including out-of-hours (HNO) or during business hours only (HO);
  • a reserve of man-days (or man-hours) subscribed up front: this volume is consumed as operations are carried out, and can be topped up during the subscription period if requirements exceed those initially expressed;
  • options, in the form of additional services that can be subscribed to at any time during the subscription to raise the maturity and protection level of your information system.

Tools

Open-source tools (licensed for commercial use), in-house tools (such as leakozorus) and established commercial forensic tools and hardware (for example, Tableau).

Latest articles

LinkPro: eBPF rootkit analysis

During a digital investigation related to the compromise of an AWS-hosted infrastructure, a stealthy backdoor targeting GNU/Linux systems was discovered. This backdoor features functionalities relying ...

Open-source toolset of an Ivanti CSA attacker

In recent incident responses where the root cause was an Ivanti CSA compromise, Synacktiv's CSIRT came across multiple open-source tools used by threat actors. This article dives into each of these to ...