Kroll Cyber Risk experts respond to over 3,200 security events every year, in the UK and across the world. We work with organizations across many industries to manage incidents of all types, complexity and severity. With our unique frontline experience, companies from all over the world count on Kroll, not only for help in a crisis, but also for proactive planning and mitigation strategies. We are also a preferred service provider for more than 50 leading cyber insurance companies and offer client-friendly retainers to cover both incident response and proactive services for peace of mind.
Rapid and Efficient Deployment of Onsite and Remote Incident Response Capabilities
Whether it’s a ransomware attack, malicious hacker or accidental exposure by an employee, Kroll’s global network of certified security and digital forensic experts provides rapid response, deploying remote solutions to anywhere in the world and/or arriving onsite within hours to help companies contain a situation and determine next steps.
Kroll is a leading provider of comprehensive cybersecurity, digital forensics and breach response services. We help companies make informed decisions at every stage, whether it’s proactive preparation before a cyber incident occurs or meeting obligations – including consumer notification and remediation – in response to an incident. Our goal, working in cooperation with a client’s attorneys and insurance carriers, is to smoothly guide them to recovery, leaving them in the best defensible position, reputations intact, and ready to safely resume business with minimal disruption.
Common Threats Addressed by Our Incident Response Team
- Business Email Compromise and Wire Fraud
- Insider Threats and Accidental Data Loss
- Advanced Persistent Threats (APT)
- Third Party and Vendor-Related Risks
- Malware, Keyloggers, and Backdoors
- Targeted Intellectual Property Theft
- Payment Card Fraud (PCI/PFI)
- Web Application Attacks and Password Theft
Kroll Offers a Continuum of Cyber Security and Incident Response Services for the Multifaceted Nature of Incident Response
- Incident Response Preparation and Prevention: Enhancing our clients’ ability to respond to cyberattacks with an extensive range of assessments, tabletop exercises and simulations, and the latest cyber threat intelligence.
- Intelligent Endpoint Detection and Response: Through a unique combination of technology and highly skilled professionals, our sophisticated solution empowers companies to detect and respond swiftly to credible threats.
- CyberDetectER® DarkWeb Search and Monitoring: Using our proprietary technology and troves of data compiled over many years and thousands of incident responses, Kroll continuously monitors the deep and dark web to help clients identify and respond to data exposures.
- Data Collection and Preservation: For clients amid an investigation or litigation, Kroll can provide cost-effective solutions to identify, isolate and preserve vital electronic data using the most up-to-date and forensically sound methods.
- Malware Analysis and Reverse Engineering: Further understand any code-related event through our in-depth technical analysis of benign and malicious code.
- Data Recovery and Forensic Analysis: Kroll’s cyber risk investigators are among the most knowledgeable subject matter experts in any industry. When important data has been deleted or manipulated – whether it was purposeful or accidental – they can analyze digital clues left behind to uncover critical information quickly and defensibly.
- Malware and Advanced Persistent Threat Analysis and Remediation: Kroll’s forensic experts analyze malware, using the latest methods and technology, to determine what it does, how it works and the scope of its impact on an affected system.
- PHI and PII Identification: In the event of a breach, we provide clients with a master notification list that clearly identifies the types of PHI or PII involved. This lets them deliver messages and remediation services targeted to those affected, avoiding costs arising from over-notification.
- Data Breach Notification and Remediation Services: Kroll helps companies protect their brands and reestablish trust with individuals impacted by a data loss by ensuring the breadth of the response matches the harm caused by a breach.
Benefit From Client-friendly Incident Response Retainers
- Includes both proactive and reactive services
- No loss of money at end of contract term
- No required use of Kroll tools or applications
- No automatic renewals or price accelerations
- Includes access to Kroll's data response services that are core capabilities (e.g., Notification, Call Center, Monitoring and Consumer Restoration)
- Benefit from Kroll’s relationships with top cyber insurance companies, including some of the biggest underwriters in the world
Kroll in Action: Cyber Incident Response
Containment and Remediation of Cyberattack That Compromised Personally Identifying Information (PII)
Client: Major Company in U.S. Transportation Industry
The client informed Kroll late on a Friday afternoon that it had suffered a cyberattack. At the outset, the company, which served a large national and international clientele, needed to quickly contain and remediate the impact of the incident. It would then need to notify those whose PII had been compromised and report the incident to regulators.
How Kroll Resolved The Problem
- Within two hours, we deployed a remote response and had personnel onsite at the company’s headquarters by the next morning. By the end of the weekend (48 hours later) the team had scaled up from two investigators to twelve.
- After identifying specific indicators of compromise (IOCs), we were able to eradicate the actor and establish containment. We then monitored the containment strategy to ensure it kept working.
- Kroll investigators created a disposition matrix, which they used to cross-reference compromised machines with individuals’ compromised data.
Utilizing the many tools at their disposal, our investigators restored the client’s system with minimal disruption to its operations. Additionally, the findings of our disposition matrix allowed the client to refine its notification list with pinpoint accuracy. As a result, the client was able to notify and address the concerns of a much smaller subset of people, avoiding a costly blanket notification, as well as the intense media coverage that typically ensues. On top of dramatically reducing its notification and remediation costs, the client was also able to provide regulators with precise details of the incident’s scope and effects.
Fortify Your Response Capabilities
With threats continually growing in both volume and sophistication, UK companies can leverage the frontline experience of Kroll’s incident response and digital forensics team to deploy an effective and multifaceted response anywhere, anytime.
Frequently Asked Questions
What is cyber incident response?
Cyber incident response is the process of responding to, managing and mitigating cyber security incidents. Its goal is to limit the damage and disruption caused by cyber-attacks and, where necessary, to restore operations as quickly as possible. When an organization is impacted by a cyber security breach, a clear perspective is required to take control of the situation and respond effectively to protect assets, operations and reputation. Timely incident response support helps companies to quickly contain the compromise and smoothly achieve recovery, leaving them in the strongest position possible, with minimal business disruption and their reputation intact.
What does an incident response team do?
An incident response team (IRT) or computer incident response team (CIRT) is a group of experts responsible for responding to, managing and mitigating security incidents. An incident response team investigates, analyses and remediates incidents and manages internal and external communications in the event of an attack. Its role can also include developing and maintaining an incident response plan and assessing potential changes in technology, training and other aspects following a security incident. Another important role for incident response teams is running trials of an organization’s incident response approach based around real-world scenarios.
What is an incident response plan?
An incident response plan is a document which outlines an organization’s strategy for responding to security incidents, such as data breaches and ransomware. It sets out specific actions and procedures to facilitate timely and effective incident mitigation, clearly defining the steps that should be taken and the person responsible for them. An incident response plan covers each stage of an incident, to enable organizations to take timely and effective action in the event of disruption caused by a cyber-attack.
Why do you need an incident response plan?
Incident response planning plays a critical role in helping organizations to maintain a robust long-term security posture. Vital time can be lost in establishing a strategy after an incident occurs. An incident response plan helps organizations to reduce the potential damage of a cyber incident and move forward quickly and effectively following an attack. Your incident response plan is a strategic roadmap which outlines the exact steps your organization should follow after different types of incidents. It also communicates to stakeholders and regulators that your organization is fully committed to addressing new and emerging cyber threats.
What should an incident response plan include?
An Incident Response Plan is a document which sets out an organization’s strategy for responding to different types of security incidents, including ransomware attacks, IP theft and data breaches. It should include the specific procedures and responsibilities associated with addressing each stage of an incident, with defined roles for completing specific incident response actions. An incident response plan is your organization’s roadmap for taking timely and effective action in the event of disruption caused by a cyber-attack.
What are common incident response mistakes?
A key error which organizations make in relation to incident response is failing to implement an incident response plan to effectively manage and mitigate cyber incidents such as data breaches and ransomware. Another common mistake made by many organizations is failing to understand their on-premises and cloud environments, and the security tools and policies they have in place. Failing to invest enough in an effective strategy is also a common incident response error. With back-ups a vital part of defending an organization against the impact of a cyber incident, not reviewing them regularly is yet another common mistake.
What are the key cyber incident response steps?
Effective incident response should include six key steps:
- preparing systems and procedures, including the development of an incident response plan
- the identification of incidents and the gathering of evidence
- the containment of attackers and incident activity to limit any additional damage from the incident, which includes short-term containment, system back-up to preserve evidence, and long-term containment
- the eradication of attackers and re-entry options
- recovery from incidents, including the restoration of systems
- lessons learned and the application of feedback to the next round of preparation.
How should organizations respond to a security incident?
It is important to take fast, decisive action when a security incident occurs. Effective incident response requires a clear plan which outlines the actions key stakeholders should take in a variety of scenarios. Organizations should then follow a clear and structured sequence of steps to ensure that every aspect of managing and mitigating the incident is covered. This will include actions such as containment, threat removal and mitigation and recovery, identification of improvements and further testing. The response should also include informing the relevant authorities, depending on the nature of the incident.
What is the key to effective incident response?
The key to effective incident response is good planning and preparation. Having a robust incident response plan in place with clear responsibilities for specific team members will allow your organization to respond quickly, and take immediate, decisive action to reduce the impact of different types of cyber incidents. A proactive approach which includes a structured plan set in place before a cyber incident occurs will ensure that your organization is more able to recover, even in the event of a serious cyber incident. Another important aspect of effective incident response is ensuring that you have a good security partner.