Incident Response

Response with expertise. Recovery with efficiency.

TeamT5's Incident Response Service helps enterprises responding to hackers' attacks quickly and effectively in order to protect key digital assets with minimized losses. The service also improves the enterprise's capability to respond to cybersecurity incidents, ensure daily business operations and shorten suspension time of network services.

Build upon your cyber defense NOW!

We'll demo how our intelligence-driven solutions can help you defend against cyber threats and simplify your cybersecurity operations.

TeamT5's Incident Response Service helps enterprises handling cybersecurity incidents. Taking the hosts that were severely compromised in the incident as a starting point, IR team can comprehensively investigate the incidents. By analyzing critical network logs, we can clarify the possible access points of hackers and root cause, and further provide suggestions on how to improve the security measures and defense similar attacks in the future.

Cybersecurity incident investigation

Provide emergency response suggestions and incident investigation services for various types of incidents, such as APT, AD hacks, WebShell, backdoor programs, ransomware, data breaches, compromised equipment, etc.
Identify the root cause of the incident, compromised hosts, and provide the mitigation suggestions.

System / Web / AP log analysis

Find out the source of attacks and attack patterns

Malware analysis

Sandbox and professional manual analysis on provided malware sample.

Service Process

1st Stage

Preparation

Clarify incident status
Identify customer’s requirement
Emergency containment suggestions
Provide IR plan

Detection

Endpoint scan (ThreatSonar)
Collect and analyze critical evidence
Identify the compromise scope

2nd Stage

Investigation and Response

Survey sampling
Threat hunting
Sample analysis
Identify root cause
Log analysis
Containment recommendations

Response

Incident report with interpretation by dedicated personnel
Threat intelligence feedback for real-time defense and block
Root cause analysis and cyber security improvement recommendations

The team has more than 20 years of experience in researching in malware and APT with practical experience in handling cybersecurity incidents.

Industry-leading adversary research specialized in adversary analysis, threat hunting, vulnerability research, and root cause analysis.

Obtained multiple professional certificates, including ECSA, CISSP, CEH, CHFI, etc.

Participated in and gave speeches at international professional cybersecurity seminars, such as Black Hat (US), JSAC (Japan), CodeBlue (Japan), etc.

A member of the Taiwan Computer Network Crisis Management and Coordination Center (TWCERT/CC) and a member of FIRST, the world's largest incident response organization.

With long-term threat intelligence research and analysis, the TeamT5 IR team has experience in investigating large-scale incidents. The industry covers the technology industry, finance industry, telecommunications industry, government agencies, etc., and can quickly identify hackers' techniques, provide containment suggestions, and reduce damage. In-depth incident root cause analysis can help organizations avoiding being attacked again by the similar attacks and strengthen security posture.

CASE-01

Advanced persistent threat attack incident

Attack techniques

Use zero-day or N-day vulnerabilities, network penetration tools (Cobalt Strike), customized backdoor attacks (NT 5.x NDIS driver backdoor, Webshell, etc.) and network VPN agents (softether, etc.).

Summary of incidents

By reconnaissance of target, the attacker discovered the server vulnerability and carried out the attack. This backdoor, a severe threat, enable attackers to penetrate computers, perform various communications and steal confidential information, such as government operations, technology research and development, and commercial operations.

Protection recommendations

(1) Patch server vulnerabilities and pay attention to whether there are accounts breaches or phishing emails on the dark web to prevent from attackers' accesses.
(2) Endpoint protection measures can timely detect lateral movements within Intranet.

Learn More

CASE-02

Website hacking

Attack techniques

Use SQL injection, SSRF, file upload bypass, vulnerabilities of third-party package, network scanning tools (Serverscan, Xray), web backdoors (WebShell) and agents (Neo-reGeorg).

Summary of incidents

Attackers exploit the vulnerabilities of webpage or third-party package to upload backdoor and gain control over the website host. They then install agents and upload scanning tools for reconnaissance of intranet hosts and brute force password cracking.

Protection recommendations

(1) Have vulnerability information and promptly patch and update vulnerabilities in website systems, web programs and third-party packages.
(2) Regularly check management package access and website service logs.
(3) Monitor the field system and network status through endpoint protection software and network management equipment to detect malicious programs in real time.

CASE-03

Ransomware

Attack techniques

Use dark web intelligence or brute force password cracking techniques through network scanning to gain access to the network or system in the field (RDP, SSH, VPN, etc.).

Summary of incidents

After entering the intranet, the attacker can move laterally, expand the scope and level of control, and finally select valuable targets for encryption and blackmail. Usually the ransom targets are ESXi hosts, NAS devices, AD, and database hosts.

Protection recommendations

(1) Equipment vulnerabilities and insufficient network access verification mechanisms need to be avoided.
(2) Through the terminal protection monitoring mechanism, detect suspicious programs or mobile status, detect threats early and block the source of hacking.
(3) Strengthen the data backup mechanism.

Learn More

CASE-04

Personal information leaked

Attack techniques

Attackers use network scanning (Port scan) and Web attack techniques (SQL injection, XSS, SSRF, etc.) to gain access to websites and databases in the field.

Summary of incidents

Attackers access and download customer order information, design fraud scenarios, and send them to victims via phone calls, emails, or text messages to defraud customers of money. From the fraud contents, the root cause of incident could be the breaches of order data. Therefore, we immediately clarified the breaches of data flow and the investigation target, and conducted evidence collection analysis.

Protection recommendations

(1) It is necessary to confirm whether the web page upload verification mechanism is complete to avoid being controlled by the attacker's web shell upload.
(2) Pay attention to whether the service interface is in the risks to avoid being violently cracked by attackers.
(3) Strengthen the data flow encryption management and audit mechanism.

Learn More

FAQs

What is TeamT5 IR service?

TeamT5 Incident Response (IR) services, including professional incidence analysis, investigation and response, assist businesses and organizations to promptly and effectively handle incidents, protect critical digital assets, and ensure that operations resumes and runs normally.

At the critical moment when an incident occurs, why is it so important to have TeamT5 IR support?

The incident response aims not only to reduce the losses caused by attacks, but also learn from the incident to improve security measures. With years of IR experiences, TeamT5 can provide the following support as soon as possible:
- Clarify incident status and provide emergency containment suggestions

- Comprehensive endpoint scan to identify the compromise scope

- Investigate the root cause of the incident and provide recommendations to defense similar attacks in the future

How does TeamT5 IR compare to others?

Unlike other IR service providers, TeamT5 has more than 20 years of experience in researching in malware and Advanced Persistent Threat (APT). We specialize the adversary analysis, threat hunting, root cause analysis with practical experience in handing incidents.

What benefits can TeamT5's professional IR team bring to businesses and organizations?

- Block threats and quickly clarify threats in the environment

- Comprehensively investigate suspicious threats to avoid future attacks

- Precise incident analysis to minimize damage

- Root cause analysis and prevention suggestions to strengthen proactive defense

After the incident response process, how can I continue to defend against possible threats in the future?

Since attack techniques continue to evolve, we suggest to have TeamT5 Managed Detection and Response (MDR) Service. 7*24 endpoint monitoring and periodical threat hunting, by a professional team of experienced experts, can discover threats and provide response suggestions. Once there is a suspicious incident, TeamT5's MDR team will work with the businesses and organizations to respond, conduct in-depth investigation and analysis of the root cause of the incident, and optimize security defense measures.