
Response with expertise. Recovery with efficiency.

TeamT5's Incident Response Service helps enterprises respond to attacks quickly and effectively, protecting key digital assets while minimizing losses. The service also improves the enterprise's capability to respond to cybersecurity incidents, keeps daily business operations running, and shortens the downtime of network services.

TeamT5's Incident Response Service helps enterprises handle cybersecurity incidents. Starting from the hosts that were most severely compromised in the incident, the IR team investigates the incident comprehensively. By analyzing critical network logs, we can clarify the attackers' likely access points and the root cause, and then provide suggestions on how to improve security measures and defend against similar attacks in the future.

Cybersecurity incident investigation
  • Provide emergency response suggestions and incident investigation services for various types of incidents, such as APT, AD compromise, WebShell, backdoor programs, ransomware, data breaches, compromised equipment, etc.
  • Identify the root cause of the incident and the compromised hosts, and provide mitigation suggestions.
System / Web / AP log analysis
  • Identify the source of attacks and the attack patterns used
Malware analysis
  • Sandbox analysis and professional manual analysis of provided malware samples.

Service Process

1st Stage

1. Preparation
  • Clarify incident status
  • Identify customer's requirements
  • Emergency containment suggestions
  • Provide IR plan
2. Detection
  • Endpoint scan (ThreatSonar)
  • Collect and analyze critical evidence
  • Identify the compromise scope

2nd Stage

3. Investigation and Response
  • Survey sampling
  • Threat hunting
  • Sample analysis
  • Identify root cause
  • Log analysis
  • Containment recommendations
4. Response
  • Incident report with interpretation by dedicated personnel
  • Threat intelligence feedback for real-time defense and blocking
  • Root cause analysis and cybersecurity improvement recommendations

The team has more than 20 years of experience researching malware and APT groups, combined with practical experience in handling cybersecurity incidents.

Industry-leading adversary research, specializing in adversary analysis, threat hunting, vulnerability research, and root cause analysis.

Team members hold multiple professional certifications, including ECSA, CISSP, CEH, CHFI, etc.

Participated in and presented at international cybersecurity conferences, such as Black Hat (US), JSAC (Japan), CODE BLUE (Japan), etc.

A member of the Taiwan Computer Network Crisis Management and Coordination Center (TWCERT/CC) and a member of FIRST, the world's largest incident response organization.

Backed by long-term threat intelligence research and analysis, the TeamT5 IR team has experience investigating large-scale incidents across the technology, finance and telecommunications industries, government agencies, and more. The team can quickly identify the attackers' techniques, provide containment suggestions, and reduce damage. In-depth root cause analysis helps organizations avoid being hit again by similar attacks and strengthens their security posture.

CASE-01
Advanced persistent threat attack incident
Attack techniques

Use of zero-day or N-day vulnerabilities, network penetration tools (Cobalt Strike), customized backdoors (NT 5.x NDIS driver backdoor, WebShell, etc.) and VPN/proxy tools (SoftEther, etc.).

Summary of incidents

Through reconnaissance of the target, the attacker discovered a server vulnerability and exploited it. The resulting backdoor is a severe threat: it enables attackers to penetrate computers, carry out various communications and steal confidential information, such as details of government operations, technology research and development, and commercial operations.

Protection recommendations
  • (1) Patch server vulnerabilities, and watch the dark web for leaked accounts or phishing emails to prevent attackers from gaining access.
  • (2) Endpoint protection measures can detect lateral movement within the intranet in a timely manner.
CASE-02
Website hacking
Attack techniques

Use of SQL injection, SSRF, file upload bypasses, third-party package vulnerabilities, network scanning tools (Serverscan, Xray), web backdoors (WebShell) and proxy tools (Neo-reGeorg).

Summary of incidents

Attackers exploit vulnerabilities in the web application or a third-party package to upload a backdoor and gain control over the website host. They then install proxies and upload scanning tools to reconnoitre intranet hosts and brute-force passwords.

Protection recommendations
  • (1) Track vulnerability information and promptly patch and update website systems, web applications and third-party packages.
  • (2) Regularly check management access and website service logs.
  • (3) Monitor on-site systems and network status through endpoint protection software and network management equipment to detect malicious programs in real time.
CASE-03
Ransomware
Attack techniques

Use of dark web intelligence, or brute-force password cracking following network scanning, to gain access to on-site networks or systems (RDP, SSH, VPN, etc.).

Summary of incidents

After entering the intranet, the attacker moves laterally, expands the scope and level of control, and finally selects valuable targets for encryption and extortion. The usual ransom targets are ESXi hosts, NAS devices, AD, and database hosts.

Protection recommendations
  • (1) Eliminate equipment vulnerabilities and insufficient network access verification mechanisms.
  • (2) Use endpoint protection monitoring to detect suspicious programs or lateral movement, identify threats early, and block the source of the intrusion.
  • (3) Strengthen the data backup mechanism.
CASE-04
Personal information leaked
Attack techniques

Attackers use network scanning (port scans) and web attack techniques (SQL injection, XSS, SSRF, etc.) to gain access to on-site websites and databases.

Summary of incidents

Attackers accessed and downloaded customer order information, designed fraud scenarios, and contacted victims via phone calls, emails, or text messages to defraud them of money. The content of the fraud indicated that the root cause of the incident was a breach of order data. Therefore, we immediately clarified the data flow of the breach and the investigation targets, and conducted evidence collection and analysis.

Protection recommendations
  • (1) Confirm that the web page upload verification mechanism is complete, to avoid the host being controlled through an attacker's web shell upload.
  • (2) Check whether service interfaces are exposed to risk, to avoid brute-force cracking by attackers.
  • (3) Strengthen data flow encryption management and audit mechanisms.