資料概要

アジア全域でランサムウェア攻撃が急増しており、日本、香港やシンガポールも例外ではありません。これらの攻撃は、ビジネスの運営を大きく妨害するだけでなく、組織の財務的な安定性や信用に対しても深刻な脅威をもたらしています。

本ホワイトペーパーは、サイバー緊急対応サービスのリーダーであるBlackpandaによって提供され、Blackpandaが事業を展開する国々、具体的には香港、シンガポール、日本、フィリピンにおける組織のサイバーセキュリティの現状を掘り下げます。これらの組織が直面する複雑さと課題を明らかにすることに焦点を当てています。

‍

‍

‍

BlackpandaのIR-の特徴 

1. 費用を抑えた、お手頃な年間サブスクリプション 

セキュリティ事故に備え事前に契約を行う形態のため、セキュリティ事故発生後の緊急時にIRベン ダーと慌てて契約を行う場合に比べ、費用を抑えることができます。従来のインシデント対応の約 10分の１の価格で提供します。 

2. 世界レベルの緊急サイバー支援 

業界トップレベルのサイバー消防特殊部隊が緊急事態に対応し、調査・止血・封じ込めの支援を通 してあらゆる側面を解決します。 

3. 継続的なASMスキャン 

Blackpandaが独自に開発したASM (Attack Surface Management)ツールで、インターネット公 開資産の脆弱性やセキュリティリスクのモニタリング機能、およびダークウェブ等に漏えいしたア カウント情報やパスワードの検出機能で、サイバー攻撃の予防に貢献します。 

4. 今まで存在しなかった、日本企業向けのIRaaS 

Blackpandaが開発した、クラウド型のインシデント対応SaaS商品です。

‍

【商品の詳細】

‍

AZURE ・PLUSのSOCサービスの特徴 

AZURE・PLUS株式会社は、様々なベンダーが提供するEDRに特化したSOCサービスである「AZURE ・SOC」を展開しています。お客様環境において24時間365日でのオペレーターによる脅威検知アラー トの監視とアラート発報時の管理者への通知、該当端末の隔離までを実施します。「AZURE・SOC Basic サービス」と、AZURE SOC Basicサービスに加え、アラートの対象となるエンドポイントを平 日日中帯にアナリストがThread Huntingを実施する「AZURE・SOC Advance サービス」の2つの サービスを提供しております。AZURE・SOCサービスは、多くの企業や市町村など、様々なお客様から ご要望をいただいており、お客様の運用状況に応じた、柔軟なサービスをより低価格で提供を行ってお ります。今後は今回のIRのサービスの統合に加え、XDR、NDR等の取り込みを行い統合的なセキュリ ティ監視サービスの提供を目指しております。 

【Blackpandaからのコメント】 

このたびは、AZURE・PLUS社と弊社Blackpandaの協業による弊社のIR-を提供開始できることを、 大変嬉しく思っています。AZURE・PLUS社との協業を通じて、ビジネスを拡大し、より多くの日本の お客様のサイバーセキュリティ強化に貢献することを目指します。弊社BlackpandaはAZURE・PLUS 社のSOCサービスの一環として、高度なインシデント対応サービスを提供してまいります。日本国内の 

お客様が絶え間なく変化するサイバー脅威に対抗し、強固なレジリエンス（耐久力）を構築できるよう 共に尽力して参ります。 

BLACKPANDA JAPAN株式会社 

代表取締役 

鈴木 デイビット 友 

【AZURE・PLUSからのコメント】 

昨今、様々なセキュリティインシデントが起こる中、Blackpanda社との協業は、日本企業のサイバー セキュリティ強化において、大変意義のあるものだと感じています。Blackpanda社が提供するIR-を 通じて、弊社で培ってきた国内市場における豊富な経験と知識を融合させることで、迅速かつ、効果的 なセキュリティ対応が可能になります。そして、新たな脅威が増加する中、両社で協力し、強力なバッ クアップ体制を築き上げます。企業の安全と安心を守っていくことが我々の使命だと感じています。 

AZURE・PLUS株式会社 

執行役員 

代表取締役 

清水 秀樹

‍

BLACKPANDA GROUP について 

Blackpandaグループは、アジアをリードする、地域に根ざしたサイバーインシデント対応の会社で す。サイバー空間の有事であるインシデント対応において、日本を含むアジアの企業にワールドクラス のサービスを提供しています。アジア各地域のBlackpandaサイバー消防特殊部隊によるインシデント レスポンスによってお客様をサポートし、サイバーレジリエンスの強化とデジタル業務の安全確保を支 援します。 

AZURE・PLUSについて 

AZURE・PLUS株式会社は、「興奮と感動を与えるソリューション」をコンセプトに、ネットワークを はじめとするITインフラの設計・構築や、最先端のソリューション製品のインテグレーション事業を展 開しています。近年ではセキュリティ事業に注力しており、多岐にわたるセキュリティソリューション を手掛けるとともに、自社でのEDRのSOCサービスである「Azure・SOC」の提供を始め、専門的な知 識からインシデントレスポンスの実施やお客様のニーズに合った柔軟なサービスを提供しております。 

‍

＜本件に関するお問い合わせ先＞

BLACKPANDA JAPAN株式会社 

e-mail: japan-sales@blackpanda.com 

AZURE・PLUS株式会社 プロダクト営業グループ 

e-mail: product-sales@ml.azure-plus.co.jp

‍

日時は9月11日（水）15:00〜16:30、参加費は無料です。

こんな方におすすめ!

o   インシデント発生後の対応も知っておきたい

o   コストを抑えてセキュリティ対策をしたい

o   インシデント対応時間、運用負担を転減したい

皆様のご参加をお待ちしております！

‍

こちらのリンクからお申し込みください：https://sbb.smktg.jp/public/seminar/view/23102

‍

※出典：株式会社富士キメラ総研
2023年12月14日発行「2023 ネットワークセキュリティビジネス調査総覧 (市場編)」

※講演テーマ・登壇者は変更となる場合がございます。予めご了承ください。

【お問い合わせ窓口】

SB C&S株式会社 Cybereason販売推進 〈SBCASGRP-nwsec-edr@g.softbank.co.jp 〉

‍

‍

サイバーリスク、とりわけ近年増加しているランサムウェアなどの脅威は、中小企業の事業継続に深刻な影響を及ぼす重大な問題です。BLACKPANDA JAPANは、この脅威の背後にある経済構造を徹底的に解明し、なぜこの危機が減少しないのか、その原因を明らかにします。

皆様のお役に立つことを目指し、具体的な事例をもとにした対処方法やソリューションの概要に関する情報をお届けいたします。

みなさまのご来場お待ちしております。

①   セッション日時：2024年9月19日(木)16:30~16:55（日本時間）

※開場・受付14:30~15:00

②　福井会場：コートヤード・バイ・マリオット福井 紫陽花

③　対象者：SB C&S株式会社　販売パートナーさま 

④　定員：30名

⑤　受講料：無料

⑥　プログラム：※講演テーマ・登壇者は変更となる場合がございます。予めご了承ください。

申し込みはこちら： https://sbb.smktg.jp/public/seminar/view/22641

‍

‍

この記事の重要ポイント:

• 経済産業省のASMガイドラインでも、ASMは一度きりのアセスメントではなく、定点的にモニタリングすべきとされている。
• Blackpandaは、公開資産に対する定点モニタリングの重要性を認識し、自社のインシデント対応経験を活かして独自のASMスキャンエンジンを開発。
• 中小企業向けのIR-1と近日リリース予定のエンタープライズ企業向けIR-Xの標準機能としてASMが搭載。

内閣サイバーセキュリティセンター（NISC）の横断的アタックサーフェスマネジメント（ASM）事業開始は、昨年5月に経済産業省がリリースした「ASM（AttackSurface Management）導入ガイダンス～外部から把握出来る情報を用いて自組織のIT資産を発見し管理する～」に続く、日本政府のセキュリティの取り組みとして注目を浴びています。エンドポイント環境のモニタリングも攻撃の早期検知や防御のために重要ではありますが、一方で、クラウド化やゼロトラストが浸透した昨今、インターネットから発見できて、安易に攻撃できるような公開資産の脆弱性は、ランサムウェア攻撃や不正アクセスの入り口として頻繁に悪用されており、私がこれまで対応した日本企業のインシデントでも多数を占めています。

サイバー攻撃でよく悪用されるVPN等のリモートアクセス手段やWebサーバ等の公開資産では、新たに発見された深刻な脆弱性や、運用・開発の環境変更のタイミングで生じるような脆弱性な設定を、タイムリーに発見して対処することが重要です。経済産業省のASMガイドラインでも「管理」と位置付けられている通り、ASMは本来、1度きりのアセスメントではなく、定点的にモニタリングすべき領域です。

Blackpandaでは、インシデント対応を行う中で、以前からこのような公開資産に対する定点モニタリングの重要性を感じており、インシデント発生前にお客様のセキュリティリスク状況を把握しておく手段の一つとして、自社のこれまで培ったインシデントの知見を盛り込んで、自社の開発チームで独自のASMスキャンエンジンを開発しています。自社開発であるため、スキャンデータベース等の外部ツールの情報粒度や更新頻度に依存することなく、加えて、細かいチューニング等の運用も不要で、週1回のレベルの細かい定点モニタリングを実現しています。また、BlackpandaのASMエンジンでは、脆弱な公開資産の発見に加え、ユーザのメールドメインに該当する漏えい認証情報もダークウェブやハッカーフォーラムから洗い出すことで、ランサムウェアや不正アクセスのリスクに加えて、ビジネスメール詐欺（BEC）のリスクの軽減も図ることができます。

BlackpandaのASMは、中小企業様向けのIR-1、及び近日エンタープライズ企業様向けにリリースするIR-Xの標準機能として搭載されています。これらのソリューションはいずれもSaaS型で、平常時はASMモニタリング、インシデント発生時には1度だけインシデント対応を呼び出して、調査やアドバイザリ等の支援を受けることができるプラットフォームです。従来のコンサルティング形式のインシデント対応サービスのモデルと比較すると、コスト面で大きくメリットがあるモデルになっています。

‍

‍弊社はMS&AD インターリスク総研株式会社 (本社：東京都千代田区、代表取締役：一本木　真史、以下「MS&ADインターリスク総研」と共同で「ランサムウェアの事例から学ぶインシデントレスポンスの重要性」というテーマのWeb セミナーを8/2(金)に開催いたします。

サイバーリスクは、中小企業の継続に直接影響を与える深刻な問題です。中小企業でも、適切な対策を取ることで、そのリスクを低減できます。皆様のお役に立つことを目指し、具体的な事例をもとにした対処方法やソリューションの概要に関する情報をお届けいたします。

①   開催日時：2024年8月2日(金)15:00~16:00（日本時間）

※Webinar終了後、ご希望の方には個別相談を実施します。

②　会場：ZoomWebinarを使用したライブ配信

※参加方法は開催の1営業日前にご登録いただきましたメールアドレス宛にご連絡いたします。

③　対象者：CISO、サイバーセキュリティ統括責任者、IT・情報セキュリティ部門長、および同等の職責の方

④　定員：100名

 ※同業者の方、もしくはお申し込みが定員を超えた場合にはお断りする場合もありますので予めご了承下さい。

⑤　受講料：無料

⑥　プログラム：※講演テーマ・登壇者は変更となる場合がございます。予めご了承ください。

申し込みはこちら：https://rm-navi.com/search/item/1802

‍

‍

開催概要

　　ご質問等などございましたら、japan-sales@blackpanda.comまでお問い合わせください 。

‍

この記事のポイント：

• データ窃取による脅迫やビジネスメール詐欺など、さまざまな形態のサイバー攻撃が活発化している。
• Blackpandaはサイバー攻撃者との交渉におけるリスク管理や、高度なサイバー犯罪調査も行っている。
• 国際的な法執行機関や法律事務所との協力関係を持ち、サイバー犯罪の訴訟支援体制を整備している。

‍

• 企業が直面する難題：ランサムウェア

ランサムウェアの身代金支払いについての話題が、改めてメディアに取り上げられるようになりました。政府や警察機関を始め、犯罪者の活動を助長しないためにも、身代金の支払いをしないことを推奨している中で、金銭の支払いを要求するサイバー攻撃には、ランサムウェア以外にも、目に見える被害を伴わないデータ窃取による脅迫や、ビジネスメール詐欺（BEC）、サポート詐欺等、様々な形態がいずれも活発に行われています。いざこういったサイバー攻撃の被害に遭った場合には、単純な支払い是非だけは無く、企業毎に様々な難しい経営判断が求められます。

‍

• Blackpandaのインシデント対応 (緊急対応)

緊急事態に備えて、自社に必要な支援を包括的、かつ安心できる高いレベルで提供できる業者を把握したり、事前に契約を結んでおくことがいざという時の大きな助けになります。以下では、サイバー攻撃のインシデント対応専業ベンダーとして、Blackpandaがどんな支援を提供しているか、簡単にご説明します。

こういった攻撃の被害に遭ってしまった場合には、まず、迅速な影響範囲の把握が肝心です。Blackpandaは旧来のフォレンジック手法では侵害の規模によっては数カ月かかる調査を、最新の調査ツールや技術、専門性の高い人材を駆使し、数日～数週間で実行します。

• Blackpandaの犯罪危機対応とサイバー犯罪調査支援

加えて、Blackpandaは設立当初は誘拐やテロ等の犯罪危機対応を支援する会社であったため、現在でも犯罪者に対する交渉の様々なリスクを把握するエキスパートを抱えています。弊社が身代金の支払いを推奨することは一切ございませんが、攻撃者からの度々の要求に対して、安定した被害調査や復旧を実施するための交渉の観点を含めたアドバイザリ支援が提供できます。

‍

さらには、例えばバラマキ型のランサムウェア攻撃や、サポート詐欺等で、自社の特定の従業員のシステムでの被害が発覚した際に、既に金銭が支払われてしまっていた場合に対しても、Blackpandaはサイバー犯罪調査に対する高度な技術や知見（ブロックチェーン分析による暗号資産の追跡調査、OSINT (Open Source Intelligence)¹又はHUMINT (Human Intelligence)^２やダークウェブを含む漏えい情報調査やモニタリング、聞き取り等を含む人的調査）を用いた支援が可能です。

‍

• Blackpandaの国際法執行機関との協力とサイバー犯罪訴訟支援体制

‍

なお、Blackpandaは米国シークレットサービス・アジア太平洋地域のCyber Fraud Task Forceを含む国際法執行機関や法律事務所との協力関係、日本においてはJC3（一般財団法人日本サイバー犯罪対策センター）の会員として、サイバー犯罪の民事、及び刑事訴訟の支援体制を整備してきています。JC3は、察庁の外郭団体として、国内外のサイバーセキュリティ・サイバー犯罪捜査の分野における産学官連携組織です。

‍

ホームページ：https://www.blackpanda.com/jp

お問い合わせ：japan-sales@blackpanda.com

‍

1: OSINT (Open Source Intelligence)は、合法的に入手可能な公開サービスなどの外部露ソースを調査し、診断者が攻撃者の視点からそれらが攻撃に利用可能かどうかを分析する手法です。

2: HUMINT (Human Intelligence)は、人が直接観察や判断を行い、人との接触を通じて得られる情報全般を示します。

‍

■業務連携の背景

現代のデジタル環境において、サイバー攻撃はますます巧妙化し、その対応の重要性が増しています。ＭＳ＆ＡＤインターリスク総研はＭＳ＆ＡＤインシュアランスグループにおけるリスク関連サービス事業会社として、「デジタル・データを活用したリスクマネジメントの中核」を担い、社会課題解決と企業価値の向上に向けた取り組みを推進しています。2024年7月1日より、企業がサイバー攻撃を受けたときの対応（インシデントレスポンス）を伴走支援するサービス『サイバーインシデントガード』の提供を開始し、サイバー攻撃による被害の極小化を図るとともに、お客さまの事業継続と発展に貢献します。一方、BLACKPANDAはサイバーインシデント発生時に、影響を受けたシステムの隔離や原因の調査などのアジア最先端のデジタルフォレンジックとインシデントレスポンス（以下、「DFIR」）を提供しており、早期の通常業務への復帰などの万全なサポートを実現しています。両社の連携により、迅速かつ効果的なインシデント対応を実現し、お客さまの安全性を最大限に確保された社会を目指します。

‍

■BLACKPANDAについて

BLACKPANDA は、アジアをリードする、地域に根ざしたサイバーインシデントレスポンスの会社です。サイバー空間の有事対応において、日本を含むアジアの企業にワールドクラスのサービスを提供しています。アジア各地域のBLACKPANDA常駐正社員スペシャリストによるインシデントレスポンスによってお客さまをサポートし、サイバーレジリエンスの強化とデジタル業務の安全確保を支援します。

‍

■MS&ADインターリスク総研株式会社について

ＭＳ＆ＡＤインシュアランスグループにおけるリスク関連サービス事業会社として、「デジタル・データを活用したリスクマネジメントの中核」を担い、社会課題解決と企業価値の向上に向けた取り組みを推進し、グループが目指す姿「リスクソリューションのプラットフォーマー」としてのミッション実現のため、補償・保障の前後においてデジタル・データを活用した新たなサービスと事業を展開しています。

‍

BLACKPANDA JAPAN株式会社 代表取締役 鈴木 デイビッド 友 氏からのコメント

ＭＳ＆ＡＤインターリスク総研は日本を代表するリスクコンサルティンググループであり、世界有数の損害保険グループであるＭＳ＆ＡＤホールディングスの重要な一部です。ＭＳ＆ＡＤインターリスク総研との提携は、当社の実践によって卓越したDFIR能力を示すものです。ＭＳ＆ＡＤインターリスク総研は、新しいCSIRT事業において、その強力なリスク管理資源を活用し、当社が特化しているDFIR機能を最大限に発揮することができるようになりました。私たちはＭＳ＆ＡＤインターリスク総研と協力してサイバー脅威と戦い、サイバーリジリエンスの民主化という使命に貢献してまいります。

‍

MS&ADインターリスク総研株式会社 代表取締役社長 一本木　真史 氏からのエンドースメント

サイバー攻撃の被害はますます甚大化しており、企業・団体等の規模を問わず被害が発生している状況です。万が一サイバー攻撃を受けた際には、大企業だけでなく中堅中小企業においても迅速な初動対応が重要で、お客さまや取引先、株主、関連企業等のステークホルダーへの報告はもちろん、警察や個人情報保護委員会等の公共機関への報告も必要となります。

当社はサイバー事故対応の社内組織：CSIRT（ComputerSecurity Incident Response Team）の司令塔であるコマンダーの役割を担い、情報収集やアクションプランのアドバイスをしながら、BLACKPANDAと連携し被害の状況を解明し、サイバー事故からの事業早期回復、被害の低減に貢献いたします。

‍

BLACKPANDA GROUP について

BLACKPANDAは、アジアをリードする、地域に根ざしたサイバーインシデントレスポンスの会社です。サイバー空間の有事対応において、アジアの企業にワールドクラスのサービスを提供しています。アジア各地域のBLACKPANDAスペシャリストによるインシデントレスポンスによってお客さまをサポートし、サイバーレジリエンスの強化とデジタル業務の安全確保を支援します。BLACKPANDAのミッションは、あらゆる規模の組織が最高水準のサイバーインシデントレスポンスソリューションを活用して、業務を安全に継続できるサイバーリジリエンスの民主化です。詳細はウェブページをご覧ください。https://www.blackpanda.com/jp

【本件に関する問い合わせ先】

BLACKPANDA JAPAN株式会社

Tel：090-9816-1525　E-mail：japan-sales@blackpanda.com

ＭＳ＆ＡＤインターリスク総研株式会社

E-mail: INCIDENT_GUARD@ms-ad-hd.com

‍

‍

‍

‍

‍

‍

三井物産セキュアディレクション株式会社（本社：東京都中央区、代表取締役社長：鈴木大山、以下MBSD）は、BLACKPANDA JAPAN株式会社（本社：東京都千代田区、代表取締役 鈴木 デイビッド 友、以下Blackpanda）と協業し、セキュリティ事故に備えてIR（インシデント対応）サービスを事前に契約するIR Retainerサービスの提供を開始します。セキュリティ事故発生を想定して事前に準備を行うことで、インシデント発生後に企業が自身でIRベンダーに対応を依頼する場合に比べ、事故解決までの労力とコストを抑えつつ、インシデント対応を円滑に進めることが可能となり、早期の解決を支援します。 

企業でセキュリティ事故が発生した際、自社のCSIRT機能で対応が難しい場合は、対応可能なIRベンダーを探して対応相談を行いますが、事故発生後に対応可能なIRベンダーを探し、煩雑な契約作業やIRベンダーに対する自社環境・事故状況の説明を行う必要があります。そのため、発生したセキュリティ事故対応までに多くの時間と労力を要し、結果として被害の拡大を許してしまう課題がありました。また、事故発生時には一般的に緊急対応を要するため、費用も高額となる傾向にあります。 

本サービスでは、セキュリティ事故発生前に、契約作業と利用者様環境の事前把握およびコミュニケーション体制整備を実施することで、セキュリティ事故発生に備えた準備をMBSDが支援します。万が一セキュリティ事故が発生した場合は、MBSDが利用者様との相談対応窓口を担い、Blackpandaと連携して対応いたします。事前に契約作業と利用者様環境の把握が完了している為、セキュリティ事故発生から対応開始まで、脅威の特定から封じ込め・復旧に至るまでの時間を短縮することができ、結果として被害を最小化することにつながります。さらには、事前契約型サービスのため、緊急時にIRベンダーと慌てて契約を行う場合に比べ、費用負担も抑えられるメリットもあります。 

また本サービスでは、契約期間内に事故対応支援の利用がなかった場合、契約金の一部を他のセキュリティサービスに付け替えることが可能となっており、プリペイド契約ながら掛け捨てにならない点も大きな特徴となります。詳しくは下記までお問い合わせください。 

‍

本サービスの特徴 

1. 事故発生～調査開始～復旧までの時間を短縮し被害を最小化 事前に契約を行うことにより、調査開始までの時間を短縮することが可能です。本サービスでは契約後に事前ヒアリングを行い、利用者様環境を事前に把握します。従来のようなセキュリティ事故発生時にIRベンダーと契約を行う対応と比べ、対応開始から脅威の特定、封じ込め、復旧にいたるまでのインシデント対応全体にかかる時間を短縮することが可能となり、結果として被害の最小化を実現します。 
2. ‍掛け捨てではない柔軟なサービス設計 契約期間内にセキュリティ事故が発生しなかった場合は、利用しなかった契約金の一部を別のセキュリティサービスに付け替えて利用することが可能となります。また、追加の費用負担なしで利用可能なサービスも一部含まれており、セキュリティ事故発生の有無に関わらずご利用者様のサイバーレジリエンス向上に資するサービス設計となっています。 
3. ‍費用負担を抑えた事故対応支援 セキュリティ事故に備え事前に契約を行う形態のため、セキュリティ事故発生後の緊急時にIRベンダーと慌てて契約を行う場合に比べ、費用負担を抑えることができます。 
   
   
   

Blackpandaからのコメント】 このたびは、MBSDとBlackpandaの協業によるIR Retainerサービスが提供開始できることを、大変嬉しく思っています。Blackpandaにとって、極めて重要な節目であり、これまで開拓してきた中小企業の顧客ベースから、MBSDとの協業を通じてエンタープライズ市場にビジネスを拡大し、より多くの日本のお客様への貢献を目指します。 BlackpandaはMBSDのソリューションの一環として、高度なデジタルフォレンジックおよびインシデントレスポンスサービスを提供してまいります。 MBSDとのパートナーシップは、弊社の優れた専門性と、日本のサイバーセキュリティ市場をリードするMBSDの地位を裏付けるだけでなく、日本国内のお客様が、進化し続けるサイバー脅威に対抗できるレジリエンス（耐久力）を実現するために、共同で力を尽くすことを示すものです。 

BLACKPANDA JAPAN株式会社 代表取締役 鈴木 デイビット 友 

‍

[MBSDからのコメント】 

このたび、Blackpandaと協業でIR Retainerサービスを提供開始できることを大変嬉しく思っています。サイバー攻撃による脅威は年々増加しており、国内外で事業活動に甚大な影響を及ぼすセキュリティ事故が頻発しています。MBSDはこれまでも様々なお客様の国内外のインシデント対応を支援してきました。Blackpandaと共に提供するIR Retainerサービスが、より多くのお客様のセキュリティ事故発生に迅速に対応できる体制を備えたいというニーズに応え、サイバーレジリエンス向上の実現をお手伝いできるものと期待しています。 

三井物産セキュアディレクション株式会社 執行役員 関原 優 

‍

BLACKPANDA GROUP について 

Blackpanda は、アジアをリードする、地域に根ざしたサイバーインシデントレスポンスの会社です。サイバー空間の有事対応において、日本を含むアジアの企業にワールドクラスのサービスを提供しています。アジア各地域のBlackpanda常駐正社員スペシャリストによるインシデントレスポンスによってお客様をサポートし、サイバーレジリエンスの強化とデジタル業務の安全確保を支援します。 

‍

三井物産セキュアディレクション(MBSD)について 

2001年にサイバーセキュリティの専門会社として設立。ペネトレーションテスト/TLPT/レッドチーム、Webアプリケーション/ネットワーク脆弱性診断等の各種診断サービス、統合ログ監視/Managed XDRサービス等の高度なセキュリティ技術サービス、コンサルティングサービス等を提供する企業です。詳しくは当社ホームページをご覧ください。 

‍

＜本件に関するお問い合わせ先＞ 三井物産セキュアディレクション株式会社 

アドバンスドサービス事業本部 ビジネスディベロップメントグループ 

e-mail: AS-BizDev@mbsd.jp 

‍

With the rising number of cybercrimes, tracking nefarious actors online has become a crucial focal point for both governments and private enterprises alike. When cybercrime takes place within your own digital environment, identifying the extent of the compromise and investigating the root cause should be your top priority in order to contain the damage, eradicate the threat, and mitigate further loss.

​

Digital forensics is the process of uncovering and interpreting electronic data from digital devices. It is often in relation to cybercrime and assists in pinpointing the origin of an attack, tracing it back to the source and enabling the recovery of lost or stolen data. Typically, an investigation involving digital forensics would include the following five critical steps:

‍

1. Identification

Knowing where to look for electronic evidence is extremely important when beginning an investigation. Sources of relevant evidence may include (but are not limited to) mobile phones, computers, servers, emails, and internet service providers. The process of identification may not only be digital; observation of physical surroundings (e.g., security camera positions, key card access control readers, etc.) may also provide physical evidence in putting together a timeline.

​

2. Containment

Containment serves as the first active response to a crisis, disabling the hacker from carrying out malicious activity to prevent further damage. The nature of the incident will determine the type of containment effort taken, ranging from controlling, monitoring, and enabling added security measures.

‍

Upon identification, system or network isolation might be necessary in order to reduce damages and prevent further disruption to business operations. To decide whether or not the system requires isolation, consider critical factors such as the extent to which the system, platform, or application is deployed within the company network.

‍

3. Collection & Preservation

Data collections should be done without damaging the original systems, meticulously following established procedures and ensuring data integrity. Different data acquisition methods and tools may be used for different systems. Analysis should be conducted on the acquired copy or duplicate image rather than the original point of breach to allow for evidence corroboration.

‍

The process of preserving data is key to ensure all information available is authentic and valid. Fundamental documentation of the evidence collected should include information on the date and time of collection (When), description of the evidence itself (What), information of the source system such as the operating system (Where), software or hardware specifications, and network identifier, and details of the acquisition tools used (How). There should also be established standards to properly store the data collected and prevent any evidence tampering.

‍

Much like a physical crime scene, photos (or, in this case, digital copies) are taken of the evidence at the scene of the incident. Visuals of the scene are used as a point of reference for investigation. As incident responders often work in teams, these visuals enable parallel analysis among the multiple specialists. Digital copies are also highly useful for documenting the Incident Report following the investigation.

‍

4. Analysis & Eradication

The primary goal of analysis is to determine how and when the breach happened by scrutinizing and interpreting the evidence collected. The analytical process draws on a multidisciplinary approach, pulling resources from various skillsets, expertise, and training. Approved tools and methodologies must be adhered to during this process.

‍

Time and date parameters or boundaries are often the first two key factors identified as they are important in building the timeline of events that uncover how an attacker may have entered a system, moved within it, and taken actions on objectives. Time and date parameters also help investigators narrow the scope of an investigation, eliminate externalities and hypotheticals, and focus on the time range of the attack to more efficiently obtain useful findings.

‍

Matching evidence to an event timeline may help identify corroborative evidence of the incident. Depending on the goals and priorities of the investigation, forensic investigators may interpret and draw conclusions based on facts gathered from the evidence.

‍

As part of the threat eradication process, activities such as blocking malicious network indicators, rebuilding compromised systems, resetting account credentials and others should be taken with verification steps to follow so as to ensure a comprehensive remediation. A thorough exposure check or a vulnerability assessment of the entire system and continuous monitoring are advised to identify other weak links and potential threats. To prevent future occurrences, a new set of defenses may be proposed.

‍

One important action that complements the steps above is copious note-taking. Documentation should be detailed enough such that actions taken can be replicated and reproduced by another person.

‍

5. Reporting

The last step in this process is reporting. The report should identify the source of breach, techniques and methodology used to investigate and mitigate the attack, the evidence collected, and advisory materials for stakeholders and decision makers. The report should be factual, impartial, and non-technical for stakeholders to easily understand and take necessary action.

​

-- 

​

While each company or system is unique and requires its own incident response plan, the above-mentioned serves as a general overview of the investigation process involving digital forensics. For professional advice on incident response planning suited to your firm’s specific needs, schedule a call with one of Blackpanda’s cyber incident responders to plan your response.

‍

While previously confined to Fortune 500 companies and nation state infrastructure, ransomware attacks are now a threat to SMEs and individuals with new strains and ransom demands making headlines every week.

‍

Attackers carry out ransomware attacks on businesses or individuals by gaining access to their networks most often through simple methods such as phishing or remote desktop compromise. Once the ransomware is downloaded onto an endpoint, it encrypts all the data on it and can spread to other endpoints in the network. This can happen within minutes of the attack’s penetration. By holding information hostage and locking users out of their systems, cyber attackers are able to demand ransom money in exchange for access to the system, giving the attack its distinctive name.

‍

History of ransomware

While Ransomware has been making headlines for at least the past three years as a novel attack vector, the first recorded ransomware attack occurred almost thirty years ago. In 1989, a program dubbed “AIDS Trojan'' was distributed via floppy discs to unknowing attendees of a research conference. Believing the discs were research tools, these victims inserted the malware into their computers and watched their files become encrypted with the attackers demanding ransom by mail in exchange for instructions to decrypt their systems. 

‍

In the early 2000s, Distributed Denial of Service (DDoS) attacks were more common than ransomware. This trend shifted with the catastrophic attack known as WannaCry, which in 2017 compromised entire sectors around the world, initiating what some have called “the era of ransomware.”

‍

The era of ransomware

One of the biggest innovations that supported the explosion of ransomware was the emergence of cryptocurrencies such as Bitcoin’s rise in 2010. This provided an easy and untraceable method for receiving payment from victims which created the opportunity for ransomware to become a lucrative and low-risk undertaking.

‍

With the growth of ransomware came developments in its supply-chain as cyber criminal groups began to offer Ransomware-as-a-Service packages whereby malware programs are leased to clients around the world in exchange for a portion of their profit from ransom payments.

‍

The most recent trend in ransomware development is data exfiltration. In 2020, there was a widespread adoption of ransomware paired with data-leak extortion tactics, which were rarely used by threat actors in previous years. This method involves both encrypting a victim organization’s environment and also exfiltrating data with the threat to leak it if the extortion demand is not paid.

‍

This rapid evolution of ransomware is expected to continue at an accelerated rate as attackers and criminal groups continue to reinvent their techniques in order to apply as much pressure as possible to organizations in crisis. Ransom demands are also on the rise, with the average ransomware payment reaching USD 570,000, up almost 5x from USD 115,123 in 2019. 

‍

With Asia being particularly targeted—incidents spiked 64% in 2021 compared to the previous year—, the attacks in this region show now sign of slowing. In an effort to put future breaches into context with the attacks that have come before them, this article explores the most notable incidents that Asia has faced, thus far. 

‍

What are the most famous ransomware events in Asian history?

‍

1. WannaCry

‍

What: Global ransomware attack affecting Asian hospitals and other public and private organizations.

‍

Where: Over 200,000 targets in at least 150 countries were severely affected by WannaCry. In Asia, nearly all computers in two major hospitals in Indonesia—Dharmais Hospital and Harapan Kita Hospital—were encrypted. Some Japanese and Singaporean organizations were also affected, along with university hospitals in Seoul and educational institutions in China.

‍

When: On the 12th of May 2017, WannaCry began to spread around the world. The malware was halted a few hours later by the registration of a kill switch discovered by Marcus Hutchins. This prevented already infected computers from being further encrypted or spreading WannaCry, although the virus had already spread globally.

‍

How: The virus exploited a vulnerability in Microsoft’s Windows software, which allowed it to penetrate computers and encrypt files on the PCs hard drive, rendering the devices inaccessible to users. The virus then demanded a ransom payment in bitcoin in order to decrypt them. The rapid spread of WannaCry was supported by the numerous high-profile systems, including Britain's National Health Service, that were hit by the attack and spread it across external systems that were connected. Of note, a novel variant of WannaCry forced Taiwan Semiconductor Manufacturing Company (TSMC) to temporarily shut down several of its chip-fabrication factories in August 2018.

‍

Who: The attackers went long undetected, until in December 2017 the United States and United Kingdom formally asserted that Lazarus Group, a cybercrime organization that may be connected to the North Korean government, was behind the attack.

‍

2. Singapore SingHealth and Hong Kong Health Department 

‍

What: A ransomware attack was launched against several businesses based in Singapore including multinational companies with operations in the city-state. SingHealth, Singapore’s public health network consisting of four hospitals, five national speciality centres, and eight polyclinics, was the most prominent institution hit by the attack. Files containing confidential outpatient prescriptions of 160,000 citizens, including Singapore Prime Minister Lee Hsien Loong and other ministers, were breached. In Hong Kong, computers belonging to the health department’s Infection Control Branch, Clinical Genetic Service and Drug Office were also hit, rendering the data inaccessible. 

‍

Where: Singapore and Hong Kong.

‍

When: Between July and August 2018. Singapore was hit two weeks before Hong Kong with the attacks lasting a total of four weeks.

‍

How: On the 20th of July, the Singapore Government declared that the personal particulars of 1.5 million patients in SingHealth were compromised in the Republic's worst ever cyber attack. Files stored on the computers were encrypted by ransomware and an e-mail address to contact for a decryption key was left behind but no ransom was demanded. SingHealth and Singapore's public healthcare sector IT agency IHIS were punished with penalties of S$250,000 and S$750,000 respectively, for the attack that breached the country's Personal Data Protection Act. The fines were the highest paid out to that date.

‍

Who: A cyber criminal group named Whitefly was found by the Singapore government to be responsible for the attacks, six months after they occurred.

‍

3. AXA Asia

‍

What: One week after cyber insurer AXA France announced it changed its cyber insurance policy to stop coverage for ransom payments, the company's Asia Assistance division was hit by a ransomware attack. Hackers claimed to have seized three terabytes worth of sensitive data in Asia. Stolen data included screenshots of customer identity cards, passports, bank documents, hospital bills, and medical records. 

‍

Where: AXA’s Asia division was attacked, impacting IT operations in Thailand, Malaysia, Hong Kong and the Philippines. As a result, certain data processed by Inter Partners Asia (IPA) in Thailand was also accessed.

‍

When: May 2021.

‍

How: The Avaddon malware likely gained access to AXA’s network through a phishing email in Thailand, and then rapidly spread across the network to reach all the other endpoints. It then encrypted all files within a few minutes, making them irrecoverable and giving AXA ten days to make a decision regarding the ransom payment.

‍

Who: The attack has been attributed to Avaddon, which had been active for about a year prior to the incident affecting the French insurance company. The group is thought to be based in Russia and offers its malware on a “Ransomware-as-a-Service” model to less sophisticated clients.

‍

4. Tokio Marine

‍

What: The attack targeted the company’s internal Windows servers, spreading to a large number of computers in the network. By intervening promptly, Tokio Marine was able to keep providing its insurance services during the course of the attack.

‍

Where: Tokio Marine Insurance Singapore, a subsidiary of Tokio Marine Group, was targeted by the attack.

‍

When: Between July and August 2021. 

‍

How: The ransomware attack affected Tokio Marine Singapore on a large scale, encrypting critical data across all company endpoints. After the ransomware was discovered, the network was isolated to prevent further damages. Tokio Marine also immediately filed the necessary reports to local governmental agencies, displaying a good level of preparedness to such a cyber attack. The Tokio Marine and the AXA ransomware attacks, which occurred within a few months from one another, is a sign of a growing trend of ransomware attacks targeting insurance companies. While some see this as a natural part of the shift in targets in the cyber crime industry, others recognize this as an answer to the hardening of the cyber insurance market, which is becoming more reluctant to paying for ransomware requests, effectively undermining the ransomware business model.

‍

Who: The attacker of Tokio Marine was never disclosed, and investigations are still underway to understand exactly what type of malware was deployed and where it came from.

‍

5. Eye & Retina Surgeons Singapore Eye Clinic

​

What: The attack affected the Eye & Retina Surgeons clinic server and management system. Data for an estimated 73,000 patients was affected by the breach. This comprised patient information, including names, addresses, identity card numbers, contact details,  and clinical information such as clinical notes and eye scans.

‍

Where: The Eye & Retina Surgeons clinic is based in Singapore.

‍

When: The incident occurred on the 6th of August 2021.

‍

How: A ransomware virus penetrated the network likely through a malicious email or phishing link, encrypting patient data as soon as it gained access to the business endpoints. Eye & Retina Surgeons decided not to pay the requested ransom and was unable to  recover the lost files, although reports claim no data was leaked. The company worked closely with the Cyber Security Agency of Singapore to restore system health and resume its activities.

‍

Who: The hackers responsible for this ransomware attack have not yet been identified. 

‍

IR-1: The most effective cyber risk management solution for SMEs in Asia

Waiting for an attack to happen before you contact a cyber incident response team can cost precious time and a high hourly fee, which is why pre-purchasing a retained solution is the best way to optimise response time and minimise costs.

‍

Blackpanda’s IR-1 subscription is the most effective solution for small and medium enterprises in Asia Pacific facing limited resources and knowledge in managing cyber breaches. IR-1  aims to help them manage cyber breaches and mitigate their impact by offering a 12-month subscription plan that includes 24/7 incident response availability, one incident response activation credit, discounted rates for Blackpanda services, and unlimited access to a digital library. IR-1 is staffed by highly trained specialists, and businesses can renew the subscription upon expiry.

‍

Get in touch with us to learn more about IR-1.

Cyber attacks are becoming more common. They are targeting organizations across all sectors and sizes, and small-medium enterprises (SMEs) and start-ups are getting hit especially hard. Research by Chubb found that 93% of SMEs that experienced a cyber incident reported a severe impact to their business. For these reasons, building their security will assist SMEs maintain confidence in the Asian and global markets while surviving an ever-changing cyber-threat panorama. Blackpanda’s cyber security services for small businesses can help your organization improve its cyber security posture.

‍

How can small businesses improve their cyber security?

A frequent question we are asked at Blackpanda is: “Do small businesses need cyber security?”. The biggest misconception that exposes SMEs to cyber attacks is the sense of “security through obscurity”. Start-ups and SMEs tend to believe that they will never be targeted by cyber attacks because they are not important enough. This belief is no longer valid, as nowadays, most hackers are looking to target the most vulnerable companies rather than the biggest ones.

‍

Today, hackers have adopted a “spray and pray” approach to attacking. This approach involves hackers trying their luck with thousands of accounts at a time and expecting that at least some of them open up opportunities for breaches. Other times, they identify potential targets through “hunter” bots that seek digital windows and doors left open or unlocked. This targeting has contributed to the dire statistic that 43% of all cyber attacks are against SMEs, which lack structural preparedness and organizational cyber security awareness, as well as the financial resilience necessary to survive an attack.

‍

As global supply chains become larger and more complex, hackers often attack weak links in the chain - typically SME vendors - as a stepping stone to facilitate their subsequent penetration into the networks of larger institutions with stronger security.

‍

In comparison to larger organizations, smaller businesses have busier teams with more tasks on their plate compared to larger organizations which leads SMEs to place cyber security lower on their priority list. As a consequence, employees have low cyber security awareness and do not follow cyber hygiene best practices. Cyber security’s low prioritisation also entails minimal budget allocation. Given budgetary constraints, many SMEs lack a cyber security team or are defended by IT support technicians who lack the institutional knowledge, skills and wide experience possessed by the dedicated cyber security teams of large enterprises. Technicians with little cyber security experience may not have the capability to conduct thorough and sophisticated cyber compromise assessments and respond to incidents as they occur. Naturally, hackers understand this weakness and leverage it by launching sophisticated attacks that less experienced teams cannot avert.

‍

Importantly, SMEs lack the financial resilience to withstand the direct and indirect costs of a cyber attack - including downtime losses, incident response, legal and public relations expenses, to list a few - which can rack up to millions of US dollars. This weakness is the main reason for the statistic that 1 in 6 SMEs are compromised following a cyber attack, as businesses find it impossible to recover from the financial losses brought about by a single cyber attack. These compromised SMEs irreversibly lose clients since the company’s reputation is damaged for having been unable to safeguard its clients’ personal information.

‍

Cyber security can feel intimidating and complicated to those whose expertise lie elsewhere, and for SMEs this is often the case. However, there are plenty of cyber security service options for small businesses. Outsourcing cyber security is a simple and cost-effective way to improve a company’s cyber security posture and assure partners, investors and clients of the business’ ability to protect their precious information and assets by adequately responding to cyber threats.

‍

Outsourcing cyber security can help SMEs match large companies’ security posture

SMEs tend to see cyber security as an all or nothing deal —which does not have to be the case. By taking a leaf from the book of bigger companies and outsourcing essential cyber security tasks, SMEs can optimize their cyber security posture at a lower cost.

‍

All large organisations follow the standardized approach laid in the National Institute of Standards and Technology (NIST) framework for their cyber security strategy. This offers guidance on how organization stakeholders can manage and reduce cyber security risk using business drivers - identifying the cyber security threat, protecting the digital infrastructure, and detecting malicious activity when they arise can go a long way in terms of protecting companies from cyber attacks.

‍

However, the NIST framework does not exclusively apply to large companies: any company with a good cyber security posture knows that cyber security is not just about protection through antivirus. Whilst SMEs do not have the budget to build their own in-house SOC cyber security team as part of their lines of defense like big companies do, they can outsource these tasks to an independent Digital Forensics and Incident Response company; Blackpanda is one such firm.

‍

How Blackpanda helps SMEs identify, protect, detect, respond and recover from a cyber attack

Blackpanda’s cyber security services offering helps SMEs achieve the cyber capabilities of larger organizations with in-house SOC teams, which carry out Security Information and Event Management (SIEM), threat intelligence, information risk management and Information Assurance (IA) on a daily basis. We help SMEs match this through a combination of cyber defense techniques, including Managed Detection and Response tools (MDR), Compromise Assessments, well-rehearsed Incident Response plans and playbooks, and retainer plans.

‍

Proper cyber hygiene is key to minimizing open digital doors that can be exploited by attackers. Digital hygiene is the easiest starting point for all organizations to begin minimizing vulnerabilities and to improve their cyber security posture. Blackpanda provides cyber consulting services that include a care package to ensure that clients have a clear understanding of what steps to take to improve their cyber hygiene.

‍

Identify

The first step in the NIST framework is to identify cyber threats. Identification is conducted through Endpoint Detection and Response (EDR) tools, which should be top of mind for anyone with a computer. Blackpanda works with existing EDR or —in absence of one— installs SentinelOne’s Singularity behavioural EDR on all client endpoints.

​

Protect

Blackpanda Incident Response Preparation and Consulting services help prepare your organization to defend against and respond to breaches before they occur. Our Incident Response experts work with your team to identify vulnerable assets, draft organizational response plans, and craft bespoke playbooks to common attack events and communications protocols, while thoroughly testing all processes to optimize response. By working closely with our clients, we are able to gain a profound understanding of the company, similarly to how Special Forces conduct terrain analysis before carrying out a mission.

​

Detect

Thanks to the logs generated by EDR, Blackpanda can gather critical information about the network and perform an initial Compromise Assessment to verify a company’s cyber security posture and eradicate any malware that is present in your network. Having existing malware is not uncommon at all; in fact, 100% of our first-time Compromise Assessments find one or more active malware in the client network.

​

Behavior-driven Compromise Assessments are vital to an organization’s cyber security, given that traditional EDR services monitor computers for malware activity by looking for preset queries. Malware, however, is continuously evolving, with new variants being generated daily. Traditional EDR lacks the ability to distinguish strains of malware that it has not been programmed to seek out. Due to this limitation, cyber attackers are often able to work quietly in the background, operating undetected in networks for as long as several years. As attackers employ sophisticated techniques to conceal their activity and avoid raising suspects, detecting such ongoing attacks can be highly complex.

For this reason, Blackpanda’s Level 3 Threat Hunting specialists conduct Compromise Assessments with a behavioral approach. Rather than looking for certain known malware, they look for abnormal software behavior and investigate it until they can define whether it should be perceived as a threat or not. Blackpanda Compromise Assessments involve extensive log investigations using a proprietary list of over 120+ advanced threat hunting queries, updated weekly to reflect the most recent and advanced threat intelligence. These queries are designed to uncover suspicious and malicious activities, which, paired with our behavioural searches, allow us to identify highly sophisticated and previously unknown strains of malware.

Further, Compromise Assessment clients can gain eligibility for cyber insurance offerings from select partners, including Pandamatics Underwriting. 

Large Financial Institutions conduct Compromise Assessments daily, but we recommend smaller companies to do these at least once a quarter.

‍

Respond

Blackpanda Digital Forensics and Incident Response specialists are available 24/7 to promptly respond to any cyber attack. In the event of an attack minimizing dwell time - the time that passes between the start of the breach and when it is eradicated - it is crucial to safeguard the network and reduce the amount of damage that an attacker can cause. By calling Blackpanda as soon as you discover a breach, we will be able to support you in the process of incident response and recovery. Whilst we make every effort to respond to those who contact us immediately, to enjoy prioritized response and reduced hourly rates we suggest purchasing an Incident Response and Consulting Services retainer, eliminating delays and ensuring that our team responds immediately to a breach. 

When in the middle of a cyber crisis, knowing that you have a specialized team managing incident response and recovery provides peace of mind.

‍

Recover

Due to lesser financial resilience against cyber attacks, SMEs can fall apart with a single breach. Having a sophisticated cyber insurance plan in place is the best way of managing the costs related to cyber security. Asia’s only cyber-only insurance company, Pandamatics Underwriting is partnered with BlackPanda and backed by the capital strength of Lloyds of London. Cyber policies not only cover the costs of incident response, but also the other unexpected expenses that come with facing a cyber attack, including legal, management, PR and cyber security services costs.

‍

Conclusion

SMEs tend to view cyber security as a low priority item on their checklist, seeing it as an all-or-nothing matter. Most bigger firms and institutions are likely to have an in-house cyber team. However, the recent rise in attacks against both SMEs and big firms have highlighted how important it is for organizations to build cyber resiliency irrespective of size. Preventing cyber breaches and developing a well-prepared cyber strategy can save Start-Ups and SMEs millions of dollars by avoiding strict cyber breach penalties that are in place to punish negligence.

Without a strong cyber security posture and an incident response plan in place, one cyber compromise to a SME can be the difference between business as usual and shutting down for good. Ensuring that the company is doing all that it can to protect itself from cyber breaches is crucial in an evolving cyber threat landscape where neglecting ‘the last mile’ can have unforgiving consequences. The good news is, cyber security services can come at a much smaller cost compared to having an in-house SOC team, and there are cyber security services providers like Blackpanda that can help.

Whilst a strong digital infrastructure and good cyber hygiene can protect organizations from up to 90% of cyber risks, they are not sufficient. Attackers are continuously working to find loopholes in the system, and a singular instance of negligence can severely compromise the cyber security of the company. Thus, having a trusted cyber Incident Response partner that can support your organization in covering the last mile of cyber risk is invaluable.

Blackpanda provides bespoke Digital Forensics and Incident Response services to SMEs in the APAC region, with a hyper-focused approach informed by our Special Forces background. SMEs can take cyber security seriously too, and there are options for all business types and sizes

Blackpanda is Asia’s premier Digital Forensics and Incident Response provider. By contacting us before you are breached, we will be able to help you strengthen your security posture, and we will be promptly available when you fall victim to a cyber attack.

A terrain is usually defined as the ensemble of the features of a tract of land. Geographic terrains can be of many types—jungle, mountain, desert, urban, or otherwise—and with our increasing dependence on computers we have seen an entirely new kind of terrain emerge: digital. In fact, digital and physical terrains have more in common than you might think. 

‍

As a former US Army Special Forces officer and a lifelong computer scientist, I observed that the fundamentals of military tactics in physical terrain hold true in the digital terrain of cyber security. Cyber security and physical security are merely derivations of the original concept of security; cyber attacks are nothing more than modern versions of the attacks humans have always experienced, only played out on a digital “terrain”.

‍

Cyber security is not an IT problem—it is a security problem. 

​

For this reason, in building Blackpanda, we gathered exceptional individuals from military, law enforcement, and computer forensics backgrounds to develop bespoke and hyper-focused digital forensics and incident response services across APAC. Handling cyber incidents can be extremely stressful, requiring responders to act fast in an environment full of uncertainties. The focus and discipline we bring from our unique backgrounds have taught us to maintain our focus and calm in the worst situations, persevere in times of difficulty, prepare for the worst, and approach complex security challenges with clear, tried, and tested strategies.

​

The overlap between the physical and digital terrains forms the cornerstone of our approach to incident response. In this article, I delineate the specifics of our unique perspective in the hope that by better understanding the similarities between these terrains, readers will learn more about what we do, how we do it, and who we are as a company.

The Importance of Terrain Analysis

I consider myself a classically trained military strategist and tactician, both from my time as a West Point cadet studying Cold War-era combined warfare tactics and later as a counterinsurgency battlefield commander in multiple theatres of war.

‍

When I joined the US Army as a commissioned second lieutenant in 2001, I was posted to the DMZ in Korea along the 38th parallel where I patrolled my tank and mortar platoons as part of the 2nd Infantry Division. Being stationed along the border to North Korea was considered a “hardship” tour—the training schedule was very fast-paced, and we had monthly alert sequences to defend against an invasion from the North. 

​

I spent approximately 24 months in the frigid tundra of the Korean peninsula as part of the 2nd Infantry Division. Engineers, infantry, artillery, and attack helicopters all coordinated with my tank platoon and we moved as a single unit, although each had their specific roles and capabilities. We honed our skills with a tremendous amount of training on the combined arms training grounds in the rocky mountains of Korea. There, I practised complex tactical formations and honed my skills to analyse mountains, rivers, and deep valleys in defensive and offensive positions.

When developing a military plan, whether offensive or defensive, a tactician should first conduct an analysis of the battlefield terrain. Terrain analysis is critical for understanding the “chessboard” before even considering which pieces are in play, from both enemy and friendly elements. 

‍

For example, a hilltop spur is a key terrain feature of the Korean mountains that provides a valuable dominant position. From this vantage point, the army can command fields of fire over a valley. In a desert urban scenario such as Mosul in Iraq, one could position troops at a critical four-lane highway intersection of three major throughways. Holding such an intersection could prevent the enemy from moving quickly throughout the region.

‍

In these two examples, one can see that understanding the terrain and using it to your advantage plays a critical role in obtaining an overwatch position that prevents the enemy from freely and quickly advancing past the troops.

‍

Applying Terrain Methodology to Provide Better, Faster Incident Response in APAC

‍

Our experience as an incident response and digital forensics company has taught us that no two cyber terrains are the same. Every organisation is a combination of a number of factors including industry, size, geographic location, culture, personnel, and many more. Thus, it would be naive as incident responders to treat every case with a one-size-fits-all approach. 

‍

At Blackpanda, we offer our clients on-call digital forensics and incident response services as well as pre-breach response planning, assessment, and consulting. While other incident response companies limit their intervention to showing up in the moment of a breach, our objective is to build long-term relationships and a deep understanding of our clients’ individual cyber terrains.

‍

By doing so, we can provide better, faster incident response based on the mutual and comprehensive understanding of the environment—including both its advantages and vulnerabilities. We do this through seeking enhanced visibility, carrying out manned reconnaissance, and regularly conducting response readiness drills.

‍

Enhanced Visibility | Behaviour-based Endpoint Monitoring

One of the most important things we do when we begin working with new clients is to install endpoint technologies that automatically monitor for threats and rapidly gather forensic data following an attack. These tools enhance our visibility across an environment and allow us to respond more effectively to an attack. They can be thought of as the initial scout and ensuring the tactical team that follows close behind can secure the position or, in this case, the endpoint.

Typical anti-virus tools simply act as gatekeepers, blocking only processes with known threat signatures. Behaviour-based EDR instead works by observing the overall activities of a computer, setting a baseline of normal behaviour in the environment, and flagging suspicious behaviours themselves—detecting even new threats with previously unrecognised signatures.

With both tools installed prior to a breach, the enhanced visibility of settings, behaviour, and forensic evidence allows our team to not only detect threats faster but also triage, hunt for similar activity across all endpoints, and decommission malware more quickly and efficiently during an attack.

‍

Manned Reconnaissance | Compromise Assessments

Even the most advanced cyber security technologies may be thwarted or evaded as cyber criminals continue to evolve their tactics daily. For this reason, we highly recommend businesses amplify their reconnaissance efforts through regularly conducted human-led Compromise Assessments.

​During a Compromise Assessment, our threat hunting specialists perform an inside-out investigative sweep of your cyber terrain for any signs of compromise including dormant, active, or past attacks that other tools may have missed. We use a continuously updated library of thousands of proprietary queries to search for malware on the network and assess the overall security posture of the organisation. We also scrape the Dark Web for leaked information and hacker forum chatter about the company that may indicate an existing compromise or foreshadow an upcoming attack. 

​The human-led, tech-enhanced, and comprehensive nature of Blackpanda’s compromise assessments means that our specialists form a deep understanding of your environment and overall security posture in the process.

We recommend organisations conduct Compromise Assessments at least quarterly, if not weekly or daily, depending on your risk tolerance. By regularly checking internal systems for vulnerabilities and early signs of attacks, our team will come to know an environment like the back of their hand—facilitating faster and more effective response to attacks on your organisation and also stamping out early problems before they reach their final form.

Regular Drills | IR Planning and Tabletop Exercises

In the military, one of the most critical factors of mission success is proper planning. Setting up scenarios and running through reaction protocols is the best way to ensure that response is prompt and effective, smoothing out any potential bumps and hiccups before a live engagement. 

‍

At Blackpanda, we provide the same level of preparation through our Incident Response Planning and Tabletop Exercises. We work closely with clients to understand their terrain and unique strengths, weaknesses, and requirements, designing detailed action plans for dealing with a range of threats. These Incident Response Plans and Playbooks cover everything from communications, escalation, and handover procedures to technical responses for individual attack types. 

‍

We then test those plans by conducting tabletop exercises—live practice runs where relevant actors across the organisation are involved in improving the speed and efficiency of response and recovery. Through these efforts, both Blackpanda and your internal team gain a stronger awareness of your digital environment, “terrain” features, advantages, and disadvantages.

‍

In Closing: No terrain is ever 100% secure

The above terrain-focused methodology and pre-breach services allow us to develop greater visibility and deeper understanding of your organisation’s digital environment; however, no terrain—whether physical or digital—can ever be 100% secure.

‍

In words taken from the world-class US Army Survival, Evasion, Resistance, and Escape (SERE) Level C School: “Preparation is the key to survival.” 

‍

As such, modern organisations must have a plan in place for when defensive measures fail and specialised emergency response is required. The best way to minimise damage and financial loss is by having a trained and professional incident response team on call, through Blackpanda’s IR-1 subscription, designed to help SMBs successfully manage cyber breaches and mitigate their impacts by reducing operational downtime and financial and reputational damages. 

Just as each Army division specialises in a particular setting—whether airborne, armoured, infantry, or other—we chose for Blackpanda to focus on a “One-Kick Philosophy” of mastering digital forensics and incident response, unmatched in the cyber terrain.

We take a hyper-focused approach in preparing our clients for cyber incidents, ensuring that their networks are secure and intervening promptly when things take a turn for the worst. By contacting us before you are breached, we can help strengthen your security posture ahead of time and be promptly available in a time of crisis. 

Our emphasis on preparedness is informed by our military background and terrain-focused methodology, reinforcing our identity as Asia’s premier digital forensics and incident response provider.

To learn more about our white-glove, Asia-focused digital forensics and incident response services, contact Blackpanda today.