Cyber incident response

KPMG in India, Advisory
home.kpmg/in


Since the advent of the information age, economies have grown at a breakneck speed with information technology pervading every sphere of human life. However, this phenomenon has given rise to an ever evolving class of cyber threats, affecting individuals and organisations. The recent breaches at major organisations highlight an increasing sophistication, stealth and persistence of cyber attacks resulting in regulatory oversight and negative business impact. It is, therefore, imperative that organisations develop effective incident response frameworks to counter cyber attacks.

Cyber attacks in the current era have become more specialised and targeted in nature, aimed at specific individuals and organisations. Cyber threats are no longer IT-centric: they can be pervasive throughout an organisation, with a high chance of recurrence.

With attack patterns becoming more targeted and sophisticated, cyber incidents have caused enormous damage, spanning financial losses, erosion of shareholder value, intellectual property theft and loss of trust.

KPMG in India can help your organisation respond to cyber threats effectively and efficiently, with a bouquet of services ranging from rapid cyber incident response and containment of threats, through continuous monitoring, to training and capacity building. Our team, comprising certified forensic experts, malware analysts, network forensic analysts, cyber law experts and former law enforcement officials, helps your organisation respond to suspected cyber incidents and take measures to mitigate such incidents in future.

Based on KPMG in India’s Cyber Crime Survey 2017, the top five cyber-attacks being faced by organisations are:

[Chart: top five cyber-attacks, KPMG in India Cyber Crime Survey 2017]
• Phishing/social engineering (e-mail-based attacks, identity impersonation)
• Malware/ransomware
• Exploiting web-based applications
• Intruding into systems by exploiting vulnerabilities
• Physical theft of computing devices

© 2019 KPMG, an Indian Registered Partnership and a member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved.


KPMG in India’s cyber incident response methodology

Our incident response process was created according to several internationally accepted frameworks, including NIST Special Publication 800-86 (Guide to Integrating Forensic Techniques into Incident Response), ISO/IEC TR 18044:2004 (Information security incident management, since superseded by ISO/IEC 27035) and the SANS Institute’s six-step incident response process (preparation, identification, containment, eradication, recovery and lessons learned). While these guides were used to verify the completeness of the framework and methodology, KPMG in India’s approach as depicted below was further refined through real-world experience, evidentiary rules and deep technical know-how gained during incident response engagements:

We have successfully assisted several organisations to respond to their large, complex and sensitive cyber incident situations, including many high profile cases in the public domain. Our team is well versed with the sensitivity, urgency and complexity associated with business disruption and interruption situations.

KPMG in India’s multi-locational cyber labs

• Agentless remote acquisition capabilities
• Integrated threat intelligence based analysis
• Automated malware analysis using multiple sandbox environments
• Automated multiple antivirus reverse lookups
• Dedicated platforms for analysis of network peripheral logs

[Figure: KPMG in India’s cyber incident response methodology]

Containment
• Isolation of infected systems
• Blocking of rogue connections
• Removal of threat
• Data preservation

Investigation
• Technological: forensic analysis, peripheral log analysis, malware analysis
• Human: interviews, evidence indicating mens rea
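Two of the containment and investigation activities listed above, blocking rogue connections and analysing peripheral (proxy/firewall) logs, and two of the credentials later in this document (blocking a ransomware C&C server IP address at the network level; searching threat intelligence platforms for patterns of rogue IP addresses and malicious domains in a spear-phishing case) reduce to the same mechanical step: match egress logs against indicators, then turn the hits into an isolation list and block rules. The Python below is an added example and not KPMG’s code; the log format, the indicator values (IETF reserved documentation ranges and the reserved .example TLD) and the iptables rule form are constructed assumptions.

```python
"""Match outbound web-proxy log lines against a list of C&C indicators and
derive containment actions (hosts to isolate, destinations to block).
Added example, not KPMG's code. The log format, the indicators (reserved
documentation ranges and a reserved TLD) and the rule syntax are constructed
assumptions for illustration.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed indicators, not real threat intelligence.
IOC_IP_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3
IOC_DOMAINS = {"update-check.example"}                       # reserved .example TLD

# Constructed log extract: "epoch client_ip dest_host dest_ip bytes"
SAMPLE_LOG = """\
1563526801 10.20.1.15 www.example.org 198.51.100.10 4233
1563526804 10.20.1.15 update-check.example 203.0.113.77 512
1563526810 10.20.1.44 cdn.example.net 198.51.100.25 88120
1563526815 10.20.1.44 203.0.113.91 203.0.113.91 312
1563526820 10.20.1.77 mail.example.org 198.51.100.30 1500
this line is malformed and must be skipped, not crash the triage
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+) (\d+)$")

def parse_line(line):
    """One log line -> dict, or None for lines that do not fit the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, host, dest_ip, nbytes = m.groups()
    return {"ts": int(ts), "client": client, "host": host.lower().rstrip("."),
            "dest_ip": dest_ip, "bytes": int(nbytes)}

def matches_ioc(event):
    """The indicator (domain or CIDR) an event matches, or None."""
    if event["host"] in IOC_DOMAINS:
        return event["host"]
    try:
        addr = ipaddress.ip_address(event["dest_ip"])
    except ValueError:
        return None
    for net in IOC_IP_NETWORKS:
        if addr in net:
            return str(net)
    return None

def triage(log_text):
    """{client_ip: [(ts, host, dest_ip, indicator), ...]} for every hit."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ioc = matches_ioc(ev)
        if ioc:
            hits[ev["client"]].append((ev["ts"], ev["host"], ev["dest_ip"], ioc))
    return dict(hits)

def containment_plan(hits):
    """Hosts to isolate and destinations to block, plus iptables-style rules.
    Blocking the current C&C addresses is a stop-gap: infrastructure moves,
    so the isolation list, not the block list, is what stops the spread."""
    isolate = sorted(hits)
    block_ips = sorted({h[2] for v in hits.values() for h in v})
    block_domains = sorted({h[1] for v in hits.values() for h in v
                            if h[1] in IOC_DOMAINS})
    rules = [f"iptables -A FORWARD -d {ip} -j DROP" for ip in block_ips]
    return {"isolate": isolate, "block_ips": block_ips,
            "block_domains": block_domains, "rules": rules}

if __name__ == "__main__":
    plan = containment_plan(triage(SAMPLE_LOG))
    for key, value in plan.items():
        print(key, value)
```

Run as a script it prints the plan for the constructed extract; the malformed last line is skipped rather than aborting triage, which matters when the extract comes from a half-written log on a compromised host. Domain matching here is exact; a real indicator feed also needs subdomain matching and regular refresh, since C&C infrastructure moves, which is why the isolation list carries more weight than the block list.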


Cyber incident response services

Protect | Detect | Investigate: aligned to the client’s business and compliance needs

Table top/simulated cyber incidents
• Assistance in protecting against and mitigating risks
• Tailored exercises that mimic real-world incidents
• Simulation of a real-world scenario to respond to incidents

Maturity assessment
• Review of an organisation’s ability and readiness to respond to cyber security incidents
• Recommendations to improve the incident response programme

Incident response programme development
• Assistance in creation of an incident response programme, process design and playbook development

Monitoring/early warnings
• Proactive monitoring checks and early warnings based on analysis of logs and incidents, to help reduce risks and threats of cyber incidents
• Creation of long-term development and sustenance of cyber-response capability

Staff augmentation
• Continuous monitoring of known issues for a limited period, to detect and contain cyber frauds
• This may include review of an organisation’s technical infrastructure, including host-based log analysis and/or network analysis

Pre-exit forensics
• Review of laptops/desktops assigned to specific individuals to identify instances of IP transfer to personal accounts, USB drives, etc., using forensic techniques

Compromise assessment
• Proactive assessment/review of an organisation’s technical infrastructure, including host-based log analysis and/or network analysis, to determine whether any previously unidentified compromise has occurred

Incident management
• Assistance in resolving cyber incidents, covering all phases of the incident response process, viz. forensic triage, containment, investigation, remediation and reporting

Expert witness
• Post investigation, deposition of KPMG in India personnel in a court of law as expert witness in the matter, to present case facts

Training and capacity building


Select credentials

Bank SWIFT breach investigation
Client: one of the largest private commercial banks in South Asia, with a network covering all major financial institutions.
KPMG in India’s intervention:
• Forensic preservation and root cause analysis (RCA) of the incident
• Cyber security review of the client’s infrastructure, including the SWIFT environment, domain controller, e-mail infrastructure and internet-facing infrastructure
Engagement outcome:
• Identified and analysed the timeline of the SWIFT cyber heist
• Uncovered the modus operandi of the attackers in penetrating the bank’s technical infrastructure
• Advised the client on reasonable containment measures

Investigation of ransomware attacks
Client: an automobile manufacturing company with a substantial market share in India and significant exports across Asia, Europe, etc.
KPMG in India’s intervention:
• Forensic analysis of infected systems
• RCA using system files, event logs, e-mails and web browser artefacts
• Reverse engineering of identified malicious files in a controlled, sandboxed environment
• Assistance in remediation
Engagement outcome:
• Blocked the malicious files from infecting other machines
• Identified the root cause of the malware infection and blocked the command and control (C&C) server IP address at the network level
• Provided recommendations for strengthening the IT environment

Bank ATM cyber heist
Client: one of the large private sector commercial banks in India, with a network covering all major financial institutions.
KPMG in India’s intervention:
• Forensic acquisition and analysis of ATM switch servers and other computer systems
• Cyber security review of internet-facing infrastructure, including the e-mail server
• Analysis and review of ISO 8583 messages generated by ATM machines
Engagement outcome:
• Clearly identified the root cause of the incident, along with the timeline and modus operandi
• Supported containment of the malware
• Identified control weaknesses in the bank’s digital payment systems

Web application breach investigation
Client: a multinational telecommunications company and one of the largest cellular service providers in India.
KPMG in India’s intervention:
• Determining the modus operandi of provisioning free data bundles to non-eligible users from a web-based graphical user interface
• Assessing the financial exposure of the company
• Identifying the involvement of an insider in the cyber fraud
Engagement outcome:
• Identified the users who had received free data bundles through the fraudulent provisioning method
• Revealed the nexus between fraudulent beneficiaries and external hackers by means of data analysis

Man in the e-mail attack
Client: one of the largest intellectual property management companies in the world, with exposure in India.
KPMG in India’s intervention:
• Determining the timeline of the potential man-in-the-e-mail attack and its root cause
• Identifying control weaknesses and providing suitable recommendations
Engagement outcome:
• Uncovered the modus operandi of highly targeted Office 365 spear-phishing attacks
• Conducted searches on threat intelligence platforms to identify patterns of rogue IP addresses and malicious domains
• Assisted the client in continuous monitoring and taking real-time containment measures
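The ATM cyber heist credential above mentions analysis of ISO 8583 messages from the ATM switch. Below is an added Python example, not KPMG’s code, that decodes ASCII-encoded ISO 8583:1987 authorisation messages for a subset of data elements and runs one constructed sanity check: approved 0210 responses with no 0200 request carrying the same terminal ID and STAN in the same extract. The field layouts, the sample messages (built with the included encoder, using a well-known test PAN) and the check itself are assumptions; production switches use vendor-specific variants (binary or BCD packing, private data elements), so FIELD_DEFS has to be aligned with the switch’s specification before use.

```python
"""Decode ASCII ISO 8583 (1987) authorisation messages of the kind an ATM
switch logs, so the transaction fields can be reviewed in an investigation.
Added example, not KPMG's code. Layouts below are the common ISO 8583:1987
conventions for a subset of data elements; real switches differ (binary or
BCD packing, private fields), so adjust FIELD_DEFS to the switch under review.
"""

# data element -> (kind, length). "fixed": fixed width; "LLVAR": 2-digit
# length prefix, length is the maximum. Subset only; assumed layouts.
FIELD_DEFS = {
    2: ("LLVAR", 19),   # primary account number
    3: ("fixed", 6),    # processing code (01xxxx = withdrawal)
    4: ("fixed", 12),   # amount in minor units
    7: ("fixed", 10),   # transmission date/time MMDDhhmmss
    11: ("fixed", 6),   # system trace audit number (STAN)
    12: ("fixed", 6),   # local transaction time hhmmss
    13: ("fixed", 4),   # local transaction date MMDD
    37: ("fixed", 12),  # retrieval reference number
    38: ("fixed", 6),   # authorisation ID response
    39: ("fixed", 2),   # response code, "00" = approved
    41: ("fixed", 8),   # card acceptor terminal ID
    49: ("fixed", 3),   # currency code (356 = INR)
}

def parse_bitmap(hex_bitmap):
    """Field numbers whose bit is set; bit 1 is the most significant bit."""
    bits = int(hex_bitmap, 16)
    return [i for i in range(1, 65) if bits & (1 << (64 - i))]

def parse_iso8583(msg):
    """Parse MTI, bitmap(s) and the defined data elements of an ASCII message."""
    mti, pos = msg[:4], 4
    fields = parse_bitmap(msg[pos:pos + 16]); pos += 16
    if 1 in fields:  # bit 1 announces a secondary bitmap for DE65-128
        fields += [f + 64 for f in parse_bitmap(msg[pos:pos + 16])]; pos += 16
    out = {"mti": mti}
    for f in fields:
        if f == 1:
            continue
        if f not in FIELD_DEFS:
            raise ValueError(f"no layout for data element {f}")
        kind, length = FIELD_DEFS[f]
        if kind == "LLVAR":
            length = int(msg[pos:pos + 2]); pos += 2
            if length > FIELD_DEFS[f][1]:
                raise ValueError(f"DE{f} length {length} exceeds maximum")
        out[f] = msg[pos:pos + length]; pos += length
    if pos != len(msg):
        raise ValueError("message length does not match bitmap")
    return out

def build_iso8583(mti, fields):
    """Inverse of parse_iso8583 for primary-bitmap fields; used for the samples."""
    bits, body = 0, []
    for f in sorted(fields):
        if f > 64 or f not in FIELD_DEFS:
            raise ValueError(f"unsupported data element {f}")
        kind, length = FIELD_DEFS[f]
        value = str(fields[f])
        if kind == "LLVAR" and len(value) <= length:
            body.append(f"{len(value):02d}{value}")
        elif kind == "fixed" and len(value) == length:
            body.append(value)
        else:
            raise ValueError(f"DE{f} has wrong length")
        bits |= 1 << (64 - f)
    return f"{mti}{bits:016X}{''.join(body)}"

def unmatched_approvals(messages):
    """Approved responses (0210, DE39 "00") with no 0200 request carrying the
    same terminal ID and STAN in the same extract. A constructed sanity check:
    such gaps are where to look first when rebuilding a cash-out timeline."""
    parsed = [parse_iso8583(m) for m in messages]
    requests = {(p.get(41), p.get(11)) for p in parsed if p["mti"] == "0200"}
    return [(p.get(41), p.get(11), p.get(4)) for p in parsed
            if p["mti"] == "0210" and p.get(39) == "00"
            and (p.get(41), p.get(11)) not in requests]

# Constructed sample extract: one withdrawal request/response pair and one
# approval with no request leg (the PAN is a well-known test number).
SAMPLE_MESSAGES = [
    build_iso8583("0200", {2: "4111111111111111", 3: "010000", 4: "000000500000",
                           7: "0719103000", 11: "000123", 12: "103000", 13: "0719",
                           37: "920010300012", 41: "ATM00001", 49: "356"}),
    build_iso8583("0210", {2: "4111111111111111", 3: "010000", 4: "000000500000",
                           7: "0719103001", 11: "000123", 37: "920010300012",
                           38: "A12345", 39: "00", 41: "ATM00001", 49: "356"}),
    build_iso8583("0210", {2: "4111111111111111", 3: "010000", 4: "000002000000",
                           7: "0719103200", 11: "000999", 37: "920010320099",
                           38: "B99999", 39: "00", 41: "ATM00007", 49: "356"}),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(parse_iso8583(m))
    print("unmatched approvals:", unmatched_approvals(SAMPLE_MESSAGES))
```

parse_iso8583 raises rather than silently mis-aligning when a data element has no defined layout or the message length disagrees with the bitmap; in forensic work a decode that fails loudly is preferable to one that returns plausible-looking but shifted fields, since amounts and terminal IDs from a shifted decode would end up in the timeline.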


The information contained herein is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.


The KPMG name and logo are registered trademarks or trademarks of KPMG International.

This document is meant for e-communication only.

Printed in India.

KPMG in India contacts:

Nilaya Varma
Partner and Head, Markets Enablement
T: +91 124 669 1000
E: [email protected]

Akhilesh Tuteja
Partner and Head, Risk Consulting; Co-Leader, Global Cybersecurity
T: +91 98710 25500
E: [email protected]

Atul Gupta
Partner and Head, IT Advisory Services; Leader, Cybersecurity
T: +91 98100 81050
E: [email protected]

Jagvinder S Brar
Partner and Co-Head, Forensic Services
T: +91 123 336 9469
E: [email protected]

Maneesha Garg
Partner and Co-Head, Forensic Services; Lead, Corporate Intelligence
T: +91 120 386 8501
E: [email protected]

Manish Tembhurkar
Technical Director, IT Advisory Services
T: +91 98181 99432
E: [email protected]

home.kpmg/in