1 - Data Discovery Service Description

1. Introduction

The Samurai Data-discovery service is a service package designed to enhance client visibility into internal IT-architecture, data flows and security posture. Through a series of workshops, interviews and reports with concrete next-step recommendations, NTT experts will help the client identify the data that’s most important to their business goals, review projects that may affect said data and recommend next steps based on best practices.

This service is intended for new NTT Samurai MDR clients; however, it can be used for clients who wish to expand or review an existing commitment.

2. Data-discovery service

2.1 Service features

The Data-discovery service is delivered in two phases. If extended support is required to fulfill the engagement scope, the service can be expanded accordingly. For more info see section 2.2 Service Package.

Phase One:

The initial phase includes an internal workshop to walk through the client IT-environment, security posture, project roadmap, planned initiatives and any other potential future organizational/infrastructure changes.

NTT Consultants will support the client in identifying the data that's most important to the client's business and operation. The phase will be concluded with the delivery of a report containing concrete next-step recommendations tailored to the client's desired future security posture, roadmap and Samurai enrollment strategy.

Phase Two:

The second phase is initiated six months after the initial phase. During it, the client and NTT Consultants review the report from the first phase, progress on the next-step action plan, new projects and changes to the IT-environment.

The second phase will be concluded with the delivery of an updated version of the initial report.

2.1.1 First Phase Deliverables

  • Initial workshop report containing:
    • Identified critical data elements and associated security controls.
    • Identified potential impact of internal projects and initiatives on critical data infrastructure.
    • If applicable, security impact of potential organizational changes.
    • Recommendations based on best practices given the information provided by the customer.

2.1.2 Second Phase Deliverables

  • Six-month update report:
    • Impact of eventual changes in the environment.
    • New projects and IT-environment updates.
    • Recommendations based on best practices given the information provided by the customer.

2.2 Service package

The Data discovery service, as defined above, is a fixed fee engagement. Additional service packages can be purchased to extend delivery.

Initial workshop and associated activities will not exceed 60 hours. Six-month follow-up and associated activities will not exceed 40 hours.

Delivery of the report associated with each portion of the service will constitute the closure of that portion.

2 - Incident Response Retainer Service Description

1. Introduction

With the rise of cyber-attacks in a fluid threat landscape, an organization must quickly respond and be prepared to act on all threats. The ability to quickly respond to a security incident is crucial for limiting the impact of the attack and minimizing reputational damage and legal consequences.

In many cases, the damage from a cyber related incident is increased due to delays and mistakes in incident handling. Incident response is a highly specialized field that requires staffing by specialists who are engaged full-time in this area. It is likely to not be as successful when staffed by employees who only perform incident response tasks on an ad hoc basis. As a result, many organizations do not employ their own internal incident response team, but rather contract with external providers such as NTT.

NTT provides Incident Response (IR) Retainer services to assist organizations to effectively respond and rapidly remediate in the event of an incident. The NTT IR Team is experienced in handling incidents across various business verticals and provides a valuable resource to clients. The retainer service is offered as an add-on to NTT’s Samurai MDR service and also as a standalone offering for either emergency incident response needs, or proactive risk mitigation.

2. Samurai Incident Response

2.1 Service Features

The Samurai Incident Response (IR) Retainer provides incident management, containment, and root cause analysis support to assist with mitigation of incidents. The NTT IR team consists of experienced Security Analysts in the NTT Security Operations Centre (SOC) and Incident Response consultancy experts, and is delivered through the Samurai platform.

The Incident response offering provides a set of components which can provide the Client with:

  • On call 24/7/365 response to incidents
  • Incident lead and incident management
  • Root cause analysis, containment, and eradication
  • Rapid remote deployment of IR tools
  • Integration with NTT’s Global Threat Intelligence Center (GTIC)
  • Close collaboration with client teams
  • Decades of experience in Security Monitoring and IR subjects
  • Support during extended incidents
  • Malware and threat behavior analysis
  • Advanced Network Analysis Tools

These service components are not an exhaustive list and are provided as required during the engagement.

The IR retainer is based on an annual entitlement of 40 hours, which can be increased by the client through the purchase of additional retainer blocks of hours.

2.1.1 Incident lead and incident management

The NTT IR team will support the client by providing both hands-on and high-level incident lead and incident management, steering NTT, client, and other involved 3rd party resources towards a common goal by assigning and prioritizing tasks, organizing meetings, evaluating and prioritizing risk, evaluating damage, and providing stakeholder updates.

The NTT IR team will work together with the client to align reporting cadence, timelines, and updates in accordance with client requirements.

2.1.2 Root cause analysis, containment and eradication

The NTT IR team will support the incident investigation to understand the who, what, when, where, why and how of an attack. This includes:

  • Review and analysis of client provided log, network, and endpoint telemetry.
  • Assess the flow and history of incidents in the client’s environment to evaluate potentially related issues, campaigns, and persistence.
  • Threat Intelligence, Open-Source Intelligence (OSINT), and closed source correlation.
  • Providing insight and best practice guidelines on how to limit potential damage of an incident.
  • Providing client’s security staff guidance on how to handle and execute the eradication process. This will be positioned from a governance approach and will guide the client’s internal security staff.
  • Evaluating the possible recovery options and provide guidance to client security staff to restore affected systems from a backup or re-image the systems from a clean gold image, if applicable.

2.1.3 Rapid remote deployment of IR tools

Where the client does not have Endpoint Detection and Response (EDR) agents or a similar capability in place, NTT will work with the client to deploy EDR tools. The EDR tooling can be integrated with Samurai and will be available to the client during the incident response engagement.

On completion of the incident response engagement, the client will have the option to purchase the EDR tooling and retain this tooling in the client environment. If the client decides not to purchase EDR tooling used by NTT for the purpose of incident response, it must be removed at the end of the incident response engagement.

2.1.4 Integration with NTT’s Global Threat Intelligence Center (GTIC)

Through the NTT Incident response service, clients benefit from extensive Threat Intelligence both curated and produced by Threat Intelligence researchers in NTT’s Global Threat Intelligence Centre (GTIC) via Samurai.

2.1.5 Highly collaborative with client teams

The management of an investigation is just as important as the technical and investigative skills brought to bear during an incident. NTT IR team will work closely with the client team to provide detailed and structured status reports to communicate findings that will aid in making informed business decisions.

The frequency of status reports and interaction between NTT resources and client team will be adjusted to reflect the current requirements during the incident lifecycle.

2.1.6 Malware and threat behavior analysis

Malware is a name used for various malicious software variants, such as viruses, ransomware, spyware, etc., and is designed to infiltrate and damage computer environments and their data without the knowledge of the user. Understanding malware and its behavior is critical to an organization’s ability to respond to incidents, derive threat intelligence and boost defenses. NTT offers the knowledge and experience to identify key aspects and characteristics of various malware types and to understand the extent of the potential damage.

All identified Indicators of Compromise (IoCs) related to the malware or threat are shared with the client’s security team as part of the engagement.

2.1.7 Advanced network analysis tool

At times NTT IR team may recommend the deployment of advanced networking analysis tools to assist with the identification and mitigation of an incident. NTT IR team will discuss this in detail prior to authorization of its use.

These tools can be used to support the detection of behaviors that make endpoints act maliciously or outside of their normal mode of operation. They can help determine what changes occurred during a malware outbreak so that proper remediation can be planned. The tools can also track lateral movement of malware and determine how widespread it is across the entire network.

2.2 Retainer information

The Samurai Incident Response offering is provided as a retainer and includes 40 hours per year. If the Client requires additional Incident Response beyond 40 hours per year, additional retainers of 40 hours can be purchased.

Retainer hours are consumed in 4-hour increments.

3. Onboarding

As part of NTT's proactive engagement to enhance the Incident Response team's ability to respond promptly and efficiently, NTT will meet with the client to establish knowledge about the client’s current setup, introduce the workflow of incident response engagements, explain how the client can initiate incident engagements, and allow time for questions from both parties.

The following details will be collected during the introduction call: 

  • Client points of contact 
  • Contacts allowed to activate IR-service 
  • EDR coverage in environment 

The collected details will create a foundation for successful incident handling and a more seamless collaboration. Once the onboarding meeting has taken place and the basic requirements, such as accesses and points of contact, are in place the Incident Response Retainer can be started.

No onboarding meeting is provided when an Incident Response Retainer has been procured and activated for emergency incident response assistance. For emergency IR cases, onboarding will be done in parallel to the incident scoping call done as outlined in section 4.2.

The graphic below outlines the onboarding process:

[Figure: onboarding process]

4. Service activation

4.1 Incident response activation

MDR Client

If the cause for activation is an incident escalation from the MDR Service SOC, the customer should activate the IR-retainer directly via a request in the associated incident ticket within the Samurai MDR portal.

The IR retainer may also be activated via a phone call to the Incident response on-call number which is provided during onboarding. The IR retainer can only be activated by an authorized list of individuals mandated by the client. This information is captured during the onboarding process but is naturally subject to change. Any changes to the authorization list must be communicated to the NTT IR team. 

Standalone Client

The IR retainer is activated via a phone call to the Incident response on-call number which is provided during onboarding. The IR retainer can only be activated by an authorized list of individuals mandated by the client. This information is captured during the onboarding process but is naturally subject to change. Any changes to the authorization list must be communicated to the NTT IR team.

Emergency Client

The IR retainer is procured and activated via a phone call to the 24/7 Emergency Incident response on-call number.

4.2 Incident scoping call

Depending on the incident severity, magnitude, urgency and known context, the NTT IR team will initiate the engagement with a scoping call. During the call, NTT and the Client’s security team will work together as one team, to gain an understanding of the current situation and how to best proceed.

NTT will meet with the POC and designated Incident Response Team members to discuss the How, What, When and Where questions. Typical questions will include: How was the issue detected? Is there any evidence, data or logs related to the incident in Samurai? What other telemetry is available outside of Samurai? What steps have been taken? What does the environment look like, and where are the egress and ingress points located?

Other discussion topics may include the gathering of additional evidence, such as providing audit log records or a network diagram showing which other devices on the network the suspicious system has access to. The more telemetry available, the faster questions can be answered during an investigation. It is critical for the client to document all actions taken on the suspected systems at the start of an incident. If incorrect or unknown steps are taken to clean up an infected system, block lateral movement or remediate other issues, they may hinder or complicate response actions or root cause analysis at a later stage.

4.3 Engagement objectives

The NTT IR team will work together with the client POC at the time of the retainer activation to identify the immediate engagement objectives. As the incident lifecycle progresses and new evidence or information is discovered, the engagement objectives may be updated. The objectives may be to identify data loss or attack vectors, or to recover from the incident and provide recommendations on actions to take to prevent the incident from repeating. The NTT IR team can perform incident management by providing remote support and coordinating with security staff to assist with incident mitigation, containment, eradication, recovery, and reporting.

The end delivery to the client will be a written report of our findings which includes:

  • Executive Summary
  • Overview
  • Timeline of Activity
  • Summary of Findings
  • Recommendations

4.4 Engagement lifecycle

The figure below describes the process followed by the NTT Incident Response Team during engagements.

[Figure: NTT Incident Response Team engagement lifecycle]

5. Service Provisions and Requirements

In order to ensure successful delivery of the Services, NTT and Client shall provide the following, as applicable.

  • NTT personnel will maintain and track hours utilized against the retainer.
  • Depending on the scope requested by the client, NTT will assign a Lead Incident manager to work with client’s main Point of Contact (POC) throughout the life of the engagement.
  • NTT will assign an IR Manager to be available to client as an out-of-band resource for issue escalation.
  • NTT will provide the client with ongoing status reports, as mutually defined in the project kick-off.
  • If not otherwise stated above, upon completion of the Incident response engagement, NTT will provide client with a detailed report in PDF format, describing the actions performed, results and recommendations.
  • Client will assign a main Point of Contact (POC) to work with NTT and will provide knowledgeable technical and administrative staff to assist NTT.
  • As required, client will provide NTT with access to their network to perform Incident response services. If required client will also provide NTT with a list of areas considered “off limits”.
  • Client understands NTT is not responsible for loss of business incurred by Client (or third parties associated with client), due to the performance of Services.
  • As applicable, client will provide NTT with electronic copies of any applicable policies (e.g., Security Policy, Acceptable Use Policy, Incident Response Plan, Escalation Trees, etc.), procedures, previous audits or assessments, network diagrams, configurations, evidence, and any other relevant materials (Engagement Information) associated with the Services outlined in this Service Description.
  • Client explicitly understands Services may employ methods which could violate client’s policies. NTT will agree, together with the client on any actions which may violate said policies prior to taking the action.
  • Client fully agrees that providing Engagement Information to NTT is not a violation of client’s policies and fully agrees not to instigate any type of prosecution against NTT, or NTT employees or third-party service providers, for the receipt and storage of such Engagement Information.
  • If the in-scope environment for Services provided in this Service Description is hosted by a third-party provider, client agrees to notify the third-party provider in advance of the initiation of services and client accepts the responsibility for complying with any provisions set forth by the third-party provider.
  • Should this Service Description be executed in a context where regulatory compliance, auditing, testing or assessment or other similar compliance advisory consulting services, for example under the PCI Data Security Standard or HIPAA Privacy, Security or Breach Notification Rules apply, client understands that NTT Incident response services do not constitute any guarantee or assurance that security of client’s systems meets regulatory requirements. Furthermore, NTT is not responsible for updating its reports and assessments or inquiring as to the occurrence or absence of such in light of subsequent changes to client’s systems, networks and assets after the date of NTT's final report absent a signed Statement of Work, or an amendment to a Statement of Work, expressly requiring the same.
  • Client understands that failure to fulfil Service Requirements or provide required documentation/evidence on a timely basis can result in delay of Services or loss of contracted hours.
  • If regulatory changes (e.g., changes by a regulatory agency, legislative body, or court of competent jurisdiction) require NTT to modify the Services described herein, client agrees in good faith to work with NTT to amend the scope of work accordingly.
  • Upon initial client contact, NTT will respond within 2 hours.
  • Client must enroll NTT IR personnel to its Samurai tenant as required.
  • Client understands that NTT Incident Response services do not constitute any guarantee or assurance that security of client’s systems, networks and assets cannot be breached or are not at risk.

3 - Samurai Cybersecurity Advisor Service Description

1. Introduction

The Samurai Cybersecurity Advisor (CSA) service add-on provides a dedicated technical senior-level resource to help Samurai Managed Detection & Response (MDR) clients get the most value from the service, and reduce business risk.

Services provided by the CSA include:

  • Monthly threat reviews
  • Tracking of a detection and response recommendation improvement list
  • Dialogues around detection & emerging threats
  • Acting as a link between clients and the Samurai MDR service

2. Samurai Cybersecurity Advisor service

2.1 Monthly Threat Reviews

The Samurai MDR service will detect, respond and report relevant threats that pose a risk to a client, but it is the client’s responsibility to bring the risk to closure. To help the client with this, a program of monthly threat reviews is included with the CSA service.

The monthly threat reviews are the main interaction point between clients and the CSA.

Through regular CSA-led threat reviews, clients will:

  • be trained and educated to understand threats and risks reported by the Samurai MDR service,
  • be provided recommendations to improve detection and response, and
  • receive follow-up to ensure that reported threats and risks are handled and mitigated.

The threat review program is initiated at the time of onboarding. During the onboarding orientation call the monthly meetings will be scheduled for the remainder of the contract period.

2.2 Detection and Response Recommendation Improvement List

The CSA will maintain and update a detection and response improvement list through the entire lifecycle of the Samurai MDR service. The improvement list focuses on suggestions that will improve detection of threats e.g. new systems recommended to be onboarded by the client into the Samurai MDR service, or could also include actions that either the client, the SOC or NTT Security Holdings need to take in relation to improving threat detection and response. The ultimate benefit of this process to the client is an improved security posture.

2.3 Detection & Emerging Threats

The CSA will stay informed of threat detection improvements made by NTT and follow the changing threat landscape. During the monthly threat review meetings, the CSA will lead a dialogue with the client to ensure the correct telemetry exists within the client's given Samurai MDR configuration to take full benefit of any new detections created for emerging threats, and provide actionable recommendations where needed.

The CSA is a technical senior-level resource with extensive experience working within Managed Detection & Response. Complementing the CSA’s extensive experience with the Samurai MDR service, the CSA also has access to NTT threat intelligence, the specialist MDR SOC workbench, and the client’s MDR tenant.

This access provides the CSA the ability to perform searches and threat hunts as required within the scope of the service offered, while also having well-established contact routes with the different NTT Teams involved in the Samurai MDR delivery.

2.5 Scope information

The Samurai Cybersecurity Advisor Service add-on, as defined above, is a fixed fee engagement. The engagement will not exceed 192 hours yearly, and additional service packages can be purchased to extend delivery. Used hours per single month may not exceed 40 hours unless approved in dialogue with NTT.

The CSA service is delivered during business hours of central European time (CET).

4 - Samurai Onboarding Service Description

1. Introduction

The Samurai Onboarding service add-on is designed to support the client journey during the transition onto the Samurai Managed Detection and Response (MDR) service. Through an initial workshop and subsequent interaction, NTT personnel will answer any questions and provide all the necessary documentation and information required to enroll to Samurai MDR.

This service is intended for new NTT Samurai MDR clients; however, it can be used for clients who wish to expand or review an existing commitment.

2. Samurai Onboarding service

2.1 Service Features

Core service activities:

  • Initial workshop to define devices and/or services in scope of enrollment to Samurai.
  • Supply Samurai documentation and information.
  • Service onboarding support.
  • Service verification post-onboarding.
  • General support and inquiries regarding device and 3rd party service support.

Core service deliverables:

  • Onboarding plan
  • Onboarding guides relevant for the customer's environment
  • Portal training session.
  • Initial kick-off session, not to exceed 1 full day.
  • Support during the transition

2.2 Scope information

  • The Samurai Onboarding service add-on, as defined above, is a fixed fee engagement. The engagement will not exceed 60 hours and additional service packages can be purchased to extend delivery.

5 - Table-Top Exercise Service Description

1. Introduction

When dealing with incidents, crises, or disasters, one of the most imperative steps in the plan is to be properly prepared. Preparation plays a major part in incident handling as it enables organizations to improve efficiency of decision making in the heat of the moment during an attack, which leads to quicker recovery, minimizing impact and costs. It is also key for incident handlers to be able to act confidently and reduce the risk of making mistakes when carrying out their work throughout an incident.

One way to prepare for an incident and evaluate the documentation, processes and preparedness of the client’s participants is to carry out a Table-Top exercise with the goal of working through the scenario, with an open discussion in a collaborative low-stress environment. 

The output of the exercise is to develop the incident response capabilities. After the Table-Top exercise the participants will have gained an understanding for what their strengths and weaknesses are in terms of handling an incident properly, be able to update their documentation, revise their processes and train their personnel to enhance their incident response capabilities.

2. Table-Top Exercise

2.1 Visual Overview

2.2 Objectives

The exercise is conducted with the goal of improving client incident response readiness by evaluating processes, routines and documentation.

On a high level the objective is achieved through having the client’s participants test the incident response process in a “safe” environment without stress and through giving a detailed report which highlights points of improvements in the process.

Aim to have an answer to questions such as:

  • Are there pre-defined roles and responsibilities and is the coverage sufficient for the incident scenario?
  • Did the staff assigned to the roles have all permissions and privileges to handle the incident in a satisfactory fashion?
  • Are the points of escalation and contacts documented and defined?
  • When should hosts on a network be isolated?

2.3 Plan & Prepare

NTT will set up an initial meeting with the client to decide on suitable exercise scenarios based on the client’s wishes and NTT experts’ 20+ years of Threat Intelligence experience. The goal is to have a scenario tailored to be relevant to the client’s environment and needs, while revolving around handling incidents such as:

  • Threat actors’ intrusions to deploy ransomware or steal intellectual property
  • Nation-state attacks
  • Insider-threats
  • Successful phishing attempts
  • User executing malware on corporate device

Where technical emphasis can be put on specific areas, for example:

  • Workstations
  • Domain-controllers
  • Email-servers
  • ICS/OT
  • Office 365
  • Cloud infrastructure

After the scoping call NTT will produce the material necessary for the scenario walkthrough.

2.4 Exercise Session

The Table-Top exercise is designed to fundamentally test the processes and routines that together are the basis for the incident response capability.

NTT experts will lead the client’s participants through the scenario, enable conversations to identify potential gaps in processes and documentation, helping to achieve an understanding of their respective strengths and weaknesses in the context of incident response. Taking the incident step by step, our consultant will walk you through the events as they unfold depending on your own incident response actions and detection capabilities.

The client’s participants will get time to discuss amongst themselves without NTT interaction to find their own genuine course of action if this were to be outside of a simulation. During the time of the scenario taking place, NTT experts will document and map out the decision making, points of escalation and threat hunting processes of the client’s participants.

2.5 Report

The reporting covers the scenario setup and walkthrough, in detail, to bring visibility to the incident response process in action during the specific engagement scenario, complete with an incident response checklist.

The report analyzes the events, processes and decisions with the expertise of NTT personnel, resulting in actionable points of improvement for the process and routines.

Moreover, the report compares the incident response capability and process in the scenarios to established industry frameworks that are relevant for the scenario, providing a benchmark against global industry standards, for example, NIST 800-61 or MITRE ATT&CK.

The report can also be used to have a detailed look into how the process and routine of incident response can play out in a real-world scenario.

2.6 Scope information & Requirements

2.6.1 Requirements

NTT will require participants in the scenario session that own relevant functions within the incident response process; moreover, the participants will have the mandate to help choose relevant scenarios for the client’s purposes.

NTT will require an overview of the IT environment, e.g., what OS is running on endpoints, servers, geographical split of sites, high value assets, documented incident response process routine, relevant documentation and lastly, what are some of your currently known pain points that you wish to address and improve.

2.6.2 Scope Information

A standard Table-Top exercise is a fixed fee engagement that will not exceed 80 hours. An estimation of the distribution of effort is as follows for each step of the engagement:

Activity | Estimation (days)
Preparations ahead of Tabletop | Six (6)
Tabletop exercise | One (1)
Produce a Single (1) deliverable report at the completion of the engagement | Three (3)
Total | Ten (10)

For clients that require a Table-Top exercise that goes beyond a standard scope of service (e.g., extensive custom scenario use-cases, groups of participants, longer expected duration), a custom engagement can be scoped by the NTT team to accommodate as required.

Table-Top exercises are delivered remotely during business hours of central European time (CET).