Attack Detection Assessment
1.1. Attack Detection Assessment. The attack detection assessment services (Attack Detection Assessment) are intended to assist Customer in measuring its capability to recognize and react to cyber-attacks. Verizon will evaluate Customer's operational incident-handling procedures. Attack Detection Assessment includes six phases that are cumulative in nature, providing multiple overlapping analyses of the strengths and weaknesses of Customer's operational incident handling capabilities.
1.1.1. Phase 1: Defensive Countermeasures. During phase 1, Verizon will review the selection, positioning and configuration of Customer's in-place security technologies including but not limited to firewalls, host and network-based intrusion detection, beacon identification and anti-virus. Verizon will provide a profile of Customer's defensive and threat hunting capabilities. Verizon will review Customer's event logging and alerting technologies such as security event management (SEM) tools and intelligence integration platforms. Verizon will perform an on-site physical security inspection at one Customer location as defined in the Engagement Letter under the supervision of a designated Customer point of contact.
1.1.2. Phase 2: Cyber Security Event Visibility. Verizon will identify gaps in Customer's cyber security event detection which enable such events to go undetected. Phase 2 involves the correlation of Verizon cyber intelligence sources against Customer internet communications (e.g., firewall logs, netflow, etc.) for a sample period of up to 30 days (retroactive). In Phase 2, Verizon will benchmark the effectiveness of Customer's cyber security event capture methods. Phase 2 will require the completion and execution of a Customer IP schedule (CIP).
1.1.3. Phase 3: Incident Classification. Verizon will perform a review of Customer's incident classification process documentation and will perform in-person interviews with identified Customer personnel. Verizon will evaluate the effectiveness of these processes to detect cyber threats faced by Customer. Verizon will perform phase 3 at Customer's location as defined in the Engagement Letter.
1.1.4. Phase 4: Intel Fusion. Verizon will measure the effectiveness of cyber intelligence contained in Customer's operational incident handling processes. Verizon will evaluate Customer's ability to correlate cyber intelligence artifacts against cyber security event log streams. Verizon will review Customer's intelligence sources, data collection mechanism(s), archive and retention platforms, vetting and overall intelligence integration across log streams. Verizon will provide recommendations, if required, for changes to the collection, handling and application of cyber intelligence artifacts (i) to enable earlier detection of attacks in motion, (ii) during pre-attack research and (iii) to provide early indication of a possible intrusion or data theft. Phase 4 will be conducted on Customer's premises as defined in the Engagement Letter and will involve review of documentation and one-on-one interviews with identified Customer personnel.
1.1.5. Phase 5: Visualization and Situational Awareness. Verizon will test Customer's selection, deployment, configuration and usage of visualization tools. Verizon will perform manual inspection of the visualization tools and platforms, walk through examples and interview identified Customer personnel. In phase 5, Verizon will evaluate Customer's application of these tools.
1.1.6. Phase 6: Incident Triage. Verizon will review the process utilized by Customer's operational incident handling personnel, or Computer emergency readiness team (CERT), in handling potential security incidents. Verizon will review how Customer's incident handling activities map to the existing Customer incident response plan. In phase 6, Verizon will evaluate Customer's staff's technical skillset, toolsets and familiarity with their role/function within documented policy. Verizon will review the quality and timeliness of cyber security incident information collection and documentation, as provided to CERT staff, to confirm the information is properly actionable. Verizon will evaluate the implementation and effectiveness of Customer's device tuning and optimization as a result of an incident. Verizon will conduct phase 6 at Customer's location as defined in the Engagement Letter; phase 6 will involve a review of Customer's documentation as well as one-on-one interviews with identified Customer personnel.
During any phase, Verizon will communicate to Customer's point of contact significant weaknesses or points of security exposure as may be identified by Verizon.