Espionage Health Check
1. Scope of Work.
1.1 Espionage Health Check. With Espionage Health Check Verizon conducts an investigation on Customers in scope systems, IP ranges, or applications to identify evidence of a security breach in progress. Espionage Health Check takes a three phased approach to determine if Customer is experiencing a security breach in progress, unauthorized access and/or communication with known bad actors consistent with recent Verizon investigations. The Professional Services will include an onsite inspection, a physical inspection, and a logical inspection of Customers in scope systems and hardware.
1.1.1 Phase 1: Cyber Intelligence Correlation 'Go-Forward. Phase 1 involves the collection and cross-correlation of Verizons intelligence set against Customer device logs, netflow for the IP addresses shown in Customers CIP Schedule, and Internet communications during the term of the Project. For a specified period (to be agreed to between Customer and Verizon prior to phase 1 commencing) while investigative work is underway, Verizon will collect log information from Customer systems and from our public IP backbone from the IP addresses shown in the CIP Schedule. These sources will be matched from time to time as often as Verizon deems necessary within the period for this phase to identify potentially malicious activity in-progress. Findings that Verizon deems to be critical will be shared with the Customer as soon as practicable following discovery.
1.1.2 Phase 2: Cyber Intelligence Correlation Retroactive. Phase 2 will examine logs of historical data from Customers systems provided from Customer and historical data from Verizons public IP backbone from the IP addresses shown in the CIP Schedule. Such historical data will be limited to a specified number of months from within the most recent twelve months as agreed to between Customer and Verizon prior to phase 2 commencing (collectively, the Phase 2 Data). Verizon will collect and process Phase 2 Data, in order to focus on previous or earlier connections with known bad actors. Verizon will analyze the Phase 2 Data to: a) look into Customers network communications patterns over time, and b) correlate potentially suspicious connections to Customers physical systems and hosts. This Phase 2 review will be conducted on a one-time-only basis.
1.1.3 Phase 3: Boots-on-the-Ground Verification. In phase 3, Verizon will take a sampling of Customers data through forensics images or logical file copies of Customer systems, and conduct in-depth digital forensic analysis of the data. Verizon will collect digital images of a limited number of Customer-identified critical systems, as determined by Verizon and Customer, that are typically involved in cyber espionage attacks. These may include but are not limited to Customer domain controllers, sensitive data stores, remote access and transaction processing systems. This is a partially invasive action and should be scheduled after usual business hours or during a suitable maintenance window, as designated by Customer. The Customer- provided list of Customer systems to be included in the sample will be refined as phases 1 and 2 are completed.
Verizon cannot determine the exact level of effort required for this Project without knowing the amount of data, systems, or the results of the analysis from phase 1 or phase 2. Verizon will stay in communication with the Customer throughout the Project and, if additional Hours are required, Verizon will discuss with the Customer and add such Hours pursuant to an Engagement Letter. If Customer requires further assessment and investigative work, such services may be provided pursuant to another Professional Services engagement.
1.2 Project Management. Verizon will appoint a Project Manager who will work with Customer to schedule a kickoff meeting to initiate the Project. Verizon and Customer will collaborate to determine required stakeholders and other attendees, agenda, location, and whether the meeting will be on site or remote. Verizon will produce an agreed project plan, which specifies required resources (Verizon and Customer), dates, times, and locations for the tasks described (the Project Plan).
2. Deliverables and Documentation to be Produced by Verizon. Deliverables are intended for Customer and Verizon use only. Customer may disclose a Deliverable to a third party pursuant to Verizons confidentiality terms. Verizon will provide:
2.1 The Project Plan; and
2.2 A Management Report that summarizes the results of the analysis, identifies any bad actors and questionable activity detected and makes recommendations of reinforcements, countermeasures and monitoring Customer may employ to help defend its organization from cyber-espionage.
3. Documentation to be produced by Customer and Customer Obligations (if any). Delivery of the Professional Services by Verizon is dependent on Customers performance of the following, Customer will: