Incident Management Retainer Service Handbook
Introduction
The Secureworks Incident Response Consulting practice is staffed to provide Emergency Incident Response and Proactive services for Incident Management Retainer customers. Incident Management Retainer customers also have access to the full portfolio of Secureworks Consulting services.
This document is based on Request for Comments (RFC) 2350. Use this link for more information regarding RFC 2350.
Distribution List for Notifications
The current version of this document is available online.
Any questions about updates or content should be sent to irservices@secureworks.com.
Contact Information
The full name of the team is Secureworks Incident Response Consulting; it is also referred to by the short names Secureworks Incident Response, Secureworks IR, and Secureworks IR Consulting.
This section contains contact information for the team around the world, as well as how best to engage the team.
Addresses
Global Headquarters/USA/Atlanta Office Mailing Address
Secureworks/IR Consulting
1 Concourse Pkwy NE #500
Atlanta, GA 30328
UK/London Office Mailing Address
Secureworks/IR Consulting
One Creechurch Place
1 Creechurch Ln
London EC3A 5AY, United Kingdom
UK/Edinburgh Office Mailing Address
Secureworks/IR Consulting
1 Tanfield
Edinburgh EH3 5DA, United Kingdom
Japan/Tokyo Office Mailing Address
Secureworks/IR Consulting
Solid Square East Tower 20F
580 Horikawa-cho, Saiwai-ku
Kawasaki, 212-8589
Australia/Sydney Office Mailing Address
Secureworks/IR Consulting
Building 3, 14 Aquatic Drive
Frenchs Forest, Sydney
NSW, Australia 2086
Time Zones
Secureworks Incident Response uses Coordinated Universal Time (UTC) and UTC offsets for technical and non-technical Emergency Incident Response efforts. More information on UTC can be found at this link: About UTC.
Global Headquarters/USA/Atlanta Office Time Zone Information
UTC-5, UTC-4. Use this link for Atlanta time zone information.
UK/London Office Time Zone Information
UTC+0, UTC+1. Use this link for London time zone information.
UK/Edinburgh Office Time Zone Information
UTC+0, UTC+1. Use this link for Edinburgh time zone information.
Japan/Tokyo Office Time Zone Information
UTC+9. Use this link for Tokyo time zone information.
Australia/Sydney Office Time Zone Information
UTC+10, UTC+11. Use this link for Sydney time zone information.
Incident Response Hotline Numbers
For Secureworks Incident Response Hotline inquiries in English, reference this link: English Incident Response Hotlines.
For Secureworks Incident Response Hotline inquiries in Japanese, reference this link: Japanese Incident Response Hotlines.
Please reference the following link for additional Secureworks Incident Response Hotline guidance.
Electronic Mail Address
irservices@secureworks.com relays mail to Secureworks Incident Response personnel who are on duty during regular business hours (09:00-17:00 Monday to Friday USA ET/GMT, except holidays).
If contact with Secureworks Incident Response is desired outside business hours for the USA ET/GMT time zones, a telephone call should be made to the Incident Response Hotline.
Please note the communication methods specified in the Points of Customer Contact section.
Secure Communication
By default, Secureworks Incident Response uses encrypted email services to exchange sensitive information with external parties by email.
Additional information regarding the encrypted email services used by Secureworks Incident Response and other secure communication options can be obtained upon request and at the point of service delivery.
Team Members
Additional information on Secureworks Incident Response team members will be communicated at the point of service delivery.
Other Information
Additional information about Secureworks Incident Response services can be found at this link: Secureworks Incident Response service website.
Points of Customer Contact
For Emergency Incident Response services, the primary method of contacting Secureworks in situations that require a timely response is to call the Secureworks Incident Response Hotline.
At any time, constituents may contact the Secureworks Incident Response Hotline 24/7 for initial contact using the telephone numbers for each service region referenced in the preceding Incident Response Hotline Numbers section.
Secureworks Incident Response Hotline personnel will notify Secureworks Incident Response personnel, who will engage with customers to conduct no-charge scoping calls. Once the nature and scope of the circumstances have been evaluated, Secureworks Incident Response personnel will provide a recommended course of action and the estimated billable effort required, if any.
For Proactive services or non-urgent requests, Secureworks ticketing systems can be used to submit callback requests and requests for information.
Secureworks ticketing system guidance can be found at this link: Incident Management Retainer Ticketing Guidance.
For Proactive services or non-urgent requests, sending email to irservices@secureworks.com can be used to submit callback requests and requests for information. Emergency communications should not be escalated via email.
All communications are conducted in English or Japanese.
Because email is an imperfect means of communication that is susceptible to filtering and time delay, constituents who do not receive an expected response should follow up by placing a telephone call to the Incident Response Hotline in their service delivery region.
When possible, please provide the information noted in the Service Request Reporting Forms section.
Charter
Mission Statement
The primary mission of Secureworks Incident Response is to provide incident response services to customers with established service level agreements (SLAs) for mitigating cybersecurity emergencies. The Secureworks Incident Management Retainer services include Emergency Incident Response support, as well as cybersecurity capability validation services to reduce the risks and impacts of cybersecurity emergencies.
In addition, Secureworks Incident Response may provide constituents with best-effort support in preparing for and responding to cybersecurity emergencies.
Constituency
The constituency of Secureworks Incident Response consists of:
- Secureworks Incident Management Retainer customers
- Global organizations requesting on-demand Proactive services or Emergency Incident Response services from Secureworks
Affiliations
Affiliations are maintained with various private, commercial, and governmental security information-sharing organizations.
Secureworks Incident Response is recognized and accredited by the following organizations:
- Secureworks is a member of FIRST (Forum of Incident Response and Security Teams). Access this link for additional details: Secureworks FIRST team profile.
- Secureworks is accredited by the U.K. National Cyber Security Centre (NCSC) as a Cyber Incident Response (CIR) scheme provider. Access this link for additional details: Secureworks CIR profile.
- Secureworks is accredited by the U.S. National Security Agency/Central Security Services (NSA/CSS) as a Cyber Incident Response Assistance (CIRA) provider under the NSA/IAD National Security Cyber Assistance Program (NSCAP). Access this link for additional details: NSA/CSS NSCAP CIRA accredited companies.
Authority
Secureworks Incident Response provides Incident Management Retainer services in accordance with customer contracts and requests for service.
Operating Model
Types of Incidents and Level of Support
Secureworks offers Emergency Incident Response services to organizations that need urgent assistance with cybersecurity emergencies impacting their information systems or data.
Constituents should contact Secureworks Incident Response if their organization needs urgent assistance with a cybersecurity emergency, including, but not limited to, the following situations:
- Business Disruption Attacks: An attack that successfully prevents or impairs the normal functionality of networks, systems, or applications by disabling or destroying resources.
- Unauthorized Access: When an individual or entity gains logical access without permission to the constituent's network, system, application, data, or other resource.
- Malicious Code: Successful installation of malicious software that infects an operating system or application.
- Improper/Inappropriate Use: When a person violates the constituent's acceptable computer-use policies.
- Loss of Information: When an incident involves material loss of information that occurred due to Unauthorized Access, Malicious Code, or Improper/Inappropriate Use, but the cause or extent of the loss is unknown.
The customer-defined priority and response processes within the Secureworks Incident Management Retainer allow customers to specify the appropriate service component, priority, and course of action for their specific need at any point during the contract term.
Secureworks personnel will be assigned according to the following priorities, listed in decreasing order:
- Emergency Incident Response support for Incident Management Retainer customers
- Proactive Incident Response support for Incident Management Retainer customers
- Other entities requesting on-demand Emergency Incident Response or Proactive services from Secureworks Incident Response and Consulting Services
All interaction with Secureworks Incident Response is considered normal priority unless specifically conveyed as URGENT or EMERGENCY by the constituent point of contact.
Cooperation, Interaction, and Disclosure of Information
Secureworks Incident Response supports use of the Information Sharing Traffic Light Protocol (TLP). Information received with the tags WHITE, GREEN, AMBER, or RED will be handled appropriately. Access this link for additional details regarding the Information Sharing TLP: FIRST TLP guidance.
All incoming information is handled confidentially by Secureworks Incident Response, regardless of its priority.
For normal communication not containing sensitive information, Secureworks Incident Response uses conventional methods such as unencrypted email or telephone.
When reporting a sensitive situation, please state so overtly (e.g., by using the label SENSITIVE in the subject line of the email) and, if possible, use encryption as well.
To limit incident information to a "need-to-know" basis and avoid any information leakage, constituents should provide Secureworks Incident Response personnel with guidance regarding who is authorized to discuss the sensitive situation.
Secureworks Incident Response will assign a code name to each consulting engagement to disguise the nature of the engagement.
Communication and Authentication
Please reference the Secure Communication section. Use of encryption is highly recommended in all cases where sensitive information is involved. Use of out-of-band communication channels is highly recommended when the organization's messaging infrastructure is suspected of having been compromised.
Services
The Secureworks Incident Management Retainer offers a wide range of services applicable to varying scenarios and needs for incident response and cybersecurity capability validation. Additional service information is available on the Secureworks website, noted in the Other Information section.
Customers should reference their Incident Management Retainer Service contract for service terms and service description details.
Please reference the following link for copies of the Secureworks Incident Management Retainer Service Description.
Service Request Reporting Forms
Once Secureworks Incident Response receives a constituent's service request, a Secureworks Incident Response team member will establish contact to discuss the inquiry. To aid the scoping process, constituents should be prepared to discuss the impacts, the timeline of known events, and the actions already taken.
Constituents should convey the following information using the communication channels specified in the Points of Customer Contact section.
Service request tickets or emails should have the following subject: Incident Management Request Service Request: <Organization Name>
The service ticket request description or email message body should also include the following information:
- Organization Name:
- Organization Site Location Affected (please include city/state/country):
- Point of Contact Name:
- Point of Contact Primary Telephone Number:
- Point of Contact Secondary Telephone Number:
- Point of Contact Email Address:
- Retainer Service Requested (Proactive services, Emergency Incident Response services):
- Request Description (please include threat indicators, current status [occurring, contained, future threat], and business impact information for Emergency Incident Response requests):
- Request Urgency (urgent/non-urgent):
- Desired Timeframe for a Scoping Call (please specify a date and time with local time zone):
Please reference the following link for Secureworks ticketing system guidance.