Guide on Incidents
A Guide on Incident Response Reporting
Cogito’s SecureSME as a Service is designed to provide secure, reliable management of digital certificates and cryptographic services. The Service has logging and alerting in place so that, in the normal course of events, it is Cogito that notifies its clients of an incident. However, incidents may arise that require prompt action on your side and collaboration with our support and security teams. This guide provides examples of when and why you should contact Cogito for incident response.
Certificate Compromise or Suspicious Activity
Scenario: You suspect that a certificate issued through the Service has been compromised (e.g., its private key has been leaked or maliciously used), or you detect suspicious activity such as unauthorised certificate requests or approvals.
When to Contact Cogito:
- Immediate Contact Required if:
  - A private key associated with an active certificate has been exposed or compromised.
  - You notice unusual or unauthorised certificate issuance or revocation in the portal.
  - Certificates are being used in ways not aligned with your organisation’s policy or the security profile originally intended.
How Cogito Can Assist:
- Investigating the scope and impact of the compromise.
- Reissuing, revoking, or suspending certificates as necessary.
- Providing guidance on mitigating further risk (e.g., changing key management policies).
Unauthorised Access or Privilege Escalation
Scenario: An unauthorised user gains access to the portal, or an existing user escalates their privileges to perform unauthorised administrative actions, such as issuing, revoking, or managing certificates.
When to Contact Cogito:
- Immediate Contact Required if:
  - You detect unauthorised access to your portal.
  - There are unexplained changes to roles or permissions within the system, particularly those related to admin privileges.
  - Audit logs indicate suspicious behaviour related to user management or certificate handling.
How Cogito Can Assist:
- Conduct a forensic investigation into the unauthorised access or escalation.
- Lock down the affected user accounts or roles.
- Assist with remediation steps, such as resetting access controls and reviewing system logs.
Service Availability Issues or Degradation
Scenario: You experience an interruption or significant performance degradation in the services, affecting your ability to manage certificates, request new certificates, or renew existing ones.
When to Contact Cogito:
- Contact Cogito if:
  - You are unable to access the portal or API.
  - Certificate requests, renewals, or revocations are not processing as expected.
  - There is a delay in certificate issuance that affects your business operations.
How Cogito Can Assist:
- Diagnose and resolve any service availability or performance issues.
- Provide status updates on any service disruptions.
- Offer guidance on temporary workarounds to minimise business impact.
Certificate Revocation Issues or Failures
Scenario: You attempt to revoke a certificate through the portal or API, but the revocation fails or does not propagate as expected, potentially leaving a compromised certificate active.
When to Contact Cogito:
- Immediate Contact Required if:
  - Certificate revocation requests are not being processed in a timely manner.
  - Revoked certificates are still being accepted by systems or applications.
  - CRLs (Certificate Revocation Lists) or OCSP (Online Certificate Status Protocol) responses are not reflecting the revoked status of certificates.
How Cogito Can Assist:
- Investigate the root cause of revocation delays or failures.
- Ensure that revocations are propagated correctly across systems.
- Provide support to ensure that systems consuming CRLs or OCSP responses reflect the correct certificate status.
Suspected Tampering or Log Alteration
Scenario: You believe that audit logs within the portal (e.g., related to certificate issuance, revocation, or user activity) have been tampered with or altered, potentially hiding malicious actions.
When to Contact Cogito:
- Immediate Contact Required if:
  - There are discrepancies or gaps in audit logs related to certificate management actions.
  - Logs for critical actions (e.g., certificate requests or revocations) have been deleted or modified.
  - You suspect that someone has attempted to cover their tracks by altering system logs.
How Cogito Can Assist:
- Perform a thorough audit of log files to identify any unauthorised modifications.
- Help restore logs from backups or reconstruct logs where necessary.
- Provide forensic support to trace the source of tampering attempts and prevent future incidents.
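Before raising a log-tampering incident it helps to be able to say precisely where the export breaks. The script below is an added example, not part of this guide and not Cogito's tooling: it assumes an exported audit log in JSON-lines form with a sequence number, a timestamp and a per-record hash chain (all of these field names and the chaining scheme are assumptions for the example), and reports sequence gaps, timestamps that run backwards and chain breaks. The sample events, the deleted role change and the rewritten revocation actor are constructed to show what a finding looks like.

```python
"""Check an exported audit log for gaps, reordering and altered records.

Assumed export format (an assumption for this example, not a documented one):
one JSON object per line with the fields
  seq     record number, increasing by one per record
  ts      ISO-8601 timestamp with UTC offset
  action  e.g. cert.request, cert.issue, cert.revoke, user.role_change
  actor   who performed the action
  target  what it was performed on
  chain   hex SHA-256 over the previous record's chain value and this record's body
"""
import hashlib
import json
from datetime import datetime

GENESIS = "0" * 64
BODY_FIELDS = ("seq", "ts", "action", "actor", "target")


def record_digest(prev_chain, body):
    """SHA-256 over the previous chain value followed by the canonical JSON body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_chain + canonical).encode("utf-8")).hexdigest()


def build_log(events):
    """Serialise (ts, action, actor, target) tuples as a well-formed chained log."""
    lines, prev = [], GENESIS
    for seq, (ts, action, actor, target) in enumerate(events, start=1):
        body = dict(zip(BODY_FIELDS, (seq, ts, action, actor, target)))
        chain = record_digest(prev, body)
        lines.append(json.dumps({**body, "chain": chain}, sort_keys=True))
        prev = chain
    return lines


def audit_log_findings(lines):
    """Return (seq, problem) tuples; an empty list means no gap, reordering or alteration was found."""
    findings, expected_seq, prev_chain, prev_ts = [], 1, GENESIS, None
    for raw in lines:
        try:
            rec = json.loads(raw)
            body = {k: rec[k] for k in BODY_FIELDS}
            stored_chain = rec["chain"]
            ts = datetime.fromisoformat(rec["ts"])
        except (ValueError, KeyError, TypeError):
            findings.append((None, "unparseable record"))
            continue
        seq = body["seq"]
        if seq != expected_seq:
            findings.append((seq, f"sequence gap: expected {expected_seq}, got {seq}"))
        if prev_ts is not None and ts < prev_ts:
            findings.append((seq, "timestamp earlier than previous record"))
        # A break here means this record, or the record before it, was altered or removed
        if stored_chain != record_digest(prev_chain, body):
            findings.append((seq, "hash chain broken: record or its predecessor altered or removed"))
        # Resynchronise on the stored values so later records are still checked individually
        expected_seq, prev_chain, prev_ts = seq + 1, stored_chain, ts
    return findings


# Constructed sample: an ordinary sequence of portal activity
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00+00:00", "user.login", "alice", "portal"),
    ("2024-05-01T09:05:00+00:00", "cert.request", "alice", "web01.example.test"),
    ("2024-05-01T09:06:00+00:00", "cert.issue", "ca-service", "serial:1A2B3C"),
    ("2024-05-01T10:30:00+00:00", "user.role_change", "bob", "role:admin"),
    ("2024-05-01T10:31:00+00:00", "cert.revoke", "bob", "serial:1A2B3C"),
]
CLEAN_LOG = build_log(SAMPLE_EVENTS)


def tampered_log():
    """Constructed tampering: the role change (seq 4) is deleted and the revocation is re-attributed."""
    log = [line for line in CLEAN_LOG if json.loads(line)["seq"] != 4]
    last = json.loads(log[-1])
    last["actor"] = "alice"
    log[-1] = json.dumps(last, sort_keys=True)
    return log


if __name__ == "__main__":
    print("clean log:", audit_log_findings(CLEAN_LOG) or "no findings")
    for seq, problem in audit_log_findings(tampered_log()):
        print(f"tampered log, record {seq}: {problem}")
```

Both the deletion and the rewrite surface at record 5, which is exactly the detail to include in the incident report: the last intact record, the first record that fails, and which check failed.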
API Misuse or Malicious Calls
Scenario: You detect unusual or malicious activity via the API, such as an excessive number of certificate requests, revocation attempts, or failed authentication attempts from an unauthorised source.
When to Contact Cogito:
- Immediate Contact Required if:
  - There are signs of API misuse, including abnormal traffic, large volumes of requests, or attempts to access certificates outside of approved parameters.
  - API calls are being made from suspicious or unapproved IP addresses.
  - API keys have been leaked or misused, allowing unauthorised interactions with the service.
How Cogito Can Assist:
- Investigate the source of API misuse and block malicious activity.
- Revoke compromised API keys and assist in regenerating new keys.
- Strengthen API security configurations to prevent similar misuse in the future.
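The three signals listed above (request volume, unapproved source addresses, and misused keys showing up as authentication failures) can be checked on your side from your own API access logs before you contact Cogito. The following is an added example, not part of this guide and not Cogito's code: it assumes a simple line format with a timestamp, client address, key identifier, method, path and HTTP status, and the approved address range and thresholds are placeholder policy values, not values from the Service. The log lines are constructed.

```python
"""Flag API misuse in access-log lines: request bursts per key, authentication
failure bursts per client, and calls from outside the approved source ranges.

Assumed line format (an assumption for this example):
  <ISO-8601 ts>Z client=<ip> key=<key id> <METHOD> <path> status=<code>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) key=(?P<key>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+) status=(?P<status>\d{3})$"
)

# Placeholder policy, not the Service's configuration: approved source ranges,
# the per-key request budget per minute, and the tolerated authentication failures per client.
APPROVED_SOURCES = [ip_network("192.0.2.0/24")]
MAX_REQUESTS_PER_MINUTE = 5
MAX_AUTH_FAILURES = 3


def parse_line(line):
    """Return the parsed fields, or None if the line does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        rec["client"] = ip_address(rec["client"])
    except ValueError:
        return None
    rec["status"] = int(rec["status"])
    return rec


def detect_api_misuse(lines):
    """Return sorted (kind, subject) alerts; each subject is reported once per kind."""
    alerts = set()
    recent = defaultdict(deque)   # key id -> timestamps seen in the last minute
    failures = defaultdict(int)   # client -> count of 401/403 responses
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            alerts.add(("unparseable", line))
            continue
        client = str(rec["client"])
        if not any(rec["client"] in net for net in APPROVED_SOURCES):
            alerts.add(("unapproved_source", client))
        if rec["status"] in (401, 403):
            failures[client] += 1
            if failures[client] > MAX_AUTH_FAILURES:
                alerts.add(("auth_failure_burst", client))
        # Sliding one-minute window of requests per key
        window = recent[rec["key"]]
        window.append(rec["ts"])
        while window and rec["ts"] - window[0] > timedelta(minutes=1):
            window.popleft()
        if len(window) > MAX_REQUESTS_PER_MINUTE:
            alerts.add(("request_burst", rec["key"]))
    return sorted(alerts)


# Constructed sample: three ordinary calls, then a burst of issuance requests on one
# key, then repeated authentication failures from an address outside the approved range.
SAMPLE_LOG = [
    "2024-05-01T09:00:00Z client=192.0.2.10 key=key-07 GET /v1/certificates status=200",
    "2024-05-01T09:05:00Z client=192.0.2.10 key=key-07 POST /v1/certificates status=201",
    "2024-05-01T09:06:00Z client=192.0.2.10 key=key-07 GET /v1/certificates/1A2B3C status=200",
] + [
    f"2024-05-01T09:10:{s:02d}Z client=192.0.2.22 key=key-13 POST /v1/certificates status=201"
    for s in range(0, 35, 5)
] + [
    f"2024-05-01T09:20:{s:02d}Z client=198.51.100.9 key=key-unknown POST /v1/certificates status=401"
    for s in range(0, 40, 10)
]


if __name__ == "__main__":
    for kind, subject in detect_api_misuse(SAMPLE_LOG):
        print(f"{kind}: {subject}")
```

Each alert names the key or client address involved, which is what the "Affected systems" part of the incident report below needs; run the same check over a wider time range to see when the abnormal pattern began.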
Certificate Expiry or Renewal Failures
Scenario: Certificates under your control are nearing expiry, and renewal processes through the service fail, potentially leading to service disruptions or downtime.
When to Contact Cogito:
- Contact Cogito if:
  - Automatic certificate renewals are failing or not processing correctly.
  - You are unable to manually renew certificates through the portal or API.
  - Expired certificates are causing service interruptions.
How Cogito Can Assist:
- Diagnose and resolve renewal process issues.
- Help facilitate manual or automated renewals as needed.
- Ensure proper communication between the service and your systems to avoid future expirations.
Malicious or Suspicious Certificate Requests
Scenario: You detect certificate requests originating from an unknown or untrusted source, or certificate issuance policies are being bypassed, potentially allowing malicious certificates to be issued.
When to Contact Cogito:
- Immediate Contact Required if:
  - Suspicious certificate requests are being submitted that bypass normal approval workflows.
  - Certificates are being issued to untrusted or unauthorised users or entities.
  - Policy-based restrictions on certificate issuance are not being enforced.
How Cogito Can Assist:
- Investigate and block suspicious certificate requests or issuance.
- Revoke any certificates that were improperly issued.
- Implement additional security controls or approval workflows to mitigate future risks.
Data Breach or Suspected System Compromise
Scenario: You believe there has been a data breach involving your service instance, such as unauthorised access to certificate data, user credentials, or API keys.
When to Contact Cogito:
- Immediate Contact Required if:
  - You detect unauthorised access to certificate management systems or data.
  - User credentials or API keys associated with the service have been leaked.
  - Sensitive data within the service has been accessed or exfiltrated.
How Cogito Can Assist:
- Conduct a full security investigation into the breach.
- Help contain the incident by revoking access to compromised accounts or systems.
- Provide post-incident guidance on strengthening security configurations and preventing future breaches.
Contacting Cogito Group for Incident Response
When contacting Cogito Group for incident response related to SecureSME as a Service, ensure you provide:
- Incident details: Date and time of the event, description of suspicious or malicious activities, and any relevant logs or screenshots.
- Affected systems: Identify the certificates, systems, users, or processes impacted by the incident.
- Severity level: Indicate the severity of the incident (e.g., critical impact on operations, minor issue, etc.).
- Contact information: Provide the name and contact details of the person managing the incident at your organisation.
You can reach Cogito Group’s Incident Response Team through the designated support portal, email, or emergency hotline.
By following this guide and reaching out when incidents occur, Cogito can help you swiftly mitigate risks, ensure business continuity, and secure your certificate management operations.