Submitting for TalHarris of Chainalysis

[RFP Idea] Incident Response by Chainalysis

Abstract

Chainalysis’ Crypto Incident Response (CIR), the leading crypto readiness and response solution, is an important security measure to have in place to protect Radiant in the event of a hack or exploit. By procuring CIR, Radiant will have access to continuous threat monitoring coupled with Chainalysis’ world-class team of sophisticated investigators and cybersecurity experts on standby 24/7/365. In the event of a hack or exploit, our global team is ready to respond immediately, which limits the scope of damages and increases the likelihood of recovering exploited funds. With Chainalysis’ Incident Response, bad actors are deterred from your protocol and are ultimately less likely to attempt an exploit.

Motivation

In 2022, $3.8 Billion in crypto was stolen, primarily from DeFi protocols with a high percentage exploited by North Korea-linked attackers. As a result, it has become a top priority to have enhanced security measures in place that go above and beyond smart contract audits and bug bounties. In the last few months, other leading projects like Abracadabra, Morpho Labs, and Aura Finance have eagerly adopted Chainalysis’ Incident Response solution to keep their projects and communities safe.

Rationale

CIR aligns with the core component of Radiant’s mission to keep your community safe. Having funds swept away by an unknown threat actor, never to be seen again, will cause irreversible damage to your community, your users, and your brand. CIR helps protect against these risks and empowers your users to interact with your protocol with confidence. Safety and security are also at the core of Chainalysis’ mission of “Building Trust in Blockchains”. To this end, we have continued to expand our Incident Response offering and include additional security measures such as Operational Security audit and guidelines, Emergency Response planning, and real-time smart contract monitoring. CIR helps ensure that Radiant has a robust security framework to defend against the evolving threat landscape and the most sophisticated threat actors.

Key Terms

What constitutes an Incident that triggers our Response Program?

Anytime there is an unauthorized withdrawal of cryptocurrency or a cryptocurrency ransom demand. This includes assets of the DAO as well as community members who could be impacted through their use of Radiant’s protocol.

Specifications

CIR delivers numerous benefits to the Radiant community, including:

• Hack Deterrence: The best outcome is Radiant never getting hacked. CIR helps deter hackers by letting them know a leading global crypto investigative team is on your side.

• Partnering with the Best: CIR enables Radiant to tap into Chainalysis’ expertise for complex blockchain analysis and investigations. To date, Chainalysis has aided in the recovery of over $11 Billion in stolen funds through our own investigations and others we’ve supported.

• Reaction Time: In the event a hack occurs, having Chainalysis in place decreases the time to respond and increases the likelihood of asset freezing and recovery by the customer or law enforcement.

• Technical Skills: Our proprietary tools and years of experience tracing funds through various types of complex platforms is a crucial part of CIR. This applies to both identified and unidentified mixers as well as existing and new bridging protocols between blockchains.

• Continuous Threat Monitoring: Our partnership with Hypernative.io enables us to monitor your protocol for advanced threat detection.

• Network: Chainalysis has a huge customer base and, with it, a sizable network of both professional and personal connections to almost all significant exchanges and services in the crypto space. Additionally, our strong relationship with Law Enforcement Agencies around the world makes us efficient in engaging the relevant parties when needed.

Ultimately, CIR ensures a comprehensive security approach that goes beyond Radiant Capital’s current security vendors, such as PhishFort, Immunefi, Open Zeppelin, and others. If the community has questions about how CIR works with or complements your existing tools and frameworks, we’d be happy to address them.

Steps to Implement

Implementing Chainalysis Incident Response requires no technical integration and minimal time investment. Our comms prep, war room exercises, and OpSec review can be conducted with your security team. Similarly, generating a partnership announcement for deterrence purposes can be done in partnership with our respective marketing teams.

Setting up preventive monitoring with our partners at Hypernative.io does not require a technical lift.

Timeline

The CIR offering runs for 12 months and can be renewed annually. Radiant can choose the Service Start date that is most appropriate.

Note: the Service Start Date does not need to be the same as the contract signing date. Services and onboarding will begin on the Service Start Date.

Funding

The annual investment is $30,000. It can be paid with a stablecoin, RDNT, or USD.

SLAs: Chainalysis will provide the Crypto Incident Response service set forth herein upon its receipt of written notice from the Licensee of a breach of the Licensee’s systems or network that directly involves:

• (i) the unauthorized withdrawal of cryptocurrency from the Licensee or

• (ii) a cryptocurrency ransom demand from Licensee (each, an “Incident”).

Crypto Incident Response will be limited to no more than one hundred (100) hours, in the aggregate, during the twelve (12) month period following the Order start date (the “Incident Period”). The Crypto Incident Response service will only be available to the Licensee for bonafide Incident(s) that occur during the Incident Period. For the avoidance of doubt, Chainalysis will have no obligations in connection with any Incident(s) that arise outside of the Incident Period. If additional hours are required following the 100-hour cap, Licensee shall be responsible for paying Chainalysis’s then-current rates for such services on a time and materials basis.

I fully support this proposal. Please see referenced questions I posed about this in August as well as a much appreciated and thorough response from @CArnone below.

Given the launch of new networks and growing TVL, additional security will not be unreasonable. I can only suggest to consider and compare competing security monitoring systems, e.g. Forta, Open Zeppelin Guard. As far as I understand, this offer has the advantage of a comprehensive package of services from a team of specialists, which includes everything required?

Does the team have a track record of countering threats?

Replying on behalf of Tal Harris from Chainalysis:

Thank you for the question here. You’re correct that our Incident Response solution is a comprehensive package of software and services and that there’s no comparable offering in the market. We focus on all aspects of Incident Response: Prevention, Preparation, Response, and Recovery, bringing together preventative monitoring and alerts with Hypernative.io (http://hypernative.io/), operational security audits and emergency response planning, a global, world-class team of investigators on standby 24/7/365, and access to our powerful crypto and law enforcement network in the event of an exploit to assist with asset freezing and recovery. Since the launch of Incident Response roughly one year ago, Chainalysis has played a key role in recuperating roughly $50 million worth of stolen funds, and over the past decade, we’ve helped crypto organizations recover over $11 Billion in stolen crypto.

Below are two public examples of the work we’ve done in the last year -

Chainalysis CIR compliments other security offerings you currently have, like Phishfort, Immunefi, Open Zeppelin Defender, Open Zeppelin Audit, etc.

Replaying for THarris from Chainalysis:

Below are some of the services we understand are implemented or are in the process of being implemented at Radiant. We have made a quick note regarding how our proposal compliments each of these while highlighting our differentiation:

i. PhishFort: This anti-phishing software works well at a technological level. Where Chainalysis differs in this OpSec category of security is that our Incident Response solution relates more to processes and safeguards that go outside of the phishing attack vector. For example, we can provide guidelines for critical key management practices. Others relate to newly adapted non-phishing malware (like remote access) that have been modified to specifically target Web3 organizations and key members of the community. With that being said, PhishFort is a robust tech solution that compliments our Incident Response’s ability to educate/inform your community while improving processes.

ii. Immunefi: Great incentive for hackers who do not have truly malicious intent. Nation state level attackers have no interest in bug bounties. In this way, Immunefi is perfect for savvy developers who find and exploit but want to improve the protocol. We are here to handle the organized crime technologist who finds an exploit, but has no interest at all in the health of the protocol or its users.

iii. Open Zeppelin Defender: They are a strong monitoring/alert system that connects directly to the protocol technology to respond to what is detected. In short, the alerts from Defender are used to generate technology changes, while the alerts Chainalysis receives from HyperNative are used to initiate an on-chain response from our 24/7/365 investigators. When funds are taken off of the Radiant platform, that is the domain Chainalysis Incident Response operates in. This rapid response from the investigation team gives us the best possible path to quarantine the stolen funds (limit further exit paths) as well as freeze funds for recovery as soon as they are possible.

iv. Open Zeppelin Audit: This helps Radiant protocol and its security be top notch and do their best to prevent the exploit attacks that may target your smart contracts. Our service does not include any smart contract auditing, so we have no overlap in this category.

v. Peck Shield Audit: With the main offering of Peck Shield, they focus on penetration testing and other types of tests to see how well guarded against those types of attacks. Our OpSec value is in helping develop the policies and procedures of the team to guide users through the right methods. Peck shield is a good complimentary service that can test the policies and procedures and show areas where those procedures, etc. can be improved.

vi. Chaos Labs: This ‘risk’ solution is focused on the volatility of the markets and assets themselves, whereas the ‘risk’ we focus on is bad actors attempting to exploit or steal funds, which is outside of any market related holdings or trading strategies.

This RFP spawned from a prior feedback that had received 8 comments and 8 votes.

image2579×149 59.6 KB

This topic was automatically closed after 7 days. New replies are no longer allowed.