This article was originally posted on my Medium account. It has been reproduced here for your viewing pleasure.
If you work in cybersecurity, there is a good chance that you have heard of, participated in, or created an Incident Response Plan (IRP). It is a fundamental tenet of a successful cybersecurity team. In addition, it serves as the living document that outlines what your Incident Response Team (IRT) will do in the case of a cybersecurity incident.
To help facilitate the creation of this IRP, we’re going to break it down into the following steps:
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
Step 1: Preparation
While a cybersecurity incident is typically a reactive scenario, the best approach to preparing for one is to take proactive actions before the incident. Preparation can take the form of targeted, specific tabletop exercises, the development of incident response playbooks, or the establishment of a solid initial security baseline for your OS images. Practice makes perfect and should happen often, but randomly. A bad actor isn’t going to wait for business hours, and neither should you.
Step 2: Identification
Unless you have the gift of future sight (which, if you do, would love those winning lottery numbers), you won’t be able to start dealing with an incident if you don’t know the size or scope of the security threat. The best place to start is a rapid examination of the initial compromised device. Identification of the root cause is crucial. Be sure to also keep in mind ways the threat actor could have moved laterally to evade detection, especially with automated tools.
The collection of valuable indicators of compromise (IOCs) is essential for accurately identifying an event. Consider identifying any unique IOCs that your IRT may use to search throughout your whole network for more proof of compromise rather than just rebuilding the infected device from the beginning.
Assuming the incident is from a malicious bad actor, the following questions should be asked: what network connections does the bad actor utilize? Are they connecting to any domains? Did the malware try to exfiltrate data? Were any new processes spawned? Did the malware generate any new registry keys or configurations unique to the infected system?
Once you have gathered the IOCs, your IRT will use them to look for more evidence of compromise and discover any other compromised workstations in your network.
Step 3: Containment
Now that your IRT has identified the IOCs of the currently active threat, you must contain the threat to prevent it from spreading into other systems or establishing persistence elsewhere. Consider using tools like Splunk to perform short tail analysis of your logs and look for anything that seems out of the ordinary.
If possible, it is good to create a forensically sound image of the disk for a deep dive analysis and additional creation of more IOCs, which can identify any other machines, software, or services that have become compromised.
Step 4: Eradication
Now that you’ve identified and contained the threat, it’s time to perform the cleanup. This can take many forms, including disabling accounts, removing malware, patching software packages, and updating the OS of affected machines.
Step 5: Recovery
Once cleanup is concluded, restoring all services to business functionality is the next step. This includes using your backups, reconnecting cleared devices back to the network, and constantly monitoring for any reinfection.
Step 6: Lessons Learned
Inevitably, ‘what did we learn? How can we prevent this from happening again?’ will be asked. This stage is where Post Incident Review (PIR) takes place. It is a play-by-play of all the events from incident creation, going over all the steps taken. This discussion should involve all stakeholders from the affected systems, application owners, and your IRT. Use this feedback to update, change, or create new playbooks to be able to respond to new events.
Best Practices
Failing to plan is planning to fail. If you do not have playbooks for your team to use during a cyber incident, you are setting your team up to fail. Being proactive and creating these playbooks is crucial to you and your team’s success.
Tabletop Exercises. Tabletop Exercises can give you and the stakeholders that depend on your IRT a great window into how you would react to a cyber incident. These exercises should be focused on targeted attack scenarios directed at specific systems or infrastructure.
Threat hunting. Another way you can get ahead of the attackers is to start looking for them yourself. Don’t rely purely on your SIEM. Keep in mind the many ways an attack can start. Perform phishing tests. Examine your networks. Perform analysis on your logs. Insider Threats cause 60% of Data Breaches. Don’t become a statistic.
Resources:
https://www.cisa.gov/ — Cybersecurity & Infrastructure Security Agency, a US-based government run website that publishes alerts on emerging malware and is a fantastic resource for all things cybersecurity.
NCSC Planning guide — The NCSC (National Cyber Security Centre) is a British government organization that provides cyber security support to critical UK organizations.
Incidentresponse.org — Playbook templates matched to NIST incident response frameworks.