Incident Response Process

Based on Cybersecurity and Infrastructure Agency (CISA)

Used for incidents with confirmed malicious activities for which the incident has been declared or not ruled out.

Incident Response Process

Incident Response Process

1. Preparation

1.1 Document & training on policies and procedures for Incident Response

• Define a baseline for "normal" --> Identify deviations

• Staffing plans --> Coordination Lead

• Notification procedures

  • Infrastructure for classified & out-of-band communications (Escalation & Reporting)

  • Reporting to law enforcement

• Contingency plans

  • Surge support & additional resourcing

  • Assign roles & responsibilities

• Testing Procedures & Staff Readiness

• DRP (Disaster recovery), BCP (Business Continuity), backup policies

1.2 Infrastructure

• Infrastructure diagram & Asset Inventory (Updated) --> Systems, networks, cloud platform, 3rd party hosted networks

• Sensor monitoring & detection: AV, EDR, DLP, IDS, SIEM & PCAP captures

1.3 Cyber Threat Intelligence (CTI)

Monitor proactively intel feeds (gov, partners, vendors, open source) identify potential malicious activity

• Threat landscape reporting

• Threat actor profiles

• Organizational threats & campaigns

Indicators:

• Atomic: domains, IP address

• Computed: YARA rules, regex that detect signs of malicious activity

• Patterns & behaviors: TTPs (Tactics, Techniques, Procedures)

Atomic indicators good for detecting initial signs of campaign, but shelf life limited as adversaries change their infrastructure often

Recommended to use Patterns & behaviors (sustainable context) -- MITRE ATTACK Framework

1.4 Active Defence

• redirect adversary to sandbox or honeynet --> delay adversary and study TTPs

• Implement fake data objects (honeytokens) & fake accounts (canaries) for malicious activity

• Transference to Padded cells

1.5 Operational Security

• Segment SOC systems separately from enterprise IT systems

• Sensors and security devices managed via out-of-band means

• Phone notification system of compromise/incidents

• Hardened workstations for monitoring and response activities

• Robust backup & recovery processes

• DO NOT submit malware samples/PII to public analysis services

• Ticketing or Case management system

2. Detection/Identification

Determine extent, type and magnitude of compromise of the incident

Where the incident occurred: cloud, OT, hybrid, host and network systems

Key Questions

• What was the initial attack vector? (i.e., How did the adversary gain initial access to the network?)

• How is the adversary accessing the environment?

• Is the adversary exploiting vulnerabilities to achieve access or privilege?

• How is the adversary maintaining command and control?

• Does the actor have persistence on the network or device?

• What is the method of persistence (e.g., malware backdoor, webshell, legitimate credentials, remote tools, etc.)?

• What accounts have been compromised and what privilege level (e.g., domain admin, local admin, user account, etc.)?

• What method is being used for reconnaissance? (Discovering the reconnaissance method may provide an opportunity for detection and to determine possible intent.)

• Is lateral movement suspected or known? How is lateral movement conducted (e.g., RDP, network shares, malware, etc.)?

• Has data been exfiltrated and, if so, what kind and via what mechanism?

2.1 Declare incident

2.2 Determine Investigation Scope

• Extent of compromise:

  • Assets

  • Level of privilege attained by adversary

  • Operational impact

• Discover the network data, host based artifacts --> Firewall, host, proxy, router traffic logs

• Endpoint forensics analysis --> capture a memory and disk image for evidence preservation

• Root cause & enabling conditions

• Gather indicators of incident

• Correlate events & Document timeline (logs) --> findings report during post-incident

2.3 Match with Known Adversarial TTPs (MITRE ATTACK)

• Analyze how TTPs fit into the attack lifecycle --> why what and how

• Technical objectives --> Mechanisms --> Steps and Tools

3. Containment

Prevent further damage and remove adversary access

3.1 Considerations

• Any impact to current operations, availibity of services, business operations

• Duration of containment process, resources needed, extent of containment (Full, partial)

• Impact on collection, preservation, documentation of evidence

Dilemma: To be complete in containment, ensure business continuity but avoid tipping off adversary/ allowing adversary to persist

3.2 Containment Procedures

Network Containment

• Isolate impacted systems and network segments from each other and non impacted systems and networks

• Update firewall filters

• Block & Lock unauthorized accesses, malware

• Scan for and Close specific unused ports and mail servers/others

• Change sys admin & user passwords, rotate private keys & service/application account secrets --> revocate privileged access (where compromise is not ruled out)

• Direct adversary to sandbox --> monitor activity, gather additionaly evidence, identify attack vectors

Business Continuity Planning (BCP)

• Consider business needs and establish temporary services provisioning

• Capture forensics images to preserve evidence (legal use)

4. Eradication & Recovery

Allow return to normal operations by eliminating the artifacts of the incident (Remove malicious code, re-image infected systems, reboot, backup)

Mitigation of the vulnerability or other conditions of exploit

Before doing any recovery efforts, ensure that:

• All persistent access into network has been accounted for

• Adversary activity contained

• Forensics evidence collected

4.1 Eradication Process

• Remediate all infected IT environments (cloud, network, systems, OT, hybrid)

• Re-image infecte systems (rebuild from scratch)

• Rebuild hardware (if the compromise involves ROOTKITS)

• Replace compromised files with clean versions

• Install patches, check for updates

• Monitor signs of adversary response during containment activites

• Develop response scenarios for threat actor using possible alternative attack vectors

Continue detection and monitoring after ERADICATION --> if rediscovered, repeat containment, technical analysis --> until full scope of compromise confirmed.

Once no new adversary activity detected after set time, begin recovery phase:

4.2 Recovery Process

• Reconnect and rebuild systems to networks

• Tighten perimeter security

  • Firewall rulesets

  • Boundary router ACLs

  • Zero trust access rules

• Monitor for abnormal behaviors

5. Post Incident

Document incident, inform leadership, harden environments to prevent future incidents, apply lessons learnt for future trainings and policies

5.1 Adjust & Tune Sensors, Alerts and Logs Collection

• Identify and address blind spots

• Emulate adversary TTPs to ensure counter measures in place are effective in detecting or mitigating the observed activities (Red team & Tuning team)

5.2 Finalize Reports

• Provide post incident updates as required by Law & Higher management

5.3 Lessons Learnt

• review the efefctiveness and efficiency of incident handling

• Initial root cause (Has it been eliminated?)

• Problems faced executing the courses of actions (COAs)

• Missing gaps in policies and procedures

• Infrastrcture gaps in security

• Review and update roles, responsibilities, interfaces and authority

• Identify technical and operational training needs

• Improving tools to perform detection, analysis and response