6 - Incident Response Procedures
Financial Information
Data held about bank and investment accounts, plus information such as payroll and tax returns. Payment card information comprises the card number, expiry date, and the 3-digit card verification value (CVV). Cards are also associated with a PIN, but this should never be transmitted to or handled by the merchant. Abuse of the card may also require the holder's name and the address the card is registered to. The Payment Card Industry Data Security Standard (PCI DSS) defines the safe handling and storage of this information
Incident Security Level Classification
Data integrity System process criticality Downtime Economic Data correlation Reverse engineering Recovery time Detection time
Personally Identifiable Information (PII)
Data that can be used to identify an individual, referred to as a data subject. Includes data points such as full name, birth date, place of birth, address, social security number, biometric ID, and so on. Some bits of information (such as a social security number) may be unique; others uniquely identify a data subject in combination (for example, surname with birth date and street address). Data that can be linked to a subject, such as an IP address or geolocation data, may also be considered. PII is useful in compromising accounts and launching attacks against consumers. Large databases are traded between criminals. Collection and processing is often regulated, so there are many compliance impacts to consider too.
Incident Security Level : Reverse engineering
Investigation of attack tools might allow you to attribute the attack to an adversary group. You can also discover the capabilities of the malware and adjust the incident security level appropriately.
Incident Response Phase: Containment
Limit the scope and magnitude of the incident. The principal aim of incident response is to secure data while limiting the immediate impact on customers and business partners.
Incident Response Phase: Preparation
Make the system resilient to attack in the first place. This includes hardening systems, writing policies and procedures, and setting up confidential lines of communication. It also implies creating incident response resources and procedures.
Incident Security Level: Data correlation
Use cyber-threat intelligence (CTI) to link indicators discovered on your system with TTPs of known adversary groups. This will help you to identify adversary capability. An attack launched with commodity malware is less likely to be as severe as an attack by an organized crime or nation state APT.
OODA: Orient
What is the state of play? Is the attack just beginning, or has the network been compromised for some time? What are the resources and goals of the adversary?
High Value Asset (HVA)
A critical information system. Critical means that if the confidentiality, integrity, or availability of the asset is compromised, it impacts mission essential functions of the organization. Must be easily identifiable to the response team, and an incident involving an HVA must be considered high priority.
Reporting Requirements: Device theft/loss
A device storing data is lost or stolen. The device may be protected by encryption or strong authentication, in which case a breach may be suspected, but not proven.
Organization Impact
Affects mission essential functions, meaning that the organization cannot operate as intended. Along with the scope, the duration of the impact will have a substantial effect on costs.
Incident Security Level: Data integrity
If an incident involves an actual or suspected privacy breach or data breach, it will be more critical than most other incidents, depending on the precise nature of the data affected.
Localized Impact
Means that the scope of an incident is limited to a single department, small user group, or one or two systems.
Total Impact
Refers to costs that arise following the incident, including damage to the company's reputation.
OODA: Observe
You need information about the network and the specific incident and a means of filtering and selecting the appropriate data.
Computer Emergency Response Team (CERT)
A group of experts who respond to cybersecurity incidents. These teams deal with the evolution of malware, viruses and other cyberattacks.
Security Incident Response Team (CSIRT)
A group that responds to computer security incidents when they occur. An incident could be a denial of service or the discovering of unauthorized access to a computer system.
Reconstitution of Resources Steps
1. Assuming the system has been appropriately contained, analyze processes and network activity for signs of malware. This may involve the use of automated antimalware software and/or manual investigation using tools such as Sysinternals, Wireshark, and so on. 2. Terminate the suspicious processes and securely delete them from the file system. If data files are infected, use tools to recover information from the files before quarantining or deleting them. 3. Identify and disable autostart locations in the file system, Registry, and task scheduler to prevent the processes from being executed. 4. Replace contaminated OS and application processes with clean versions from trusted media. 5. Reboot the system (still contained or quarantined within a secure network segment) and analyze for signs of continued malware infection in processes or network activity. 6. If there is continued malware infection and you cannot identify a source in the file system, investigate whether the firmware of an adapter or USB device has been infected. 7. If tests are negative, reintroduce the system to a production role and continue to monitor closely, using appropriate validation techniques to ensure that the system is protected against the exploit vector.
Segmentation-based Containment
A means of achieving the isolation of a host or group of hosts using network technologies and architecture. Uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment. As opposed to completely isolating the hosts, you might configure the protected segment as a sinkhole or honeynet and allow the attacker to continue to receive filtered (and possibly modified) output over the C&C channel to deceive him or her into thinking the attack is progressing successfully. Analysis of the malware code by reverse engineering it could provide powerful deception capabilities. You could intercept the function calls made by malware to allow the adversary to believe an attack is proceeding while building detailed knowledge of their tactics and (hopefully) identity. Attribution of the attack to a particular group will allow an estimation of adversary capability.
Isolation-Based Containment
A mitigation strategy that can be applied to many types of incident. Involves removing an affected component from whatever larger environment it is a part of. This can be everything from removing a server from the network after it has been the target of a DoS attack, to placing an application in a sandbox virtual machine (VM) outside of the host environments it usually runs on. Whatever the circumstances may be, you'll want to make sure that there is no longer an interface between the affected component and your production network or the Internet. The most obvious reason has to do with malware infections, particularly fast-spreading worms and viruses. If a server infected with a worm is still connected to the rest of its subnet, the worm could easily make its way to other hosts on that subnet. Disconnecting the server could mean the difference between disinfecting hundreds of devices and just one.
Incident Response Plan
A playbook (or runbook) is a data-driven standard operating procedure (SOP) to assist junior analysts in detecting and responding to specific cyber-threat scenarios, such as phishing attempts, SQL injection data exfiltration, connection to a blacklisted IP range, and so on. The playbook starts with a SIEM report and query designed to detect the incident and identify the key detection, containment, and eradication steps to take.
Call List/Escalation List
A printed list of incident response contacts, ideally showing the hierarchy for notification and escalation.
Payment Card Industry Data Security Standard (PCI DSS)
A proprietary standard for all organizations that processes, transmits or stores payment cardholder data. The standard provides a framework with technologies and practices that needs to be adhered to in order to protect and secure the cardholder data. Card brands comply with the standards incorporated by the payment card industry data security standard and is one of the major technical requirements for their data security compliance programs.
Communication Plan
A secure method of communication between the members of the CSIRT is essential for managing incidents successfully. You must prevent the inadvertent release of information beyond the team authorized to handle the incident. Status and event details should be circulated on a need-to-know basis and only to trusted parties identified on a call list. Regulations will also set out disclosing requirements, or the information that must be provided to each of the affected parties.
Incident Response Phase: Post-incident Activity
Analyze the incident and responses to identify whether procedures or systems could be improved. It is imperative to document the incident. This phase is very commonly referred to as lessons learned. The outputs from this phase feedback into a new preparation phase in the cycle.
Eradication
After an incident has been identified, analyzed, and contained, you can move on to mitigating and removing it from your systems. This is done with the intent to stop an incident as it is occurring or shut down the negative effects that an incident has left behind. In either case, you need to identify which hosts and other devices are affected, and exactly how they are affected. If, for example, you've isolated specific portions of a network on subnets to stop a computer worm from spreading, you can begin the process of removing the infection from the affected subnet.
Reporting Requirements: Data exfiltration
An attacker breaks into your systems and transfers data to another system. This is the most serious type of breach. You should also note that data exfiltration may be suspected, but not proven. A suspected breach has similar regulatory notification requirements to an actual breach.
Reporting Requirements: Insider data exfiltration
As above, but the attack is perpetrated by an employee or ex-employee with privileges on the system.
OODA: Act
Remediate the situation quickly and decisively. Then start the loop again until the incident is fully resolved: Observe, Orient, Decide, Act.
Incident Security Level: Economic
Both data integrity and downtime will have important economic effects, both in the short term and the long term. Short-term costs involve incident response itself and lost business opportunities. Long-term economic costs may come to reputation and market standing. In addition, the impact of an incident can be both tangible and intangible. Tangible consequences would be corrupt data on a hard drive, a deleted list of clients, and stolen passwords. However, incidents can have more intangible consequences that still cause harm to the organization.
Response Coordination: Regulatory Bodies
Companies operating in a regulated industry or processing personal data in the context of regulations such as GDPR must comply with reporting requirements. This means that a supervising authority must be notified about certain types of incident—usually, but not exclusively data breaches—within a certain timeframe.
Change Control Process
Corrective actions and remediating controls need to be introduced in a planned way, following the organization's change control process. Validates the compatibility and functionality of the new system and ensures that the update or installation process has minimal impact on business functions.
Recovery Phase
Eradicating malware, backdoors, and compromised accounts from individual hosts is not the last step in incident response. You should also consider a recovery phase (or sub-phase) where the goal is restoration of capabilities and services. This means that hosts are fully reconfigured to operate the business workflow they were performing before the incident. Patching Restoration of Permissions Verification of Logging/Communication to Security Monitoring Vulnerability Mitigation and System Hardening
System Hardening Examples
Deactivate unnecessary components, including hardware, software, network ports, operating system processes and services, and applications. When not in use, these components may slip by your detection, allowing an attacker to stealthily use them as a vector or target of an attack. Disable unused user accounts. Accounts like the system's defaults or those of terminated employees are more potential vectors that can go unnoticed. Implement patch management software that will allow you to test software updates, and then deploy them efficiently. Vendors release security fixes often; incorporating these fixes into your environment can halt the impact of a system breach. Restrict host access to peripheral protocols like USB and Bluetooth. Attackers with physical access to systems can easily bypass many security measures if they can simply plug in a USB drive loaded with malware. Restrict shell commands per user or per host for least privilege purposes. Having shell access can give the attacker a great deal of power over a system, so it's best to reduce its functionality if affected by an incident.
Reporting Requirements
Describes the necessity of notifying external parties when certain types of incident and notably data breaches occur. Data exfiltration Insider data exfiltration Device theft/loss Accidental data breach Integrity/availability
Defensive Capabilities and Courses of Action
Detect—Identify the presence of an adversary and the resources at his or her disposal. Destroy—Render an adversary's resources permanently useless or ineffective. Degrade—Reduce an adversary's capabilities or functionality, perhaps temporarily. Disrupt—Interrupt an adversary's communications or frustrate or confuse their efforts. Deny—Prevent an adversary from learning about your capabilities or accessing your information assets. Deceive—Supply false information to distort the adversary's understanding and awareness.
Incident Response Phase: Detection and Analysis
Determine whether an incident has taken place and assess how severe it might be (triage), followed by notification of the incident to stakeholders.
Recovery Phase: Restoration of Permissions
Following an incident, all types of permissions should be reviewed and reinforced. This especially affects file and firewall ACLs and system privileges assigned to administrative user or group accounts.
Response Coordination
Given the communication plan, incident response will typically require coordination between different internal departments, and with external agencies, such as law enforcement and regulators. Legal Human Resources (HR) Public Relations (PR) Internal and external Law enforcement Senior leadership Regulatory bodies
Reporting Requirements: Accidental data breach
Human error or a misconfiguration leads to data being made public or sent to unauthorized recipients.
Recovery Phase: Patching
If an attack used a software or firmware exploit, the target system (and other systems with the same vulnerability) must be patched. Assuming that effective patch management procedures are in place and this wasn't an example of a zero-day attack, you also need to investigate why the systems were unpatched in the first place. If no patch is available, you need to apply different mitigating controls, such as extended monitoring or network segmentation.
Indicator of Compromise (IoC) Generation and Monitoring
If the response team feels that it did not receive enough actionable information during an incident, they can also verify that security monitoring and logging services are up to par. During the incident, analysts may have developed new filter and query statements and scripts to discover and correlate indicators of compromise (IoCs). The team may have detected new or variant malware code and created signatures to identify it. These new detection rules and binary signatures can be added to security systems to provide ongoing monitoring.
Report Writing: Evidence Retention
If there is a legal or regulatory impact, evidence of the incident must be preserved for at least the timescale defined by the regulations. This can be a period of many years. If a civil or criminal prosecution of the incident perpetrators is expected, evidence must be collected and stored using forensics procedures.
Incident Security Level: System process criticality
In a well-documented network, it should be apparent when an incident disrupts or threatens a mission essential function. Incidents affecting these systems must be prioritized for remediation.
Reconstitution of Resources
In circumstances where sanitization and then reconstruction or reimaging of the system is not possible (perhaps where it is necessary to recover data, or an up-to-date image of the specific system configuration is not available) you will need to reconstitute a resource manually.
Corporate Information
Information about profit, cash flow, salaries, market shares, key customers, and so on is all of interest to a company's competitors. A hack may be aimed at transferring funds from the company's cash accounts. Accounting information is highly susceptible to insider fraud and misdealing. If an attacker obtains a company's organization chart, showing who works for whom, the attacker has found out a great deal about that organization and may be able to use that information to gain more. Sensitive financial information, such as plans for mergers and acquisitions (M&A) may be targeted with a view to manipulating stock prices or influencing the deals being struck, or preventing the transactions from taking place.
Intellectual property (IP)
Information created by a company, typically about the products or services that they make or perform. Can include copyright works, patents, and trademarks. An obvious target for a company's competitors and in some industries (such as defense or energy) is of interest to foreign governments. May also represent a counterfeiting opportunity (movies, music, and books for instance).
Response Coordination: Legal
It is important to have access to legal expertise so that the team can evaluate incident response from the perspective of compliance with laws and industry regulations. A legal officer is usually best placed to communicate with law enforcement if that is required. Legal input will also be needed to mitigate the risk from civil lawsuits by companies or individuals seeking reparations for the breach.
Response Coordination: Human Resources (HR)
Many incident prevention and remediation actions affect employee contracts, employment law, and so on. Incident response requires the right to intercept and monitor employee communications. It is vital that contact with suspected insider threats is mediated through HR, so that no breaches of employment law or employment contracts is made. HR is also likely to be involved in communicating relevant details of the breach to the wider workforce, if necessary. They should also be involved in any training programs initiated as a means of mitigating the risk of other incidents of the same type.
The OODA Loop
Model developed by the US military strategist Colonel John Boyd Observe Orient Decide Act
Reporting Requirements: Integrity/availability
Most data breaches affect the confidentiality attribute of the information. Attacks that compromise the availability (destruction of systems-processing data) and integrity (a virus corrupting backups for instance) are also likely to require regulatory notification and reporting, however.
Sensitive Personal Information (SPI)
Not identifying information, but privacy-sensitive information about a subject that could harm them if made public and could prejudice decisions made about them if referred to by internal procedures. As defined by GDPR, this includes religious beliefs, political opinions, trade union membership, gender, sexual orientation, racial or ethnic origin, genetic data, and health information
Incident Response Phase: Eradication and Recovery
Once the incident is contained, the cause can be removed, and the system brought back to a secure state. The response process may have to iterate through multiple phases of detection, containment, and eradication to effect a complete resolution.
Reconstruction/Reimaging
One method of restoring the host software and settings following sanitization is to reimage the host disk using a known clean backup or template image you created prior to the incident. Another option is to reconstruct a system using a configuration template or scripted install from trusted media.
Incident Response Phases
Preparation Detection and Analysis Containment Eradication and Recovery Post-incident Activity
Incident Form
Records the detail about the reporting of an incident and assigns it a case or job number. The form should capture the following information: Date, time, and location both of the incident and of the detection of the incident. Reporter and incident handler names and contact details. How the incident was observed or detected, including any identification signature made by IDS or SIEM software. Type of incident (worm, data breach, unauthorized use of privileges, and so on) and a first assessment of criticality. Scope of the incident, listing business processes, network systems, PC/server hosts, cloud services, and users/user groups affected. Incident log describing the event and providing a timeline of the steps taken plus people involved in resolving it. When the incident is closed, the handler may record his or her recommendations for preventing reoccurrence.
Immediate Impact
Refers to direct costs incurred because of an incident, such as downtime, asset damage, fees and penalties, and so on.
Personal Health Information (PHI)
Refers to medical and insurance records, plus associated hospital and laboratory test results. May be associated with a specific person or used as an anonymized or de-identified data set for analysis and research. An anonymized data set is one where the identifying data is removed completely. A de-identified set contains codes that allow the subject information to be reconstructed by the data provider. Trades at high values on the black market, making it an attractive target. Criminals seek to exploit the data for insurance fraud or possibly to blackmail victims. Data is extremely sensitive and its loss has a permanent effect. Unlike a credit card number or bank account number, it cannot be changed. Consequently, the reputational damage that would be caused by a data breach is huge.
Lessons-Learned report (LLR)
Report generated after the Lessons Learned activity. What actions did you take? Is this the best solution? In other words, is the solution that you used a stop-gap measure, or is this something that you could reproduce consistently and use as a policy? Are there more capable solutions out there? How did the teams react to the issue? Could they have solved the incident more quickly or efficiently? In the event of the same or a similar incident occurring, how would you respond differently? Do the answers to these questions need a change in your security policy or an update to the incident response plan? Is there a change control process in place that will enable the organization to implement these corrective actions?
Incident Security Level: Detection time
Research has shown that the existence of more than half of all data breaches is not detected for weeks or months after the intrusion occurs, while in a successful intrusion data is typically breached within minutes. A historic data breach will still have investigation and reporting requirements. A major breach will still have a high-security-level classification, even if it took place weeks or months ago.
Recovery Phase: Vulnerability Mitigation and System Hardening
Should also consider how you can reduce the host attack surface through system hardening. Most effective as a preventative measure when designing system security, but this is not always feasible given the constraints of time, budgets, and the need for convenience. Can be useful after an incident has occurred to shut down any lingering effects or to purge a system of an infection. Can also remove and prevent further unauthorized users from accessing compromised systems.
Recovery Phase: Verification of Logging/Communication to Security Monitoring
Similarly, it is important to ensure that scanning and monitoring/log retrieval systems are functioning properly following the incident. You should check that an attacker has not been able to disable or subvert such systems, and that they were properly configured in the first place (and if they were configured properly, why they might not have provided warning of the attack).
Incident Security Level: Recovery time
Some incidents require lengthy remediation as the systems changes required are complex to implement. This extended recovery period should trigger heightened alertness for continued or new attacks. Consider how the scope of an incident may impact recovery time. Complex and resource-intensive systems may not be easily restored.
Lessons Learned Activity
Starts with a meeting where staff discuss the incident and the response made. Who was the adversary? Was the incident insider-driven, external, or a combination of both? Why was the incident perpetrated? Discuss the motives of the adversary and the data assets they might have targeted. When did the incident occur, when was it detected, and how long did it take to contain and eradicate? Where did the incident occur (host systems and network segments affected)? How did the incident occur? What tactics, techniques, and procedures (TTPs) were employed by the adversary? Were the TTPs known and documented in a knowledge base such as ATT&CK, or were they novel? What security controls would have provided better mitigation or improved the response?
Report Writing: Incident Summary Report
Summaries need to be adapted for the different audiences, but they will cover the following sort of ground: Identify how the incident occurred and how to prevent further exploitation of the same vulnerability. Assess the impact and damage to systems, reputation, finances, and so forth. Update the organization's security policies and processes as needed, based on lessons learned from the incident.
Response Coordination: Senior Leadership
System administrators—These personnel know better than anyone about the normal baseline behavior for the network and its systems, so their input can be a great help in identifying a cause and restoring operations. Managers and executives—It may be necessary to escalate certain response efforts up the chain of command. These decision makers are ultimately in control of the organization, and incident-handling decisions that could profoundly affect operations should not be made without their approval.
Incident Response Training
The actions of staff immediately following detection of an incident can have a critical impact on successful investigation and remediation. Clear policies and effective training on incident detection and reporting procedures equip staff with the tools they need to react calmly and positively to threatening events. This is of particular use in detecting insider threat, by encouraging employees to report legitimate suspicions in a secure way. Incident response is also likely to require coordinated action and authorization from several different departments or managers, which adds further levels of complexity. Cross-departmental training so that managers and other senior staff understand the processes and priorities of other sections of the business will make effective communication easier when things go wrong.
Response Coordination: Law Enforcement
The authorities can provide services to assist in your incident handling efforts, or you may simply want to communicate the situation to them to prepare for legal action in the future. Involving agencies can change the character of the investigation and result in more extensive business interruption, so this decision must be taken by senior executives in conjunction with legal guidance.
Incident Response Plan Update
The conclusions of the lessons-learned report should drive changes to incident response. This might involve small tweaks to procedure, better explanation or greater clarity for incident handlers, new templates for communicating with trusted parties, or major changes to the security controls used. Updates to incident response procedures will also require updated training and testing programs.
Incident Security Level: Downtime
The degree to which an incident disrupts business processes. An incident can either degrade (reduce performance) or interrupt (completely stop) the availability of an asset, system, or business process. To learn the extent of the damage, you should communicate with members of the CSIRT, as well as other employees, to identify every dimension of the organization that could possibly be affected by the incident.
Impact Analysis
The process of assessing what costs are associated with an incident, such as a data breach. It will use security-monitoring data to assess the scale of the incident. Damage incurred in an incident can have wide-reaching consequences, including: Damage to data integrity and information system resources. Unauthorized changes and configuration of data or information systems. Theft of data or resources. Disclosure of confidential or sensitive data. Interruption of services and system downtime.
Sanitization and Secure Disposal
The simplest option for eradicating a contaminated system is to replace it with a clean image from a trusted store. The host's persistent storage devices must be fully sanitized before the replacement image is applied. One issue with file system sanitization is to ensure that malware has not infected system or device firmware (or to reimage these firmwares too).
Response Coordination: Public Relations (PR)
The team is likely to require marketing or public relations (PR) input, so that any negative publicity from a serious incident can be managed. Information about the incident can be released in a controlled way when appropriate through known press and external PR agencies. This will include managing reactions and questions about the incident on social media.
Incident Response Testing
There are few ways to prove beyond a doubt that incident-handling procedures are robust enough to cope with major breaches or DDoS attacks, but the best approach is testing. This is not without its own challenges, as arranging a test to simulate a significant incident is a costly and complex exercise.
Cryptographic Erase (CE)
This wiping method uses the native command to call a cryptographic erasure, which erases the encryption key. While the encrypted data remains on the storage device itself, it is effectively impossible to decrypt, rendering the data unrecoverable.
OODA: Decide
What are the options for countermeasures? What are our goals? Can we prevent a data breach from happening or should we focus on gathering forensic evidence to try to prosecute later?
Containment
When analysis suggests that a system is compromised, you need to move quickly to identify the most appropriate containment technique. Your course of action will depend on several factors: Ensure the safety and security of all personnel. The first concern of all managers involved with the security response is the safety and security of personnel. Prevent ongoing intrusion or data breach. This is likely to be the overriding priority in terms of systems and data. Identify whether the intrusion is the primary attack or a secondary one (part of a more complex campaign). Avoid alerting the attacker to the fact that the intrusion has been discovered. Preserve forensic evidence of the intrusion. While waiting for the forensics analyst to arrive, treat the system as one would any crime scene by preventing anyone from compromising the system further or destroying evidence.