Chapter 22: Incident Response
Documented Incident Types/Category Definitions
Document incident types / category definitions provide planners and responders with a set number of preplanned scripts that can be applied quickly, minimizing repetitive approvals and process flows.
Incident Management
Having an incident response management methodology is a key risk mitigation strategy. One of the steps that should be taken to establish a plan to handle business interruptions as a result of a cyber event of some sort is the establishment of a Computer Incident Response Team (CIRT) or a Computer Emergency Response Team (CERT) The organization's CIRT will conduct the investigation into the incident and make the recommendations on how to proceed. In addition to individuals with a technical background, the CIRT should include non-technical personnel to provide guidance on ways to handle media attention, legal issues that may arise, and management issues regarding the continued operation of the organization.
Escalating Privileges
Is the next step after gaining access. You want to escalate your privileges to a higher privileged account because the range of accessible activities is greater, including pilfering files, creating backdoors so you can return, and covering your tracks by erasing logs.
Information Criticality
Is the relative importance of specific information to the business. It is a key measure used in the prioritization of actions throughout the incident response process.
Quaratine
One method of isolating a machine is through a quarantine process. Quarantine is a process of isolating an object from its surroundings, preventing normal access methods. The machine may be allowed to run, but its connection to other machines is broken in a manner to prevent the spread of infections. Quarantine can be accomplished through a variety of mechanisms, including the erection of firewalls restricting communication between machines.
NIST
The National Institute of Standards and Technology, a US governmental entity under the Department of Commerce, produces a wide range of Special Publications (SPs) in the area of computer security. Grouped into several different categories, the most relevant SPs for incident response come from the Special Publication 800 series: -Computer Security Incident Handled Guide, SP 800-61 Rev 2 -NIST Security Content Automation Protocol (SCAP), SP 800-126 Rev 2 -Information Security Continuous Monitoring for Federal Information Systems and Organizations, SP 800-137 -Guide to selecting Information Technology Security Products, NIST SP 800-36 -Guide To Enterprise Patch Management Technologies, NIST SP 800-40 v3 -Guide To Using Vulnerability Naming Schemes [CVE/CCE], NIST SP 800-51 Rev 1
State of Compromise
The new standard of information security involves living in a state of compromise, where you should always expect that adversaries are active in their networks.
Standards and Best Practices:
There are many options available to a team when planning and performing processes and procedures.
Exercise
You don't really know how well a plan is crafted until it is tested. Exercises come in many forms and functions, and doing a tabletop exercise where planning and preparation steps are tested is an important final step in the planning process.
Incident Response Policy
details the roles and responsibilities of the organizational elements with respect to the process elements detailed in this chapter.
Enumeration
is a listing of the systems and vulnerabilities to build an attack game plan.
Remote Administration Trojan (RAT)
is a software placed in the victim's network, creating network backdoors and tunnels that allow stealth access to its infrastructure.
Incident Identification/Detection
An incident is defined as a situation that departs from normal, routine operations.
Incident Response Process:
Incident response is the set of actions security personnel performs in response to a wide range of triggering events. These actions are vast and varied because they have to deal with a wide range of causes and consequences. Through the use of a structured framework, coupled with properly prepared processes, incident response becomes a manageable task.
Incident Response Plan
Incident response plan is a documentation associated with the steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system.
Incident Response
Is a term used to describe the steps an organization performs in response to any situation determined to be abnormal in the operation of a computer system.
Making Security Measurable
MITRE, working together with partners from government, industry, and academia, has created a set of techniques (called making security measurable) to improve the measurability of security.
Recovery
After the issue has been eradicate, the recovery process begins. At this point, the investigation is complete and documented. Recovery is the returning of the asset into the business function. Eradication, removed the problem, but in most cases the eradicated system would be isolated. The recovery process includes the steps necessary to return the systems and applications to operational status. Recovery is an important step in all incidents. One of the first rules is to not trust a system that has been compromised, and this includes all aspects of an operating system. First, the cause of the incident needs to be determined and resolved. This is done through an incident response mechanism. Second, the data, if sensitive and subject to misuse, needs to be examined in the context of how it was lost, who would have access, and what business measures need to be taken to mitigate specific business damage as a result of the release. Recovery can be a two step process. First, the essential business functions can be recovered, enabling business operations to resume. The second step is the restoration of all services and operations. Notes: There are many different incident response processes in the information security space. For the Security+ exam, you should know the steps of their process: -Preparation -Identification -Containment -Eradication -Recovery -Lessons Learned
Security Measure Implementation
All data that is stored is subject to breach or compromise. The level of risk in each state differs because of several factors: -Time. Data tends to spend more time in storage and hence is subject to breach or compromise over longer time periods. -Quantity. Data in storage tends to offer a greater quantity to breach or compromise than data in transit, and data in processing offers even less. If records are being compromised while being processed, then only records being processed are subjected to risk. -Access. Different protections mechanisms exist in each of the domains, and this has a direct effect on the risk associated with breach or compromise. Operating systems tend to have very tight controls to prevent cross process data issues such as error and contamination. Data in transit is subject to breach or compromise from a variety of network level attacks and vulnerabilities. Data minimization. Removing unnecessary data. Notes: Data breaches may not be preventable, but they can be mitigated through minimization and encryption efforts. Developing and deploying a data classification scheme can assist in preventative planning efforts when designing security for data breaches.
Initial Response
Although there is no such thing as a typical incident, for any incident there is a series of questions that can be answered to form a proper Initial Response. Regardless of the source, the following items are important to determine during an initial response: -Current time and date -Who/What is reporting the incident -Nature of the incident -When the incident occurred -Hardware/Software involved -Point of contact for involved personnel The purpose of the initial response is to begin the incident response action and place it on a proper pathway towards success.
Old School
Attacks are not a new phenomenon in enterprise security, and a historical examination of large numbers of attacks shows common methods. These are the traditional steps: 1. Footprinting 2. Scanning 3. Enumeration 4. Gain access 5. Escalate privileges 6. Pilfer 7. Create backdoors 8. Cover tracks 9. Denial of Services (DOS)
Incident Response Team
Establishing an incident response team is an essential step in the preparation phase. The incident response team is a critical part of the incident response plan. Team membership will vary depending on the type of incident or suspected incident but may include the following members: -Team lead -Network/Security analyst -Internal and external subject matter experts -Legal counsel -Public affairs officer -Security office contact
Foundations of Incident Response:
Incident response is not just an information security operation. It is an effort that involves the entire business. The security team may form the nucleus of the effort, but the key tasks are performed by many parts of the business. The causes of incidents are many, from the environment (storms) to errors on the part of users to unauthorized actions by unauthorized users, to name a few. Although the causes may be many, the results can be stored into classes. A low impact incident may not result in any significant risk exposure, so no action other than repairing the broken system is needed. A moderate risk incident will require greater scrutiny and response efforts, and a high-level risk exposure incident will require the greatest scrutiny. To manage incidents when they occur, a table of guidelines for the incident response team needs to be created to assist in determining the level of response. Two major elements play a role in determining the level of response. Information criticality is the primary determinant, and this comes from the data classification and the quantity of data involved. The second major element involves a business decision on how this incident plays into current business operations.
Roles and Responsibilities
Its critical to define the roles and responsibilities of the incident response team members. Defining them before an incident occurs empowers the team to perform the necessary tasks during the time sensitive aspect of an incident. Permissions to cut connections change servers, or start/stop services are common examples of predefined actions that are best defined in advanced to prevent time consuming approvals during an actual incident. Permission to cut connections change servers, or Start/stop services are common examples of predefined actions that are best defined in advanced to prevent time consuming approvals during an actual incident.
STIX and TAXII
MITRE has continued its efforts in the process of making security measurable and adding automation to the mix.
Containment and Eradication
Once the incident response team has determined that an incident most likely has occurred, it must attempt to quickly contain the problem, at this point or soon after containment begins, depending on the severity of the incident, management needs to decide whether the organization intends to prosecute the individual who caused the incident (in which case collection and preservation of evidence is necessary) or simply wants to restore operations as quickly as possible without regard to possibly destroying evidence. In certain circumstances, management might not have a choice, such as if specific regulations or laws require it to report particular incidents. If management makes the decision to prosecute, specific procedures need to be followed in handling potential evidence. Individuals trained in forensics should be used in this case. If an intruder is still connected to the organization's system, one response is to disconnect from the internet until the system can be restored and vulnerabilities can be patched. This might result in loss of revenue. Another response might be to stay connected and attempt to determine the origin or the intruder. A decision will need to be made as to which is more important for your organization. Your incident response policy should identify who is authorized to make this decision. Other possible containment activities might include adding filtering rules or modifying existing rules on firewalls, routers, and intrusion detection systems; updating antivirus; and removing specific pieces of hardware or halting specific software applications. If an intruder has gained access through a specific account, disabling or removing that account may be necessary.
Preparation
Preparation is the phase of incident response that occurs before a specific incident. Preparation include all the tasks needed to be organized and ready to respond to an incident. The organization needs to establish the steps to be taken when an incident is discovered (or suspected); determine points of contacts; train all employees and security professionals so they understand the steps to take and who to call; establish an incident response team; acquire the equipment necessary to detect, contain, and recover from an incident; establish the procedures and guidelines for the use of the equipment obtained; and train those who will use the equipment.
Gaining access
The first actual incursion is gaining access to an account on the system, almost always an ordinary user, as higher privilege accounts are harder to target.
Investigation Best Practices
The first rule of incident response is "do no harm". If the investigation itself causes issues for the business, how is this different from a business perspective than the original vector? In the fact, in advanced threats, the attackers take great care not to impact the system or business operations in any way that could lead to discovery. It is important for the response team to exercise extreme caution and to do no harm, lest they make future investigations impractical or deemed not worthy pursuing.
Quakbot Worm Isolation
The following summary notes made by a firm that was hit by the Quakbot worm. Consider how your incident response process would respond to this scenario. -Laptop infected while off the network -When rejoined company network -Spread to open network drives within minutes -Spread to a group of computers within 60 minutes using a common administrator credential -Infection identified by server antivirus detecting dropped files -Malware analysis identified commands and control connections -Identified additional infected systems from network logs. -Could not immediately take infected computers out of service because they were being used in a critical function. -Computers were also geographically dispersed -Had to isolate a portion of the network (while still allowing critical data flows) while remediating one computer at a time during a maintenance window. Although Quakbot may not be a threat to your network, similar threats abound, and the response measures will be similar. Once the immediate problems have been contained, the incident response team needs to address the cause of the incident. If the incident is the result of a vulnerability that was not patched, the patch must be obtained, tested, and applied. Accounts may need to be disabled or passwords may need to be changed. Complete reloading of the operating system might be necessary if the intruder has been in the system for an unknown length or has modified system files. Determining when an intruder first gained access to your system or network is critical for determining how far back to go in restoring the system or network.
Goals of Incident Response:
The goals of an Incident Response process are multidimensional in nature. -Confirm or dispel incident -Promote accurate information accumulation and dissemination -Establish controls for evidence -Protect privacy rights -Minimize disruptions to operations -Allow for legal/Civil recourse -Provide accurate reports/recommendations Incident response depends upon accurate information. Without it, the chance of following data in the wrong direction is a possibility, as is missing crucial information and only finding dead ends.
Common Indicators Of Compromise:
There are common indicators of compromise: -Unusual outbound traffic. This is probably is the clearest indicator that data is going where it shouldn't -Geographical irregularities. Communications going to countries in which no business ties exist is another key indicator that data is going where it shouldn't -Unusual login activities. Failed logins, login failures to non-existent accounts, and so forth, indicate compromise. -Anomalous usage patterns for privileged accounts. Changes in patterns of when administrators typically operate and what they typically access indicate compromise. -Changes in database access patterns. This indicates hackers are searching for data or reading it to collect large quantities. -Automated web traffic. Timing can show some requests are scripts, not humans -Change in HTML response sizes. SQL injection can result in large HTML response times -Large numbers of requests for specific files. Numerous requests for specific files, such as join.php, may indicate automated attack patterns -Mismatched port to application traffic. This is a common method of attempting to hide activity. -Unusual DNS requests. Command and control server traffic often use unusual DNS requests -Unusual registry changes. Unusual changes are indications of abnormal changes to a system state -Unexpected patches. Some hackers/malware will patch to prevent other hackers from entering a target. -Bundles of data/files in the wrong place. Large aggregations of data, frequently encrypted, may be files being prepared for exfiltration -Changes to mobile device profiles. Mobile is the new perimeter, and changes may indicate malware. -DDOS/DOS Attacks. Denial of service is used as a tool to provide a smokescreen or distraction. There are several standards associated with IOCs, but the 3 main ones are Cyber Observable Expressions (CyBOX), a method of information sharing developed by MITRE; OpenIOC, an open source initiative established by Mandiant that is designed to failitate rapid communication of specific threat information associated with known threats; and the Incident Object Description Exchange Format (IODEF), an XML format specified in RFC 5070 for conveying incident information between response teams, both internally and externally with respect to organizations.
Network Monitoring (Netflow)
To monitor network flow data, including who is talking to whom, one source of information is Netflow data. Netflow is a protocol/standard for the collection of network metadata on the flows of network traffic. Netflow is now an IETF standard and allows unidirectional (oneway) captures of communication metadata.
Cyber Incident Response Teams
Typically more than one person will respond to an incident. Defining the cyber incident response team, including identifying key membership and backup members, is a task that needs to be done prior to an incident occurring.
Scanning
is the examination of machines to determine what operating systems, services, and vulnerabilities exist.
System Preparation
systems require preparation for effective incident response efforts. Incident responders are dependent upon documentation for understanding hardware, software, and network layouts. Understanding how access control is employed, including specifics across all system, is key when determining who can do what - a common incident response question. Having lists of critical files and their hash values, all stored offline can make system investigation a more efficient process.
First Responder
A cyber first responder must do as much as possible to control damage or loss of evidence. Obviously, as time passes, evidence can be tampered with or destroyed. Look around on the desk, on the rolodex, under the keyboard, in desktop storage areas, and on cubicle bulletin boards for any information that might be relevant. Secure floppy disks, optical discs, flash memory cards, USB drives, tapes, and other removable media. Request copies of logs as soon as possible. Most ISP will protect logs that could be subpoenaed. Take photos (Polaroids) or video. Include photos of operating computer screens and hardware components from multiple angles. Be sure to photograph internal components before removing them for analysis. The first responder can do much to prevent damage or can cause significant loss by digitally altering evidence, even inadvertently. Collecting data should be done in a forensically sound nature, and be sure to pay attention to recording time values so that time offsets can be calculated.
Netflow Data:
A flow is unidirectional (one-way), so bidirectional flow would be recovered as 2 separate flows. Netflow data is defined by these 7 unique ways: -Source IP address -Destination IP address -Source Port -Destination Port -Layer 3 protocol -TOS type (OSCP) -Input Interface (IfIndex)
Cyber Kill Chain
A modern cyber attack is a complex, multistage process, the concept of a kill chain is the targeting of specific steps of a multistep process with the goal of disrupting the overall process. The term Cyber Kill Chain is the application of this philosophy to a cyber incident, with the expressed purpose of disrupting the attack.
Device Removal
A more extreme response is device removal. In the event a machines does becomes compromised, it is simply removed from production and replaced. When device removal entails the physical change of hardware, this is a resource intensive operation. Reimaging machines are a time consuming endeavor. VM images make this easier.
Lessons Learned
A post mortem session should collect Lessons Learned and assign action items to correct weaknesses and to suggest ways to improve.
Advanced Persistent Threat
A relatively new attack phenomenon is the Advanced Persistent Threat (APT), which is an attack that always maintains a primary focus on remaining in the network, operating unprotected, and having multiple ways in and out. Most APTs begin via a phishing or spear phishing attack, which establishes a foothold in the system. From this foothold, the attack methodology is similar to the traditional attack method described in the previous section, but additional emphasis is placed on the steps needed to maintain a presence on a network. As shown here: 1. Define target 2. Research target 3. Select tools 4. Test for detection 5. Initial intrusion 6. Establish outbound connection 7. Obtain credentials 8. Expand access 9. Strengthen foothold 10. Cover tracks 11. Exfiltrate data The initial intrusion is usually performed via social engineering (spear phishing), over email, using zero day custom malware. Another popular infection method is the use of a watering hole attack, planting the malware on a web site that the victim employees will likely visit. the next step, obtaining credentials and escalating privileges, is performed through the use of exploits and password cracking. The true objective is to get root/admin access.
Threat Intelligence
A second major tool for defenders who are hunting attackers is threat intelligence. Threat intelligence is the actionable information about malicious actors, their tools, infrastructure, and methods. Incident response is a game of resource management. A combination of threat intelligence with the Cyber Kill Chain (the attacker's most likely path) will give you the means to prioritize actions against most meaningful threats.
Researching Vulnerabilities
After the hacker has a list of software running on the systems, he will start researching the internet for vulnerabilities associated with that software. Numerous web sites provide information on vulnerabilities in specific programs and operating system. Understanding how hackers navigate systems is important because system administrators and security personnel can use the same steps to research potential vulnerabilities before a hacker strikes
Reporting
After the system has been restored, the incident response team creates a report of the incident. Detailing what was discovered, how it was discovered, what was done, and the results, this report acts as a corporate memory and can be used for future incidents. Part of the report will be recommendations, if appropriate, to change existing policies and procedures, including disaster recovery and business continuity.
Detection
An incident response team can't begin an investigation until a suspected incident has been detected. At that point, the detection phase of the incident response policy kicks in. One of the first jobs of the incident response team is to determine whether an actual security incident has occurred. One of the first groups to notice an incident is the network and security administrators that run firewalls and intrusion detection systems. Viruses and social engineering attacks as possible incidents. A common technique is to develop a reporting template that can be supplied to an individual who suspects an incident so that the necessary information is gathered in a timely manner.
indicators of compromise (IOCs)
An indicator of compromise (IOC) is an artifact left behind from a computer intrusion activity. Detecting IOCs is a quick way to jump start a response element. IOCs act as a tripwire for responders. An IOC can be tied to a specific observable event, which then can be traced to related events, and to stateful events such as registry keys
MITRE created, Trusted Automated eXchanged of Indicator Information (TAXII)
As the main transport mechanism for cyberthreat information represented by STIX
Anatomy of an Attack
Attackers have a method by which they attack a system. Although the specifics may differ from event to event, there are some common steps that are employed. There are numerous types of attacks, from old school hacking to the new persistent threat (APT) attack. The differences are subtle and are related to the objectives of each form of attack.
Duplication
Duplication of drives is a common forensics process. It is important to have accurate copies and proper hash values so that any analysis is performed under proper conditions. Proper disk duplication is necessary to ensure all data, including meta-data, is properly captured and analyzed as part of the overall process.
Department of Justice (DOJ)
In April 2015, the U.S. Department of Justice's Cybersecurity Unit released a best practice document, Best Practicing For Victim Response and Reporting of Cyber Incidents. This document identifies steps to take before a cyber incident, the steps to take during an incident response action, a list of actions not to take, and what to do after the incident. The URL for the document is in the "For More Information" section at the end of the chapter.
Initial Response Errors
Mistakes such as these are common during initial response: -Failure to document findings appropriately -Failure to notify or provide accurate information to decision makers -Failure to record and control access to digital evidence -Waiting too long before reporting -Underestimating the scope of the evidence that may be found.
Incident Response Defined:
NIST Special Publication 800-61 defines an incident as the act of violating an explicit or implied security policy. This violation can be intentional, incidental, or accidental, with causes being wide and varied in nature. These include but are not limited to the following: -Attempts (either failed or successful) to gain unauthorized access to a system or its data. -Unwanted disruption or denial of service -The unauthorized use of a system for the processing or storage of data -Changes to system hardware, firmware, software characteristics without the owner's knowledge, instruction, or consent. -Environmental changes that result in data loss or destruction -Accidental actions that result in data loss or destruction
Eradication
Once a problem has been contained to a set footprint, the next step is eradication. Eradication involves removing the problem, this may mean rebuilding a clean machine. This process is made easier with VMs (snapshots).
Containment/Incident Isolation
Once the incident response team has determined that an incident has occurred and requires a response, the first step is to contain the incident and prevent it from spreading. If this is a virus or worm that is attacking database servers, then the protection of the uninfected servers is paramount. Containment is the set of actions that are taken to constrain the incident to the minimal number of machines. This preserves as much of production as possible and ultimately makes handling the incident easier. This can be complex because in many cases to contain the problem, one has to fully understand the problem, its root cause, and the vulnerabilities.
Escalation and Notification
One key decision point in initial response is that of escalation, when a threshold of information becomes known to an operator and the operator decides to escalate the situation, the incident response process moves to a notification and escalation phase. Assessing the risk associated with an incident is an important step.
Reporting Requirements/Escalation
Planning the desired reporting requirements including escalation steps is an important part of the operational plan for an incident. Who will speak about the incident and to whom? How does the information flow? who need to be involved? When does the issue escalate to higher levels of management? These are all questions best handled in the calm of pre-incident planning meeting where the procedures are crafted rather than on the fly as an incident is occuring.
Organization Preparation
Preparing an organization requires an incident response plan, both for the initial effort and for the maintenance of that effort. At a minimum, the following items should be addressed and periodically reviewed in terms of incident response preparation: -Develop and maintain comprehensive incident response policies and procedures -Establish and maintain an incident response team. -Obtain top level management support -Agree to ground rules/rules of engagement -Develop scenarios and responses -Develop and maintain an incident response kit -System plans and diagrams -Network architectures -Critical asset lists -Practice response procedures -Fire drills -Scenarios ("who do you call?")
What Not To Do As Part Of Incident Response:
The US department of justice has 2 specific recommended steps that you should not take as part of an incident response action. -Do not use the compromised system to communicate -Do not hack into or damage another network or system. The victim organization should always assume that any communications across affected machines will be compromised. This eavesdropping action is standard hacking behavior, and if you tip off your actions, they can be countered before you regain control of your system. Hacking, even retaliatory hacking, is illegal, and given the difficulty in attribution, attempts to respond by hacking the hacker may accidentally result in hacking an innocent third party machine.
Identification
The act of Identification is coming to a decision that the information related to the incident is worthy of further investigation by the IR (Incident Response) team and, in addition, what aspects of the IR team are needed to respond.
APT Attack Model
The computer security investigative firm Mandiant (now a division of FireEye) was one of the pioneers in the use of incident response techniques against APT style attacks. They published a model of an APT attack to be used as a guide, listed here: 1. Initial compromise 2. Establish foothold 3. Escalate privileges 4. Internal reconnaissance 5. Move laterally 6. Maintain presence 7. Complete mission The key step is step 5, moving laterally. Lateral movement is where the adversary traverses your network, using multiple accounts, and does so to discover material worth stealing as well as to avoid being locked out by normal operational changes. This is one element that can be leveraged to help slow down, detect, and defeat APT attacks. Blocking lateral movement can defeat APT attacks from spreading through a network and can limit their stealth.
Strategy Formulation
The response to an incident will be highly dependent upon the particular circumstances of the intrusion. There are many paths one can take in the steps associated with an incident; the challenge is in choosing the best steps in each case. During the preparation stage, a wide range of scenarios can be examined, allowing time to formulate strategies. A variety of factors should be considered in the planning and deployment of strategies, including, but not limited to, the following: -How critical are the impacted systems? -How sensitive is the data? -What is the potential overall dollar loss involved/rate of loss? -How much downtime can be tolerated? -Who are the perpetrators? -What is the skill level of the attacker? -Does the Incident have adverse publicly potential? These pieces of information provide boundaries for the upcoming investigations. -Restore normal operations -Offline recovery -Online recovery -Determine public relations play -"to spin or not to spin" -Determine probable attacker -Internal: handle internally or prosecute? -External: Prosecute -Involve law enforcement -Determine type of attack -DOS, theft, vandalism, policy violation -Ongoing intrusion -Pivoting -Classify victim system -Critical server/application -Number of users -What other systems are affected Using the answers to these questions helps the team determine the necessary steps in the upcoming investigation phase.
Investigation
The true investigation phase of an incident is a multistep, multiparty event, with the exception of very simple events, most incidents will involve multiple machines and potentially impact the business in multiple ways. The primary objective of the investigative phase is to make the following determinations: -What happened -What systems are affected -What was compromised -What was the vulnerabilities -Who did it (if possible to determine) -What are the recovery/remediation options
CyBOX
is a standardized schema for the communication of observed data from the operational domain.
Structured Threat Information eXpression (STIX)
is a structured language for cyber threat intelligence information
Incident
is any event in an information system or network where the results are different than normal.
Footprinting
is the determination of the boundaries of a target space. There are numerous sources of information, including web sites, DNS records, and IP registrations. Understanding the boundaries assist an attacker in knowing what is in their target range and what isn't.
Using Nmap to fingerprint an operating system:
nmap -O -v [website/IP]