Incident Response Process

Six-Step Incident Response Process

The Incident Response (IR) process will be the most important process you’ll ever implement in your organization. It is key in how your organization responds to a cyber incident. We will cover the SANS Six-Step Incident Response process. You’ll implement strategies to prepare for cyber incidents; how you will identify an incident; curate a containment plan based on the threat intelligence you’ve gathered after identifying the incident; return to business operations by eradicating and remediating the threat; appropriately recover by conducting proper patch management, blocking malicious IOCs, password changes, or restoring backups; reviewing the lessons learned from the incident and where the organization can improve.

You can imagine the IR process as a perpetual loop, always improving your organization after every incident. The incident response process is the following six key steps:

• #1 Preparation
• #2 Identification and Scoping
• #3 Containment and Threat Intel
• #4 Eradication and Remediation
• #5 Recovery
• #6 Lessons Learned

#1 Preparation

The preparation phase will be the foundation of your IR process. If you do not properly prepare for incidents you’re bound to fail, even though failure can provide some of the best lessons. Realistically, failure in our industry could lead to the loss of millions of dollars, whether it’s the loss of intellectual property or reputation impacting sales, or a ransomware attack.

When you’re building a home, you prepare with ideas and transform those ideas into a blueprint. This blueprint provides measurements, different types of materials, implementation of processes and policies, a variety of teams and their specialties, and hardware, it may provide contact information for appropriate communication channels as well (i.e. project manager, sales rep.) Hopefully, that hamster wheel started to turn, brainstorming ideas that are associated with this analogy.

What did you come up with?

Processes, Procedures, and policies are a great starting point for implementing an IR process within your organization. These documents can include appropriate communication channels and identify who is responsible for what. You can establish the appropriate teams, including a Computer Security Incident Response Team known as a CSIRT. Implementing processes and procedures will guide CSIRT and identified stakeholders when responding to an incident.

#2 Identification and Scope

The identification and scope phase occurs after an incident has been identified. An incident can be defined as a violation of your organization’s security policies. In your preparation phase, you determine what action against your organization would be considered a violation of security policies. For example, unauthorized activity occurs on your SQL server from an unexpected external location. Hopefully the former is categorized as an incident in your organization. However, identification and scope also require notification when an incident occurs.

The method by which your organization is notified of an incident will be established in phase one, the Preparation phase. A notification could originate from either your Security Information and Event Management (SIEM) system via correlation of datasets that meet appropriate logic for a particular event, a phone call from your help-desk team, an email from an end user, or a notification could originate from your Threat Hunting team, which is proactively hunting in your environment.

After your CSIRT identifies the incident activity surrounding your SQL server, you must begin scoping the incident. This phase requires identifying other machines within your environment that could be compromised. If you skip identifying and scoping the incident, the attackers could remain in the environment for further compromise, leading to a ‘whack-a-mole’ approach in the containment and threat intel approach.

#3 Containment and Threat Intelligence

Containment and Threat Intelligence is an interesting phase, this phase works within a microcycle along with identification and scoping. Threat Intelligence in this context refers to gathering intelligence correlating to the incident. If you have unauthorized activity occurring on your SQL server, let us assume there may be an indication of malware on the SQL server, you are going to gather intelligence regarding the incident. Gathering the appropriate intelligence will allow you to curate a containment strategy.

An Incident Responder will gather Indicators of Compromise (IOC) and Indicators of Attack (IOA). An IOC can include atomic indicators such as file hashes, file paths, file names, domains, and IP addresses. Now an IOA can represent the tactics or techniques used by the adversary in your environment. These IOAs could be lateral movement to other machines via Psexec; phishing emails to exploit social engineering for initial access; and malware being used to execute data exfiltration to a C2 server. A great resource to review different tactics and techniques of adversary actions would be MITRE ATT&CK. “If you are not collecting information on attacker activity, you are starting from the absolute beginning in every investigation.” - Chad Tilbury.

As you gather this intelligence you’ll work with your team to curate a containment strategy. Organizations may implement different containment strategies to prevent or slow additional adversary activity. This can be accomplished in several ways. Implement additional network and host monitoring, segmentation, traffic shaping, etc. The goal is to degrade the adversary’s activity and prevent them from achieving their goal. There is a caveat, you may want to observe your adversary and gather additional information. Additional information could allow the IR team to identify and scope the rest of the environment for compromise. There have been instances where IR teams have contained the adversary too early, and the adversary retaliated in other parts of the environment. Additional information would allow the IR team to enact a permanent eradication and remediation plan.

#4 Eradication and Remediation

In the most important phase of the IR process, we want to completely remove or eradicate the adversary’s foothold from the environment and return to normal business operations. This phase cannot occur until the complete identification, scope, and understanding of the incident has occurred. If you decide to skip directly to eradication and remediation as stated previously, you will be engaging in a game of whack-a-mole continuously dealing with the adversary.

We will want to block IOCs found during the containment and threat intelligence phase. This can include malicious IP addresses used for command and control or data exfiltration; domains and URLs; and file hashes associated with found malware. We want to configure use cases within our SIEM to properly alert certain event behaviors with the Indicators of Attack identified in the environment. Changing passwords on known and potentially affected accounts. We will want to rebuild compromised systems from ‘known-good’ backups.

It is important during this phase an eradication and remediation plan is in place. Every time your team experiences an incident be prepared for growing pains when developing these plans. Prepare for the eradication and remediation plan to change over time to be effective within your environment.

#5 Recovery

Our initial goal in the recovery phase will be to return to normal business operations. In this phase, we will patch vulnerabilities and exploits found in our environment; and maybe implement a network redesign for an increase in security.

Do not limit yourself there, web portals may require reconfiguration to be protected from web attacks. Implementing a web proxy for an additional layer of security for your end users. We want to improve our overall security posture to prevent immediate reinfection.

#6 Lessons Learned / Follow-up

Last but not least, lessons learned from the incident are crucial in perfecting your incident response plan. In this phase, we can implement changes to our incident response plan, including our policies and procedures. Maybe we need to change the point of contact information for key stakeholders or create additions to our identification and scoping procedure.

In this phase, we can also incorporate auditing of our network and use a penetration team to conduct red team activities to ensure the security measurements we implemented work. Red teams can also help identify other vulnerabilities and attack vectors in your environment. These teams are crucial in securing your environment from adversaries.

#

Below is a list of reading material to help your Incident Response process for your organization:

• Incident Response for Windows: Adapt effective strategies for managing sophisticated cyberattacks targeting Windows systems by Anatoly Tykushin (Author), Svetlana Ostrovskaya (Author)

• Blue Team Handbook: Incident Response Edition: A condensed field guide for the Cyber Security Incident Responder. Paperback – August 3, 2014 by Don Murdoch GSE (Author)

• Digital Forensics and Incident Response: Incident response tools and techniques for effective cyber threat response, 3rd Edition 3rd ed. Edition by Gerard Johansen (Author)

• Incident Response Techniques for Ransomware Attacks: Understand modern ransomware attacks and build an incident response strategy to work through them by Oleg Skulkin (Author)

• Intelligence-Driven Incident Response: Outwitting the Adversary 1st Edition by Scott J. Roberts (Author), Rebekah Brown (Author)

• Incident Response in the Age of Cloud: Techniques and best practices to effectively respond to cybersecurity incidents by Dr Erdal Ozkaya (Author)