Chapter 11: Containment, Eradication, and Recovery Flashcards
Containment, Eradication, and Recovery Phase
Moves an org from the primarily passive incident response activities that take place during Detection and Analysis to more active undertakings
Once an org understands that a cybersecurity incident is underway, they take actions designed to minimize the damage caused by the incident and restore normal operations ASAP
Containment
The first activity that takes place during this phase, and it should begin as quickly as possible after analysts determine that an incident is underway
Containment activities are designed to limit the scope and impact of an incident
Scope of the Incident
* The number of systems or individuals involved in an incident
Impact of the Incident
* The effect that it has on the org
NOTE: Containment means very different things in the context of different types of security incidents
* EX: Let’s say the org is experiencing active exfiltration of data from a credit card processing system
* Incident responders might contain the damage by disconnecting the system from the network, which prevents attackers from continuing exfiltration
* But if the org is experiencing a DoS attack, disconnecting the network connection actually helps the attacker achieve their objective in this case
* Here, containment could be placing filters on an upstream internet connection that blocks all inbound traffic from networks involved in the attack, or blocks web requests that bear a certain signature
Dion’s Containment Priorities
1. Ensure the safety and security of all personnel
2. Prevent an ongoing intrusion or data breach
3. Identify if the intrusion is the primary or secondary attack
4. Avoid alerting the attacker that the attack has been discovered
5. Preserve forensic evidence of the intrusion and attack
Containment Collateral Damage
Containment isn’t always perfect, and as such can cause collateral damage to a business
Using the previous examples:
* Disconnecting a credit card processing system may bring transactions to a halt
* Blocking inbound traffic may render the site inaccessible to legitimate users
Incident responders undertaking containment strategies must understand the potential side effects of their actions while weighing them against the greater benefit of the org
Containment Strategy Criteria
Selecting the right containment strategies is one of the most difficult tasks facing incident responders
NIST recommends the following criteria to develop an appropriate containment strategy and weigh it against business interests:
* Potential damage to, and theft of, resources
* Need for evidence preservation
* Service availability (EX: network connectivity, service provided to external parties)
* Time and resources needed to implement the strategy
* Effectiveness of the strategy (EX: partial containment, full containment)
* Duration of the solution (EX: emergency workaround to be removed in four hours, temporary workaround to be removed in two weeks, permanent solution)
NOTE: There’s no formula or decision tree that guarantees responders will make the right decision during incident response. Understand these criteria, the intent of management, and the technical and business operating environments, and use them to make the best call you can
Network Segmentation
Used as a proactive control in a defense-in-depth approach to infosec, and is used to prevent the spread of future security incidents
It’s also crucial in incident response
During the early stages of an incident, responders may realize that a portion of systems are compromised, but wish to continue to observe the activity on those systems while they determine other appropriate responses
At the same time, they want to protect other systems on the network from the potentially compromised systems
So you could build a separate VLAN that contains those systems, keeps them somewhat isolated, and allows continued live analysis
Isolation
Network segmentation might not go far enough to meet containment objectives, and in those cases analysts may decide to use stronger isolation practices to cut off an attack
Isolation is a mitigation strategy that involves removing an affected component from a larger environment
There are two primary isolation techniques:
1. Isolating Affected Systems
2. Isolating the Attacker
Isolating Affected Systems
This is taking network segmentation to the next level
Affected systems are completely disconnected from the remainder of the network, although they may still be able to communicate with each other and with the attacker over the internet
With an isolation approach, the quarantine network connects directly to the internet and has no access to other systems
It may be implemented by altering firewall rules rather than by physically rewiring the network, but the objective remains the same regardless:
* Allow the attacker to access the isolated systems but restrict their ability to access other systems and cause further damage
NOTE: Physical isolation can also be used proactively to separate extremely sensitive systems from every other network; such a system is commonly referred to as air-gapped. An air gap goes further than the quarantine network described here, since it removes the attacker’s access as well as the system’s access to internal resources
Isolating the Attacker
A variation on the isolation strategy—depends on the use of sandbox systems that are set up purely to monitor attacker activity and don’t contain any information or resources of value to the attacker
Placing attackers in a sandbox environment allows continued observation in a fairly safe, contained environment
Some orgs will use honeypot systems for this
Removal
Removal of compromised systems from the network is the strongest containment technique in the analyst’s incident response toolkit
It’s different from segmentation and isolation in that the affected systems are completely disconnected from all other networks, including the internet (so the attacker loses access too), although they may still be allowed to communicate with other compromised systems within the quarantine VLAN
In some cases, each suspect system may be physically disconnected from the network so that they’re prevented from communicating even with each other
The exact details of removal will depend on the circumstances of the incident and the professional judgment of incident responders
NOTE: NIST goes to great lengths to reinforce that removal isn’t foolproof, despite being a strong weapon; some malware is written to notice the loss of connectivity and respond by overwriting or encrypting the host’s data
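To make the three containment levels concrete, here is an added example (not code from the original notes) that models what a quarantined host may reach under segmentation, isolation and removal, and renders the same policy as an nftables forward chain. The quarantine VLAN 10.99.0.0/24, the RFC 1918 "internal" ranges and the two analysis hosts that stay reachable under segmentation are constructed assumptions; peer traffic inside the VLAN is switched rather than routed, so the rendered chain needs no rule for it.

```python
"""Flow policy for a quarantined host under the three containment levels.

Added example, not code from the original notes. Addresses and the
analysis allowlist are constructed assumptions.
"""
import ipaddress
from enum import Enum


class Containment(Enum):
    SEGMENTATION = "segmentation"  # quarantine VLAN, limited internal access for live analysis
    ISOLATION = "isolation"        # quarantine network: peers and the internet only
    REMOVAL = "removal"            # disconnected from every other network


QUARANTINE_VLAN = ipaddress.ip_network("10.99.0.0/24")          # assumption
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),           # assumption: RFC 1918 is "internal"
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]
# Internal hosts the quarantined systems may still reach under segmentation so
# analysts can keep observing them (assumption: a forensic collector and a log sink).
ANALYSIS_ALLOWLIST = {ipaddress.ip_address("10.10.5.20"),
                      ipaddress.ip_address("10.10.5.21")}

# What each level lets a quarantined host reach. Removal permits nothing.
PERMITTED = {
    Containment.SEGMENTATION: {"peer", "analysis", "internet"},
    Containment.ISOLATION: {"peer", "internet"},
    Containment.REMOVAL: set(),
}


def classify(dst) -> str:
    """Bucket a destination; order matters because the VLAN and allowlist sit inside 10/8."""
    if dst in QUARANTINE_VLAN:
        return "peer"
    if dst in ANALYSIS_ALLOWLIST:
        return "analysis"
    if any(dst in net for net in INTERNAL_NETS):
        return "internal"
    return "internet"


def allowed(level: Containment, src: str, dst: str) -> bool:
    """True if a flow from quarantined host `src` to `dst` is permitted at `level`."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in QUARANTINE_VLAN:
        raise ValueError(f"{src} is not in the quarantine VLAN; this policy does not apply")
    return classify(dst_ip) in PERMITTED[level]


def render_nft(level: Containment) -> str:
    """Render the policy as an nftables forward chain (text only; review before applying).

    For removal the notes prefer physically unplugging the systems; the drop
    rules here are the logical fallback when that is not possible.
    """
    q = QUARANTINE_VLAN
    lines = [f"# containment level: {level.value}",
             "table inet containment {",
             "  chain forward {",
             "    type filter hook forward priority 0; policy accept;"]
    if level is Containment.REMOVAL:
        lines += [f"    ip saddr {q} drop", f"    ip daddr {q} drop"]
    else:
        if level is Containment.SEGMENTATION:
            hosts = ", ".join(str(h) for h in sorted(ANALYSIS_ALLOWLIST))
            lines.append(f"    ip saddr {q} ip daddr {{ {hosts} }} accept")
        for net in INTERNAL_NETS:
            lines.append(f"    ip saddr {q} ip daddr {net} drop")
        # Everything else (the internet) falls through to the accept policy.
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for level in Containment:
        print(render_nft(level), "\n")
```

The allowlist rule is placed before the internal drops because nftables evaluates rules in order; under isolation it is omitted, which is exactly the difference between "somewhat isolated" and "no access to other systems" in the notes above.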
Evidence Acquisition and Handling
The primary objective during the containment phase of incident response is to limit the damage to the org and its resources
While that takes precedence over other goals, responders still need to gather evidence during containment
This evidence can be crucial in continuing analysis of the incident for internal purposes, or it can be used during legal proceedings against the attacker
NIST recommends that investigators maintain a detailed evidence log that includes the following:
* Identifying information like the location, serial number, model number, hostname, MAC, and IP of a computer
* Name, title, and phone number of each individual who collected or handled the evidence during the investigation
* Time, time zone, and date of each occurrence of evidence handling
* Locations where the evidence was stored
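The evidence log NIST describes can be kept as a structured, append-only record with an integrity check. The following is an added example (not code from the notes) whose fields match the list above; every name, serial number, phone number and timestamp in it is constructed, and the SHA-256 chaining between entries is a design choice of this example, not something NIST prescribes.

```python
"""Append-only evidence log with chain of custody, covering the NIST fields above.

Added example, not code from the original notes. Every name, phone number,
serial and timestamp is constructed. Each entry carries the SHA-256 of the
previous entry, so a later edit or reordering of the log is detectable.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class EvidenceItem:
    evidence_id: str
    location: str
    serial_number: str
    model_number: str
    hostname: str
    mac: str
    ip: str
    image_sha256: str  # hash of the acquired image, taken at collection time


class EvidenceLog:
    GENESIS = "0" * 64

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.items = {}
        self.entries = []

    def _append(self, entry: dict) -> str:
        entry["prev_hash"] = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        body = json.dumps(entry, sort_keys=True).encode()
        entry["entry_hash"] = hashlib.sha256(body).hexdigest()
        self.entries.append(entry)
        return entry["entry_hash"]

    def record(self, evidence_id: str, action: str, handler: str, title: str, phone: str,
               when: datetime, storage: str, item: Optional[EvidenceItem] = None) -> str:
        """Log one handling event. `when` must be timezone-aware so the zone is recorded."""
        if when.tzinfo is None:
            raise ValueError("timestamps must carry a time zone")
        if item is not None:
            self.items[evidence_id] = item
        elif evidence_id not in self.items:
            raise KeyError(f"unknown evidence item {evidence_id}")
        entry = {
            "case": self.case_id,
            "evidence_id": evidence_id,
            "action": action,
            "item": asdict(item) if item is not None else None,
            "handler": {"name": handler, "title": title, "phone": phone},
            "time": when.isoformat(),
            "tz": when.tzname(),
            "storage": storage,
        }
        return self._append(entry)

    def verify(self) -> bool:
        """Recompute every hash. False if an entry was altered or an interior entry
        removed or reordered; keep the latest entry_hash outside the log to catch truncation."""
        prev = self.GENESIS
        for e in self.entries:
            if e.get("prev_hash") != prev:
                return False
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def build_sample_log() -> EvidenceLog:
    """Constructed example: a card-processing server is imaged, then moved to the evidence safe."""
    est = timezone(timedelta(hours=-5))
    log = EvidenceLog("IR-0001")
    item = EvidenceItem("E-01", "Rack 4, DC-East", "SN-9F3K2Q", "Model-X740", "ccproc01",
                        "00:1b:21:3c:4d:5e", "10.20.30.40",
                        hashlib.sha256(b"constructed disk image bytes").hexdigest())
    log.record("E-01", "collected", "A. Analyst", "IR Lead", "+1-555-0100",
               datetime(2024, 3, 2, 14, 5, tzinfo=est), "IR jump bag, sealed bag #17", item=item)
    log.record("E-01", "transferred", "B. Custodian", "Evidence Custodian", "+1-555-0101",
               datetime(2024, 3, 2, 16, 40, tzinfo=est), "Evidence safe, shelf 2")
    log.record("E-01", "checked out for analysis", "A. Analyst", "IR Lead", "+1-555-0100",
               datetime(2024, 3, 3, 9, 15, tzinfo=est), "Forensic workstation FW-02")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    for e in log.entries:
        print(e["time"], e["action"], e["handler"]["name"], "->", e["storage"])
    print("log intact:", log.verify())
```

Rejecting naive timestamps is deliberate: the NIST list calls for the time zone on every handling event, and a log that silently accepts a zone-less time will produce disputes later about when a transfer actually happened.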
Identifying Attackers
This is a complex task to accomplish, so before heading down the road of investigating an attack’s origin, ask why you’re pursuing it
Is there really business value in uncovering who attacked you, or would your time be better spent on containment, eradication, and recovery activities?
NIST says:
* “Identifying an attacking host can be a time-consuming and futile process that can prevent a team from achieving its primary goal—minimizing the business impact”
NOTE: LEO may approach this situation with objectives that differ from those of the attacked org’s analysts—their responsibilities may conflict with the core cybersecurity objectives of containment, eradication, and recovery, so always take that into account before involving LEO
Eradication
Once the incident is contained, it’s time to move on to eradication
The primary purpose of the eradication phase is to remove any artifacts of the incident that may remain on the org’s network
This could include the removal of any malicious code from the network, sanitization of compromised media, and securing of compromised user accounts
Dion’s Notes
* The simplest option for eradicating a contaminated system is to replace it with a clean image from a trusted source
* However, reformatting the hard drive alone isn’t always enough, because some malware persists outside the filesystem (in firmware or a boot sector, for example) and survives a format
* Make sure you do proper sanitization and disposal
Three Eradication Methods
* Reconstruction: A method of restoring a system that has been sanitized using scripted installation routines and templates
* Reimaging: A method of restoring a system that has been sanitized using an image-based backup
* Reconstitution: Restoring a system that can’t be sanitized using manual removal, reinstallation, and monitoring processes
Seven Steps for Reconstitution
1. Analyze processes and network activity for signs of malware
2. Terminate suspicious processes and securely delete their executable files from the system
3. Identify and disable autostart locations to prevent the processes from executing again
4. Replace contaminated files with clean versions from trusted media
5. Reboot the system and analyze for signs of continued malware infection
6. For continued malware infection, analyze firmware and USB devices for infection
7. If tests are negative, reintroduce the system to the production environment
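Step 3 of the procedure above is the one most often done incompletely, because Linux has many autostart locations. The following added example (not code from the notes) walks the common ones under a given root, which can be "/" on a live host or the mount point of an image, and flags entries matching generic indicators. The file tree is constructed in a temporary directory, and the indicators are heuristics of this example, not signatures for any particular malware.

```python
"""Enumerate common Linux autostart locations under a root directory and flag
entries that match malware indicators (reconstitution step 3).

Added example, not code from the original notes. The file tree is constructed
in a temporary directory and the indicators are generic heuristics.
"""
import re
import tempfile
from pathlib import Path

# Relative to the root being examined (a mounted image, or "/" on the host).
AUTOSTART_GLOBS = [
    "etc/rc.local",
    "etc/crontab",
    "etc/cron.d/*",
    "var/spool/cron/crontabs/*",
    "etc/systemd/system/*.service",
    "etc/profile.d/*.sh",
    "root/.bashrc",
    "home/*/.bashrc",
    "home/*/.profile",
    "home/*/.config/autostart/*.desktop",
]

# Generic indicators (assumption): hidden executables under /tmp or /dev/shm,
# decoding base64 on the fly, and piping a download straight into a shell.
DEFAULT_INDICATORS = [
    r"/tmp/\.[^\s/]+",
    r"/dev/shm/",
    r"base64\s+(-d|--decode)",
    r"(curl|wget)\b.*\|\s*(ba)?sh\b",
]


def collect_autostart(root: Path):
    """Return (relative path, line number, line) for each non-comment line of an autostart file."""
    entries = []
    for pattern in AUTOSTART_GLOBS:
        for p in sorted(root.glob(pattern)):
            if not p.is_file():
                continue
            for n, line in enumerate(p.read_text(errors="replace").splitlines(), 1):
                s = line.strip()
                if s and not s.startswith("#"):
                    entries.append((str(p.relative_to(root)), n, s))
    return entries


def flag_suspicious(entries, indicators=DEFAULT_INDICATORS):
    pats = [re.compile(i) for i in indicators]
    return [e for e in entries if any(p.search(e[2]) for p in pats)]


def scan(root: Path, indicators=DEFAULT_INDICATORS):
    return flag_suspicious(collect_autostart(root), indicators)


def build_sample_root() -> Path:
    """Constructed tree: one benign service, one backdoored cron file, one tampered .bashrc."""
    root = Path(tempfile.mkdtemp(prefix="autostart-"))
    files = {
        "etc/systemd/system/sshd.service": "[Service]\nExecStart=/usr/sbin/sshd -D\n",
        "etc/cron.d/backup": "# nightly backup\n0 2 * * * root /usr/local/bin/backup.sh\n"
                             "*/5 * * * * root /tmp/.cache/update >/dev/null 2>&1\n",
        "home/alice/.bashrc": "alias ll='ls -l'\nnohup /dev/shm/.s >/dev/null 2>&1 &\n",
        "home/alice/.profile": "export EDITOR=vim\n",
    }
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


if __name__ == "__main__":
    for path, lineno, line in scan(build_sample_root()):
        print(f"{path}:{lineno}: {line}")
```

The scanner reports rather than disables: per step 3 the analyst decides what to disable, and the unflagged entries still deserve a look, since a persistence entry that points at a normal-looking path in /usr/local/bin will not trip these heuristics.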
Recovery
The recovery phase of incident response focuses on restoring normal capabilities and services
It includes reconstituting resources and correcting security control deficiencies that may have led to the attack—these are the actions taken to ensure that hosts are fully reconfigured to operate like before the incident occurred
This could include rebuilding and patching systems, reconfiguring firewalls, updating malware signatures, etc
The goal of recovery is not just to rebuild the org’s network, but also to do so in a way that reduces the likelihood of a successful future attack
Recovery Is Long and Challenging
It’s the longest and most challenging part of the IR, and to ensure it’s done right you must:
* Restore from known good backup
* Reinstall the OS
* Potentially buy new, trusted equipment
* Harden devices
* Change passwords
* Increase security
Four Main Types of Recovery Actions
* Patching: Installing a set of changes to a computer program or its supporting data designed to update, fix, or improve it
* Permissions: All types of permissions should be reviewed and reinforced after an incident
* Logging: Ensure that scanning, monitoring, and log retrieval systems are functioning properly following the incident
* System Hardening: The process of securing a system’s configuration and settings to reduce IT vulnerability and the possibility of being compromised
Dion’s Three Mottos for Hardening
1. Uninstall anything you aren’t using: hardware, software, programs, etc
2. If you need it, patch it frequently—scan, patch, scan
3. Always restrict users to the least privilege
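As an added example (not code from the notes) of the "Permissions" recovery action and the least-privilege motto above, the following audits a file tree for world-writable paths and setuid/setgid binaries and then tightens the world-writable ones. The tree is constructed in a temporary directory; on a real host you would point audit_permissions at "/" and review each setuid finding by hand rather than stripping the bit blindly.

```python
"""Audit a file tree for world-writable paths and setuid/setgid binaries, then
tighten the world-writable ones (the post-incident permissions review above).

Added example, not code from the original notes. The tree is constructed in
a temporary directory.
"""
import os
import stat
import tempfile
from pathlib import Path


def audit_permissions(root: Path):
    """Return sorted (relative path, finding) pairs. Symlinks are skipped, and
    sticky world-writable directories such as /tmp are expected and not reported."""
    findings = []
    for p in root.rglob("*"):
        try:
            mode = p.lstat().st_mode
        except OSError:
            continue  # vanished or unreadable; a real audit would log this
        if stat.S_ISLNK(mode):
            continue
        rel = str(p.relative_to(root))
        if mode & stat.S_IWOTH and not (stat.S_ISDIR(mode) and mode & stat.S_ISVTX):
            findings.append((rel, "world-writable"))
        if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append((rel, "setuid/setgid"))
    return sorted(findings)


def remove_world_write(root: Path, findings) -> int:
    """Clear o+w on every world-writable finding; returns the number of paths changed."""
    changed = 0
    for rel, kind in findings:
        if kind != "world-writable":
            continue
        p = root / rel
        os.chmod(p, stat.S_IMODE(p.lstat().st_mode) & ~stat.S_IWOTH)
        changed += 1
    return changed


def build_sample_tree() -> Path:
    """Constructed tree: a loose config file, a setuid helper, a normal file and a sticky tmp."""
    root = Path(tempfile.mkdtemp(prefix="permaudit-"))
    for d in ("etc", "usr/local/bin", "tmp"):
        (root / d).mkdir(parents=True)
    for d in ("etc", "usr", "usr/local", "usr/local/bin"):
        os.chmod(root / d, 0o755)   # explicit, so a permissive umask does not skew the audit
    loose = root / "etc/app.conf"
    loose.write_text("db_password=hunter2\n")
    os.chmod(loose, 0o666)          # anyone can rewrite the app's config
    helper = root / "usr/local/bin/helper"
    helper.write_text("#!/bin/sh\nexit 0\n")
    os.chmod(helper, 0o4755)        # setuid helper: review it, do not strip the bit blindly
    normal = root / "etc/ok.conf"
    normal.write_text("x=1\n")
    os.chmod(normal, 0o644)
    os.chmod(root / "tmp", 0o1777)  # sticky world-writable dir, expected
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    found = audit_permissions(root)
    for rel, kind in found:
        print(f"{kind:15} {rel}")
    print("tightened:", remove_world_write(root, found))
```

Run the audit again after tightening: the world-writable findings should be gone and only the setuid entries should remain for manual review, which is the "scan, patch, scan" pattern applied to permissions.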
Understand the Root Cause
During both eradication and recovery efforts, always work to develop a clear understanding of the incident’s root cause
This is critical to implementing a secure recovery that corrects the control deficiencies that led to the original attack
Understanding the root cause of an attack is completely different than identifying the attacker
Controls added to cover the original deficiency are often called compensating controls, because they compensate for the control that failed or was missing; strictly speaking, a compensating control is an alternative safeguard used when the primary fix (such as a patch) can’t be applied directly
NOTE: Root cause analysis can also help identify other systems in your environment that share the same vulnerability. If a Cisco router was compromised through a weakness in its configuration, you can go fix all your other Cisco routers that share that configuration
Remediation and Reimaging
Once an attacker gains control of a system, consider it completely compromised and untrustworthy—it’s not safe to simply correct the security issue and move on, because the attacker can still have an undetected foothold on it
The system should be rebuilt, either from scratch or by using an image or backup of the system from a known, good, and secure state
Rebuilding and/or restoring should always be done with the incident root cause analysis in mind
* If a system was compromised because it contained a security vulnerability, backups and images of that system likely have the same vulnerability
* Rebuilding the system from scratch can reintroduce the same vulnerability as well, leaving the system susceptible to the same attack
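The caveat above, that an image or backup from before the incident still carries the vulnerability, is worth enforcing mechanically before a rebuilt host is reconnected. The following added example (not code from the notes) compares a restored image's package manifest against the minimum fixed versions that root cause analysis identified. The manifest, the package names and the version numbers are constructed and refer to no real advisory; the version comparison is a simplified component-wise compare, not the dpkg or rpm algorithm, so in production use the package manager's own comparison.

```python
"""Gate a restored image on the root cause fixes before it goes back online.

Added example, not code from the original notes. The manifest, package names
and versions are constructed. version_key is a simplified comparison, not the
full dpkg/rpm algorithm.
"""
import re


def version_key(version: str):
    """Split '2.4.52-1build3.14' into comparable parts; numeric parts compare as ints."""
    parts = [p for p in re.split(r"[.\-+~:]", version) if p]
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def parse_manifest(text: str) -> dict:
    """Parse 'name version' lines, e.g. from dpkg-query -W -f '${Package} ${Version}\n'."""
    pkgs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split()[:2]
        pkgs[name] = version
    return pkgs


def check_root_cause_fixes(manifest: dict, required: dict) -> list:
    """required maps package -> minimum fixed version. Returns blocking findings."""
    findings = []
    for pkg, fixed in required.items():
        installed = manifest.get(pkg)
        if installed is None:
            findings.append(f"{pkg}: absent from image; confirm it was removed, not hidden")
        elif version_key(installed) < version_key(fixed):
            findings.append(f"{pkg}: {installed} is older than fixed {fixed}")
    return findings


def ready_to_reconnect(manifest_text: str, required: dict) -> bool:
    return not check_root_cause_fixes(parse_manifest(manifest_text), required)


# Constructed: image taken before the incident, so it still carries the vulnerable builds.
RESTORED_IMAGE_MANIFEST = """
# package version
openssh-server 1:9.2p1-2
webfront 2.4.52-1build3.14
libtlsx 3.0.2-0build1.10
"""

# Constructed: the versions root cause analysis identified as fixed.
ROOT_CAUSE_FIXES = {"webfront": "2.4.52-1build3.16", "libtlsx": "3.0.2-0build1.12"}

# Constructed: the same image after the fixes were applied.
PATCHED_MANIFEST = RESTORED_IMAGE_MANIFEST.replace("3.14", "3.16").replace("1.10", "1.12")

if __name__ == "__main__":
    for f in check_root_cause_fixes(parse_manifest(RESTORED_IMAGE_MANIFEST), ROOT_CAUSE_FIXES):
        print("BLOCK:", f)
    print("restored image ready:", ready_to_reconnect(RESTORED_IMAGE_MANIFEST, ROOT_CAUSE_FIXES))
    print("patched image ready: ", ready_to_reconnect(PATCHED_MANIFEST, ROOT_CAUSE_FIXES))
```

A package that is missing from the manifest is treated as blocking rather than as "not vulnerable", because a manifest that cannot account for the component the attacker used is not evidence that the root cause is gone.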