Given an incident, apply mitigation techniques or controls to secure an environment Flashcards
Reconfigure endpoint security solutions
Application approved list
Application block list/deny list
Quarantine
Application approved list
An allow list (or approved list) denies execution unless the process is explicitly authorized.
Application block list/deny list
A block list (or deny list) generally allows execution, but explicitly prohibits listed processes.
Quarantine
If mitigating techniques are not successful, or the results are uncertain, the endpoint will require careful management before being integrated back onto the network. If further evidence needs to be gathered, the best approach may be to quarantine or sandbox the endpoint or suspect process/file. This allows for analysis of the attack or tool and collection of evidence using digital forensic techniques.
Configuration changes
Firewall rules
MDM
DLP
Content filter/URL filter
Update or revoke certificates
Firewall rules
Allow only authorized application ports and, if possible, restrict the destination addresses to authorized Internet hosts. Where authorized hosts cannot be identified or a default deny is too restrictive, use URL and content filtering to try to detect malicious traffic over authorized protocols.
Restrict DNS lookups to your own or your ISP’s DNS services or authorized public resolvers, such as Google’s or Quad9’s DNS services.
Block access to “known bad” IP address ranges, as listed on don’t route or peer (DROP) filter lists.
Block access from any IP address space that is not authorized for use on your local network.
Block all Internet access from host subnets that do not need to connect to the Internet, such as most types of internal server, workstations used to manage industrial control systems (ICSs), and so on.
MDM
Mobile Device Management (MDM) provides execution control over apps and features of smartphones. Features include GPS, camera, and microphone. As with DLP, an intrusion might reveal a vector that allowed the threat actor to circumvent enrollment or a misconfiguration in the MDM’s policy templates.
DLP
Data loss prevention (DLP) performs a similar function, but instead of user access it mediates the copying of tagged data to restrict it to authorized media and services. An attack may reveal the necessity of investing in DLP as a security control if one is not already implemented. If DLP is enabled and configured in the correct way to enforce policy, the attacker may have been able to circumvent it using a backdoor method that the DLP software cannot scan. Alternatively, the attacker may have been able to disguise the data so that it was not recognized.
Content filter/URL filter
Update or revoke certificates
Compromise of the private key represented by a digital certificate or the ability to present spoofed certificates as trusted is a critical security vulnerability as it allows an attacker to impersonate trusted resources and potentially gain unauthorized access to secure systems.
Remove compromised root certificates—if an attacker has managed to install a root certificate, the attacker can make malicious hosts and services seem trusted. Suspicious root certificates must be removed from the client’s cache.
Revoke certificates on compromised hosts—if a host is compromised, the private key it used for digital signatures or digital envelopes is no longer safe. The certificate associated with the key should be revoked using the Key Compromise property. The certificate can be rekeyed with a new key pair but the same subject and expiry information.
Containment
When an incident has been identified, classified, and prioritized, the next phase of incident response is containment. Containment techniques can be classed as either isolation-based or segmentation-based.
Isolation
Isolation involves removing an affected component from whatever larger environment it is a part of. This can be everything from removing a server from the network after it has been the target of a DoS attack, to placing an application in a sandbox VM outside of the host environments it usually runs on. Whatever the circumstances may be, you’ll want to make sure that there is no longer an interface between the affected component and your production network or the Internet.
A simple option is to disconnect the host from the network completely, either by pulling the network plug (creating an air gap) or disabling its switch port. This is the least stealthy option and will reduce opportunities to analyze the attack or malware. If a group of hosts is affected, you could use routing infrastructure to isolate one or more infected virtual LANs (VLANs) in a black hole that is not reachable from the rest of the network. Another possibility is to use firewalls or other security filters to prevent infected hosts from communicating.
Finally, isolation could also refer to disabling a user account or application service. Temporarily disabling users’ network accounts may prove helpful in containing damage if an intruder is detected within the network. Without privileges to access resources, an intruder will not be able to further damage or steal information from the organization. An application that you suspect may be the vector of an attack becomes much less useful to the attacker if it is prevented from executing on most hosts.
Segmentation
Segmentation-based containment is a means of achieving the isolation of a host or group of hosts using network technologies and architecture. Segmentation uses VLANs, routing/subnets, and firewall ACLs to prevent a host or group of hosts from communicating outside the protected segment. As opposed to completely isolating the hosts, you might configure the protected segment as a sinkhole or honeynet and allow the attacker to continue to receive filtered (and possibly modified) output over the C&C channel to deceive him or her into thinking the attack is progressing successfully. Analysis of the malware code by reverse engineering it could provide powerful deception capabilities. You could intercept the function calls made by malware to allow the adversary to believe an attack is proceeding while building detailed knowledge of their tactics and (hopefully) identity. Attribution of the attack to a particular group will allow an estimation of adversary capability.
SOAR
A class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment.
Runbooks
Playbooks
Runbooks
An automated version of a playbook that leaves clearly defined interaction points for human analysis.