Lesson 17 Flashcards
Incident Response Process (PICERL)
PICERL (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned)
Preparation -> Identification -> Containment -> Eradication -> Recovery -> Post-Incident Activity
- Preparation—make the system resilient to attack in the first place. This includes hardening systems, writing policies and procedures, and setting up confidential lines of communication. It also implies creating incident response resources and procedures.
- Identification—from the information in an alert or report, determine whether an incident has taken place, assess how severe it might be (triage), and notify stakeholders.
- Containment—limit the scope and magnitude of the incident. The principal aim of incident response is to secure data while limiting the immediate impact on customers and business partners.
- Eradication—once the incident is contained, remove the cause and restore the affected system to a secure state by applying secure configuration settings and installing patches.
- Recovery—with the cause of the incident eradicated, the system can be reintegrated into the business process that it supports. This recovery phase may involve restoration of data from backup and security testing. Systems must be monitored more closely for a period to detect and prevent any reoccurrence of the attack. The response process may have to iterate through multiple phases of identification, containment, eradication, and recovery to effect a complete resolution.
- Lessons learned—analyze the incident and responses to identify whether procedures or systems could be improved. It is imperative to document the incident. The outputs from this phase feed back into a new preparation phase in the cycle.
Cyber Incident Response Team
- Reporting, categorizing, and prioritizing (triage)
- CIRT/CERT/CSIRT/SOC
- Management/decision-making authority (led by at least a director-level person who can make decisions)
- Incident analysts
- 24/7 availability (costly)
- Roles beyond technical response
- Legal
- Human Resources (HR)
- Marketing
Other names for CIRT
cyber incident response team (CIRT),
computer security incident response team (CSIRT),
computer emergency response team (CERT).
SOC
Incident response might also involve or be wholly located within a security operations center (SOC).
Other roles needed for Incident Response (CIRT)
Roles beyond technical response
•Legal
•Human Resources (HR)
•Marketing
•Legal—it is important to have access to legal expertise, so that the team can
evaluate incident response from the perspective of compliance with laws and
industry regulations. It may also be necessary to liaise closely with law enforcement
professionals, and this can be daunting without expert legal advice.
• Human Resources (HR)—incident prevention and remediation actions may affect
employee contracts, employment law, and so on. Incident response requires the
right to intercept and monitor employee communications.
• Marketing—the team is likely to require marketing or public relations input, so that
any negative publicity from a serious incident can be managed.
Communication Plan and Stakeholder Management
- Prevent inadvertent disclosure
- Call list identifying trusted parties
- Communication plan
- Share data on a need to know basis
- Out-of-band communications—avoid alerting intruder
- Stakeholder management
- Communication with internal and external stakeholders
- Notification and reporting
•Prevent inadvertent disclosure and call list (incident response)
You must prevent the inadvertent release of information beyond the team authorized
to handle the incident. Status and event details should be circulated on a need-to-know
basis and only to trusted parties identified on a call list.
Communication plan
- Communication plan
- Share data on a need to know basis
- Out-of-band communications—avoid alerting intruder
Secure communication between the trusted parties of the CIRT is essential for
managing incidents successfully. It is imperative that adversaries not be alerted to
detection and remediation measures about to be taken against them. It may not be
appropriate for all members of the CSIRT to be informed about all incident details.
The team requires an “out-of-band” or “off-band” communication method that cannot
be intercepted. Using corporate email or VoIP runs the risk that the adversary will
be able to intercept communications. One obvious method is cell phones but these
only support voice and text messaging. For file and data exchange, there should
be a messaging system with end-to-end encryption, such as Off-the-Record (OTR),
Signal, or WhatsApp, or an external email system with message encryption (S/MIME
or PGP). These need to use digital signatures and encryption keys from a system
that is completely separate from the identity management processes of the network
being defended.
Stakeholder Management
- Stakeholder management
- Communication with internal and external stakeholders
- Notification and reporting
Trusted parties might include both internal and external stakeholders. It is not helpful
for an incident to be publicized in the press or through social media outside of planned
communications. Ensure that parties with privileged information do not release this
information to untrusted parties, whether intentionally or inadvertently.
You need to consider obligations to report the attack. It may be necessary to inform
affected parties during or immediately after the incident so that they can perform their
own remediation. It may be necessary to report to regulators or law enforcement. You
also need to consider the marketing and PR impact of an incident. This can be highly
damaging and you will need to demonstrate to customers that security systems have
been improved.
Incident Response Plan
- Lists the procedures, contacts, and resources available to responders for various incident categories
- Playbooks and runbooks
- Incident categorization
- Prioritization factors
- Data integrity
- Downtime
- Economic/publicity
- Scope
- Detection time
- Recovery time
incident response plan (IRP)
An incident response plan (IRP) lists the procedures, contacts, and resources
available to responders for various incident categories.
Playbooks and runbooks
A playbook (or runbook) is a data-driven standard operating procedure (SOP) to assist
junior analysts in detecting and responding to specific cyberthreat scenarios, such as
phishing attempts, SQL injection data exfiltration, connection to a blacklisted IP range,
and so on. The playbook starts with a SIEM report and query designed to detect the
incident and identify the key detection, containment, and eradication steps to take.
Incident categorization
Incident categories and definitions ensure that all response team members and other
organizational personnel all have a common base of understanding of the meaning
of terms, concepts, and descriptions. The categories, types, and definitions might vary
according to industry.
Prioritization factors
- Prioritization factors
- Data integrity
- Downtime
- Economic/publicity
- Scope
- Detection time
- Recovery time
Data integrity (prioritization factor)
Data integrity—the most important factor in prioritizing incidents will often be the
value of data that is at risk.
Downtime (prioritization factor)
Downtime—another very important factor is the degree to which an incident
disrupts business processes. An incident can either degrade (reduce performance)
or interrupt (completely stop) the availability of an asset, system, or business
process. If you have completed an asset inventory and a thorough risk assessment
of business processes (showing how assets and computer systems assist each
process), then you can easily identify critical processes and quantify the impact of
an incident in terms of the cost of downtime.
Economic/publicity (prioritization factor)
Economic/publicity—both data integrity and downtime will have important
economic effects, both in the short term and the long term. Short-term costs involve
incident response itself and lost business opportunities. Long-term economic costs
may involve damage to reputation and market standing.
Scope (prioritization factor)
• Scope—the scope of an incident (broadly the number of systems affected) is not a
direct indicator of priority. A large number of systems might be infected with a type
of malware that degrades performance, but is not a data breach risk. This might
even be a masking attack as the adversary seeks to compromise data on a single
database server storing top secret information.
Detection time (prioritization factor)
• Detection time—research has shown that the existence of more than half of data
breaches are not detected for weeks or months after the intrusion occurs, while in
a successful intrusion data is typically breached within minutes. This demonstrates
that the systems used to search for intrusions must be thorough and the response
to detection must be fast.
Recovery time (prioritization factor)
• Recovery time—some incidents require lengthy remediation as the system changes
required are complex to implement. This extended recovery period should trigger
heightened alertness for continued or new attacks.
Cyber Kill Chain Attack Framework
Effective incident response depends on threat intelligence. Threat research provides
insight into adversary tactics, techniques, and procedures (TTPs). Insights from threat
research can be used to develop specific tools and playbooks to deal with event
scenarios. A key tool for threat research is a framework to use to describe the stages
of an attack. These stages are often referred to as a cyber kill chain
- Reconnaissance
- Weaponization
- Delivery
- Exploitation
- Installation
- Command and Control (C2)
- Actions on Objectives
- Reconnaissance
- Reconnaissance—in this stage the attacker determines what methods to use to
complete the phases of the attack and gathers information about the target’s
personnel, computer systems, and supply chain.
- Weaponization
- Weaponization—the attacker couples payload code that will enable access with
exploit code that will use a vulnerability to execute on the target system.
- Delivery
- Delivery—the attacker identifies a vector by which to transmit the weaponized
code to the target environment, such as via an email attachment or on a
USB drive.
- Exploitation
- Exploitation—the weaponized code is executed on the target system by this
mechanism. For example, a phishing email may trick the user into running the
code, while a drive-by-download would execute on a vulnerable system without
user intervention.
- Installation
- Installation—this mechanism enables the weaponized code to run a remote
access tool and achieve persistence on the target system.
- Command and control (C2 or C&C)
- Command and control (C2 or C&C)—the weaponized code establishes an
outbound channel to a remote server that can then be used to control the remote
access tool and possibly download additional tools to progress the attack.
- Actions on objectives
- Actions on objectives—in this phase, the attacker typically uses the access he
has achieved to covertly collect information from target systems and transfer
it to a remote system (data exfiltration). An attacker may have other goals or
motives, however.
MITRE ATT&CK
Another attack framework
MITRE ATT&CK
•Database of TTPs
•Tactic categories
•No explicit sequencing
The Diamond Model of Intrusion Analysis
Another Attack framework
•Framework for describing adversary capability and infrastructure plus effect on victim
Incident Response Exercises
Tabletop
•Facilitator presents a scenario
•Does not involve live systems
- Least costly
Walkthroughs
•Responders demonstrate response actions (Unlike a tabletop exercise, the responders perform actions such as running scans and analyzing sample files, typically on sandboxed versions of the company's actual response and recovery tools.)
Simulations
•Red team performs a simulated intrusion
- Simulations—a simulation is a team-based exercise, where the red team attempts
an intrusion, the blue team operates response and recovery controls, and a
white team moderates and evaluates the exercise. This type of training requires
considerable investment and planning.
Incident response versus disaster recovery and business continuity
•Disaster recovery plan
•Response and recovery planning for major incidents
•Business continuity plan
•Making business procedures resilient
•Continuity of operation planning (COOP)
Disaster recovery plan
Disaster recovery plan—a disaster can be seen as a special class of incident where the organization's primary business function is disrupted. Disaster recovery requires considerable resources, such as shifting processing to a secondary site. Disaster recovery will involve a wider range of stakeholders than less serious incidents.
Business continuity plan
Business continuity plan (BCP)—this identifies how business processes should
deal with both minor and disaster-level disruption. During an incident, a system
may need to be isolated. Continuity planning ensures that there is processing
redundancy supporting the workflow, so that when a server is taken offline for
security remediation, processing can failover to a separate system. If systems do not
have this sort of planned resilience, incident response will be much more disruptive.
Continuity of Operation Planning (COOP)
• Continuity of Operation Planning (COOP)—this terminology is used for
government facilities, but is functionally similar to business continuity planning. In
some definitions, COOP refers specifically to backup methods of performing mission
functions without IT support.
Incident response, forensics, and retention policy
•Digital forensics requirements
•Retention policies for evidence preservation
The incident response process emphasizes containment, eradication, and recovery.
These aims are not entirely compatible with forensics. Digital forensics describes
techniques to collect and preserve evidence that demonstrate that there has been no
tampering or manipulation. Forensics procedures are detailed and time-consuming,
where the aims of incident response are usually urgent. If an investigation must use
forensic collection methods so that evidence is retained, this must be specified early in
the response process.
Retention policy is also important for retrospective incident handling, or threat
hunting. A retention policy for historic logs and data captures sets the period over
which these are retained. You might discover indicators of a breach months or years
after the event. Without a retention policy to keep logs and other digital evidence, it will
not be possible to make any further investigation.