Incident Response

https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf

Lifecycle Phases

Preparation -> Detection and Analysis -> Containment, Eradication, and Recovery -> Lessons Learned and Reporting

Preparation

• Create incident response plan

  • Incident response plans should have the sections:

    • Preparation

    • Identification

    • Containment

    • Eradication

    • Recovery

    • Lessons Learned

  • Example Incident Response Plans

    • Carnegie Mellon University

    • Wright State University

• Create Incident Response Team

  • Conduct training and create incident response run books

  • Microsoft Run Books

  • Run book examples

• Create asset-inventories

• Run risk assessments

• Enact defensive measures, eg DMZ, NIDS/HIDS/NIPS, AV, Centralized Logging, EDR, Network Firewalls, Local Firewalls, WAFs, GPOs, NAC, web proxies, SPF/DKIM/DMARC, mark external emails, use email spam filters, DLP, sandboxing, attachment file restrictions, physical defenses, awareness training, phishing simulations, etc...

Detection and Analysis

• Identify scanning, including:

  • Remote to Local Scanning (R2L): Search for HTTP connections of non standard ports

  • Remote to Local DoS/DDoS (L2R): search for anamolus traffic that differs from baselines

  • Local to Local Scanning (L2L): internal vulnerability scanners

• Login Failures: search for windows event ID 4625

Containment

• Containment

  • Perimeter containment

    • Block inbound traffic and outbound traffic.

    • IDS/IPS Filters to identify further malicious traffic and take automated actions, such as blocking active connections.

    • Web Application Firewall policies, to detect and take action against web attacks.

    • Null route DNS, to prevent DNS resolutions so internal hosts cannot find the IP address of a given domain name and establish a connection.

  • Network containment

    • Switch-based VLAN isolation, to restrict network access.

    • Router-based segment isolation, to restrict network access.

    • Port blocking, to prevent connections on specific ports.

    • IP or MAC Address blocking, to restrict network access.

    • Access Control Lists (ACLs), to provide rules that restrict what hosts on the network can and cannot do.

  • Endpoint containment

    • Disconnecting the infected system from any network connections (turning WiFi off, pulling ethernet cable).

      • Powering off the infected system.

      • Blocking rules in the local firewall.

      • Host intrusion prevention system (HIPS) actions, such as device isolation.

• Eradication

  • Remove malicious artifacts

  • Reimage systems

• Recovery

  • Identify root cause

  • Patch systems

  • Disable uneeded services

  • Update EDR, AV, IDPS, and SIEM rules

  • Share intelligence

• Lessons Learned and Reporting

  • Post incident review meetings: what could be improved

  • Create report that should contain

    • Executive Summary

    • Incident Timeline

    • Incident Investigation

    • Appendix

    • Report considerations

      • Report Audience

      • Incident Investigation

      • Screenshots and Captions