Blue Team Toolkit

Incident Response

Last updated 1 year ago

Lifecycle Phases

Preparation -> Detection and Analysis -> Containment, Eradication, and Recovery -> Lessons Learned and Reporting

Preparation

  • Create incident response plan

    • Incident response plans should have these sections:

      • Preparation

      • Identification

      • Containment

      • Eradication

      • Recovery

      • Lessons Learned

    • Example Incident Response Plans

  • Create Incident Response Team

    • Conduct training and create incident response run books

  • Create asset inventories

  • Run risk assessments

  • Enact defensive measures, e.g. DMZ, NIDS/HIDS/NIPS, AV, centralized logging, EDR, network firewalls, local firewalls, WAFs, GPOs, NAC, web proxies, SPF/DKIM/DMARC, marking external emails, email spam filters, DLP, sandboxing, attachment file restrictions, physical defenses, awareness training, phishing simulations, etc.

Detection and Analysis

  • Identify scanning, including:

    • Remote to Local Scanning (R2L): search for HTTP connections on non-standard ports

    • Remote to Local DoS/DDoS (L2R): search for anomalous traffic that differs from baselines

    • Local to Local Scanning (L2L): internal vulnerability scanners

  • Login failures: search for Windows Event ID 4625
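As an added example (not code from the original page), a small Python script that runs two of the detections above over constructed sample records: R2L HTTP on non-standard ports, and bursts of Windows Event ID 4625 login failures. The baseline HTTP port set, the internal-address check (10.0.0.0/8) and the failure threshold are assumptions.

```python
"""Added example: R2L HTTP on non-standard ports and Event ID 4625 bursts,
run over constructed sample records (not real logs)."""
from collections import Counter, defaultdict

# Constructed connection records: (src_ip, dst_ip, dst_port, app_protocol)
CONNECTIONS = [
    ("203.0.113.7", "10.0.0.5", 80, "http"),
    ("203.0.113.7", "10.0.0.5", 8081, "http"),
    ("203.0.113.7", "10.0.0.5", 4444, "http"),
    ("10.0.0.9", "10.0.0.5", 9000, "http"),   # internal source: not R2L
    ("198.51.100.3", "10.0.0.6", 22, "ssh"),
]

# Constructed Windows Security events: (event_id, account, src_ip)
EVENTS = [
    (4625, "jsmith", "198.51.100.3"),
    (4625, "admin", "198.51.100.3"),
    (4625, "root", "198.51.100.3"),
    (4625, "backup", "198.51.100.3"),
    (4625, "jsmith", "10.0.0.9"),            # one failure, below threshold
    (4624, "jsmith", "10.0.0.9"),            # 4624 = successful logon
]

# Assumptions: the site's baseline of expected HTTP ports, and 10.0.0.0/8 is internal.
STANDARD_HTTP_PORTS = {80, 443, 8080}

def is_internal(ip):
    return ip.startswith("10.")

def http_on_nonstandard_ports(conns):
    """R2L scanning heuristic: an external source speaking HTTP to a port
    outside the baseline set. Returns sorted (src, dst, port) triples."""
    return sorted({(src, dst, port) for src, dst, port, proto in conns
                   if proto == "http" and port not in STANDARD_HTTP_PORTS
                   and not is_internal(src)})

def login_failure_bursts(events, threshold=3):
    """Flag sources with >= threshold 4625 events. The account list shows
    whether one account is being hammered or many are being tried."""
    counts, accounts = Counter(), defaultdict(set)
    for event_id, account, src in events:
        if event_id == 4625:
            counts[src] += 1
            accounts[src].add(account)
    return {src: {"failures": n, "accounts": sorted(accounts[src])}
            for src, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(http_on_nonstandard_ports(CONNECTIONS))
    print(login_failure_bursts(EVENTS))
```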

Containment

  • Containment

    • Perimeter containment

      • Block inbound traffic and outbound traffic.

      • IDS/IPS Filters to identify further malicious traffic and take automated actions, such as blocking active connections.

      • Web Application Firewall policies, to detect and take action against web attacks.

      • Null route DNS, to prevent DNS resolutions so internal hosts cannot find the IP address of a given domain name and establish a connection.

    • Network containment

      • Switch-based VLAN isolation, to restrict network access.

      • Router-based segment isolation, to restrict network access.

      • Port blocking, to prevent connections on specific ports.

      • IP or MAC Address blocking, to restrict network access.

      • Access Control Lists (ACLs), to provide rules that restrict what hosts on the network can and cannot do.

    • Endpoint containment

      • Disconnecting the infected system from any network connections (turning WiFi off, pulling the Ethernet cable).

      • Powering off the infected system.

      • Blocking rules in the local firewall.

      • Host intrusion prevention system (HIPS) actions, such as device isolation.

  • Eradication

    • Remove malicious artifacts

    • Reimage systems

  • Recovery

    • Identify root cause

    • Patch systems

    • Disable unneeded services

    • Update EDR, AV, IDPS, and SIEM rules

    • Share intelligence

  • Lessons Learned and Reporting

    • Post-incident review meetings: what could be improved

    • Create a report, which should contain:

      • Executive Summary

      • Incident Timeline

      • Incident Investigation

      • Appendix

      • Report considerations

        • Report Audience

        • Incident Investigation

        • Screenshots and Captions

Example incident response plans and run books:

  • NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide: https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf

  • Carnegie Mellon University

  • Wright State University

  • Microsoft Run Books

  • Run book examples