The preparation phase of incident response (IR) emphasizes establishing a robust response capability within an organization to ensure effective incident management.
The formation of a CSIRT is crucial, ensuring the right experts are available during incidents.
Proper documentation, including policies and procedures, supports a seamless response and provides records for future use, such as litigation or improving the security posture. Technological preparation includes maintaining an inventory of assets, establishing baseline security tools, and ensuring visibility across the environment.
Incident Response Summary
Identification and Scoping
This phase highlights the importance of a feedback loop between identification and scoping, emphasizing that it is a cyclic process rather than linear. The goal is to continually refine the incident responder's understanding of the incident and its scope.
Intelligence-driven actions are crucial, as responders need relevant information to avoid working blindly. This phase involves staying on top of the evolving incident environment, guided by threat intelligence.
Containment and Threat Intelligence Creation
The emphasis in this phase is on threat intelligence's role in the cyclic process of identification, scoping, and containment. Incidents constantly evolve, necessitating the responsibility to stay informed and remain a step ahead of threat actors by leveraging intelligence.
Containment strategies are discussed to minimize potential damage caused by threat actors.
Eradication, Remediation, and Recovery
This phase stresses that remediation is an ongoing part of the IR process, reliant on the effectiveness and synergy of previous phases.
While containment limits threat actor damage, eradication involves planning and executing the removal of threats from the environment.
Post-removal actions are covered in remediation and recovery, focusing on restoring normal operations and addressing vulnerabilities exploited during the incident.
Practical: Identification and Scoping
Outdated Endpoint Protection: The device owned by Derrick Marshall, Head of IT - Operations and Support, had outdated endpoint protection definitions.
Phishing Incidents: Michael Ascot's credentials were compromised due to a phishing incident, which the Security Operations Center (SOC) quickly addressed by advising a credential update.
Discovery of Phishing Domains: Multiple phishing domains related to the incident were identified and added to the Spreadsheet of Doom (SoD).
Practical: Containment and Threat Intel Creation
Malicious IP Discovery: Identified a malicious IP serving as the threat actor's host for additional malicious downloads.
Threat Actor Association: Another malicious IP (3.250.7.149) was linked to the tal0nix threat actor, associated with phishing reports involving an Office 365 (O365) page prompting login via email and password.
Malicious Droppers: Two different versions of a malicious dropper were discovered.
Practical: Eradication, Remediation, and Recovery
Credential Leakage and Reuse: The leakage of swiftspend_admin credentials and threat actor discovery of password reuse led to the Jenkins server compromise.
Jenkins Platform Compromise: A scheduled exfiltration script (backup.sh), disguised as a backup implementation, was discovered, using a compromised Jenkins service account as a backdoor.
Domain Hijacking: The swiftspend domain (backup.swiftspend.com) was hijacked by manually adding the threat actor’s IP (194.26.135.132) to the server’s hosts file, which then received exfiltrated files.
Technical Summary
A technical summary provides a concise overview of the relevant findings regarding an incident, covering its progression from detection to recovery.
Its primary purpose is to describe the technical aspects of the incident clearly and effectively, making it a useful reference for technical audiences. Writing it means selecting the most pertinent details while maintaining a comprehensive view of the incident.
The summary should address various aspects of the compromise, including the foothold, exploited vulnerabilities, and visibility issues, to aid in preventing future occurrences.
Executive Summary
The executive summary is designed for high-level stakeholders, such as those in the C-Suite, to understand the broader impact and implications of an incident.
It should document the findings in a formal manner and cover relevant details that affect the business on a macro scale.
Impact of the Compromise: This should detail any financial losses, data theft, downtime of critical systems, or damage to sensitive information, including personally identifiable information (PII) and proprietary data. It should also address any reputational damage if the case is high-profile.
Events Leading to the Compromise: A brief explanation of how the incident occurred.
Actions Taken and Planned: A summary of both the immediate actions already undertaken and the strategies planned for short-term, mid-term, and long-term remediation, recovery, and prevention.
Spreadsheet of Doom (SoD)
The Spreadsheet of Doom (SoD) is an Excel spreadsheet containing a carefully maintained collection of Indicators of Compromise (IoCs).
These IoCs act as warning signs, alerting security experts to suspicious behaviour or potential system breaches. By keeping track of these indicators, the SoD offers a detailed snapshot of possible threats, allowing for quick identification, analysis, and response, whether it involves tracking IP addresses, URLs, file hashes, or other distinguishing features associated with malicious activities.
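Keeping the SoD trustworthy is mostly data hygiene: every row should have a type that matches the value's syntax, the same indicator should not appear twice, and values copied into reports should be defanged so nobody clicks or resolves them by accident. The following is an added example written for these notes, not a tool from the original course: it loads a constructed CSV export of such a spreadsheet, validates and de-duplicates it, and defangs values. The two IP addresses and the hijacked domain are the ones given in the notes above; the row contexts, sources and the hash (the SHA-256 of empty input, used only as a syntactically valid stand-in) are constructed.

```python
"""Load, validate, de-duplicate and defang a Spreadsheet-of-Doom style IoC table."""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass

# Constructed CSV export of the SoD (assumption: one indicator per row).
# The IPs and domain come from the notes; contexts, sources and the hash
# are constructed for this example.
SOD_CSV = """type,value,context,source
ip,3.250.7.149,tal0nix O365 phishing page,phishing report
ip,194.26.135.132,exfiltration destination added to Jenkins hosts file,Jenkins server
domain,backup.swiftspend.com,own backup name hijacked towards attacker IP,Jenkins server
sha256,e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855,dropper (constructed hash),malware triage
ip,3.250.7.149,same IP logged again by a second analyst,SOC ticket
ip,999.10.0.1,mistyped address,SOC ticket
"""

SHA256_RE = re.compile(r"^[0-9a-f]{64}$", re.I)
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


@dataclass(frozen=True)
class Indicator:
    kind: str
    value: str
    context: str
    source: str


def classify(value: str) -> str:
    """Infer the indicator type from its syntax; 'unknown' means not a type we track."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if SHA256_RE.match(v):
        return "sha256"
    if v.lower().startswith(("http://", "https://")):
        return "url"
    if DOMAIN_RE.match(v):
        return "domain"
    return "unknown"


def load_sod(csv_text: str):
    """Return (indicators, problems). Rows whose declared type disagrees with the
    value's syntax, and repeated (type, value) pairs, are reported, not loaded."""
    indicators, problems, seen = [], [], set()
    # Row numbers start at 2 because row 1 of the sheet is the header.
    for n, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        value = row["value"].strip()
        inferred = classify(value)
        if inferred != row["type"].strip().lower():
            problems.append(f"row {n}: {value!r} declared {row['type']} but looks like {inferred}")
            continue
        key = (inferred, value.lower())
        if key in seen:
            problems.append(f"row {n}: duplicate of {value}")
            continue
        seen.add(key)
        indicators.append(Indicator(inferred, value, row["context"], row["source"]))
    return indicators, problems


def defang(value: str) -> str:
    """Render an indicator so it cannot be clicked or resolved when pasted into a report."""
    kind = classify(value)
    if kind == "url":
        value = re.sub(r"^http", "hxxp", value, flags=re.I)
    if kind in ("ip", "url", "domain"):
        value = value.replace(".", "[.]")
    return value


if __name__ == "__main__":
    loaded, issues = load_sod(SOD_CSV)
    for ind in loaded:
        print(f"{ind.kind:7} {defang(ind.value):45} {ind.context}")
    for issue in issues:
        print("PROBLEM:", issue)
```

The validation step matters more than it looks: a mistyped octet or a hash pasted into the wrong column silently produces an indicator that never matches anything, so the sheet reports "no hits" with false confidence.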
Sigma
Sigma is an open-source generic signature language developed to describe log events in a structured format. This allows for quick sharing of detection methods by security analysts.
It also allows for a more flexible way of ‘storing’ a detection method as it can be easily transformed into different formats depending on the SIEM that you’re using. This can be achieved through tools such as Uncoder.io, among others.
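Sigma's value lies in the small, fixed structure of a rule: a logsource, one or more named selections of field matches, and a condition that combines them. The following added example is not from the original notes or from the Sigma project; it encodes a Sigma-style rule as a Python dictionary whose keys mirror the YAML layout, then applies it to constructed Linux file-event records. The rule, the host names and the events are assumptions written for this illustration. The rule flags writes to /etc/hosts by anything other than the package manager, the kind of change behind the hosts-file hijack described in the practical section above, and only the and/or/not subset of Sigma conditions is implemented.

```python
"""Minimal Sigma-style rule evaluator over constructed file-event records."""
from typing import Any

# Constructed rule (assumption, not from the notes). Keys mirror the Sigma YAML
# layout one-to-one: logsource, detection/<name> maps, and a condition string.
HOSTS_FILE_RULE = {
    "title": "Modification of /etc/hosts outside package management",
    "status": "experimental",
    "logsource": {"category": "file_event", "product": "linux"},
    "detection": {
        "selection": {"TargetFilename|endswith": "/etc/hosts"},
        "filter_pkg": {"Image|startswith": ["/usr/bin/apt", "/usr/bin/dpkg"]},
        "condition": "selection and not filter_pkg",
    },
    "level": "medium",
}

# Constructed file-event records in the flat field layout Sigma expects.
# Host names and users are invented for this example.
SAMPLE_EVENTS = [
    {"category": "file_event", "product": "linux", "host": "jenkins01",
     "Image": "/usr/bin/bash", "TargetFilename": "/etc/hosts", "User": "jenkins"},
    {"category": "file_event", "product": "linux", "host": "web02",
     "Image": "/usr/bin/dpkg", "TargetFilename": "/etc/hosts", "User": "root"},
    {"category": "file_event", "product": "linux", "host": "web02",
     "Image": "/usr/bin/bash", "TargetFilename": "/etc/hosts.allow", "User": "root"},
]


def match_field(event: dict, spec_key: str, expected: Any) -> bool:
    """Match one 'Field|modifier' entry. Sigma string matching is
    case-insensitive; a list of values is an OR unless '|all' is present."""
    field, *modifiers = spec_key.split("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual_l = str(actual).lower()
    values = expected if isinstance(expected, list) else [expected]

    def one(value: Any) -> bool:
        v = str(value).lower()
        if "contains" in modifiers:
            return v in actual_l
        if "startswith" in modifiers:
            return actual_l.startswith(v)
        if "endswith" in modifiers:
            return actual_l.endswith(v)
        return actual_l == v

    if "all" in modifiers:
        return all(one(v) for v in values)
    return any(one(v) for v in values)


def match_selection(event: dict, selection: dict) -> bool:
    """A selection map is an AND of all its field specs."""
    return all(match_field(event, key, val) for key, val in selection.items())


def matches_logsource(rule: dict, event: dict) -> bool:
    """The rule only applies to events from its declared log source."""
    return all(event.get(k) == v for k, v in rule["logsource"].items())


def evaluate_rule(rule: dict, event: dict) -> bool:
    if not matches_logsource(rule, event):
        return False
    detection = rule["detection"]
    named = {name: match_selection(event, sel)
             for name, sel in detection.items() if name != "condition"}
    # The condition string is evaluated with builtins removed, so the only
    # names it can resolve are the selection results computed above.
    return bool(eval(detection["condition"], {"__builtins__": {}}, named))


def alerting_hosts(rule: dict, events: list) -> list:
    """Return the hosts whose events trigger the rule, in event order."""
    return [e["host"] for e in events if evaluate_rule(rule, e)]


if __name__ == "__main__":
    for host in alerting_hosts(HOSTS_FILE_RULE, SAMPLE_EVENTS):
        print(f"{HOSTS_FILE_RULE['title']}: {host}")
```

The same dictionary, written as YAML, is what a converter such as Uncoder.io would turn into a SIEM query; the point of the exercise is that the detection logic (endswith on the path, a filter for legitimate writers, "selection and not filter") is stored once and can be regenerated for whichever backend the organisation runs.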
Premature Shift from Scoping to Eradication
A frequent issue is moving to eradication too quickly, driven by management or internal pressure to avoid further data or business loss. This premature shift can result in unsuccessful eradication efforts and often leads to a "whack-a-mole" scenario, where the problem simply shifts rather than being resolved.
Proper scoping, that is, understanding the threat actor and the full scope of the damage, is critical. A thorough scoping phase and an intelligence-driven approach are what prevent the whack-a-mole cycle.
Eradication: Be Prepared for (Initial) Failure
Even with thorough scoping, initial remediation attempts may fail. This should not be discouraging, as the eradication process is inherently iterative. Feedback from the eradication phase should inform further scoping and vice versa.
Expect that threats may reappear and become more sophisticated. Threat actors are adept at avoiding detection and may act carelessly only when it serves their purpose.
Eradication
Main Goal
The primary objectives of the eradication phase are twofold:
Eradicate the Threat: Prioritize systems based on sensitivity and criticality to recover the most critical ones first. This helps in mitigating the immediate impact and restoring normal operations efficiently.
Recover from Business Impact: Return to a state of normalcy by addressing and mitigating the business impact caused by the threat. This involves not only removing the threat but also managing the aftermath to stabilize operations.
Automated Eradication
Automated eradication involves using tools like antivirus (AV) and Endpoint Detection and Response (EDR) systems to quarantine, clean, and remove malware. This method is effective for less sophisticated threats that use well-known malicious tools.
However, more sophisticated or targeted threats are designed to bypass these automated systems, so relying solely on automated eradication is not advisable. Despite this, automated eradication allows analysts to focus on more complex threats.
Eradication Methods: Complete System Rebuild
Rebuilding a system from scratch is a straightforward method to ensure that all traces of an attacker are removed. This involves wiping the system clean and reinstalling applications, reverting configurations, and restoring data.
While this method guarantees a clean slate, it also involves the complete removal of all system contents.
For critical systems or those with significant legacy constraints, such as those where even brief downtime could result in substantial financial losses, a complete rebuild may not be feasible.
Targeted System Cleanup
In cases where downtime is unacceptable, or where revealing that the intrusion has been detected could lead to further damage, a targeted system cleanup is employed.
This approach involves precise and intelligence-driven efforts to remove attacker traces without alerting the attacker to detection or impending cleanup.
Success in this method is highly dependent on thorough scoping. Rushing the scoping phase and moving prematurely to eradication can lead to failure, as proper scoping is essential for effective targeted cleanup.
Remediation
The remediation phase of the incident response (IR) process is crucial for improving an organization's security posture. Throughout the IR process, the organization gains insights into both its vulnerabilities and its strengths.
Effective remediation involves identifying the vulnerabilities and misconfigurations that allowed an attacker to exploit the environment, as well as recognizing what worked, such as the methods that uncovered the threat actor and the network visibility that supported them.
These insights lead to plans that enhance security.
Key Remediation Steps
Network Segmentation
Implementing network segmentation limits communication between specific computers and subnets to only what is necessary, significantly reducing the attack surface.
Effective remediation plans should also improve the security team’s visibility of the network.
This enhanced visibility allows for the easier detection of unusual network behavior indicative of malicious activity, enabling quicker detection and prevention.
IAM Review
Restrict Access to Compromised Accounts: During the IR process, compromised accounts should be reviewed, and any vulnerabilities or misconfigurations should be addressed. Removing the mode of compromise, such as a plaintext password or vulnerable application, is crucial.
User account entitlements should follow the principle of least privilege, granting access only to necessary data and resources to perform job functions. This minimizes the risk of accounts being used for unauthorized purposes.
Restrict Access to Highly Privileged Accounts: Access to highly privileged accounts, like domain administrators, should be controlled and audited. Access is typically granted on a request-and-approval basis for specific business needs and limited to a certain period.
Preventing threat actors from accessing these accounts is vital, as such access would grant them extensive control over the environment.
Patch Management
While cleanup is addressed during eradication, remediation focuses on addressing the root causes of the compromise, such as vulnerable applications.
Prioritizing patching of identified vulnerabilities across the environment, not just on affected endpoints, is essential.
A robust patch management system should track applications, be vigilant for new vulnerabilities, and apply necessary patches promptly. This proactive approach helps prevent future exploits.
Recovery
The recovery phase focuses on implementing changes that bring systems back online, enabling the continuation of normal business operations.
A successful recovery plan capitalizes on remediation efforts to strengthen the organization's security posture, ensuring that changes are correctly implemented and no vulnerabilities are overlooked.
Recovery: Continuous Testing and Monitoring
After vulnerabilities are addressed through remediation efforts like reducing the attack surface and patching, organizations should conduct tests to verify the effectiveness of these measures.
This involves penetration tests and attack simulations to create a feedback loop that consistently evaluates and enhances the defensive strategies implemented.
Only when the systems demonstrate resilience against similar attacks can they be safely reintroduced into production.
Recovery: Backups
During recovery, restoring affected systems to normal functionality highlights the importance of maintaining backups, not just of data but also of unique system configurations. This is particularly crucial if a compromised system undergoes a complete rebuild.
While detailed documentation is valuable, having automated setup scripts based on these documents is even more beneficial. In cloud-based environments, maintaining updated baseline images of systems is advisable for efficient recovery.
Recovery: Action Plan for Recovery
The recovery process is not a sprint but a continuous endeavor. Action plans should be categorized into near-term, mid-term, and long-term objectives, reflecting the organization's capability and capacity to implement changes.
Near-term changes, which are the most critical and provide immediate value, should be prioritized and initiated promptly. This structured approach ensures a strategic and sustainable recovery, aligning with the organization's overall goals and capacity.