Reaction, Coordination, and Implementation
Imagine that you’re an account manager preparing a presentation for a potential client. You’ve done your research, put in the hours, and expended the effort to make this deal go off without a hitch. There’s just one problem: the presentation has been renamed to a string of random text ending in “.pwned”, along with every other file on your desktop and the desktops of every other user on your floor. The only readable file is a simple, helpful text file that informs you that the only way for you to get your data back is to pay a small ransom in cryptocurrency. Your organization is the victim of a ransomware attack.
In the wake of this realization, it is natural for a flood of thoughts and emotions to wash over the members of an organization, especially those responsible for the health and operational well-being of the business. However, it is crucial for an organization to understand that responding to an incident must become the central focus, as it allows for the opportunity to answer the how’s and the what’s and to process the various emotions that are felt during this time.
It is equally crucial that a framework exist to ensure that the efforts and resources are spent on response effectively. Such a framework, commonly referred to as an Incident Response (IR) plan, addresses the process of implementing a coordinated response aimed at achieving a specific set of goals directly relevant to the organization utilizing a phase-based structure. Applying the K.I.S.S. concept, this structure can be ordered into four basic phases, as described by the Sophos Threat Response Team:
o Phase 1 — Initial Response
o Phase 2 — Triage
o Phase 3 — Threat Neutralization
o Phase 4 — Planning and Prevention
While the scenario of a ransomware attack is being used as an example of how this four-phase structure is deployed, the general concepts can be utilized to create a variety of IR plans.
PHASE 1 — Initial Response
In the world of tv crime-drama, there is a show called “The First 48”. This program highlights the importance of the first few hours after a crime occurs and how the actions taken during that time heavily influence the outcome of an investigation. This same principle can be seen in football, where the snap triggers a response from the defense. In the world of threat response, instead of a snap, we have the “scramble”. The scramble refers to the first minutes to hours following the detection of an incident and the implementation of a response plan, during which a designated team performs multiple simultaneous tasks with the goal of going after what Sophos MTR terms “quick wins”.
Of course, the duration of the scramble will vary depending on several key factors that are organization specific. These factors include the size of the attack, the availability of staff, experience, and pre-existing supporting infrastructure. Yet, the focus on quick wins remains the same — gathering information and beginning the process of identifying and removing or blocking compromised accounts, malicious files, and IP addresses, among other things.
As the momentum behind these quick wins begins to build, the first lines of communication must be established with all parties that have a vested interest in the organization. This “kickoff” call, occurring within the first hour, encourages ground-up involvement with other departments such as legal, public relations, and management that are responsible for handling non-technical, but equally essential, portions of incident response.
PHASE 2 — Triage the Issues
As lines of communication are stabilized and the quick wins become few and far between, responders will begin to investigate deeper beneath the surface of the affected network to gain a better understanding of the nature and scope of the attack and to determine how to prioritize remedial actions. It is at this point that the pre-existing support infrastructure of the organization determines the success of this phase.
At the time of this writing, it’s impossible to go back in time and without logs it’s even harder. Maintaining a centralized system of event logging, such as Sysmon, is essential to effectively respond to an attack for several key reasons. First, it aids in establishing a network baseline for comparison that assists in detecting event spikes, trend increases, and other warning signs such as registry manipulation and Active Directory changes. Furthermore, responders can utilize tools, both open source and proprietary, to query for potential malware and other potentially unwanted applications (PUAs).
Queries can uncover a plethora of incident artifacts that are integral to investigation:
● Executables, DLLs, .bat and PS scripts
● Compressed files, dump files
● Advanced IP scanners, screen sharers
● PATH locations, User account manipulation
● Active/scheduled processes
● Data exfiltration attempts
Hunting for these Indicators of Compromise (IoCs) allow responders to map artifacts to Techniques, Tactics, and Procedures (TTPs) to potentially identify the threat actors that have targeted their organization and apply remedial measures in the third phase of the response.
PHASE 3 — Neutralizing the Threat
The chief goal of this phase is to encircle the whole attack. By targeting artifacts discovered during the scramble and subsequent triage, responders can accomplish the following tasks:
● Isolate machines
● Disable/remove users
● Block hashes and IP addresses
● Remove malicious files
● Kill tasks and disrupt persistence measures
● Determine data loss
It is imperative to not only remove the active threat, but to ensure that opportunities for re-infection are eliminated. Even then, if the active threat is neutralized and the myriad of remote connections setup are severed, the process of incident response is not yet complete. Recovery is performed in vain if the original vulnerabilities are not addressed and the organization goes unhardened outside of the reactive measures implemented. It is here that we arrive at the fourth phase of threat response.
PHASE 4 — Planning and Prevention
Though planning and prevention define the fourth phase of incident response, it is not the final phase, as it represents a continuous cycle of growth for the organization. When striving for prevention and planning for disaster, there are numerous factors to consider. Technical considerations include but are not limited to the following:
● Environment scoping and asset awareness
● Balancing protection with detection on both front and back end
● Proper application of mitigations and controls to limit noise and exposure
● Accurate and relevant logging and reporting
● Understanding what tools you have and how to use them
Non-technical considerations are equally integral and often cover a larger canvas than the technical side. These considerations can be easy to forget or undervalue, as an organization must balance roles and responsibilities with intangible factors such as reputation. Non-technical considerations include but are not limited to the following:
● Financial impact and work authorization
● Public Relations
● Chain of command and response authority
● Awareness of individual and organizational limitations
● Evidence preservation and handling
● Regulatory considerations and third-party involvement
Implementing a coordinated Incident Response Plan takes time and effort to ensure that it:
● Is contextually accurate
● Is Flexible enough to adapt but rigid enough to prevent confusion
● Updates and improves continuously
● Accurately reflects the capabilities and shortcomings of the organization
Responding to a threat through incident response procedures is a critical and increasingly mandatory part of participating in commerce in a digital world. With the advent of exploitation as a service streamlining the cyber-attack process, and the rising industry of cyber insurance further complicating the landscape, organizations must be prepared to deploy a form of incident response, whether in-house or as a managed service, to harden against the ever-present threat.