Incident Response SANS: The 6 Steps in Depth - Cynet
Incident response helps organizations ensure that they know of security incidents and can act quickly to minimize the damage caused. The aim is also to prevent follow-on attacks or related incidents from taking place in the future.

The SANS Institute is a private organization which provides research and education on information security. In this article, we'll outline, in detail, the six components of a SANS incident response plan, including elements such as preparation, identification, containment, and eradication. Read on to learn more about Cynet's 24/7 incident response team and how they can help your organization.

In this article:
- The concept of incident response
- What is SANS?
- SANS incident response plan
- Cynet's 24/7 incident response team

What Is Incident Response?

Incident response is a process that allows organizations to identify, prioritize, contain and eradicate cyberattacks. The goal of incident response is to ensure that organizations are aware of significant security incidents, and act quickly to stop the attacker, minimize the damage caused, and prevent follow-on attacks or similar incidents in the future.

What Is SANS?
The SANS Institute is a private organization established in 1989, which offers research and education on information security. It is the world's largest provider of security training and certification, and maintains the largest collection of research about cybersecurity. SANS also operates the Internet Storm Center, an early warning system for global cyber threats.

SANS Incident Response Plan

The SANS Institute published a 20-page handbook that lays out a structured 6-step plan for incident response. Below is a brief summary of the process, and in the following sections we'll go into more depth about each step:

- Preparation—review and codify an organizational security policy, perform a risk assessment, identify sensitive assets, define which are critical security incidents the team should focus on, and build a Computer Security Incident Response Team (CSIRT).
- Identification—monitor IT systems and detect deviations from normal operations, and see if they represent actual security incidents. When an incident is discovered, collect additional evidence, establish its type and severity, and document everything.
- Containment—perform short-term containment, for example by isolating the network segment that is under attack. Then focus on long-term containment, which involves temporary fixes to allow systems to be used in production, while rebuilding clean systems.
- Eradication—remove malware from all affected systems, identify the root cause of the attack, and take action to prevent similar attacks in the future.
- Recovery—bring affected production systems back online carefully, to prevent additional attacks. Test, verify and monitor affected systems to ensure they are back to normal activity.
- Lessons learned—no later than two weeks from the end of the incident, perform a retrospective of the incident. Prepare complete documentation of the incident, investigate the incident further, understand what was done to contain it and whether anything in the incident response process could be improved.

Step 1: Preparation

The goal of the preparation stage is to ensure that the organization can comprehensively respond to an incident at a moment's notice.
In a SANS incident response plan, these are the critical elements that should be prepared in advance:

- Policy—define principles, rules and practices to guide security processes. Ensure the policy is highly visible both to employees and users, for example by displaying a login banner that states all activities will be monitored, and clearly stating unauthorized activities and the associated penalties.
- Response Plan/Strategy—create a plan for incident handling, with prioritization of incidents based on organizational impact. For example, organizational impact is higher the more employees are affected within the organization, the more an event is likely to impact revenues, or the more sensitive the data involved is, such as salaries, financial or private customer data.
- Communication—create a communication plan that states which CSIRT members should be contacted during an incident, for what reasons and when they can be contacted. For example, there may be operations staff on call at all hours; everyone in the organization should know which incident responders to contact to help bring systems back up. The communication plan should state the policy for contacting law enforcement, and who should make contact.
- Documentation—documentation is not optional and can be a lifesaver. If the incident is considered a criminal act, your documentation will be used to press charges against suspects. Any information you collect about the incident can also be used for lessons learned and to improve your incident response process. Documentation should answer the questions: Who, What, When, Where, Why, and How?
- Team—build a CSIRT with all relevant skills, not just security. Include individuals with expertise in security but also IT operations, legal, human resources, and public relations—all of whom can be instrumental in dealing with and mitigating an attack.
- Access control—make sure that CSIRT staff have the appropriate permissions to do their job. It is a good idea to have, as part of the incident response plan, network administrators add permissions to CSIRT member accounts, and then remove them when the incident is over.
- Training—ensure initial and ongoing training for all CSIRT members on incident response processes, technical skills and relevant cyberattack patterns and techniques. Carry out drills at regular intervals to ensure that everyone in the CSIRT knows what they need to do and is able to perform their duties during a real incident.
- Tools—evaluate, select and deploy software and hardware that can help respond to an incident more effectively. All of the tools should be packaged in a "jump bag" that can be quickly accessed by CSIRT members when an incident occurs.

Leveraging an integrated breach protection platform for incident response

An integrated security platform like Cynet 360 is highly useful for incident response teams. This platform can automatically determine behavioral baselines, identify anomalies that indicate suspicious behavior, and collect all relevant data across endpoints, networks, and users to help the CSIRT explore the anomaly.

Cynet 360 can help your organization perform remote manual action to contain security events. These actions can include deleting files, stopping malicious processes, resetting passwords and restarting devices that have been affected. Cynet can also help your organization carry out measures such as preventing rapid encryption of files or automatically isolating endpoints that have been the target of malware.

Learn more about Cynet 360's incident response capabilities.

Step 2: Identification

This step involves detecting deviations from normal operations in the organization, understanding if a deviation represents a security incident, and determining how important the incident is.

The SANS incident response identification procedure includes the following elements:

- Setting up monitoring for all sensitive IT systems and infrastructure.
- Analyzing events from multiple sources including log files, error messages, and alerts from security tools.
- Identifying an incident by correlating data from multiple sources, and reporting it as soon as possible.
- Notifying CSIRT members and establishing communication with a designated command center (for example, this could be senior management or IT operations).
- Assigning at least two incident responders to a live incident, one as the primary handler who assesses the incident and makes the decisions, and the other to help investigate and gather evidence.
- Documenting everything that incident responders are doing as part of handling the attack—answering the Who, What, Where, Why, and How questions.
- Threat prevention and detection capabilities across all main attack vectors.

Step 3: Containment

The goal of containment is to limit damage from the current security incident and prevent any further damage. Several steps are necessary to completely mitigate the incident, while also preventing destruction of evidence that may be needed for prosecution.

The SANS containment process involves:

- Short-term containment—limiting damage before the incident gets worse, usually by isolating network segments, taking down hacked production servers and routing to failover.
- System backup—taking a forensic image of the affected system(s) with tools such as Forensic Toolkit (FTK) or EnCase, and only then wiping and reimaging the systems. This will preserve evidence from the attack that can be used in court, and also for further investigation of the incident and lessons learned.
- Long-term containment—applying temporary fixes to make it possible to bring production systems back up. The primary focus is removing accounts or backdoors left by attackers on the systems, and addressing the root cause—for example, fixing a broken authentication mechanism or patching a vulnerability that led to the attack.

Step 4: Eradication

Eradication is intended to actually remove malware or other artifacts introduced by the attacks, and fully restore all affected systems.

The SANS eradication process involves:

- Reimaging—complete wipe and re-image of affected system hard drives to ensure any malicious content is removed.
- Preventing the root cause—understanding what caused the incident and preventing future compromise, for example by patching a vulnerability exploited by the attacker.
- Applying basic security best practices—for example, upgrading old software versions and disabling unused services.
- Scan for malware—use anti-malware software, or Next-Generation Antivirus (NGAV) if available, to scan affected systems and ensure all malicious content is removed.

Step 5: Recovery

The goal of recovery is to bring all systems back to full operation, after verifying they are clean and the threat is removed.

The SANS recovery procedure involves:

- Defining time and date to restore operations—system owners should make the final decision on when to restore services, based on information from the CSIRT.
- Testing and verifying—ensuring systems are clean and fully functional as they go live.
- Monitoring—ongoing monitoring for some time after the incident to observe operations and check for abnormal behaviors.
- Doing everything to prevent another incident—considering what can be done on the restored systems to protect them from recurrence of the same incident.

Step 6: Lessons Learned

No later than two weeks from the end of the incident, the CSIRT should compile all relevant information about the incident and extract lessons that can help with future incident response activity.

The SANS lessons learned process includes:

- Completing documentation—it is never possible to document all aspects of an incident while it is going on, and achieving comprehensive documentation is very important to identify lessons for next time.
- Publishing an incident report—the report should provide a play-by-play review of the entire incident, and answer the Who, What, Where, Why, and How questions.
- Identifying ways to improve CSIRT performance—extract items from the incident report that were not handled correctly and can be improved for next time.
- Establishing a benchmark for comparison—derive metrics from the incident report that you can use to guide you in future incidents.
- Lessons learned meeting—conduct a meeting with the CSIRT and other stakeholders to discuss the incident and cement lessons learned that can be implemented immediately.
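The identification step (correlating events from several sources into one incident), the documentation requirement (a record answering Who, What, When, Where, Why and How) and the lessons-learned benchmark (a metric derived from the record) are easier to see in code. The script below is an added example and is not code from this page, from Cynet or from SANS. Every host name, user name, IP address and log line is constructed, the ten-minute correlation window and three-failure threshold are assumptions, and the detection rule (a login success after repeated failures, corroborated by a second source on the same host) is one simple instance of the multi-source correlation the text describes.

```python
# Added example; all hosts, users, addresses, log lines and thresholds
# below are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Constructed events from three sources: an authentication log, an EDR
# alert feed and an application error log (timestamp + key=value pairs).
AUTH_LOG = [
    "2024-03-04T09:12:01Z host=web01 user=jsmith result=fail src=203.0.113.7",
    "2024-03-04T09:12:04Z host=web01 user=jsmith result=fail src=203.0.113.7",
    "2024-03-04T09:12:08Z host=web01 user=jsmith result=fail src=203.0.113.7",
    "2024-03-04T09:12:15Z host=web01 user=jsmith result=success src=203.0.113.7",
    "2024-03-04T09:30:00Z host=db02 user=backup result=success src=10.0.0.5",
]
EDR_ALERTS = [
    "2024-03-04T09:13:40Z host=web01 user=jsmith alert=suspicious_process severity=high",
]
APP_ERRORS = [
    "2024-03-04T09:14:02Z host=web01 user=- error=config_file_modified",
]


def parse_line(source, line):
    """Turn 'TIMESTAMP k=v k=v ...' into a dict tagged with its source."""
    ts, _, rest = line.partition(" ")
    event = {"source": source, "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in rest.split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


@dataclass
class Incident:
    host: str
    user: str
    src: str
    first_seen: datetime   # earliest event of the suspicious sequence
    detected_at: datetime  # first corroborating alert from another source
    sources: list
    severity: str
    record: dict = field(default_factory=dict)


def correlate(auth, edr, app, window_minutes=10, min_failures=3):
    """Raise an incident when a login success follows repeated failures on a
    host and a second source reports activity on that host within the window."""
    events = ([parse_line("auth", l) for l in auth]
              + [parse_line("edr", l) for l in edr]
              + [parse_line("app", l) for l in app])
    events.sort(key=lambda e: e["time"])
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)

    window = window_minutes * 60
    incidents = []
    for host, host_events in by_host.items():
        failures = defaultdict(list)  # (user, src) -> failure timestamps
        for e in host_events:
            if e["source"] != "auth":
                continue
            key = (e["user"], e["src"])
            if e["result"] == "fail":
                failures[key].append(e["time"])
                continue
            recent = [t for t in failures[key] if (e["time"] - t).total_seconds() <= window]
            if len(recent) < min_failures:
                continue  # an ordinary login, not a deviation worth escalating
            # A single anomaly becomes an identified incident only when a second
            # source on the same host corroborates it shortly afterwards.
            others = [o for o in host_events if o["source"] != "auth"
                      and 0 <= (o["time"] - e["time"]).total_seconds() <= window]
            if not others:
                continue
            severity = "high" if any(o.get("severity") == "high" for o in others) else "medium"
            incidents.append(Incident(
                host=host, user=e["user"], src=e["src"],
                first_seen=min(recent),
                detected_at=min(o["time"] for o in others),
                sources=sorted({"auth"} | {o["source"] for o in others}),
                severity=severity))
    return incidents


def document(incident):
    """Fill in the Who/What/When/Where/Why/How record the plan asks for, plus
    one benchmark metric: seconds from the first event to detection."""
    corroborating = [s for s in incident.sources if s != "auth"]
    incident.record = {
        "who": f"account {incident.user} from {incident.src}",
        "what": "login success after repeated failures, corroborated by " + ", ".join(corroborating),
        "when": incident.first_seen.isoformat(),
        "where": incident.host,
        "why": "hypothesis: credential guessing; confirm the root cause during eradication",
        "how": "password authentication; evidence sources: " + ", ".join(incident.sources),
        "severity": incident.severity,
        "seconds_to_detect": int((incident.detected_at - incident.first_seen).total_seconds()),
    }
    return incident.record


if __name__ == "__main__":
    for inc in correlate(AUTH_LOG, EDR_ALERTS, APP_ERRORS):
        for k, v in document(inc).items():
            print(f"{k:>18}: {v}")
```

Run as a script it prints one record for web01 (the backup login on db02 has no preceding failures and no corroboration, so it is not escalated). The `why` field is deliberately a hypothesis: the text places root-cause confirmation in the eradication step, and the `seconds_to_detect` value is the kind of number the lessons-learned review can compare against future incidents.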
SANS suggests this general format for the incident report:

- When the problem was first detected and by whom
- The scope of the incident
- How it was contained and eradicated
- Work performed during recovery
- Areas where the CSIRT teams were effective
- Areas that need improvement

Follow the SANS IR Framework with Cynet

Cynet 360 provides powerful capabilities across the first three SANS stages:

- Identification–Cynet EDR, network analytics, UEBA and deception technology capabilities form an integrated, multilayered detection fabric that unveils malicious activity across the entire environment–endpoint, network and users.
- Containment–Cynet 360 response orchestration, a wide set of remediation tools to isolate infected endpoints, reset compromised user accounts, block attacker-controlled traffic and quarantine or delete malicious files.
- Eradication–Cynet 360 provides complete visibility across all endpoint, user and network activity to accelerate and optimize investigations. It helps responders discover the root cause of an attack, understand its scope and impact, and eliminate malicious infrastructure and activity using its response orchestration module.

Contact Cynet for immediate help

For emergency assistance from Cynet's security experts, call them at US 1-(347)-474-0048, International +44-203-290-9051, or complete the form below.