SECURITY INCIDENT RESPONSE

Security Incident Response Template

  • Ben
  • February 20, 2021

Document Scope:

This document defines the specific actions and response for security-related events, including viruses, malware and other identified security risks.

This should act as a blueprint for actions in times of crisis and be taught, tested and validated on a regular basis.

Organizational Structure and Roles:

Role | Responsibility
Ownership | Shareholders of the various entities that we support.
CIO | Chief Information Officer; communicates with the business and ownership regarding the incident.
Director of IT | Communicates with the business; coordinates response efforts with outside parties and technical assets.
Application Manager | Communicates with the business; coordinates response efforts with software vendors.
IT Engineering | Engineers responsible for architecting proper security protocols and ensuring adoption and compliance at a technical level.
Support Desk | Front-line helpdesk personnel, crucial in early detection and in preventing spread.
Vendors | Third-party providers of software, hardware or services useful in an incident response.
SOC | Official Security Operations Center for the company and our subsidiary affiliates: perimeter prevention, IDS, ADS and forensic response.

Key Terms

Term | Definition
C&C, CC, C and C | Command and Control: a server that malware or other threats call back to for instructions and payloads to download.
Malware | Unwanted software installed on a system that collects information, calls home to a command and control server or performs other malicious activity.
Virus | Software that destroys data, creates a denial of service, attempts to replicate or otherwise harms computer systems, the network or data.
Rootkit | Malicious software that integrates with the operating system itself (at the kernel or boot level rather than running as a third-party application) in order to hide itself and other malware from the OS and from security tools.
Scareware | Generally a pop-up ad on a hijacked site that threatens the user into calling a number or clicking through, handing a remote attacker access to the asset in question.
Worms | Rapidly spreading malicious software that crawls the network and attacks resources once inside.
Trojans | Malicious software disguised as legitimate software, generally freeware or shareware, to get a user to install it; once installed it embeds itself in the Windows operating system to download additional payloads or take over the OS.
Adware | Annoying software that displays pop-ups or ads, or collects information about your system, in exchange for money from third parties.
Spyware | Malicious software that stays hidden and collects items like passwords, keystrokes and files and sends them to a third-party server for use in a future attack.
Ransomware | Malicious software that encrypts or deletes data and demands currency or proprietary information for its release.
IDS (Intrusion Detection System) | Analyses systems to determine whether an attacker has attacked, or is attempting to attack, assets within the network.
ADS (Anomaly Detection System) | Uses heuristics to determine whether malicious traffic or activity is hiding as normal traffic.
IT Hygiene | Proper use of IT controls and procedures to keep systems and users safe while conducting normal business. These include adhering to the principle of least privilege, logging, using synchronized time, etc.
Spam | Generally considered junk mail, but it has evolved from selling unwanted products and services to delivering malicious payloads.
Payload | Malicious software downloaded via a remote command, email attachment, web download or malicious browser script.
Phish (Phishing) | Attacks via email, often targeted, that impersonate another legitimate user to get the victim to release confidential information or assets or to execute a malicious payload.

Anatomy of Response

Figure: the incident response life cycle (credit: NIST SP 800-61r2, p. 21, Figure 3-1). The sections below follow its four phases: Preparation; Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Activity.

Preparation

Preventative measures are critical; without them the team spends all day responding to alerts. All good security plans take a multi-layered approach involving technical and non-technical controls:

  • Ensure next-generation adaptive firewalls are in place with current firmware, current definitions and aggregate log reporting.
  • Use aggressive email threat protection scanning for:
    • Spam
    • Malicious macros / files
    • Fraudulent links
    • Phishing attacks
  • Proper ACLs in the network design
  • Proper security controls in all systems, including but not limited to:
    • Active Directory
    • Local machine administration
  • End user training
    • It's critical: see something, say something
    • Teach what is legitimate and what isn't
  • Technical training
    • Response training
    • Enhanced troubleshooting and threat mitigation training

Communication Plans:

Communication plans should be ready to execute by the CIO, Director of IT or Applications Manager with the corresponding parties:

  • Ownership
  • Legal
  • Law Enforcement
  • Human Resources
  • Production Teams
  • Incident Response Teams
  • SOC Firm

Preventative measures

It is critical after an event to prevent re-infection. Apply the following procedure to every machine before it is returned to service:

  1. Educate the user.
    1. Send the internet security document to the user, copying their manager.
  2. Patch Windows fully via windowsupdate.com.
  3. Patch all Adobe products fully:
    1. Acrobat
    2. Flash (end of life since December 2020; remove it rather than patch it)
  4. Patch Java fully via java.com.
  5. Check for non-standard or unsafe software installed on the machine.
  6. Ensure SCCM / MDM / MAM is installed on the machine and receiving updates.
  7. Ensure the device is in the proper OU.
  8. Set the user's password to a strong password.

Detection & Analysis

Identify that an attack has occurred

There are many malicious programs, and they present in different forms. Some appear more malicious than others on the surface; however, every threat should be taken seriously, because a minor infection can be a distraction while another attack is occurring.

Signs of an infection:

  • Homepage search engine hijacking
  • Redirected to a different site without warning
  • Pop Ups
  • Crashes
  • Unfamiliar programs and toolbars
  • Slow computer online and offline
  • Browser won’t load pages or some pages, especially security pages
  • Scan results from approved tools (see Approved Tools below)

Identify type of attack

The first step in responding is understanding what attack has occurred. Be familiar with the types of attacks outlined above and use the Response Matrix below to select the procedure.

Containment Eradication & Recovery

Remediate according to type of attack

Response Matrix

Severity (1 = most critical) | Attack Type | Response Procedures
1 | Ransomware | Disconnect the device from the core network immediately or move it into a containment VLAN. Have the device shipped back to corporate for a forensic image. Reload the device from a brand-new image without connecting it to the network. Disable the computer account in Active Directory. Immediately notify Engineering. Change the user's password. Educate the user.
1 | Brute Force (successful) | Engage the SOC / cyber-security firm and identify the assets being targeted. Put together a game plan before changing items such as passwords. Complete Lessons Learned.
1 | Email Account Compromise | Reset the password (which kills the session). Remove mailbox delegates. Remove mail forwarding rules to external domains. Remove the global mail forwarding property on the mailbox. Enable MFA on the user's account. Set password complexity on the account to high. Enable mailbox auditing. Produce an audit log for the admin to review.
2 | Virus / Trojan (threat level High or Critical) | Quarantine the document. Grab a sample for analysis. Reimage the machine. Change the user's password. Educate the user.
2 | Rootkits | Quarantine the document. Notify Engineering. Grab a sample for analysis. Reimage the machine. Change the user's password. Educate the user.
2 | Worms | Quarantine the document. Notify Engineering. Grab a sample for analysis. Reimage the machine. Change the user's password. Educate the user.
2 | Scareware | Quarantine the document. Grab a sample for analysis. Remove. Update / patch the system. Change the user's password in all systems. Educate the user. Conduct an interview.
3 | Virus / Trojan (threat level Low to Medium) | Quarantine the document. Grab a sample for analysis. Remove. Update the system. Change the user's password. Educate the user.
3 | Spyware | Quarantine the document. Grab a sample for analysis. Remove. Update the system. Change the user's password in all systems. Educate the user.
3 | Adware | Quarantine the document. Grab a sample for analysis. Remove. Update / patch the system. Change the user's password in all systems. Educate the user.
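The Email Account Compromise row above is the one procedure in the matrix that is almost entirely administrative and therefore scriptable. The following is an added example written for this page, not the template's own "Email Lockdown Powershell" tool (whose location the page leaves as PATH). It assumes Exchange Online and Azure AD, with the ExchangeOnlineManagement, MSOnline and AzureAD modules installed and an admin already connected via Connect-ExchangeOnline, Connect-MsolService and Connect-AzureAD (the modules current when this post was written; Microsoft has since moved to Microsoft Graph PowerShell). The internal domain list and ticket path are placeholders.

```powershell
# Added example (not the template's own lockdown script). Assumes the
# ExchangeOnlineManagement, MSOnline and AzureAD modules and that
# Connect-ExchangeOnline, Connect-MsolService and Connect-AzureAD have been run.
param(
    [Parameter(Mandatory)] [string] $Upn,        # compromised user, e.g. jdoe@corp.example (placeholder)
    [Parameter(Mandatory)] [string] $TicketId,
    [string[]] $InternalDomains = @('corp.example', 'example.com')   # placeholder list
)
$OutDir = "C:\IR\$TicketId"    # placeholder ticket folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Reset the password to a random value and revoke refresh tokens. A password reset
#    alone does not always end active sessions (hybrid accounts in particular), so the
#    revocation is explicit. The password is shown once for out-of-band delivery and is
#    never written to the ticket folder.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes)
Set-MsolUserPassword -UserPrincipalName $Upn -NewPassword $newPassword -ForceChangePassword $true | Out-Null
Set-MsolUser -UserPrincipalName $Upn -StrongPasswordRequired $true
Revoke-AzureADUserAllRefreshToken -ObjectId $Upn
Write-Host "Deliver by phone/text/in person: $newPassword"

# 2. Remove delegates: FullAccess on the mailbox and SendAs on the recipient.
Get-MailboxPermission -Identity $Upn |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' } |
    ForEach-Object { Remove-MailboxPermission -Identity $Upn -User $_.User -AccessRights $_.AccessRights -Confirm:$false }
Get-RecipientPermission -Identity $Upn |
    Where-Object { $_.Trustee -notlike 'NT AUTHORITY\SELF' } |
    ForEach-Object { Remove-RecipientPermission -Identity $Upn -Trustee $_.Trustee -AccessRights SendAs -Confirm:$false }

# 3. Save every inbox rule as evidence, then remove rules that forward or redirect mail
#    to an external domain. Rules that silently delete mail are reported, not removed,
#    because users do create legitimate ones.
function Test-ExternalTarget([string[]] $Targets) {
    foreach ($t in $Targets) {
        # Targets render as '"Name" [SMTP:user@domain]' or a bare address; pull the domain.
        if ($t -match '@([A-Za-z0-9.-]+)') {
            if ($InternalDomains -notcontains $Matches[1].ToLower()) { return $true }
        }
    }
    return $false
}
$rules = Get-InboxRule -Mailbox $Upn
$rules | Select-Object Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, Description |
    ConvertTo-Json -Depth 4 | Set-Content (Join-Path $OutDir 'inbox-rules.json')
foreach ($rule in $rules) {
    $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo) |
        ForEach-Object { "$_" } | Where-Object { $_ }
    if (Test-ExternalTarget $targets) {
        Remove-InboxRule -Mailbox $Upn -Identity $rule.Identity -Confirm:$false
        Write-Host "Removed external forwarding rule: $($rule.Name)"
    } elseif ($rule.DeleteMessage) {
        Write-Host "REVIEW: rule '$($rule.Name)' deletes messages"
    }
}

# 4. Clear mailbox-level forwarding (the "global mail forwarding property"), recording it first.
Get-Mailbox -Identity $Upn |
    Select-Object ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward |
    ConvertTo-Json | Set-Content (Join-Path $OutDir 'mailbox-forwarding.json')
Set-Mailbox -Identity $Upn -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false

# 5. Require MFA (legacy per-user MFA setting).
$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = '*'
$mfa.State = 'Enabled'
Set-MsolUser -UserPrincipalName $Upn -StrongAuthenticationRequirements @($mfa)

# 6. Enable mailbox auditing and export the last 30 days of activity for the admin to review.
Set-Mailbox -Identity $Upn -AuditEnabled $true
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -UserIds $Upn -ResultSize 5000 |
    Select-Object CreationDate, RecordType, Operations, AuditData |
    Export-Csv (Join-Path $OutDir 'audit-log.csv') -NoTypeInformation
```

The rules and forwarding settings are written to the ticket folder before they are removed because they are the evidence of what the attacker did with the account; the audit log export is what the admin reviews for mail the attacker read or sent during the window.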

Core Response Actions

  1. Ensure there is an IT helpdesk ticket for documentation.
  2. Initiate a full scan with Malwarebytes and SCEP.
  3. Remove all non-standard or non-approved applications.
  4. Remove system restore points.
    1. Disable System Restore as well.
  5. Remove all temporary files.
  6. Patch Windows fully via windowsupdate.com and Software Center.
  7. Patch all Adobe products fully:
    1. Acrobat
    2. Flash (remove)
  8. Patch Java fully via java.com.
  9. Remove all non-approved users from local admins.
  10. Ensure SCCM / MDM / MAM is installed on the machine and receiving updates.
  11. Ensure the device is in the proper OU.
  12. Set the user's password to one that complies with the domain password policy. Change it in the local domain and in resource domains if necessary.
    1. Never email the password, place it in the ticket or otherwise document it. Communicate passwords to users via text message, in person or by voice.
  13. Destroy the burner account used, if applicable.
  14. Notify the end user and local leadership of the threat.
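The machine-side steps of the list above are repetitive and easy to get wrong under pressure, so the following added example (written for this page, not part of the original template) scripts them. It assumes elevated Windows PowerShell 5.1 on the affected endpoint with the RSAT ActiveDirectory module present; the ticket path, the approved-software and approved-admin lists and the expected OU are placeholders to be replaced with the organisation's own. Patching (steps 6 to 8) is left to Software Center and Windows Update and is not scripted.

```powershell
# Added example, not part of the original template. Assumes elevated Windows
# PowerShell 5.1 with the RSAT ActiveDirectory module; lists and paths are placeholders.
param(
    [Parameter(Mandatory)] [string] $TicketId,    # step 1: every action is logged under the ticket
    [Parameter(Mandatory)] [string] $UserName,    # affected domain user (sAMAccountName)
    [string] $ExpectedOU = 'OU=Workstations,DC=corp,DC=example'   # placeholder
)
$LogFile = "C:\IR\$TicketId\remediation.log"
New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
function Write-Log([string] $Message) {
    $line = "$(Get-Date -Format o) $Message"
    Add-Content -Path $LogFile -Value $line
    Write-Host $line
}
# Placeholder allow-lists (wildcards allowed); replace with the corporate standard.
$ApprovedSoftware = @('Microsoft Office*', 'Google Chrome', 'Adobe Acrobat*', '7-Zip*')
$ApprovedAdmins   = @("$env:COMPUTERNAME\Administrator", 'CORP\Domain Admins', 'CORP\Workstation Admins')

# 2. Refresh definitions and run a full scan with the built-in Defender/SCEP engine.
Update-MpSignature
Start-MpScan -ScanType FullScan
Write-Log 'Full Defender/SCEP scan finished'

# 3. List installed software that is not on the approved list. Removal is deliberate,
#    not automatic: confirm each hit against the ticket before uninstalling.
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Where-Object { $name = $_.DisplayName; -not ($ApprovedSoftware | Where-Object { $name -like $_ }) } |
    ForEach-Object { Write-Log "NON-STANDARD SOFTWARE: $($_.DisplayName) $($_.DisplayVersion)" }

# 4. Delete restore points (malware can persist in shadow copies) and disable System Restore.
vssadmin delete shadows /all /quiet | Out-Null
Disable-ComputerRestore -Drive 'C:\'
Write-Log 'Shadow copies deleted, System Restore disabled'

# 5. Clear the system temp folder and every profile's temp folder.
$tempDirs = @("$env:SystemRoot\Temp") +
            (Get-ChildItem 'C:\Users' -Directory | ForEach-Object { Join-Path $_.FullName 'AppData\Local\Temp' })
foreach ($dir in $tempDirs) {
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Recurse -Force -ErrorAction SilentlyContinue |
            Remove-Item -Recurse -Force -ErrorAction SilentlyContinue
    }
}
Write-Log 'Temporary files removed'

# 9. Strip anyone not on the approved list out of the local Administrators group.
Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $ApprovedAdmins -notcontains $_.Name } |
    ForEach-Object {
        Remove-LocalGroupMember -Group 'Administrators' -Member $_.Name
        Write-Log "Removed local admin: $($_.Name)"
    }

# 10. Confirm the SCCM client is installed and running.
$ccm = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
if (-not $ccm -or $ccm.Status -ne 'Running') { Write-Log 'WARNING: SCCM client (CcmExec) missing or stopped' }

# 11. Confirm the computer object is in the expected OU.
$computer = Get-ADComputer -Identity $env:COMPUTERNAME
if ($computer.DistinguishedName -notlike "*,$ExpectedOU") {
    Write-Log "WARNING: computer is in '$($computer.DistinguishedName)', expected under '$ExpectedOU'"
}

# 12. Reset the user's password to a random 32-character value (well beyond typical domain
#     complexity rules) and force a change at next logon. It is printed once for delivery
#     by text, voice or in person and is never written to the log or the ticket.
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$newPassword = [Convert]::ToBase64String($bytes)
Set-ADAccountPassword -Identity $UserName -Reset -NewPassword (ConvertTo-SecureString $newPassword -AsPlainText -Force)
Set-ADUser -Identity $UserName -ChangePasswordAtLogon $true
Write-Log "Password reset for $UserName (value delivered out of band)"
Write-Host "Deliver to user by text, voice or in person: $newPassword"
```

Run it once the machine is off the production network (or in the containment VLAN) and after the sample has been grabbed for analysis, since steps 4 and 5 destroy shadow copies and temp files that the Determine attack method section may still want.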

Determine attack method

This can be difficult, especially once the malicious item has been removed, but since most items are merely a nuisance we will not leave a compromised machine on the network for the sake of investigation. Collect the evidence below before or during removal:

  1. Get an extract of all the Windows Event Viewer logs.
    1. Attach the logs to the ticket.
  2. Interview the user and ask whether they have noticed any strange behaviour lately.
    1. Some questions to ask:
      1. Have they received any emails from people they don't know lately and clicked links or opened attachments in those emails?
      2. Have they seen any pop-ups or other items that look suspicious?
      3. Have they used any USB drives or other removable media lately?
      4. Are they aware of anyone else having issues like this?
      5. Have they let anyone remotely connect to their computer lately?
      6. Do they have any reason to believe someone has access to their password or their account?
  3. Quickly check the internet history for malicious sites or social networking.
  4. Look up one of the infected files on virustotal.com (by hash where the file may be sensitive, since uploaded files are visible to other VirusTotal users), pull a copy of the report and attach it to the ticket.
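Steps 1, 3 and 4 above are evidence collection, and the following added example (written for this page, not part of the original template) gathers them into the ticket folder in one pass. It assumes elevated Windows PowerShell 5.1 on the affected machine and a VirusTotal API key in the VT_API_KEY environment variable; the ticket path is a placeholder. The suspect file is looked up by hash only, because uploading it would share it with every other VirusTotal user.

```powershell
# Added example, not part of the original template. Assumes elevated Windows
# PowerShell 5.1 and a VirusTotal API key in $env:VT_API_KEY; paths are placeholders.
param(
    [Parameter(Mandatory)] [string] $TicketId,
    [Parameter(Mandatory)] [string] $SuspectFile,   # one of the infected/quarantined files
    [string] $OutDir = "C:\IR\$TicketId"            # placeholder ticket folder
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Export the event logs as .evtx (intact records for the SOC) plus a quick CSV of
#    everything at Warning level or worse from the last 7 days for the ticket.
$logNames = 'Security', 'System', 'Application',
            'Microsoft-Windows-Windows Defender/Operational',
            'Microsoft-Windows-PowerShell/Operational'
foreach ($logName in $logNames) {
    $file = Join-Path $OutDir (($logName -replace '[\\/ ]', '_') + '.evtx')
    wevtutil epl $logName $file
}
Get-WinEvent -FilterHashtable @{ LogName = 'System', 'Application'; Level = 1, 2, 3; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, LogName, ProviderName, Id, LevelDisplayName, Message |
    Export-Csv (Join-Path $OutDir 'recent-warnings.csv') -NoTypeInformation

# 3. Preserve browser history for every profile. The History files are SQLite databases
#    that the browser locks while open, so close browsers first; copy rather than parse,
#    and let the analyst review them offline.
foreach ($profile in Get-ChildItem 'C:\Users' -Directory) {
    $historyFiles = @{
        Chrome = Join-Path $profile.FullName 'AppData\Local\Google\Chrome\User Data\Default\History'
        Edge   = Join-Path $profile.FullName 'AppData\Local\Microsoft\Edge\User Data\Default\History'
    }
    foreach ($browser in $historyFiles.Keys) {
        if (Test-Path $historyFiles[$browser]) {
            Copy-Item $historyFiles[$browser] (Join-Path $OutDir "$($profile.Name)-$browser-History") -Force -ErrorAction Continue
        }
    }
}

# 4. Hash the suspect file, keep a copy as the sample, and query VirusTotal by hash
#    (VirusTotal API v3; a GET on the hash never uploads the file).
$sha256 = (Get-FileHash -Path $SuspectFile -Algorithm SHA256).Hash.ToLower()
Copy-Item $SuspectFile (Join-Path $OutDir "sample-$sha256.bin") -Force
try {
    $vt = Invoke-RestMethod -Method Get -Uri "https://www.virustotal.com/api/v3/files/$sha256" `
                            -Headers @{ 'x-apikey' = $env:VT_API_KEY }
    $stats = $vt.data.attributes.last_analysis_stats
    $report = [pscustomobject]@{
        File       = $SuspectFile
        SHA256     = $sha256
        Malicious  = $stats.malicious
        Suspicious = $stats.suspicious
        Undetected = $stats.undetected
        Harmless   = $stats.harmless
        Link       = "https://www.virustotal.com/gui/file/$sha256"
    }
} catch {
    # VirusTotal answers 404 for a hash it has never seen: a new or customised sample,
    # which is itself worth escalating rather than uploading.
    $report = [pscustomobject]@{
        File   = $SuspectFile
        SHA256 = $sha256
        Result = "Not found on VirusTotal ($($_.Exception.Message)); escalate the sample to the SOC"
    }
}
$report | ConvertTo-Json | Set-Content (Join-Path $OutDir 'virustotal-report.json')
$report
```

The .evtx exports and the sample copy are what the SOC needs for forensics; the CSV and the VirusTotal JSON are the artefacts that go into the helpdesk ticket. A hash unknown to VirusTotal is not evidence that the file is clean.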

Post Incident Activity

It is critical after an event to prevent re-infection. Follow this procedure:

  1. Educate the user.
    1. Send the internet security document to the user, copying their manager.
  2. Complete Lessons Learned documentation for severity 1 and 2 events.
  3. Discuss at change control, or with IT leadership, any changes to day-to-day protocols that need to be addressed to mitigate threats going forward.

Educate – Learn – Adapt

It is crucial that we perform a post-mortem on all major incidents and update our defenses, training and response plan. Link to the IT Lessons learned

Approved Tools:

Tool Name | Use Type | Location
Farbar | Detection | https://support.malwarebytes.com/docs/DOC-1318
VirusTotal | Analysis | https://www.virustotal.com/
MBAM Rootkit | Eradication | https://support.malwarebytes.com/docs/DOC-1089
Microsoft Definitions | Preparation / Eradication | https://www.microsoft.com/en-us/wdsi/definitions
Microsoft Teams | Communication | https://teams.microsoft.com
Burner Accounts | Eradication | Contact IT Engineering
Forensic Images | Analysis | Contact SOC
Evidence Collection | Analysis | Contact SOC
Documentation | Preparation / Detection / Analysis / Eradication | 
Contact Information | Preparation / Detection / Analysis / Eradication | Outlook contact cards, pre-shared by Engineering
SOC Client Policy Matrix | Eradication | PATH
Email Lockdown PowerShell | Eradication | PATH
MxToolbox | Analysis | http://www.mxtoolbox.com