SECURITY INCIDENT RESPONSE
SECURITY INCIDENT RESPONSE
Document Scope:
This document is intended to define the specific actions and response for security related events that include viruses and malware and other identified security risks.
This should act as a blueprint for actions in times of crisis and be taught, tested and validated on a regular basis.
Organizational Structure and Roles:
| Role | Responsibility |
| Ownership | Shareholders of the various entities that we support. |
| CIO | Chief Information Officer, communicates with the business and ownership regarding incident. |
| Director of IT | Communicate with the business, coordinates response efforts with outside parties and technical assets. |
| Application Manager | Communicate with the business, coordinates response efforts with software vendors. |
| IT Engineering | Engineers responsible for architecting proper security protocols and ensuring adoption and compliance at a technical level. |
| Support Desk | Front line helpdesk personnel that will be crucial in early detection and preventing spread. |
| Vendors | Third party providers of software, hardware or services useful in an incident response. |
| SOC | Official Security Operations Center for the company and our subsidiary affiliates. Perimeter prevention, IDS, ADS and forensic response. |
Key Terms
| Term | Definition |
| C&C, CC, C and C | Command and Control is a server that malware or other threats will call back to get instructions and payloads to download. |
| Malware | Unwanted software that is installed on a system that collects information, calls home to a command and control server or other forms of malicious activity. |
| Virus | Software that causes destruction of data, creates a denial of service, attempts to replicate or cause harm to the computer systems, network or data. |
| Root Kit | A specific type of virus that overlays on top of the operating system fully integrating with the OS and not just acting as a third-party application or virus. |
| Scareware | Generally, a pop up add on a site that has been hijacked threating the user to call or click some action giving a remote attacker full access to the asset in question. |
| Worms | Rapidly spreading malicious software that will crawl the network and attack resources once inside. |
| Trojans | Malicious software that embeds itself inside the windows operating system allowing it to download additional payloads or overtake the operating system. These generally present as freeware or shareware to get a user to install. |
| Adaware | Annoying software that will display pop-ups, ads or collect information about your system in exchange for money from third parties. |
| Spyware | Malicious software that secretly lays low and collects items like passwords, key strokes and files and sends to a third-party server to be used in a future attack. |
| Ransomware | Malicious software that encrypts or deletes data in exchange for currency or proprietary information for its release. |
| IDS (Intrusion detection system) | Analyses systems to determine if an attacker has or is attempting to attack assets within the network. |
| ADS (Anomaly detection system) | Uses heuristics to determine if malicious traffic or activity is hiding as normal traffic. |
| IT Hygiene | Proper use of IT controls and procedures to ensure that systems and users are safe while conducting normal business activities. These would include adhering to privileges of least access, logging, using synchronized time, etc… |
| Spam | Generally considered junk mail, however has evolved to more than selling unwanted products and services to delivering malicious payload. |
| Payload | Malicious software that is downloaded via a remote command, email attachment, web download or malicious script via browsers. |
| Phish (Phishing) | Targeted attacks via email to get a user to release confidential information, assets or execute malicious payload perpetrating as another legit user. |
Anatomy of Response
Credit Nist 800-61r2 pg 21 Figure 3.1
Preparation
Preventative measures are critical to avoid responding to alerts all day long. All good security plans require a multi layered approach to security involving technical and non-technical responses:
- Ensure next generation adaptive firewalls are in place with current firmware, current definitions and aggregate log reporting.
- Use of aggressive email threat protection scanning for:
- Spam
- Malicious macros / files
- Fraudulent links
- Phishing attacks
- Proper ACL’s in network design
- Proper security controls in all systems such as, not limited to:
- Active Directory
- Local Machine administration
- End user Training
- Its critical: see something, say something
- Teach what is legit and what isn’t
- Technical Training
- Response training
- Enhanced troubleshooting and threat mitigation training
Communication Plans:
Communication plans should be ready to execute by the CIO, Director of IT or Applications Manager with the corresponding parties:
- Ownership
- Legal
- Law Enforcement
- Human Resources
- Production Teams
- Incident Response Teams
- SOC Firm
Preventative measures
It is critical after an event to ensure prevention against re-infection. Follow the following procedures to prevent re-infection.
- Educate the user.
- Send the internet security document to the user, copying their manager.
- Patch windows fully via windowsupdate.com
- Patch all adobe products fully:
- Acrobat
- Flash
- Patch Java fully via java.com
- Check for non-standard or unsafe software installed on the machine
- Ensure SCCM / MDM / MAM is installed on the machine and receiving updates
- Ensure device is in the proper OU.
- Set the users password to a strong password.
Detection & Analysis
Identify attack has occurred
There are lots of malicious programs out there that present in various different forms. Some of them appear to be more malicious than others on the surface. However, all threats should be taken seriously as they can be a distraction while another attack is occurring.
Signs of an infection:
- Homepage search engine hijacking
- Redirected to a different site without warning
- Pop Ups
- Crashes
- Unfamiliar programs and toolbars
- Slow computer online and offline
- Browser won’t load pages or some pages, especially security pages
- Scan results from credited tools
Identify type of attack
The first item in responding is understanding what attack has occurred. Be familiar with the types of attacks outline above
Containment Eradication & Recovery
Remediate according to type of attack
Response Matrix
| Severity | Attack Type | Response Procedures |
| 1 | Ransomware | Disconnect from the core network immediately or move into a containment VLAN. Have device shipped back to corporate for an image. Have device reloaded from brand new image without connecting to network. Disable computers account in Active Directory Immediately notify Engineering. Change user’s password. Educate user. |
| 3 | Virus / Trojan threat level low to Medium | Quarantine document Grab sample for anaylsis Remove update system Change user’s password. Educate user. |
| 2 | Virus / Trojan threat level High or Critical | Quarantine document Grab sample for anaylsis Reimage machine Change user’s password. Educate user. |
| 3 | Spyware | Quarantine document Grab sample for anaylsis Remove update system Change user’s password in all systems. Educate User. |
| 3 | Adaware | Quarantine document Grab sample for anaylsis Remove Update / Patch system Change user’s password in all systems. Educate User. |
| 2 | Rootkits | Quarantine document Notify Engineering Grab sample for anaylsis Reimage machine Change user’s password. Educate user. |
| 2 | Worms | Quarantine document Notify Engineering Grab sample for anaylsis Reimage machine Change user’s password. Educate user. |
| 1 | Brute Force (successful) | Engage SOC Cyber Security firm, Identify assets being targeted Put together game plan before changing items such as passwords. Lessons Learned |
| 2 | Scareware | Quarantine document Grab sample for anaylsis Remove Update / Patch system Change user’s password in all systems. Educate User. Conduct Interview. |
| 1 | Email Account Compromise | Reset password (which kills the session). Remove mailbox delegates. Remove mail forwarding rules to external domains. Remove global mail forwarding property on mailbox. Enable MFA on the user’s account. Set password complexity on the account to be high. Enable mailbox auditing. Produce Audit Log for the admin to review. |
Core Response Actions
- Ensure there is an IT helpdesk ticket for documentation.
- Initiate full scan with Malware Bytes and SCEP.
- Remove all non-standard or non-approved applications.
- Remove system restore points
- Disable system restore as well
- Remove all temporary files
- Patch windows fully via windowsupdate.com and software center.
- Patch all adobe products fully:
- Acrobat
- Flash (remove)
- Patch Java fully via java.com.
- Remove all non-approved users from local admins.
- Ensure SCCM / MDM / MAM is installed on the machine and receiving updates.
- Ensure device is in the proper OU.
- Set the users password to something in accordance with the Domain password policy. Ensure to change local domain and resource domains if necessary.
- Never email password, place in ticket or otherwise document. Passwords to users should be communicated via text message, in person or voice.
- Destroy burner account used if applicable.
- Notify end user and local leadership of threat.
Determine attack method
This can be difficult, especially with the item being removed, but given most items are a just annoying, we will not jeopardize the network security for investigation.
- Get an extract of all the windows event viewer logs.
- Attach logs to the ticket.
- Interview the user and see if they noticed any strange behavior lately.
- Some questions to ask:
- Have they received any emails from people they don’t know lately and clicked links or opened attachments in those emails?
- Have they seen any pop ups or other items that look suspicious?
- Have they used any USB drives or other removable media lately?
- Are they aware of anyone else having issues like this?
- Have they let anyone remote connect into their computer lately?
- Do they have any reason to believe someone has access to their password or their account?
- Some questions to ask:
- Quickly check internet history, check for malicious sites or social networking.
- Run virustotal.com on one of the infected files, pull a copy of the report and attach to the ticket.
Post Incident Activity
It is critical after an event to ensure prevention against re-infection. Follow the following procedures to prevent re-infection.
- Educate the user.
- Send the internet security document to the user, copying their manager.
- Complete Lessons learned documentation for severity 1 and 2 events.
- Discuss at change control or with IT leadership any changes in day to day protocols that need addressed to mitigate threats going forward.
Educate – Learn – Adapt
It is crucial that we perform a post mortem on all major incidents and update our defenses, training and response plan. Link to the IT Lessons learned
Approved Tools:
| Tool Name | Use Type | Location |
| Farbar | Detection | https://support.malwarebytes.com/docs/DOC-1318 |
| VirusTotal | Analysis | https://www.virustotal.com/ |
| MBam Rootkit | Eradication | https://support.malwarebytes.com/docs/DOC-1089 |
| Microsoft Definitions | Preparation / Eradication | https://www.microsoft.com/en-us/wdsi/definitions |
| Microsoft Teams | Communication | https://teams.microsoft.com |
| Burner Accounts | Eradication | Contact IT Engineering |
| Forensic Images | Analysis | Contact SOC |
| Evidence Collection | Analysis | Contact SOC |
| Documentation | Preparation / Detection / Analysis / Eradication | |
| Contact Information | Preparation / Detection / Analysis / Eradication | Outlook Contact cards – pre-shared by Engineering |
| SOC Client Policy Matrix | Eradication | PATH |
| Email Lockdown Powershell | Eradication | PATH |
| MxToolbox | Analysis | http://www.mxtoolbox.com |