Workflow
- Execute Response Actions step by step. Some of them are directly connected, which means you will not be able to move forward without finishing the previous step. Some of them are redundant, such as those related to blocking a threat using network filtering systems (containment stage)
- Start executing the containment and eradication stages concurrently with the next identification steps, as soon as you receive information about malicious hosts
- If the phishing led to code execution or remote access to a victim host, immediately start executing the Generic Post Exploitation Incident Response Playbook
- Save all timestamps of implemented actions in the Incident Report draft on the fly; it will save a lot of time
Preparation
Practice in the real environment. Sharpen Response Actions within your organization
Make sure that most of the Response Actions have been performed in an internal exercise by your Incident Response Team.
You need to make sure that when an Incident happens, the team will not just try to follow playbooks they are seeing for the first time in their lives, but will be able to quickly execute the actual steps in your environment, e.g. blocking an IP address or a domain name.
Take training courses to gain relevant knowledge
We do not rise to the level of our expectations. We fall to the level of our training.
Here are some relevant training courses that will help you in the Incident Response activities:
- Investigation Theory by Chris Sanders. We recommend making it a mandatory training for every member of your Incident Response team
- Offensive Security trainings. We recommend PWK to begin with
- SANS Digital Forensics & Incident Response trainings
Offensive Security trainings are in the list because to fight a threat, you need to understand the adversary's motivation, tactics, and techniques.
At the same time, we assume that you already have a strong technical background in fundamental disciplines — Networking, Operating Systems, and Programming.
Make sure that personnel will report suspicious activity, i.e. suspicious emails, links, files, activity on their computers, etc.
Develop a simplified, company-wide-known way to contact the IR team in case of suspicious activity on a user system.
Make sure that the personnel are aware of it, and can and will use it.
Raise personnel awareness regarding phishing, ransomware, social engineering, and other attacks that involve user interaction
Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
Make sure you have access to external communication Network Flow logs
Make sure that there is a collection of Network Flow logs for external communication (from corporate assets to the Internet) configured.
If there is no option to configure it on a network device, you can install special software on each endpoint and collect the logs from there.
Warning:
- There is a feature called "NetFlow Sampling" that eliminates the value of Network Flow logs for some tasks, such as "check if some host communicated with an external IP". Make sure it is disabled, or that you have an alternative way to collect Network Flow logs
Make sure you have access to external communication HTTP logs
Make sure that there is a collection of HTTP connections logs for external communication (from corporate assets to the Internet) configured.
Make sure you have access to external communication DNS logs
Make sure that there is a collection of DNS logs for external communication (from corporate assets to the Internet) configured.
If there is no option to configure it on a network device/DNS server, you can install special software on each endpoint and collect the logs from there.
Warning:
- Make sure that both DNS query and answer logs are collected. It's quite hard to configure such a collection on MS Windows DNS Server and ISC BIND. Sometimes it is much easier to use 3rd-party solutions to fulfill this requirement.
- Make sure that DNS traffic to external (public) DNS servers is blocked by the Border Firewall. This way, the corporate DNS servers are the only place where assets can resolve domain names.
Make sure you have the ability to block an external IP address from being accessed by corporate assets
Make sure you have the ability to create a policy rule in one of the listed Mitigation Systems that will allow you to block an external IP address from being accessed by corporate assets.
Warning:
- Make sure that, using the listed systems (one or multiple), you can control internet access for all assets in the infrastructure. In some cases, you will need a guaranteed way to block an external IP address from being accessed by corporate assets completely. If some assets are not under the management of the listed Mitigation Systems (so they can access the internet bypassing these systems), you will not be able to fully achieve the final objective of this Response Action.
Make sure you have the ability to block an external domain name from being accessed by corporate assets
Make sure you have the ability to create a policy rule or a specific configuration in one of the listed Mitigation Systems that will allow you to block an external domain name from being accessed by corporate assets.
Warning:
- Make sure that, using the listed systems (one or multiple), you can control internet access for all assets in the infrastructure. In some cases, you will need a guaranteed way to block an external domain name from being accessed by corporate assets completely. If some assets are not under the management of the listed Mitigation Systems (so they can access the internet bypassing these systems), you will not be able to fully achieve the final objective of this Response Action.
Make sure you have the ability to block an external URL from being accessed by corporate assets
Make sure you have the ability to create a policy rule or a specific configuration in one of the listed Mitigation Systems that will allow you to block an external URL from being accessed by corporate assets.
Warning:
- Make sure that, using the listed systems (one or multiple), you can control internet access for all assets in the infrastructure. In some cases, you will need a guaranteed way to block an external URL from being accessed by corporate assets completely. If some assets are not under the management of the listed Mitigation Systems (so they can access the internet bypassing these systems), you will not be able to fully achieve the final objective of this Response Action.
Make sure you have the ability to list users who opened a particular email message
Make sure you have the ability to list users who opened/read a particular email message using the Email Server's functionality.
Make sure you have the ability to list receivers of a particular email message
Make sure you have the ability to list receivers of a particular email message using the Email Server's functionality.
Make sure you have the ability to block an email domain
Make sure you have the ability to block an email domain on an Email Server using its native filtering functionality.
Make sure you have the ability to block an email sender
Make sure you have the ability to block an email sender on an Email Server using its native filtering functionality.
Make sure you have the ability to delete an email message
Make sure you have the ability to delete an email message from an Email Server and users' email boxes using its native functionality.
Make sure you have the ability to quarantine an email message
Make sure you have the ability to quarantine an email message on an Email Server using its native functionality.
Identification
Put (potentially) compromised accounts on monitoring
Start monitoring for authentication attempts and all potentially harmful actions from (potentially) compromised accounts.
Look for anomalies: unusual network connections, unusual geolocation or working hours, actions that were never executed before.
Keep in touch with the real users and, if needed, ask them whether they executed the suspicious actions themselves or not.
List hosts that communicated with an external domain
List hosts that communicated with an external domain, using the most efficient way available.
List hosts that communicated with an external IP address
List hosts that communicated with an external IP address, using the most efficient way available.
List hosts that communicated with an external URL
List hosts that communicated with an external URL, using the most efficient way available.
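The three "List hosts" actions above are the same question asked of three log sources: DNS logs answer the domain case, HTTP (proxy) logs answer the URL case, and Network Flow logs answer the IP case. The following is an added example, not part of the playbook, that runs those lookups over constructed DNS, proxy and flow log lines (the log formats, field names and all addresses are assumptions made for the example):

```python
"""Added example (not part of the playbook): find internal hosts that talked to a given
external domain, IP address or URL by scanning constructed DNS, proxy and flow logs."""
import re
from urllib.parse import urlparse

# Constructed sample log lines; the formats are assumptions, not a specific vendor's.
DNS_LOG = """\
2024-03-01T09:12:01Z client=10.0.1.15 query=login-secure-portal.example A answer=203.0.113.7
2024-03-01T09:12:05Z client=10.0.1.22 query=cdn.example A answer=198.51.100.9
2024-03-01T09:14:30Z client=10.0.2.40 query=login-secure-portal.example A answer=203.0.113.7
"""
PROXY_LOG = """\
2024-03-01T09:12:02Z 10.0.1.15 GET http://login-secure-portal.example/verify/index.php 200
2024-03-01T09:12:06Z 10.0.1.22 GET https://cdn.example/lib.js 200
2024-03-01T09:15:00Z 10.0.3.8 GET http://login-secure-portal.example/verify/index.php 200
"""
FLOW_LOG = """\
2024-03-01T09:12:02Z src=10.0.1.15 dst=203.0.113.7 dport=80 bytes=1432
2024-03-01T09:12:06Z src=10.0.1.22 dst=198.51.100.9 dport=443 bytes=53211
2024-03-01T09:20:11Z src=10.0.4.9 dst=203.0.113.7 dport=80 bytes=980
"""

DNS_RE = re.compile(r"client=(\S+) query=(\S+) \S+ answer=(\S+)")
PROXY_RE = re.compile(r"^\S+ (\S+) \S+ (\S+)")   # timestamp client method url ...
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+)")


def hosts_for_domain(domain, dns_log=DNS_LOG, proxy_log=PROXY_LOG):
    """Client IPs that resolved the domain (DNS log) or fetched a URL on it (proxy log)."""
    domain = domain.lower().rstrip(".")
    hosts = set()
    for line in dns_log.splitlines():
        m = DNS_RE.search(line)
        if m and m.group(2).lower().rstrip(".") == domain:
            hosts.add(m.group(1))
    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if m and (urlparse(m.group(2)).hostname or "").lower() == domain:
            hosts.add(m.group(1))
    return sorted(hosts)


def hosts_for_ip(ip, flow_log=FLOW_LOG, dns_log=DNS_LOG):
    """Client IPs that connected to the IP (flow log) or received it as a DNS answer.
    The DNS side matters when flow collection is sampled and may have missed the session."""
    hosts = set()
    for line in flow_log.splitlines():
        m = FLOW_RE.search(line)
        if m and m.group(2) == ip:
            hosts.add(m.group(1))
    for line in dns_log.splitlines():
        m = DNS_RE.search(line)
        if m and m.group(3) == ip:
            hosts.add(m.group(1))
    return sorted(hosts)


def hosts_for_url(url, proxy_log=PROXY_LOG):
    """Client IPs that requested this exact URL (scheme, host and path compared; query ignored)."""
    want = urlparse(url)
    key = (want.scheme.lower(), (want.hostname or "").lower(), want.path or "/")
    hosts = set()
    for line in proxy_log.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue
        seen = urlparse(m.group(2))
        if (seen.scheme.lower(), (seen.hostname or "").lower(), seen.path or "/") == key:
            hosts.add(m.group(1))
    return sorted(hosts)


if __name__ == "__main__":
    print(hosts_for_domain("login-secure-portal.example"))
    print(hosts_for_ip("203.0.113.7"))
    print(hosts_for_url("http://login-secure-portal.example/verify/index.php"))
```

Each lookup deliberately consults a second source where one exists: a host that resolved the malicious domain but shows no proxy hit, or that received the IP as a DNS answer but has no flow record, still belongs on the list of hosts to put under monitoring, because flow sampling and proxy bypass can both hide the actual connection.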
List users that have opened an email message
List users who opened/read a particular email message using the Email Server's functionality.
Collect an email message
Collect an email message using the most appropriate option:
- Email Team/Email server: if there is such an option
- The person that reported the attack (if it wasn't detected automatically or reported by victims)
- Victims: if they reported the attack
- Following the local computer forensic evidence collection procedure, if the situation requires it
Ask for the email in .EML format. Instructions:
- Drag and drop the email from the email client to the Desktop
- Archive it with the password "infected" and send it to the IR specialists by email
List receivers of a particular email message
List receivers of a particular email message using the Email Server's functionality.
Make sure that an email message is a phishing attack
Check the email and its metadata for evidence of a phishing attack:
- Impersonation attempts: the sender is trying to identify himself as somebody he is not
- Suspicious requests or offers: download an "invoice", click on a link to something important, etc.
- Psychological manipulation: invoking a sense of urgency or fear is a common phishing tactic
- Spelling mistakes: legitimate messages usually don't have spelling mistakes or poor grammar
Explore the references of the article to familiarise yourself with the history of phishing attacks and examples.
Extract observables from an email message
Extract the data for further response steps:
- attachments (using the munpack tool: munpack email.eml)
- from, to, cc
- subject of the email
- received servers path
- list of URLs from the text content of the mail body and attachments
This Response Action could be automated with TheHive EmlParser.
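The phishing checklist above and the observable list in this step can both be worked from the .EML file collected earlier. The following is an added example, not the playbook's code and not TheHive's EmlParser: it parses a constructed message with Python's standard email package, returns the observables the step lists (URLs are taken from text parts only; attachments would need format-specific parsing), and applies a few heuristics that mirror the checklist. The sample message, the keyword list and the attachment-name pattern are constructed for the example.

```python
"""Added example, not from the playbook: parse a .EML file with Python's standard
email package, extract the listed observables, and flag basic phishing indicators."""
import re
from email import policy
from email.parser import BytesParser

# Constructed sample: spoofed display name, foreign Reply-To, urgent subject,
# a credential-harvesting style link and an "invoice" attachment.
SAMPLE_EML = b"""\
Received: from mail.corp.example (mail.corp.example [192.0.2.10])
\tby mx.corp.example with ESMTP id abc123; Fri, 01 Mar 2024 09:10:00 +0000
Received: from bulk-sender.example (unknown [203.0.113.7])
\tby mail.corp.example with ESMTP; Fri, 01 Mar 2024 09:09:58 +0000
From: "IT Helpdesk <helpdesk@corp.example>" <alerts@bulk-sender.example>
Reply-To: recover@login-secure-portal.example
To: alice@corp.example
Cc: bob@corp.example
Subject: URGENT: your mailbox will be suspended today
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your mailbox is over quota and will be suspended in 2 hours.
Verify immediately at http://login-secure-portal.example/verify/index.php
or open the attached invoice.
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKJeLjz9MK
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+")
# Constructed heuristics; tune them to the lures your organisation actually sees.
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify")
LURE_ATTACHMENTS = re.compile(r"invoice|payment|receipt", re.IGNORECASE)


def parse_eml(raw: bytes):
    """Parse raw RFC 5322 bytes into an EmailMessage (policy.default gives the modern API)."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def _text_parts(msg):
    return [p.get_content() for p in msg.walk() if p.get_content_type() == "text/plain"]


def extract_observables(raw: bytes) -> dict:
    """Fields the 'Extract observables from an email message' step asks for."""
    msg = parse_eml(raw)
    hdr = lambda name: str(msg[name]) if msg[name] is not None else None
    attachments = [p.get_filename() for p in msg.walk() if p.is_attachment()]
    # Received headers are in header order: the top one is the last hop (our MX),
    # the bottom one is the hop closest to the real origin.
    received_from = []
    for hop in msg.get_all("Received", []):
        m = re.match(r"from (\S+)", str(hop))
        if m:
            received_from.append(m.group(1))
    return {
        "from": hdr("From"),
        "reply_to": hdr("Reply-To"),
        "to": hdr("To"),
        "cc": hdr("Cc"),
        "subject": hdr("Subject"),
        "received_from": received_from,
        "attachments": attachments,
        "urls": sorted(set(URL_RE.findall("\n".join(_text_parts(msg))))),
    }


def phishing_indicators(raw: bytes) -> list:
    """Heuristics mirroring the playbook's checklist; returns the indicator names found."""
    msg = parse_eml(raw)
    found = []
    sender = msg["From"].addresses[0]
    # Impersonation: an address inside the display name whose domain is not the real From domain.
    for fake in EMAIL_RE.findall(sender.display_name):
        if fake.rsplit("@", 1)[1].lower() != sender.domain.lower():
            found.append("display name impersonates another domain")
            break
    if msg["Reply-To"] is not None:
        reply = msg["Reply-To"].addresses[0]
        if reply.domain.lower() != sender.domain.lower():
            found.append("Reply-To domain differs from From domain")
    haystack = (str(msg["Subject"] or "") + "\n" + "\n".join(_text_parts(msg))).lower()
    if any(w in haystack for w in URGENCY_WORDS):
        found.append("urgency or fear language")
    if any(LURE_ATTACHMENTS.search(p.get_filename() or "") for p in msg.walk() if p.is_attachment()):
        found.append("attachment named like a lure document")
    return found


if __name__ == "__main__":
    for key, value in extract_observables(SAMPLE_EML).items():
        print(f"{key}: {value}")
    print("indicators:", phishing_indicators(SAMPLE_EML))
```

The observables returned here (sender domain, Reply-To domain, the hop closest to the origin in the Received path, the URL and the attachment name) are exactly the values the containment steps below need as input for the email-server and network blocks, so it is worth recording them in the Incident Report draft as soon as they are extracted.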
Containment
Block an external IP address from being accessed by corporate assets
Block an external IP address from being accessed by corporate assets, using the most efficient way.
Warning:
- Be careful when blocking IP addresses. Make sure it's not a cloud provider or a hoster. If you would like to block something hosted on a well-known cloud provider's or a big hoster's IP address, you should block (if applicable) the specific URL using the alternative Response Action
Block an external domain name from being accessed by corporate assets
Block an external domain name from being accessed by corporate assets, using the most efficient way.
Warning:
- Be careful when blocking domain names. Make sure it's not a cloud provider or a hoster. If you would like to block something hosted on a well-known cloud provider's or a big hoster's domain, you should block (if applicable) the specific URL using the alternative Response Action
Block an external URL from being accessed by corporate assets
Block an external URL from being accessed by corporate assets, using the most efficient way.
Block a domain name on an Email server
Block a domain name on an Email Server using its native filtering functionality.
Block an email sender on the Email-server
Block an email sender on an Email Server using its native filtering functionality.
Quarantine an email message
Quarantine an email message on an Email Server using its native functionality.
Eradication
Report incident to external companies
Report the incident to external security companies, e.g. National Computer Security Incident Response Teams (CSIRTs).
Provide all Indicators of Compromise and Indicators of Attack that have been observed.
A phishing attack could be reported to:
- National Computer Security Incident Response Teams (CSIRTs)
- U.S. government-operated website
- Anti-Phishing Working Group (APWG)
- Google Safe Browsing
- The FBI's Internet Crime Complaint Center (IC3)
This Response Action could be automated with TheHive and MISP integration.
Delete an email message from an Email Server and users' email boxes
Delete an email message from an Email Server and users' email boxes using its native functionality.
Recovery
Unblock a blocked IP address
Unblock a blocked IP address in the system(s) used to block it.
Unblock a blocked domain name
Unblock a blocked domain name in the system(s) used to block it.
Unblock a blocked URL
Unblock a blocked URL in the system(s) used to block it.
Unblock a domain on email
Unblock an email domain on an Email Server using its native functionality.
Unblock a sender on email
Unblock an email sender on an Email Server using its native functionality.
Restore a quarantined email message
Restore a quarantined email message on an Email Server using its native functionality.
Lessons learned
Develop the incident report
Develop the Incident Report using your corporate template.
It should include:
- Executive Summary with a short description of damage, actions taken, root cause, and key metrics (Time To Detect, Time To Respond, Time To Recover etc)
- Detailed timeline of adversary actions mapped to ATT&CK tactics (you can use the Kill Chain, but most probably most of the actions will be in Actions On Objective stage, which is not very representative and useful)
- Detailed timeline of actions taken by Incident Response Team
- Root Cause Analysis and Recommendations for improvements based on its conclusion
- List of specialists involved in Incident Response with their roles
Conduct Lessons Learned exercise
The Lessons Learned phase evaluates the team's performance through each step.
The goal of the phase is to discover how to improve the incident response process.
You need to answer some basic questions, using the developed incident report:
- What happened?
- What did we do well?
- What could we have done better?
- What will we do differently next time?
The incident report is the key to improvements.