The task of an Incident response, when a computer incident occurs, could be complicated, especially at the stage of determining if it is an actual incident or not. As so many factors must be looked at from various perspectives, before labeling an occurrence to be an Incident.
Upon discovering that it is an actual incidence that has occurred, the incident response team has a goal in mind.
These goals can be classified into three:
- Effectively eradicating the threat from the organizations computing infrastructure.
- Minimizing the impact (damages, destruction etc.), that such incident must have created.
- Swiftly, restoring business operations and activities of the organization, back to normalcy.
To be able to attain such goals, two activities are to be carried out by the Incident Response Team. They are:
A. Investigation (Investigate).
B. Remediation (Restoration of Service).
A. INVESTIGATION:
Whenever there is a catastrophe, or infrastructure failure something certainly triggers it, or would have been the cause. While the reason for such an incident cannot be determined immediately, a proper investigation over time reveals every necessary information’s needed to proceed further with the investigation.
What is Investigation?
“Investigation in computer forensics, is the application of tools, information, techniques, and methods in dissecting, and analyzing the evidence gathered from the computer incident crime scene, with the intent to obtain facts, identify information’s about the perpetrator of such crime, and drawing conclusions to your findings.” – Fixitgearware Security
During an investigation, the key activities carried out by the Incident Responder are:
- Determining the initial attack vector.
- Discovering the malware, and various tools used in the attack.
- Isolating and determining what computer systems were impacted during the incident.
- Determining the level of damage caused (what was the threat actor able to achieve).
- Accessing the incident, to ascertain if it is still persistent or not.
- Document time of incident occurrence.
To understand these various components, let’s explain further.
Determining The Initial Attack Vector:
This involves discovering what component was used to gain an initial foothold in the organization network. This may include questions such as:
- Was it a vulnerable component that was exploited e.g. older versions of software’s, servers, etc.?
- Did the threat actor use a social engineering attack, to exploit one of the organizations team?
- Or did a trusted vendor install a backdoor they are not aware of, and this backdoor was taken advantage of, by the threat actor.
- Is it a disgruntled worker, insider attack?
- Did a weak security configuration lead to the exploitation?
These are a few pieces of information’s, looked out for when trying to determine the initial attack vector, during the investigation phase.
Discovering The Malware, and various Tools used in the Attack:
During this phase, the incident response team is trying to determine the level of the malware that was used in conducting such an attack, and the tools used. This leads to questions such as:
- Is the malware a virus, rootkit, or worm? Worms are known to propagate across a network, and do not require users’ interaction. Which makes it very damaging to a network.
- What are the tools used in making these malwares? This is where the expertise of a malware investigator would be required, to determine what methods the malware code was obfuscated or encoded in.
- In addition, understanding the programming language the malware is coded on, is essential as well.
Isolating and Determining What Computer Systems were Impacted During the Incident:
The various computers affected are isolated from the network, to protect other computers and resources on the network. The systems discovered to be impacted by the attack, becomes the core focus of the Incidence Response team. What could these systems be?
- Printers, desktop computer, laptop computers.
- Was it a server, or Firewall that was impacted? Assuming the firewall configuration wasn’t properly implemented; hence it becomes part of the devices or systems impacted and, to be isolated for investigation.
Determining The Level of Damage Caused (what the threat actor was able to achieve):
Threat actors who compromise high profile organizations have many goals in mind, but the motivation that trumps the list over the years of recurring cyber-attack, is always data exfiltration. During this stage of determining the level of damage, certain information should be looked at, which may lead to asking questions such as:
- What are the data’s stolen? Are they sensitive, classified, or just normal data that has no implications?
- Was the organization server permanently damaged? Incidents such as DDOS are capable of such wreckage.
- Is the server encrypted by a malware known as ransomware etc.? rendering information’s inaccessible.
These and many more are examples of possible damage that could be caused during a cyber incident or attack.
Accessing the Incident, to Ascertain If It is Still Persistent or Not:
Being familiar with the techniques of a Red-Teamer or Offensive Security expert, certainly the term post exploitation rings a bell. Threat actors are known to create backdoors through the installation of vulnerable software’s, scheduling cron jobs (usually good for keyloggers that transmits each keystrokes the administrator enters to a remote server belonging to the threat actor), and many other methods.
These various techniques are used during the post exploitation phase to keep the incident persistent. However, these are not tied to just these methods, resulting to questions to be asked during this phase:
- If it was malware, is the malware polymorphic in nature, and still on the network?
- Is there a scheduled Job created, to download new file updates from the attacker’s server, at specific times?
- If it is a worm or virus, does it replicate the name of an existing process, to make it look legitimate when viewed in the Task Manager (For Windows), or Processes (using command in Linux).
These are but a few ways threat actors utilize to remain persistent on a network.
Document Time of Incident Occurrence:
It is important as a first responder to have knowledge on “Evidence Form” and document accurately, time frames of when the incident was reported, and every step taken during your evidence collection, and investigation. Also, note that the “Evidence Form” is different from the “Chain of Custody Form”. Avoid mixing things up during this phase, to avoid a failed investigation.
B. Remediation (Restoration of Service):
The remediation phase is considered an easy stage, if the investigation is properly conducted, and conclusions accurately drawn. The information’s obtained during the investigation phase should be used to develop remediation plans. If all findings and plans are accurate, they should then be implemented on the affected network or computer systems.
So, What Are These Remediation Plans?
- Is the server compromised because of outdated components? Update it with recent patches released by the vendor of the server.
- Was the initial foothold due to misconfigurations? Implement appropriate security controls or configurations to fix it.
- If social engineering techniques were used to transfer the malicious codes to the organizations network, via a phishing link. Then create an appropriate training to sensitize your workers.
Want to get training for your organization’s team? Head on to our contact form, leave us a message, or send us an email right away, and we will surely get back to you.
- Did the threat actor discover these information’s used in compromising the organization, from an exposed container (Kubernetes, Docker etc.), implement the appropriate security controls, to protect subsequent or future attacks.
- If data were exfiltrated, communicate these to your customers or users, and suggest immediate security steps they need to take. This is to prevent further social engineering from the threat actors leveraging these stolen data belonging to your customers or users of your services, to conduct more damaging outcomes (usually this affects the organization’s reputation).
There are many remediation plans, carried out by an incident response team. However, a hint to assist you in planning your remediation and mitigations steps if you are part of an incident response team, is that both should be based on your findings during your investigation.
Put your comments below in the comment section on your thoughts about this.