Dealing with a cyber incident can be a daunting experience. Whether you're targeted by phishing, malicious network scanning, or ransomware, it's easy to feel overwhelmed. Even if your organization hasn't been affected by an incident yet, it's essential to understand attacker tactics and stay informed of potential incidents that may impact your organization. Knowing how to detect an incident and recognizing a threat from common attack types can significantly affect your organization's success in containing and eradicating a cyberattack.
Breaking Down Modern Incident Response
Figure 1: Modern Incident Response Life Cycle
Prepare
The diagram starts on the left with the first step of incident response – to prepare. The Prepare phase involves implementing controls to prevent incidents from occurring in the first place.
Detect and Identify
The next phase of Detect and Identify kicks off the Observe, Orient, Decide, and Act (OODA) loop. Although this cycle is on the diagram once, it does not mean it will only be completed once during the detection phase of incident response. Every incident is different, meaning each incident should be treated independently.
Contain and Eradicate
From the OODA loop, the Contain and Eradicate phases are next. One important lesson from incident response is that it is difficult to predict how long these two phases will take, so setting a strict timeline or time limit can be difficult. These phases usually take longer than expected.
Recovery
After the Contain and Eradicate phases come Recovery. The Recovery phase is the process of implementing mitigations against the incident that has taken place and making sure that the threat is fully eradicated.
Lessons Learned
The final phase is Lessons Learned, but this does not mean the work ends there. Be sure all employees and involved individuals know where the organization made improvements and why those improvements will help protect the network in the future. Notice how Lessons Learned links to the beginning of the Life Cycle. There should be constant feedback between the end of one incident and the potential start of another.
Uncovering the Most Common Incident Response Scenarios
Now that the process for a Modern Incident Response Life Cycle has been discussed, below you will find the five most common incident response scenarios, as well as how to Protect, Detect, and Respond to each scenario.
1. Phishing
Phishing is the #1 most common incident response scenario. It is most likely the initial compromise for ALL of the following scenarios. Now is the time, more than ever, to focus on training employees to be vigilant of malicious emails by implementing regular training and testing with company-wide phishing campaigns.
Protect
- Security awareness training and testing. It's crucial that everyone at the company can recognize phishing emails and other social engineering methods. To enhance their awareness and get an understanding of your baseline, consider conducting a social engineering assessment.
- DomainKeys Identified Mail (DKIM), Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC). Implementing DKIM, SPF, and DMARC (all free!) will help prevent phishing emails from becoming an incident response situation.
  - DMARC is an email authentication, policy, and reporting protocol.
  - DKIM is an email authentication method that identifies forged email sender addresses.
  - SPF is also an email authentication method; however, it detects the forging of sender addresses during email delivery.
- Email sandboxing. Sandboxing methods, such as Mimecast, add an extra layer of protection against malicious emails. Emails containing links or attachments can be tested before they reach a mail server.
- Multi-factor authentication (MFA). MFA is an authentication method in which a user is granted access to an application or system only after successfully presenting two or more pieces of evidence to an authentication mechanism. MFA will ensure an attacker cannot gain unauthorized access to any accounts in the network, even if the user provides those credentials through a phishing attack. Warn employees of MFA fatigue and remind them only to authenticate when actively trying to access an application or system.
Detect
- Unexpected emails from known or unknown individuals. If the person or conversation seems out of the blue, be vigilant and confirm that the email is legitimate.
- Emails that contain links and/or attachments. Links and attachments can be a “back door” to your network. Remember, the hacker cannot get in unless you give them an opening. Also, look for spelling errors or unusual domains in emails you receive.
- Emails prompting extreme feelings. Phishing emails often push the user in the direction the malicious actor wants. If any email is trying to persuade or rush you into doing an action, resist the urge.
Respond
- Quarantine. The malicious email should be quarantined from all accounts on the system. Be sure no one can access the email from your network until an administrator reviews it.
- SIEM. Check for any custom threat intelligence rules to add to your security information and event management method (SIEM).
- Indicators of compromise (IoC). Watch network alerts for indicators of compromise. An indicator of compromise arises when metrics observed on a network stray from what you have determined to be “normal” traffic, which suggests a compromise. You can refer to SBS’ previous article on indicators of compromise for more information.
2. Malware
The term malware refers to a broad category of harmful software often used to gain unauthorized access to a system or network. This can allow attackers to steal (exfiltrate) valuable data, intelligence, or other information.
Protect
- Application whitelisting. Whitelisting specific applications ensures a device will only allow pre-approved applications to be installed, preventing malicious applications from being downloaded and installed.
- AV scans and endpoint protection. Use a solution with second-generation detection capabilities (behavioral analysis vs. detection by definition) that includes scripting control.
- Multi-factor authentication (MFA). Same as in the phishing scenario, MFA will ensure an attacker cannot gain unauthorized access to any accounts that are in the network.
Detect
- Slow computer and Blue Screen of Death (BSOD). If your device seems to be running much slower or you receive an unexpected BSOD, these are common symptoms of malware on your device. Be sure to report such issues to your IT and IS staff.
- Dwindling storage space. If your device suddenly (and unexpectedly) runs out of storage, malware may be hiding in your system.
- Pop-ups or unwanted applications. Keep track of the applications installed on your device and pay attention if you get any confusing pop-ups. If you find any applications that you did not install on your system yourself, it could be malware camouflaging itself.
- Managed detection and response (MDR). MDR combines technology and human expertise to perform threat hunting, monitoring, and response. MDR can rapidly identify and limit the impact of threats without the need for additional staffing.
- Extended detection and response (XDR). XDR provides extended visibility, analysis, and response across endpoints, workloads, users, and networks over a consolidation of tools and data.
Respond
- Key risk indicators (KRI). Key risk indicators act as a logging metric used to establish the upper and lower bounds of “normal” on networks or client-server infrastructures. Refer to the above article on indicators of compromise for more information on KRI.
- Contain and eradicate. Disconnect the computer from the network, but don’t power the device off. Work through the system and eradicate any malicious files or applications.
3. Ransomware
Technically, ransomware is included under the malware umbrella we discussed above. However, ransomware deserves to be highlighted separately due to its destructive nature. Modern ransomware has taken a turn for the worse. Attackers are now dropping ransomware after being in a network for a while and gaining information and data. Ransomware covers an attacker’s tracks on their way out and distracts users while data is being exfiltrated.
Protect
- AV scans and endpoint protection. Use a solution with second-generation detection capabilities, including scripting control. Also, maintain all security patches on all workstations, servers, and network devices.
- Multi-factor authentication (MFA). MFA ensures a user would be notified if a malicious actor tried to log into an account.
- Suspicion. Take extreme caution with any email containing attachments and/or links. Ransomware can be masked in emails and links to look like safe attachments.
- Service accounts. Limit each service account to a single service. Service account passwords should also be at least 15 characters long, with high complexity and password entropy (a measurement of how unpredictable, and therefore hard to guess, a password is).
- Active Directory. Disable NTLM and NTLMv2 authentication in Active Directory in favor of Kerberos v5 or higher.
- Business-approved connections. Only implement business-approved connections between VLANs.
- Uninstall. Decrease the attack surface on all workstations and servers by uninstalling applications and services that are not needed for business reasons.
- Data-level backup. Implement data-level backup for file shares and SQL databases so the latest data sets can be recovered if the server is compromised. The data needs to be restored from a date after the compromise.
- Administrator accounts. Rename the administrator account from its default name (Administrator); do this in Group Policy. Also, practice good admin account hygiene: do not browse the internet or use email while logged in with an administrator account. Use this account only for specific, explicit business operations and only for the time required to perform that task. In addition, no standard users should have local administrative access, either. It is often estimated that 94% of Microsoft vulnerabilities arise due to local admin rights.
Detect
- Unusual pop-ups on the device and encrypted files. This is the most obvious sign: ransomware will typically notify the user on the device and encrypt every file the device can see and access on your network.
- Firewall logs. Logs will show all activity of data being received and sent from outside of the network. Ensure your firewall logs are correctly configured and retained before an attack occurs, which will help investigate where external traffic is coming and going and when the attack occurred.
- Key risk indicators. Define key risk indicators, such as high disk usage on servers or workstations and user account logins during non-business hours to help detect a potential ransomware incident.
- EDR/MDR on all servers. Deploy an EDR/MDR solution to detect scripting on all servers. EDR is a tool deployed to protect endpoints; MDR is a service that provides security monitoring and management across an IT environment. Maintain aggressive EDR/MDR policies on all activity and do not wholly whitelist or bypass the tool; instead, work through each issue with the tool to preserve its efficacy. Also, enable Windows Defender to run in parallel with the EDR solution, and use the Defender snap-in with MDR solutions.
- Application whitelisting and geolocation. Apply application whitelisting, and apply geolocation blocking in the firewall, especially for foreign applications and IP addresses.
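The key risk indicators named above (high disk usage on a server, user logons outside business hours) can be evaluated with a few lines of logic once you have decided what "normal" looks like. The following added example (not code from the article) runs that logic over constructed log lines in a simple key=value format; the hostnames, user names, business-hours window, disk threshold and the off-hours allowlist are all assumptions for a hypothetical environment, and in practice the bounds would be derived from your own baseline.

```python
"""Evaluate simple key risk indicators (KRIs) over endpoint log lines.

Added example, not code from the original article. The log format,
hostnames, user names and thresholds below are constructed for illustration.
"""
from __future__ import annotations
from datetime import datetime

# Constructed sample log lines: "<ISO timestamp> key=value key=value ...".
SAMPLE_LOG = """\
2024-03-04T09:05:12 host=FS01 event=logon user=jsmith src=10.0.5.23
2024-03-04T10:22:11 host=FS01 event=disk used_pct=42
2024-03-02T03:14:07 host=FS01 event=logon user=svc_backup src=10.0.9.8
2024-03-04T23:47:55 host=FS01 event=disk used_pct=96
2024-03-05T02:31:40 host=WS17 event=logon user=jsmith src=198.51.100.7
2024-03-05T08:00:00 host=WS17 event=disk used_pct=55
"""

# KRI bounds: what "normal" looks like for this (hypothetical) environment.
BUSINESS_HOURS = (7, 19)          # logons expected between 07:00 and 19:00
BUSINESS_DAYS = {0, 1, 2, 3, 4}   # Monday..Friday, as datetime.weekday() numbers them
DISK_USED_PCT_MAX = 90            # upper bound for disk usage on a server
# Accounts expected to log on outside business hours (e.g. scheduled backup jobs).
OFF_HOURS_ALLOWLIST = {"svc_backup"}


def parse_line(line: str) -> dict[str, str]:
    """Parse one log line into a dict; the timestamp is kept under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for token in rest.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def outside_business_hours(ts_text: str) -> bool:
    """True when an ISO timestamp falls outside the business-day/hour window."""
    ts = datetime.fromisoformat(ts_text)
    start, end = BUSINESS_HOURS
    return ts.weekday() not in BUSINESS_DAYS or not (start <= ts.hour < end)


def evaluate_kris(log_text: str) -> list[str]:
    """Return one alert string per log line that breaches a KRI bound."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        event = rec.get("event")
        if event == "logon":
            user = rec.get("user", "?")
            if outside_business_hours(rec["ts"]) and user not in OFF_HOURS_ALLOWLIST:
                alerts.append(f"{rec['ts']} off-hours logon by {user} on {rec.get('host')} "
                              f"from {rec.get('src')}")
        elif event == "disk":
            used = int(rec.get("used_pct", "0"))
            if used > DISK_USED_PCT_MAX:
                alerts.append(f"{rec['ts']} disk usage {used}% on {rec.get('host')} "
                              f"exceeds {DISK_USED_PCT_MAX}%")
    return alerts


if __name__ == "__main__":
    for alert in evaluate_kris(SAMPLE_LOG):
        print(alert)
```

Run as a script, the sample produces two alerts: the 96% disk reading on FS01 and the 02:31 logon by jsmith from an outside address. The Saturday logon by svc_backup is silent only because that account is on the allowlist, which is the kind of documented exception a "know your normal" baseline should record explicitly rather than leave to an analyst's memory.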
Respond
- Detect. Detect a network intrusion before ransomware begins to encrypt files. As mentioned above, modern ransomware is deployed by attackers who are already in the network.
- Monitor. Monitor key risk indicators and indicators of compromise vigilantly. It is essential to know what normal looks like on your network. “Know your normal” will be reiterated throughout this article to reinforce its importance. Anything outside your “normal” levels should raise red flags.
- Contain. Containment is a top priority in any incident response scenario. Creating an environment where nothing gets out of the network that is not approved and nothing runs on a workstation or server that isn’t approved is key to eradication.
- Managed Detection and Response (MDR). MDR combines technology and human expertise to perform threat hunting, monitoring, and response. MDR can rapidly identify and limit the impact of threats without the need for additional staffing.
- Extended Detection and Response (XDR). XDR provides extended visibility, analysis, and response across endpoints, workloads, users, and networks over a consolidation of tools and data.
4. Internet-Facing Vulnerabilities
Every device connected to the internet can be scanned for vulnerabilities from outside sources. Hackers do not specifically look for one victim of their scans; they set up scripts and scan every port and device they can. Any devices identified over the internet that can be exploited may become an attacker’s next victim.
Protect
- AV scans and endpoint protection. Once again, use a solution with second-generation detection capabilities, including scripting control.
- Whitelist. Only whitelist the scripts your web apps use. Block everything else.
- DMZ. Implement a DMZ for anything you host locally. A DMZ is a separate, firewalled zone that protects the rest of your network from being accessed by internet traffic from the application or system you host.
- Burp Suite. Scan your websites with Burp Suite. Burp Suite can find SQL injection, cross-site scripting, and other potential security pitfalls in your websites.
- Geolocation blocking. If your organization doesn’t do business with companies in other countries, those countries should be blocked from accessing your web systems. Use your firewall or web application firewall (WAF), which helps protect web applications, to block everything you don’t do business with.
Detect
- Audit your webservers, routers, and firewalls with penetration tests and vulnerability assessments regularly. Vulnerability assessments will identify any known external vulnerabilities, and penetration tests will determine if those vulnerabilities are exploitable, allowing an attacker to access your network from the outside.
- Use a web application firewall (WAF). A WAF helps monitor and block HTTP traffic to and from web applications. A WAF makes it possible to filter the content of specific web applications and protect the device from malicious content.
- Indicators of compromise. Know your organization’s indicators of compromise.
- Managed detection and response (MDR). MDR combines technology and human expertise to perform threat hunting, monitoring, and response. MDR can rapidly identify and limit the impact of threats without the need for additional staffing.
- Extended detection and response (XDR). XDR provides extended visibility, analysis, and response across endpoints, workloads, users, and networks over a consolidation of tools and data.
Respond
- Indicators of compromise. Know your organization’s indicators of compromise.
- Contain. The organization is compromised if adversaries gain access to your network through known vulnerabilities. Be sure to disconnect compromised devices or network segments from the rest of your corporate network; doing so ensures the attacker cannot move laterally within your network.
- Eradicate. Eradicate compromised devices or network segments. Be sure devices and segments are clear of any present malware.
5. Business Email Account Takeover
Business email account takeover occurs when a malicious user gains access to a legitimate user’s email account. For example, once an attacker gains access to the credentials from a phishing email sent out to employees, the attacker will have access to that user’s email.
Protect
- Multi-factor authentication (MFA). See previous descriptions of MFA.
- External email access. Only enable external (outside your network) email access for the specific countries in which your employees work.
- Geolocation blocking. If your organization doesn’t do business with companies in other countries, those countries should be blocked from accessing your email systems. Use Conditional Access to block everything you don’t do business with.
Detect
- User and entity behavior analytics (UEBA) in the SIEM. Look for user logins at strange times or suspicious user activity. Another good idea is to set alerts for employees accessing their email accounts at strange times. Remember to ask yourself the same question: what does normal look like on your network?
- Email logging. Look out for logins from unusual country codes to cloud-based email accounts. Remember, by default, Office 365 and G Suite do not log logins from unusual country codes to cloud-based email accounts. Be sure your organization’s email platform is licensed properly.
- Abnormal email rules. Be aware of missing or deleted emails. Other users might receive emails from the compromised account without a corresponding email in the sender’s Sent Items folder. Watch for inbox rules that neither the user nor the administrator created; these rules may automatically forward emails to unknown addresses or move them to the Notes, Junk Email, or RSS Subscriptions folders. The user’s mailbox may also be blocked from sending mail, and the Sent or Deleted Items folders in Microsoft Outlook or Outlook on the web may contain messages typical of a hacked account.
- Global Address List. The user’s display name might be changed in the Global Address List.
- Unusual profile changes. Name changes, telephone number changes, postal code updates, and unusual credential changes, such as multiple password changes.
- OS interactive attempts. Look for strange OS interactive attempts in logs and IP address connection attempts that are out of the norm for the user.
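Abnormal inbox rules, as described above, are one of the more reliable takeover signals because the attacker has to leave them in the mailbox for them to work. The following added example (not code from the article or from Microsoft) reviews a constructed list of rule records shaped loosely like the properties an Exchange Online inbox rule exposes (Name, Enabled, ForwardTo, RedirectTo, MoveToFolder, DeleteMessage, MarkAsRead) and flags forwarding to addresses outside the organization's domains, moves into the Notes, Junk Email or RSS Subscriptions folders, and outright deletion. The mailbox, domains, addresses and rule names are all assumptions.

```python
"""Flag suspicious inbox rules, a common sign of business email account takeover.

Added example, not code from the original article. The rule records are
constructed samples; the domain, addresses and rule names are hypothetical.
"""
from __future__ import annotations

# The organization's own mail domains (constructed); anything else is "external".
INTERNAL_DOMAINS = {"example.test"}
# Folders a user rarely opens, so mail moved there effectively disappears.
SUSPICIOUS_FOLDERS = {"notes", "junk email", "rss subscriptions"}

# Constructed sample rules for one mailbox (a mix of benign and suspicious).
SAMPLE_RULES = [
    {"Name": "Move newsletters", "Enabled": True, "MoveToFolder": "Newsletters"},
    {"Name": "Ext fwd", "Enabled": True, "ForwardTo": ["drop@mail-collector.invalid"]},
    {"Name": "Hide finance", "Enabled": True, "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True},
    {"Name": "Clean", "Enabled": True, "DeleteMessage": True},
    {"Name": "Copy to me", "Enabled": True, "ForwardTo": ["me.backup@example.test"]},
    {"Name": "Old rule", "Enabled": False, "ForwardTo": ["x@mail-collector.invalid"]},
]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def analyze_rule(rule: dict) -> list[str]:
    """Return the reasons a single inbox rule looks suspicious (empty = benign)."""
    reasons = []
    if not rule.get("Enabled", True):
        return reasons  # a disabled rule cannot act on mail
    # Any forward/redirect action whose target is outside the organization.
    for field in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        for addr in rule.get(field, []):
            if domain_of(addr) not in INTERNAL_DOMAINS:
                reasons.append(f"{field} to external address {addr}")
    folder = rule.get("MoveToFolder")
    if folder and folder.lower() in SUSPICIOUS_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder '{folder}'")
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching messages")
    # Marking as read on its own is harmless; combined with hiding, it suppresses unread counts.
    if reasons and rule.get("MarkAsRead"):
        reasons.append("also marks messages read, hiding unread counts")
    return reasons


def analyze_mailbox(rules: list[dict]) -> dict[str, list[str]]:
    """Map the name of each suspicious rule to the reasons it was flagged."""
    findings = {}
    for rule in rules:
        reasons = analyze_rule(rule)
        if reasons:
            findings[rule["Name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in analyze_mailbox(SAMPLE_RULES).items():
        print(f"{name!r}: " + "; ".join(reasons))
```

On the sample, three rules are flagged ("Ext fwd", "Hide finance" and "Clean"); the internal copy rule and the disabled rule are not. A review like this belongs in the Detect column as a scheduled check across all mailboxes, and in the Respond column as the first thing to inspect once an account is believed to be taken over, since any rule left in place keeps working after the password is changed.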
Respond
- Contain. Shut down the email account so that no users can access it.
- Change passwords and block access. Change all account passwords and block email access from countries where employees won’t log in.
- Examine. Determine what was in the compromised mailbox. Remember that you may need to file a breach report for any PII that was exposed.
The Bottom Line: Know Your Normal
Throughout this article, a few key terms were stated multiple times, but the bottom line is this: “Know Your Normal.” If you’re unfamiliar with key risk indicators and indicators of compromise that can help you identify when your network is not “normal,” please check out SBS’ previous article. Knowing when KRIs or IoCs arise in your devices or network is the first step in responding to an incident.
Some organizations find themselves in a position where they cannot monitor or don’t know how to monitor their network. In this situation, investing in a platform that monitors your network is best. A SIEM supports threat detection, compliance, and security incident management by collecting and analyzing security events, including user and entity behavior analytics (UEBA) and security orchestration, automation, and response (SOAR). UEBA helps organizations notice abnormal behaviors, such as logins from unusual locations. SOAR assists with the actual response to cybersecurity incidents. A SIEM can also automate actions that would usually need to be performed manually by an analyst.
Multi-factor authentication (MFA) is a recurring Protect control throughout this article, and it is one of the only factors proven to stop hackers from accessing accounts after obtaining a user’s credentials. Think of MFA as the hand-sanitizer of Protect controls – MFA prevents 99.9% of account compromises, according to Microsoft.
Knowing what is normal on your network and implementing MFA will help your organization decrease risk while staying mindful of anything abnormal. Remember, phishing attacks are the most common cause of all these incident scenarios, so be sure employees are trained and tested accordingly. Implement controls to Protect, Detect, and Respond to incidents, and continue to mature your security program to keep your organization and customer data safe.