Incident Response: Validation, Containment & Forensics
23 likes14,980 views
The document outlines an advanced Security Operations Center (SOC) framework focused on incident response and management, detailing the incident response lifecycle, including stages like reconnaissance, containment, eradication, recovery, and post-incident analysis. It emphasizes the importance of situational awareness and provides a structured kill chain model to identify threats and remediate incidents effectively. Additionally, the document discusses handling advanced persistent threats and offers specific procedures and rules for detecting and responding to various cyber threats.
![12
Incident Response
Kill Chain Model for Use Cases Assist in Incident Response
Situational Awareness
- Outbound Protocols
- Outbound protocols by size
- Top destination Countries
- Top destination Countries by size
Reconnaissance
- Port scan activity
- ICMP query
Weaponization and Delivery
- Injection
- Cross Site Scripting
- Cross Site Request Forgery
- Failure to Restrict URL
- Downloaded binaries
- Top email subjects
- Domains mismatching
- Malicious or anomalous Office/Java/Adobe files
- Suspicious Web pages (iframe + [pdf|html|js])](https://image.slidesharecdn.com/session8-a-socircase-2-170522123032/85/Incident-Response-Validation-Containment-Forensics-4-320.jpg)
Incident Response: Validation, Containment & Forensics
- 1. Advanced SOC Section 5 - Incident Response
- 2. 10 Incident Lifecycle Management Threat Management – NIST Aligned Process
- 3. Situational Awareness Ability to identify what is happening in the networks and system landscape Reconnaissance Weaponization & Delivery Lateral Movement Data Exfiltration Persistency Identification and selection of the target/s host or network by active scanning Transmission/Inject of the malicious payload in to the target/s Detect, exploit and compromise other vulnerable hosts Steal and exhilarate data Establish a foothold in the corporate network In military strategy, a “Kill Chain” is a phase model to describe the stages of an attack, which also helps inform ways to prevent attacks. 11 Incident Response Kill Chain Model for Use Cases Assist in Incident Response
- 4. 12 Incident Response Kill Chain Model for Use Cases Assist in Incident Response Situational Awareness - Outbound Protocols - Outbound protocols by size - Top destination Countries - Top destination Countries by size Reconnaissance - Port scan activity - ICMP query Weaponization and Delivery - Injection - Cross Site Scripting - Cross Site Request Forgery - Failure to Restrict URL - Downloaded binaries - Top email subjects - Domains mismatching - Malicious or anomalous Office/Java/Adobe files - Suspicious Web pages (iframe + [pdf|html|js])
- 5. 13 Incident Response Kill Chain Model for Use Cases Assist in Incident Response Lateral Movement - Remove or add account - Remote WMI communications - Remote Group Policy Editor - Remote Session Communications (during outside working hours?) - Antivirus terminated Data Exfiltration - Upload on cloud storage domains - Suspicious HTTP Methods (Delete, Put) - Uploaded images - FTP over non standard port - IRC communication - SSH | ICMP Tunneling Persistency Phase - Unusual User Agents - Outbound SSL VPN - Outbound unknown
- 6. Advanced SOC Incident Response - APT
- 7. 15 Incident Response Advanced Persistent Threat “Advanced Persistent Threat” is a complex and targeted cyber attacks over long periods of time (i .e “persistent”).These attacks are well funded and mostly state sponsored and carried out by professionals. The motive behind the attack is to gain access to the target system and maintain access for prolonged periods. Step 1 •Reconnaissance Step 2 •Initial Intrusion into the Network Step 3 •Establish a Backdoor into the Network Step 4 •Obtain User Credentials Step 5 •Install Various Utilities Step 6 •Privilege Escalation / Lateral Movement / Data Exfiltration Step 7 •Maintain Persistence
- 8. 16 Incident Response Incident Response Process - Preparation Preparation Identification & Verification Containment Eradication Recovery Post Incident Analysis Investigation Always install software from trusted sources and verify digital sign and MD5 hash. Use benchmarks for building systems on the network including harden systems Use group policy to distribute enterprise wide end point security measures and remove admin privileges from all end user systems and server Enable appropriate logging on all the network devices Leverage SIEM to correlate data from multiple defense tool sources. Use data to identify potential compromise such as blocked emails, code execution in browser, and probable large data in HTML, outgoing traffic to specific IP’s on unusual ports, abnormal DNS requests, drive by malware download, AV clean fail alert, reinfection in 5 minutes, multiple failed DNS resolution attempts, SAM file access, privilege account failed, forced pwd change) Systems that require admin privileges must be identified in CMDB as high value target. Identify and block all grey-listed domain Collect detailed behavioral profiles on all the data and functions handled by each application Decrypt and re-encrypt confidential traffic through applications or some other encryption utilities, wherever possible Identify, create and constantly update a list of all IPs that are known to be associated with malware command and control. (Threat Intelligence / Reputation IP) Setup procedures for external notification through contributing to Open Source Intelligence.
- 9. 17 Incident Response Incident Response Process – Signs of Compromise Preparation Identification & Verification Containment Eradication Recovery Post Incident Analysis Investigation Identification of same email from public domain to significant number of users or C-level employees or high value targets; encrypted attachments, password protected and zipped and protected to escape email malware filter; (put user in the reference list) End point alert / HIPS / Host based malware alerts for local script execution for the same user, raise incident Identify unusual traffic volumes to multiple ports or IP addresses or excessive packet loss (connection over 4 hours to external IP) Examine abnormal services on known ports and abnormal ports for well-known services, verify reputation scores of IP (SSH to port 80) EDR and WAF alerts for scripts, hash mismatch Botnet filter alerts for traffic to blacklisted domains Email / SPAM filter misbehavior/ maintenance activity followed by suspicious activity on the network specially related to unknown/ suspicious remote destinations. Monitor packet flow inside and outside from the network for likely patterns of Command and Control (C+C) traffic, outbound custom encrypted communications, covert communication channels with external entities, etc. Threat Intelligence alerts for connections / data sent to suspicious destination outside organization specially belonging to less reputed geographic location and at odd hours. Examine if any data breach has occurred like large HTML packet Review hourly and daily reports of network usage to identify unusual occurrences and spikes in traffic.
- 10. Use Case Use Case Model –Attack Based- Kill Chain- Use Case 17 B Category Sub Category SIEM Rule Source Use Case Condition Action Correlate Reconn End point protection Email gateway Harmful attachment (binary/ infected word or pdf file, password or encrypted file attached) the source of the email is internal IP Add email recipient machines source IP address of the event to shortlist 1. Delivery End point protection AV server all antivirus and anti-malware software events Source IP address would be added to the compromised host active list Define a second high-level rule that cross correlates to determine if the host source IP address is also found on shortlist 1. (If Yes - raise an Incident) Host Exploitation End point protection Local System Rule 1: A registry change has occurred in one of the registry start locations such as Runonce Rule 2: If new unknown process has been spawned Add them to shortlist 1 C&C End point protection Firewall / IPS End point communicates to the known bad C&C IP address Add them to "compromised active list") Local Compromise End Point protection Local System Rule 1: Creation of local accounts. Rule 2: Creation of escalation of privileges. Rule 3: Group policy changes. Rule 4: If Antivirus or Antimalware software processes have been terminated. Add them to shortlist 2 Correlation rule if an IP address exists on shortlist 2 more than once raise and incident alert. Internal Recon End Point protection Firewall / IPS Rule 1 - Per to peer communication Rule 2 - Beaconing of desktop network communications trying to find a way of routing to the Internet this would show as firewall drop events Rule 3 - Multiple communications where the source network zone is desktop and the destination network zone is desktop. Correlate rules 1-3 where the source also exists on either shortlist 1 or shortlist 2 and if it does raise this as an incident and add the IP to the compromised host asset list. Lateral Movement End Point protection Local System Rule 1: Windows program audit events where netstat has been used add source IP to shortlist 2. Rule 2: Windows net logon event add source IP address to shortlist 2. Add to shortlist 2 for any of the event detected Correlation rule 2: If rules 1—6 correlate with an IP address on shortlist 1 raise as an incident alert and compromised host asset list. Establish Persistence End Point protection Firewall Internal Rule 1: Internal to Internal communications between hosts in the same network zone on unknown communications channels for example a desktop communicating to another desktop using HTTPS. Data Exfiltration Data Protection Email gateway / Proxy and FW Rule 1: Windows program audit event where NTbackup has been used add source IP to shortlist 2. ii. Rule 2: Windows events for registry access to the following registry locations as this indicates the Correlate multiple email sending events where attachment are being sent to a single unknown email in the same day and the for a total data size of > 100mb Add to shortlist 1.
- 11. 18 Incident Response Incident Response Process – Limit the Damage Preparation Identification & Verification Containment Eradication Recovery Post Incident Analysis Investigation Take the infected system into separate VLAN Use packet capturing utilities to replay old (or malicious) traffic to identify additionally infected systems Examine system to identify any lateral movement made within the enterprise by the attacker and perform the same checks on affected systems. Identify end point IOC (hash, registry change, process running, service running to identify the other infected system) Based on the initial investigation, do the following – Block IP address of the attacker, terminate vulnerable/ infected process, disable or change user password Preserve information and artifacts associated with the incident. Update the firewall / anti-malware blacklist to block attackers IPs and monitor them in detail including communication protocol Remove sensitive data from unsecured and unnecessary locations. Alert related key users on possible attacks and limit system & user privileges to copy, modify and delete secondary data/ information. Alert law enforcement and other authorities such as CERT, if required. Notify internal users and affected departments/ systems owners.
- 12. 19 Incident Response Incident Response Process – Source and Anatomy Preparation Identification & Verification Containment Eradication Recovery Post Incident Analysis Investigation In case of spear phishing, verify the links clicked and the destination URL Investigate the information provided or data uploaded on the phished site Identify suspicious changes in listening ports, system services and drivers, startup tasks, and scheduled tasks on the infected system Identify for new account with high privileges or permission changes Identify DNS requests Verify Host Intrusion Prevention System (HIPS) and alerts for execution of scripts or malicious code Use file system and memory analysis and look for a malware/ code specific entity in Memory (process information, running service information) Analyze changes in the registry for unexpected registry keys. Extract and identify characteristics of adversary with other affected systems; this may be achieved by using correlation rules to search for identified characteristics of attacks such as: Files System calls Processes Network Ports IP addresses Host names Investigate further to Identify all: Active (beaconing) and passive (listening) backdoors Other entry points like web servers, mail servers, VPN
- 13. 20 Incident Response Incident Response Process - Remove Cause Preparation Identification & Verification Containment Eradication Recovery Post Incident Analysis Investigation Reset all affected systems, users and service passwords Remove backdoors by running updated anti- malware tool, use vendor supplied stringers as necessary for eradication and clean up Fix vulnerable systems they’re exploiting for access with updated patches Run registry cleaners and scan for memory resident malicious codes and clean up with alternate boot mediums. Develop or update antivirus and/or security devices (IPS/IDS) signatures. Re-engineer the system or the systems to prevent re-infection. Segment critical data to more restricted areas and implement auditing for critical data access Enable block mode for sensitive data on data loss prevention tool.
- 14. 21 Incident Response Incident Response Process – Resume Normal Operation Preparation Identification & Verification Containment Eradication Recovery Post Incident Analysis Investigation Clean all traces like infected files, binaries, infected code and data. Clean browsing history, registry and memory. Preferable post taking all snapshots, install with clean image Update all antivirus / anti malware programs with new signatures and patches Scan the infected system with latest antivirus and anti- malware programs Scan for suspicious items discovered on all infected and interconnected systems using updated antimalware used to disinfect the targeted systems. Perform System integrity checks for all the infected systems. Restoring all systems for which integrity has affected due to the attack, from last know good backup. Confirming all systems and services restored to normal operations. Perform System integrity checks for all infected systems. Restoring all systems for which integrity as affected due to the attack, from last know good backup. Confirming all systems and services restored to normal operations. Restore the data from previous backup
- 15. 22 Incident Response Incident Response Process – Post Mortem & Lesson Learned Preparation Identification & Verification Containment Eradication Recovery Post Incident Analysis Investigation Perform forensics to identify the source of attack and motivation like state sponsors Identify if the attackers used a third party (e.g., contractor, client, joint venture) as an attack vector Identify if the attackers had insider assistance Identify if the attackers had physical access to the facilities or network Collect evidence from packet captures / network information, logs and infected system browsing history and malicious code and its reverse engineering Reverse-engineer binaries to help identify attack methods, communication protocols, and attack servers. Create images of hard drives from infected hosts. Ensure preservation of evidence besides maintaining chain of custody as required by legal authorities. Perform communications (internal/external user groups, public media etc.)
- 16. Advanced SOC Exercise – IR Playbook
- 17. 24 Example Carbanak – A-SOC Capabilities 2 Malicious Web server sends or reflects exploit code <click> 1 Install Malware Mail-Client 5 Victim Domain Name Server Attacker Used Spearphised emails Command & Control 4 web-page + 3 Follow link Lateral Movement Screen capture/ Video recording 9 6 Remotely Control Malware Contact Updater By IP Address (C&C) 7 8 Word file with MA Data upload – Screens and VR
- 18. 25 Example Carbanak – A-SOC Capabilities 2 Malicious Web server sends or reflects exploit code <click> 1 Install Malware Mail-Client 5 Victim Domain Name Server Attacker Using Spearphised emails Command & Control 4 web-page + 3 Follow link 9 6 Remotely Control Malware Contact Updater By IP Address (C&C) 7 8 Word file with MA Lateral Movement Screen capture/ Video recording Data upload – Screens and VR d) Monitor Web Traffic a) Monitor DNS c) Monitor Port & Protocol Usage b) Monitor NetFlow e) Data in HTML Response - Netflow b) Monitor NetFlow
- 20. Topic Descriptions / Actions Purpose The purpose of this document is the provide guidance to Tier2 Triage and Tier 3 Response analysts on the approach to incident remediation. Scope The scope of this guidance includes 3 stages: Containment Eradication Recovery Containment The intention of this stage is to limit the damage caused by the incident without yet removing the cause of the incident. This is typically done as the first step as it may take additional time to understand the cause of the incident and the appropriate eradication strategy. Examples of containment may include shutting down of affected systems, closing firewall ports etc. Eradication This stage is typically done after the containment stage where the cause of the incident is removed. Eradication can only be performed before containment if the incident cause is immediately clear and eradication can be performed swiftly before additional damage is caused by the incident. Examples of eradication include deleting malicious code, removing malicious accounts etc. Recovery This stage is done once the “victim” system impacted is no longer vulnerable. Examples of recovery include restoring from backup, patching servers etc. 27 Incident Response IR response process
- 21. Topic Descriptions / Actions Attack Category Authentication (Internal User) Attack Sub Categories Misc Login Succeeded, Unknown Authentication, Host Login Succeeded, Host Login Failed, Misc Login Failed, Privilege Escalation Failed, Privilege Escalation Succeeded, Mail Service Login Succeeded, Mail Service Login Failed, Auth Server Login Failed, Auth Server, Group Added, Group Changed, Group Removed, Computer Account Added, Computer Account Changed, Computer Account Removed, Remote Access Login Succeeded, Remote Access Login Failed, General Authentication Successful, Telnet Login Succeeded, Telnet Login Failed, Suspicious Password, Samba Login Succeeded, Samba Login Failed and etc Response Remediation Options 1. Containment a. Terminate processes with any active connections with attacker IP or port b. Disable user id in question 2. Eradication a. Work with network team to physically locate internal attacker b. Turn off switch port of internal attacker c. Remove user access 3. Recovery a. Implement strong password policy b. Reconfigure vulnerable service as applicable c. Restore to previous good state from backup or recovery application 28 Incident Response IR response process
- 22. “Website defacement" refers to any unauthorized changes made to the appearance of either a single webpage, or an entire site. Worse, the hacker will replace the home page with an embarrassing (or worse) message. Web page Defacement: The most straight forward and visually identifiable attack where the web page content is changed and replaced by the perpetrators. The website data is not deleted. Data Deletion: This is a second stage of damage where the website is defaced and also the data and other pages are deleted. Install Malicious Software: Website defacement can be augmented by introducing a malicious code in the target environment to establish stronghold. The malicious code can then be used for further compromises such as lateral movement. IRC bot: In more severe case, once the attacker has established a foothold, they can install an IRC bot which can then be controlled through IRC channels. 29 Incident Response IR Response Exercise – Website Defacement
- 23. 30 Incident Response IR Playbook Exercise – Website Defacement Preparation 1 Create a hot cluster of servers to run website. - Build a back up site and setup routing backups. Enable detailed logging on web server and test the site for vulnerabilities 2 The website should be protected by a WAF firewall, IPS, Host based IPS and anti-malware and monitored logs and alerts for unauthorized access/ change of files / privilege escalation to the system backups. Enable detailed logging on web server and test the site for vulnerabilities 3 Deploy monitoring tools to quickly detect any abnormal behavior on your critical websites. (e.g. Sucuri) 4 Home page should be access controlled from Management IP 5 Log all access and alert for any change to home page file, immediately verify with change request Preparation Identification & Verification Containment Eradication RecoveryInvestigation
- 24. 31 Incident Response IR Playbook Exercise – Website Defacement Preparation Identification & Verification Containment Eradication RecoveryInvestigation Identification & Verification SIEM Use Case Monitored Element Description Log Source Configuration / Threshold Priority More than 30 request for same web file (e.g. *.php) file by the same IP address and port number or same user During attack the URL targeted by attacker changes with each request but the actual file name trying to target with each request will remain the same Web Server 30 request in 5 minutes 2 Home page (*.php) change Enable home page file auditong feature, configure alert for file change and priority 1 log alert Web Server File change from auditing - 1 1 DNS requests over port 80 infected hosts sending C&C communications masked as DNS requests over port 80 is the common thing so watch in Web gateway if any DNS request is observed on port 80 Web Server Port / Protocol mismatch 1 High number of HEAD requests on web server Likely indicating an attempt to discover vulnerable CGI scripts. High number of non-standard HTTP requests, indicating a possible attack or information gathering to precede an attack. Web Server 10 in 1 min 2 Web server not responding or slow response (HTML response time is huge) due to possible DoS attack. Web server has not served any pages in an hour and the IDS have reported multiple DoS attack events. Web Server Slow response / 10 sec to open file 2 SQL Injection, XSS, Injection, Redirects, Failed attempts, SQL Injection, XSS and other attacks from WAF Weg gateway/ Firewall 1
- 25. 1. Extract attack source IP from SIEM/ WAF as log source (IIS/Apache) 2. Notify application owner of attack 3. Implement firewall rule to block attacker IP 4. If attack source is on local network, remote to a machine within same subnet of unauthorized device 5. Ping offending machine IP 6. Run “arp –a” command on command prompt to extract MAC Address 7. Block the IP/MAC (NAC) and disable the user 25 Incident Response IR Playbook Exercise – Website Defacement SQL Injection Preparation Identification & Verification Containment Eradication RecoveryInvestigation Identification & Verification
- 26. 32 Incident Response IR Playbook Exercise – Website Defacement Preparation Identification & Verification Containment Eradication RecoveryInvestigation Containment 1 Take the infected host out of the cluster. 2 Redirect all traffic to the backup servers. 3 If the source of the attack is another system on the network, disconnect it as soon as possible. 4 Conduct site/page replication for redirection, as required. 5 Disable links to affected page or redirect to a correct version of the page. 6 Backup all data stored on the web server for forensic purposes and evidence collecting. The best practice here if applicable is to make a complete bit-by-bit copy of the hard-disk containing the web server. This will be helpful to recover deleted files.
- 27. 33 Incident Response IR Playbook Exercise – Website Defacement Preparation Identification & Verification Containment Eradication RecoveryInvestigation Investigation 1 Check files with static content (in particular, check the modification dates, hash signature). 2 Check mash up content providers. 3 Check links presents in the web page (src, meta, css, script etc). 4 Review database for modifications, content changes, traces of script injections, etc. 5 Review server logs and application access logs. 6 Look for evidence of data exfiltration.
- 28. 34 Incident Response IR Playbook Exercise – Website Defacement Preparation Identification & Verification Containment Eradication RecoveryInvestigation Eradication 1 Patch identified vulnerabilities (including all technical and source code vulnerabilities). 2 Remove code/scripts installed by the attacker. 3 Change all user passwords if the web server provides user-authentication and/or there is evidence or any reason to think that passwords may have been compromised. 4 Update patches, anti-virus and malwares and scan the system for vulnerabilities. 5 Compare eradication outcome against a known good backup.
- 29. 35 Incident Response IR Playbook Exercise – Website Defacement Preparation Identification & Verification Containment Eradication RecoveryInvestigation Recovery 1 Full restore from a good known backup. Apply validated and verified latest database content updates on top of the good known backup if required to compensate for any content changes between compromise and recovery. 2 Reconnect dependent systems. 3 Perform testing (sandbox test environment, user acceptance testing etc). 4 Reconnect web server to the internal LAN/Internet, as required. 5 Confirm normal operations.
- 30. Questions? Questions, Comments and Feedback