Your Org Got Hacked. Now What?
In 2017, a cyber attack occurred every 39 seconds on average. But what happens when hackers actually get through and their attack is successful? Discover the incident part of incident response and how IR professionals need to proceed.
Choosing a Containment Strategy
Evidence Gathering and Handling
Identifying the Attacking Hosts
Eradication and Recovery
This article is inspired from the NIST Computer Security Incident Handling Guide, and focus on the “Containment, Eradication & Recovery” phase. It aims at leading IR teams to successfully handle and respond to cyber incidents.
1. Choosing a Containment Strategy
When a cyber intrusion happens, it’s important to contain the breach before more damage is made. In this phase, you’ll have to make quick decisions (e.g., shut down a system, disconnect it from a network, disable certain functions, etc.).
Moreover, your containment strategy might be based on the type of incident your company is experiencing. g. Criteria for determining the appropriate strategy include:
- Potential damage to and theft of resources
- Need for evidence preservation
- Service availability (e.g., network connectivity, services provided to external parties)
- Time and resources needed to implement the strategy
- Effectiveness of the strategy (e.g., partial containment, full containment)
- Duration of the solution (e.g., emergency workaround to be removed in four hours, temporary workaround to be removed in two weeks, permanent solution).
It is also crucial for IR teams to make sure that their containment plans will not cause any more damage. As NIST cites, Incident Handlers should not assume that just because a host has been disconnected from the network, further damage to the host has been prevented.
2. Evidence Gathering and Handling
The “Evidence Gathering & Handling” phase is mainly to understand what happened in order to resolve the incident. However, sometimes, it might be useful for legal proceedings, so it’s important to thoroughly document how all evidence, including compromised systems, has been preserved.
In addition, evidence should be accounted for at all times; whenever evidence is transferred from person to person, chain of custody forms should detail the transfer and include each party’s signature. A detailed log should be kept for all evidence, including the following:
- Identifying information (e.g., the location, serial number, model number, host name, media access control (MAC) addresses, and IP addresses of a computer)
- Name, title, and phone number of each individual who collected or handled the evidence during the
- Time and date (including time zone) of each occurrence of evidence handling
- Locations where the evidence was stored.
As a professional in this field, you should start collecting evidence as soon as you suspect an intrusion may have occurred.
Since cyber incidents cause a dynamic chain of events to occur, an initial system snapshot may do more good in identifying the problem and its source than most other actions that can be taken at this stage. From an evidentiary standpoint, it is much better to get a snapshot of the system as-is rather than doing so after incident handlers, system administrators, and others have inadvertently altered the state of the machine during the investigation.
3. Identifying the Attacking Hosts
During a cyber attack, SysAdmins or Owners are often tempted to identify the attacking host/s. However, it is important to stay focused on containment, eradication, and recovery at this point. One thing to keep in mind is that the primary goal is to minimize business impacts, not let your curiosity run wild.
Here are some of the most commonly performed activities for attacking host identification:
- Validating the Attacking Host’s IP Address
- Researching the Attacking Host through Search Engines
- Using Incident Databases
- Monitoring Possible Attacker Communication Channels
4. Eradication and Recovery
Once the incident has been contained, it is important to remove the remaining malware. In addition, teams will have to identify and mitigate all vulnerabilities that were exploited, as well as locate all affected hosts so that they can be remediated.
In recovery, administrators restore systems to normal operation, confirm that the systems are functioning normally, and (if applicable) remediate vulnerabilities to prevent similar incidents.
For large-scale incidents, recovery may take months; the intent of the early phases should be to increase the overall security with relatively quick (days to weeks) high value changes to prevent future incidents.
Sort of a ‘lesson learned’, the next phase of the Computer Security Incident Handling Guide is to list the necessary questions to answer and steps to build a stronger incident response plan for the organization. Ultimately, this will become the game plan to prevent new incidents from happening.
Want to learn how to effectively analyze, handle, and respond to security incidents? Discover our newly-launched Incident Handling & Response Professional (IHRP) training course below.
–DISCOVER IHRP– | –GET FREE TRIAL–
Connect with us on Social Media