Responding to an Incident
Once the planning for your incident response team (IRT) and its policies is complete enough to be operational, you should start thinking about how an actual incident response will unfold. The first step is understanding how the team will scope and contain a potential threat; if you cannot do this, you will not be able to remediate the situation. Scoping means identifying every system, person, and network involved in the incident. Containment means isolating the breach to the systems under investigation so that attackers cannot expand to other systems. Scoping and containment are urgent because the longer an IRT takes to contain an incident, the more time attackers have to entrench themselves in the organization and to delete logs or other evidence of their presence and activity. When it comes to breaches, exposure time is absolutely critical.
Incident response teams must decide where and how to stop attackers. In many mature organizations, systems are housed in different areas of the network or in different offsite locations, or they span multiple cloud providers. This makes containment easier to implement because of the natural network segmentation, which prevents threats from spreading freely across gateways and firewalls. However, it complicates the job for cyber forensics investigators, who now have multiple systems from which they must collect evidence and multiple networks they must understand and assess. Seasoned cyber forensics investigators know how to collect information from different kinds of systems and prepare for different situations, such as systems that are left running, shut down, damaged, or virtualized. This may mean that different strategies are needed for different applications. Be aware that the individuals responsible for a forensics investigation may need to take actions that conflict with those of the incident responders. For example, it is very common for organizations to have a policy of reimaging any system infected with malicious software. That incident response action directly contradicts what a forensics investigator would do, which is to image and investigate the system (reimaging destroys the volatile memory and disk artifacts that show how it was compromised) so that the organization can avoid future breaches. Best practice is for the incident response plan to define how these situations are handled, meaning it should state which party has final authority over the affected system. We lean toward giving the forensics team the higher authority, but the choice depends on the business and the situation.
When should an IRT declare that it has achieved containment? This question can be extremely tricky to answer, and we have seen situations in which the IRT believed an incident was contained, only to find more systems compromised with the same or a new malicious variant after the case had been reported closed. Why do these teams fail? In many cases they do not understand the true scope of the breach before attempting to contain it, or they have a false sense of containment. This can happen when there is a disconnect between what the forensics investigation found and what the responders acted on, or when people fail to recognize the importance of certain information. One example is misidentifying the first system infected, and therefore the exploit used to breach the network, before the malicious software spread laterally. Incident response teams must understand the full scope of the breach to contain it, which typically means understanding the full life cycle of the attack. We covered this concept in Chapter 2, “Cybercrime and Defenses,” when we discussed the Cyber Kill Chain Model. Forensic specialists can provide valuable information to the rest of the IRT by examining logs, traffic, and systems to gain insight into the full scope of a breach. Our recommendation is to make a member or group with forensics expertise responsible for determining when an incident is properly contained. This book is designed to help you be part of that team!
To fully understand how to scope an incident, the forensic specialist must identify a few things:
What are the device types that may potentially contain evidence?
What are the operating system and software running on the devices?
What are the network communication capabilities of the devices, and what does normal network traffic from those devices look like?
How are the devices connected, and what devices can they talk to?
What are the available logs on the system, and is it possible to tell if they have been modified?
What is the timeline of the incident, and where did it begin?
How critical or how sensitive is the data associated with the device?
After these questions have been answered, forensic investigators can normally proceed to preserving evidence and assessing the severity and extent of the breach.
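Several of the scoping questions above (which logs exist and whether they show signs of modification, where the incident began, and which outside hosts the devices have talked to) can be answered with a first pass over the host's own logs. The following Python script is an added example, not code from the book: it parses a constructed, syslog-style auth log with RFC 3339 timestamps, builds a timeline, lists source addresses outside the RFC 1918 ranges as candidate entry points, flags two cheap tampering indicators (a timestamp that runs backwards, which suggests spliced or appended entries, and an unusually long silence, which suggests deleted entries), and records a SHA-256 fingerprint of the raw log before analysis for the preservation step. The log format, host name, user names, addresses, and the two-hour gap threshold are all assumptions made for the example.

```python
"""Scoping triage over a host log: timeline, external sources, tampering indicators, fingerprint.

Added example; the format and the sample lines below are constructed for illustration.
"""
import hashlib
import ipaddress
import re
from datetime import datetime, timedelta

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
SRC_IP_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")
# RFC 1918 ranges; anything else in a "from" field is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: an auth log from host ws12 after an intruder removed a window of entries
# and an out-of-order line was left behind. 192.0.2.77 is a documentation address standing in
# for an external source.
SAMPLE_LOG = """\
2023-05-01T09:00:00Z ws12 sshd[1201]: Accepted publickey for alice from 10.0.5.20 port 50112
2023-05-01T09:00:05Z ws12 sudo: alice : TTY=pts/0 ; COMMAND=/usr/bin/apt update
2023-05-01T09:30:12Z ws12 sshd[1340]: Accepted password for svc_backup from 192.0.2.77 port 41022
2023-05-01T13:45:00Z ws12 sshd[2077]: Accepted publickey for alice from 10.0.5.20 port 50331
2023-05-01T13:20:00Z ws12 sudo: svc_backup : TTY=pts/1 ; COMMAND=/bin/rm -rf /var/log/journal
2023-05-01T13:46:00Z ws12 systemd[1]: Started Session 9 of user alice.
"""


def parse_log(text):
    """Parse syslog-style lines into dicts, keeping the file line number for reporting."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # skip blank or malformed lines rather than abort the triage
        entries.append({
            "line": lineno,
            "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
            "host": m.group("host"),
            "msg": m.group("msg"),
        })
    return entries


def find_anomalies(entries, max_gap=timedelta(hours=2)):
    """Walk the log in file order and flag timestamps that go backwards (spliced or
    appended lines) and silences longer than max_gap (a deleted window of entries)."""
    findings = []
    for prev, cur in zip(entries, entries[1:]):
        delta = cur["ts"] - prev["ts"]
        if delta < timedelta(0):
            findings.append(f"line {cur['line']}: timestamp goes backwards by {-delta}")
        elif delta > max_gap:
            findings.append(f"lines {prev['line']}-{cur['line']}: gap of {delta}")
    return findings


def timeline(entries):
    """Order events by time rather than file position; the first item is the earliest observed activity."""
    return sorted(entries, key=lambda e: e["ts"])


def external_sources(entries, internal_nets=INTERNAL_NETS):
    """Collect source addresses outside the internal ranges: the candidate entry points to scope first."""
    ips = set()
    for e in entries:
        for ip in SRC_IP_RE.findall(e["msg"]):
            addr = ipaddress.ip_address(ip)
            if not any(addr in net for net in internal_nets):
                ips.add(ip)
    return ips


def fingerprint(text):
    """SHA-256 of the log exactly as collected, recorded before analysis so later copies can be verified."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("first observed event:", timeline(entries)[0]["msg"])
    print("external sources:", sorted(external_sources(entries)))
    for finding in find_anomalies(entries):
        print("anomaly:", finding)
    print("evidence sha256:", fingerprint(SAMPLE_LOG))
```

On the sample, the script reports one external source (192.0.2.77), a gap of over four hours between lines 3 and 4, and a timestamp on line 5 that runs backwards. None of this proves tampering on its own; a host that was powered off will also show a gap, and clock skew can reorder entries. It tells the investigator which log, which host, and which time window to pull additional evidence for (the central log collector, NetFlow, or the authentication server) before anyone calls the incident contained.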