Once you find your business as the victim of a malicious cybersecurity incident, your immediate task will be to act as quickly as possible to limit the impact and damage. Your actions will be influenced by the systems and data at risk, business continuity plans and the objectives of your incident response operation. There are many potentially conflicting pressures to consider.
You are effectively working in a crime scene, so in an ideal world evidential integrity would be maintained for possible legal action or prosecution. This requirement for integrity can conflict with the need to resume business as usual, let alone budgetary and time constraints.
For most incidents, the first priority is containment, to stop the spread to neighboring systems or data and limit the damage. Containment activities are normally fairly ‘quick and dirty’ fixes until further information is available: think removing machines from the network, revoking privileges from accounts, firewalling known attackers or changing passwords.
The National Police Chiefs Council (NPCC) defines four principles related to digital evidence, and these should be forefront in the mind of incident handlers when containing an incident:
- Principle 1: No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
- Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
- Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
- Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
It is important to realize that containment activities may cause changes to ‘evidence’ collected at a later date, so anything you do must be carefully documented. Where prosecution and legal action are likely, obtaining a forensically-sound image of the evidence will be a high priority before containment activities can commence. This can be costly, and it can also delay the process of resuming normal operations.
If you think you are under attack by an advanced adversary, it might be important to put containment on hold until you have covertly observed the attackers’ actions within your environment. Tipping off an attacker that you are aware of their presence before you know enough about what they are doing to contain them completely can be dangerous – they may escalate their activities and this risk must be carefully managed.
Eradication, eradication, eradication
Once you have contained the immediate incident, the response will move to the eradication phase. Further deep analysis of the cybersecurity incident might be appropriate at this stage. You might wish to consider:
- Forensic acquisition of the affected device(s)
- Offline expert analysis of malware identified
- Further live analysis of the compromised systems
- Creating detective signatures for malware and techniques identified in use that may be deployed across the network to identify other affected systems if these exist
- Examining behavior from available information sources to determine whether the attacker is continuing activities following containment, or escalating activities
Understanding the nature and extent of the cybersecurity incident is critical for successful eradication. Incomplete eradication will allow an adversary to retain access to systems and data.
Again, when making changes during eradication, a chain of custody record and preservation of evidence will be critical where prosecution is likely. Timestamped documentation of all activities and decisions should be kept throughout.
As analysis progresses, further information about the nature of the attack may become clear. If new compromises are detected, priorities for your incident should be reviewed, together with the containment strategies you have adopted, and the objectives of the response.
For many incidents involving malware, rebuilding affected systems from scratch or restoring from known-good backups will be required and where the root cause of the compromise is known, this should be rectified prior to recovery.
Recovery phase
Once eradication is thought to be complete, the response operation will move finally into recovery, restoring systems to normal operation. Temporary containment measures such as segregation of networks, or re-routing of traffic may be rolled back to the normal state.
The recovery phase is likely to involve careful monitoring of system behavior and attack signatures for any signs of further malicious activity. After a prolonged period of elevated monitoring with no recurrence, the incident may be considered closed. Never be complacent though, as when dealing with particularly sophisticated and targeted attacks, there may never be an end to the incident.