Fieldnote: Incident Response

by Posted on

Incident Reponse Plan (IRP)

Everyone has a Plan Until They Get Punched in the Face” – Mike Tyson  

Questions to consider: 

  • What data is most critical to your organisation? 
  • Does your insurance cover ransomware? 
  • If we need to pay the ransomware – do we understand how to make payments in different cryptocurrencies? 

Which Indicators of Compromise (IoC) will trigger the IRP?

Who’s responsibility is it to action the IRP?

The phases of incident management are as follows:

The steps that NIST set out as an Incident Response is a good place to start:

Preparation

  • Business Continuity Plan needs to be actioned if required (in case of widespread malware attack) 
  • Review backups often to ensure cover – regular snapshots should be taken 
  • Review network/folders permissions to ensure only authorised users have access 

Identification

  • Detecting Ransomware on the network is crucial
  • Where are the indicators likely to come from
  • Investigate Endpoint / Server AV Alerts
  • Investigate SIEM Alerts
  • Helpdesk message from user
  • Automated report emailed to SOC team
  • Threat reports from Cloud security tools

Containment

  • Isolate any machines suspected of carrying ransomware as soon as possible – the highest priority to prevent the spread 

(It’s safe to assume that the malware/ransomware has been on the network for a while) 

  • Disconnect machine from network / internet / Wi-Fi 

If it’s a remote user (working from home) – disable the network card on the device and have them courier the laptop to the office.  

  • Carry out an investigation of the affected machine 

Once the machine arrives do not reconnect it to the office or home network  

  • Log Ransomware and malware incidents as high priority/priority 1 
  • After you have assessed the situation there are six levels of classification when it comes to incidents. You are going to want to evaluate which one the incident falls under. 

High-level incident: 

Moderate-level incident: 

Low-level incident:  

  • Gather as much information as possible to establish the scope of the issue 

Who would likely be in contact with the affected user/device? Contact members of their immediate team 

  • When/Where/Who/How 

Eradication

  • Isolate infected/affected machine 
  • Ensure malware signatures are up to date 
  • Update all other endpoints in the network to have the latest anti-malware updates 
  • Run full system/network scan on the estate 
  • Check AV logs / Email / IDS / File Share / Backup / Infected device logs 

Useful software to have on hand: 

https://www.hitmanpro.com/en-us

https://www.emsisoft.com/en/home/emergencykit/

Recovery

  • Clarify if the issue is a full-blown incident 
  • Notify management that full incident is taking place 
  • Classify as priority high/1 or medium/2 or low/3 
  • If required – notify the Police Cyber Crime Unit and the insurance company that an incident has taken place 
  • Seek out legal advice if required 
  • Notify applicable Clients of the breach within 72 hours 

Useful links: 

A site which could identify which variant of ransomware you might have: 

https://id-ransomware.malwarehunterteam.com/

Reporting

  • Performing problem cause analysis – how did the attack penetrate defence layers? 
  • Post-incident review 
  • Follow up meeting should be taking place 24/48 hours after the incident 
  • Root cause identification 
  • Perform trend analysis 
  • How can we prevent a reoccurrence of the attack? 

Additional Reading!

Malware and ransomware protection in Microsoft 365

https://docs.microsoft.com/en-us/compliance/assurance/assurance-malware-and-ransomware-protection

Published by admin