Cyber Security - Incident Response Part 1: Preparation

Alican Kiraz, Trendyol Tech
Published Apr 14, 2022

Hi everyone, in this series of articles we will cover the design and development of IR planning, along with incident response examples. The contents of this article:

  1. What is the Preparation Phase?
  2. Workflow in Preparation Phase
  3. Creation of the Preparation Infrastructure
  4. The Design of the Preparation Inventory List
  5. IR Examples: IR Phishing Plan

First, to understand the IR process, we need to examine the NIST SP 800-61 document prepared by NIST: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Source: NIST SP 800-61

The preparation phase is continuously improved with the experience and research gained as the process matures. To summarize:

  • Measures to be taken to prevent the event from happening are determined.
  • The teams that will intervene at the time of the incident are determined.
  • The responsibilities of each team that will take part in the incident investigation are defined.
  • The tools that the involved teams will use and the policies and procedures to be addressed throughout the process are determined.

One of the critical points in the IR Preparation phase is that all preliminary information on the subjects Incident Handlers (IH) need is ready. In addition, we should prepare a structure that lets IHs access this information easily during the incident response steps. If we categorize and analyze this necessary information:

Preparation of Contact Lists: This is the determination of the people to be contacted during the incident response process. The critical point here is to scale the incident first and to include teams according to the result. This scaling is determined by the severity of the incident and the confidentiality of the information it involves; the lists are then compared with the result, and the eligible teams are brought into the incident. As far as possible, non-disclosure agreements should be signed beforehand with the people, teams, and institutions included in the list. For example, according to the incident’s risk level and impact, a low-grade incident and a high-grade incident must have different contact lists. It is also beneficial to create escalation lists for the new sub-tasks that will arise during the investigation.

Reporting Mechanisms: In the incident response stage, the pipeline begins when the incident is reported to you; this is the zero point of incident response. By creating appropriate channels for company employees at this zero point and raising security awareness, you can provide an easy notification system. In this way, investigation and reporting of the incident can start simultaneously and quickly. We can design a two-stage plan for this. The first stage is to set up an incident reporting hotline for reports made within the institution; for this, we need notification channels via e-mail, Slack, and phone. Employees should be encouraged to report to the channel, and reports should be resolved quickly so that the motivation to report is not affected. The second stage is to create an Abuse/Incident mailbox for reports from outside the institution. In addition, an anonymous web form on the reporting line will help obtain intelligence.

Incident Response Process Follow-up: A platform or process information system should be established so that people directly or indirectly involved in the incident can follow the incident flow within their competencies.

Communication: To reach the people who will take part in the incident response as soon as possible, they must be reachable on mobile devices secured with MDM. The team should be informed about the incident over end-to-end encrypted services that use up-to-date cryptographic standards.

In addition, the following physical and software tools should be ready to use.

  • Software and hardware to be used during Forensic Analysis
  • Toolsets to be used in Endpoint and Network analysis stages
  • Log review environment for reviewing instant and historical logs
  • Sandbox environment for inspection of suspicious files and datasets
  • Required software to isolate the relevant suspect machine (Containment Process Tools)
  • The necessary software to isolate the Network where the Related Event develops (Containment Process Tools)

“POWER IS NOTHING WITHOUT CONTROL” — Pirelli

Determination and listing of the institution’s inventory:

  • We must identify the physical and software commercial products in the institution, and determine the place and importance of each in the corporate topology.
  • We have to draw the network diagrams and the data flow diagram, and determine which services communicate with each other between devices.
  • We must determine the software installed on the servers and clients.
  • We should list the frequently used commands, processes, and services on servers.
  • We must list the network access points and access restrictions on the clients.
  • We should list the security devices and analyze the false-positive alarms they can generate when interacting with each other.
  • We should list the external disk usage rights, download/upload policies, and application whitelists/blacklists of the client groups.
  • We must list the security agents installed in client groups and server VLANs.
  • We must evaluate and list servers based on their role, risk assessment, and business continuity status.
  • We must list the users with admin rights in the client and server groups, and evaluate and arrange them according to separation of duties.
  • After checking the access rights of AD, DB, and service accounts across VLANs and topologies, we should list them.
  • We must list the advisor accounts located in AD together with their authorizations and access.
  • We should examine and list the VPN accounts of consultants who support us from outside the institution.
  • We should list and categorize the servers according to the OS versions they run.

If you create lists of the many inventories your institution has in advance, you will gain speed and convenience for incident response when an incident occurs. In addition, transferring these lists to the SIEM as lookup lists will give IHs incredible convenience and analysis capability.

Risk Assessments: We have completed steps such as establishing the IR infrastructure in the institution and determining the inventories. Next, we need to assign a severity rating/scale to the inventory lists. When an incident occurs, we must determine which inventory or system it affects, how important that is to the organization, and which teams it affects. Then we scale the information we collect and take action according to the result. In this way, the IR team will gain speed.
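The three ideas above (severity-specific contact lists, inventory lists loaded into the SIEM as lookup tables, and scaling an incident by asset importance and data confidentiality) fit together in one small piece of tooling. The following is an added example, not code from the article or from any product it mentions: it loads a constructed inventory CSV as a lookup table, joins raw alerts against it by hostname, derives a severity from the asset’s criticality and data class, and selects the matching contact list. All hostnames, team names, scores and thresholds are hypothetical.

```python
import csv
import io

# Constructed inventory export (hypothetical hostnames, roles and ratings). This is the
# list maintained in the preparation phase and loaded into the SIEM as a lookup table,
# so every event can be joined against it by hostname.
INVENTORY_CSV = """hostname,role,criticality,data_class,owner_team,vlan
fs01,file-server,high,confidential,infra,srv-10
web03,web-frontend,medium,public,web,dmz-20
pc-ank-117,client,low,internal,ankara-it,cli-30
db02,database,high,restricted,dba,srv-11
"""

# Constructed contact/escalation matrix keyed by derived severity. Team names are
# hypothetical; the point is that each level has its own pre-agreed list.
CONTACTS = {
    "low": ["soc-oncall"],
    "medium": ["soc-oncall", "asset-owner"],
    "high": ["soc-oncall", "asset-owner", "ir-lead", "legal"],
    "critical": ["soc-oncall", "asset-owner", "ir-lead", "legal", "ciso"],
}

# Weights for the two inputs the text names: importance of the asset to the
# organization and confidentiality of the data it holds (hypothetical scale).
CRITICALITY_SCORE = {"low": 1, "medium": 2, "high": 3}
DATA_CLASS_SCORE = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]

# Constructed alerts as they might arrive from EDR, IDS or an auth log. The raw alert
# carries only the host; all other context comes from the lookup.
SAMPLE_ALERTS = [
    {"id": "A-1", "host": "pc-ank-117", "signal": "edr:suspicious-macro"},
    {"id": "A-2", "host": "db02", "signal": "auth:brute-force"},
    {"id": "A-3", "host": "lab-vm-9", "signal": "ids:c2-beacon"},
]


def load_inventory(text):
    """Parse the CSV export into a dict keyed by hostname."""
    return {row["hostname"]: row for row in csv.DictReader(io.StringIO(text))}


def score_to_severity(score):
    """Map the combined criticality + data-class score onto the four severity levels."""
    if score >= 6:
        return "critical"
    if score >= 4:
        return "high"
    if score >= 2:
        return "medium"
    return "low"


def enrich_alert(alert, inventory):
    """Join one alert against the inventory, derive its severity and pick the contact list.

    A host absent from the inventory is not scored low by default: it is marked unknown,
    handled at medium severity and routed to asset management as well, because an
    unlisted asset is itself a gap in the preparation phase.
    """
    asset = inventory.get(alert["host"])
    if asset is None:
        return {
            **alert,
            "known_asset": False,
            "severity": "medium",
            "contacts": CONTACTS["medium"] + ["asset-mgmt"],
            "note": "host not in inventory; verify ownership before acting",
        }
    score = CRITICALITY_SCORE[asset["criticality"]] + DATA_CLASS_SCORE[asset["data_class"]]
    severity = score_to_severity(score)
    return {
        **alert,
        "known_asset": True,
        "role": asset["role"],
        "owner_team": asset["owner_team"],
        "vlan": asset["vlan"],
        "severity": severity,
        "contacts": CONTACTS[severity],
    }


def triage(alerts, inventory):
    """Enrich every alert and order the queue so the IR team sees the worst first."""
    enriched = [enrich_alert(a, inventory) for a in alerts]
    return sorted(enriched, key=lambda a: SEVERITY_ORDER.index(a["severity"]), reverse=True)


if __name__ == "__main__":
    inv = load_inventory(INVENTORY_CSV)
    for a in triage(SAMPLE_ALERTS, inv):
        print(a["id"], a["host"], a["severity"], a.get("role", "?"), ",".join(a["contacts"]))
```

With the sample data, the brute-force alert on the restricted database is ranked critical and routed to the full escalation list, the client alert lands at medium, and the unknown host is surfaced as an inventory gap instead of being silently treated as unimportant.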

For example, let’s plan the Preparation phase of a Phishing IR Plan, then simulate an incident and see the benefits. In our plan, we must first prepare the following lists:

  1. Let’s categorize mail users according to their authorizations, accesses, and business lines and prepare a list.
  2. Let’s list the software we use in mail security.
  3. Let’s list our Mail Service and version information.
  4. Let’s list the technologies we use in mail security (DKIM, S/MIME, etc.).
  5. Let’s list the protection layers (EDR, EPP, DLP, etc.) we have for an incident that occurs while the user is on VPN.
  6. Let’s list the protection layers (EDR, EPP, DLP, etc.) we have for an incident that occurs while the user is not on VPN.
  7. Let’s list the users who did not participate in the information security awareness training or failed the phishing tests.
  8. Let’s collect the status control reports of the in-house Phishing hotline daily.
  9. Let’s list the missing Agents on the clients.
  10. Let’s list the policies of the Agents installed on the clients.

Example INCIDENT

A phishing mail is sent to an organization called ACME from the address support@acmeit.com. The email is intended to make users click a link and download and run a malicious file. A user working in Acme Ankara finds the e-mail suspicious and reports it to the suspicious event notification address (abuse@acme.com). The SOC team sees the report and starts examining the mail.

Impact: It turns out that the whole of Acme Ankara, a subsidiary of Acme Corporation, has been affected.

Our IR team:

  • 3 Incident Handler
  • 2 Threat Hunter
  • 1 Malware Analyst
  • 1 DFIR Specialist

Let’s examine the event flow and the actions taken by the experts below.

Incident Handler 1: First, let’s check whether the suspicious address support@acmeit.com is in our inventory, and check its reputation. (Let’s assume the mail is malicious.) We learned the mail technology the Acme Ankara team uses from the 2nd, 3rd, and 4th lists we created above. This mail address is not on our lists!

Incident Handler 2: From the mail service’s admin panel, let’s check who received mail from support@acmeit.com and whether the mail has been opened.

Incident Handler 3: Let’s get a copy of the mail for the IR team to review. Let’s move the mail from the users’ Inbox to the trash while the IR team reviews it.

Threat Hunter 1: Using the 9th and 10th lists, let’s check the agent status of the users who opened the mail. Let’s check the DNS records in the EDR and SIEM environment to see whether they clicked the link in the mail.

Threat Hunter 2: Let’s check if the users who clicked on the link are in the 1st, 5th, and 6th lists. Let’s isolate the suspicious group in a controlled manner and continue the control stages over EDR.

Threat Hunter 2: Let’s suspend the service accounts of these users.

Malware Analyst: Upon examination, it turns out that the malicious file in the mail is a rootkit.

Threat Hunter 1: When the institution’s DNS records are examined in the SIEM, we see no connections to the relevant C&C. But some users did click the malware download link, and the list of users infected by the malicious file contains different users. Therefore, it is suspected that these users did not have VPN connections when they clicked the malware link. Make sure the VPN logs are checked.

Incident Handler 2: We notify the abuse address of the hosting company responsible for the server behind the malicious link, and the takedown process is started.

Incident Handler 1: The malicious e-mail address is blocked in the institution’s mail service.

Threat Hunter 2: Affected computers should be handed over to the IT team.

Incident Handler 3: Security awareness training should be planned for the users who clicked the link.

DFIR Specialist: Performs DFIR analysis on the relevant machines and completes the reporting.

Team: At the end of the incident, the team holds a Lessons Learned meeting and evaluates the process. It identifies the errors and deficiencies in the process and improves the IR processes accordingly.
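The walkthrough above is essentially a sequence of set operations over the prepared lists and the available logs: who received the mail, who opened it, whose click is visible in corporate DNS, whom EDR reports as infected, who has no agent, and who was off-VPN when the payload ran. The following is an added example, not code from the article; it reproduces that cross-referencing on constructed data. The users, hosts, timestamps, log layouts and the download host `files.acmeit.com` are all hypothetical stand-ins for what the mail gateway, the SIEM’s resolver logs, EDR telemetry and the VPN logs would provide.

```python
from datetime import datetime

# All data below is constructed for the example (hypothetical users, hosts and times).
SENDER = "support@acmeit.com"
LINK_HOST = "files.acmeit.com"  # hypothetical host behind the download link in the mail

# Stand-in for prepared lists 1, 5/6 and 9: business line, whether the EDR agent is
# installed, and the user's VPN sessions for the day as (start, end) pairs.
USERS = {
    "ayse":  {"line": "finance", "edr_agent": True,  "vpn": [("2022-04-14T08:00", "2022-04-14T18:00")]},
    "burak": {"line": "sales",   "edr_agent": True,  "vpn": []},
    "ceren": {"line": "hr",      "edr_agent": False, "vpn": [("2022-04-14T09:00", "2022-04-14T12:00")]},
    "deniz": {"line": "it",      "edr_agent": True,  "vpn": [("2022-04-14T07:30", "2022-04-14T19:00")]},
}

# Mail gateway delivery log: (recipient, sender, opened).
MAIL_LOG = [
    ("ayse", SENDER, True),
    ("burak", SENDER, True),
    ("ceren", SENDER, True),
    ("deniz", SENDER, False),
    ("ayse", "newsletter@example.org", True),
]

# Corporate resolver DNS log as seen in the SIEM: (timestamp, user, query name).
# Only lookups that traverse the corporate network or the VPN appear here.
DNS_LOG = [
    ("2022-04-14T10:05", "ayse", LINK_HOST),
    ("2022-04-14T10:07", "ayse", "intranet.acme.com"),
    ("2022-04-14T13:40", "ceren", "mail.acme.com"),
]

# EDR telemetry: (timestamp, user, event). The agent reports regardless of VPN state.
EDR_EVENTS = [
    ("2022-04-14T10:06", "ayse", "file_executed:invoice.exe"),
    ("2022-04-14T11:20", "burak", "file_executed:invoice.exe"),
]


def recipients(mail_log, sender):
    """Users who received anything from the sender (Incident Handler 2's first question)."""
    return {u for u, s, _ in mail_log if s == sender}


def opened(mail_log, sender):
    return {u for u, s, o in mail_log if s == sender and o}


def clicked_via_corp_dns(dns_log, host):
    """Users whose click is visible in the SIEM because the lookup went through corporate DNS."""
    return {u for _, u, q in dns_log if q == host}


def executed_payload(edr_events, marker="file_executed:"):
    return {u for _, u, e in edr_events if e.startswith(marker)}


def on_vpn_at(users, user, when):
    """True if the user had an active VPN session at the given time (the VPN log check)."""
    t = datetime.fromisoformat(when)
    return any(datetime.fromisoformat(a) <= t <= datetime.fromisoformat(b) for a, b in users[user]["vpn"])


def triage(users, mail_log, dns_log, edr_events, sender, host):
    """Cross-reference the prepared lists with the logs to produce the hunt's working sets."""
    received = recipients(mail_log, sender)
    opened_set = opened(mail_log, sender)
    clicked = clicked_via_corp_dns(dns_log, host)
    infected = executed_payload(edr_events)

    # Infected per EDR but with no corporate DNS record of the click: the download most
    # likely happened off-VPN. This is the discrepancy the threat hunter notices, and the
    # reason the VPN logs are checked next.
    first_exec = {}
    for t, u, _ in sorted(edr_events):
        if u in infected - clicked and u not in first_exec:
            first_exec[u] = t
    off_vpn_suspected = {u for u, t in first_exec.items() if not on_vpn_at(users, u, t)}

    # Recipients without an EDR agent (list 9): their state cannot be verified from
    # telemetry, so they need a manual check rather than being assumed clean.
    missing_agent = {u for u in received if not users[u]["edr_agent"]}

    return {
        "received": received,
        "opened": opened_set,
        "clicked_via_corp_dns": clicked,
        "infected": infected,
        "off_vpn_suspected": off_vpn_suspected,
        "missing_agent": missing_agent,
        "contain": infected | clicked,  # candidates for controlled isolation via EDR
        "manual_check": (opened_set & missing_agent) - infected,
    }


if __name__ == "__main__":
    for k, v in triage(USERS, MAIL_LOG, DNS_LOG, EDR_EVENTS, SENDER, LINK_HOST).items():
        print(f"{k:22} {sorted(v)}")
```

On this data the containment set is the two users EDR saw run the payload; one of them never appears in corporate DNS and had no VPN session, which is the off-VPN case the walkthrough describes; and the user without an agent who opened the mail ends up in the manual-check set, because lists 9 and 10 say there is no telemetry to clear them with.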

Thank you for reading. In my next article, we will examine the Detection and Analysis section.

Next Article : https://alican-kiraz1.medium.com/incident-response-part-2-1-installation-of-detection-systems-en-5800d8fc4c46

