IR Planning: The Critical 6 Steps of Cyber Security Incident Response
This post was last updated on August 27th, 2021 at 05:21 pm
Our data, services, and infrastructures are attacked constantly by ransomware, malware, cyber attackers…the list goes on. Despite our best efforts to stop them, most organizations will experience the dreadful outcomes of a data breach. When this happens, you initiate your (hopefully, updated and well-practiced) cyber security incident response plan.
The Incident Response Process
Your cyber security incident response process is the entire lifecycle (and feedback loop) of a security incident investigation. Following detection of an attack or an alert from one of your protection or detection tools (EDR, SIEM, AV, etc.) your security team should immediately undertake a well-defined IR process to verify and scope the issue.
In most cases, the protection tool (such as antivirus software or an endpoint detection and response platform) did its job. In other cases, it only caught part of a multi-stage attack or detected the use of a post-compromise tool like Mimikatz. Additionally, if the first security alert you receive is on a post-compromise tool, that is a concern because it means the original, remote-access trojan is probably still giving the attacker continued access to your network and IT environment.
NIST has a strong, basic IR process outlined in the following chart:
This cyber security incident response model is available from NIST in their Computer Incident Handling Guide (PDF). For small security teams (or single point shops), we offer a slightly more defined process that includes various technical options using tools and processes like Infocyte HUNT. Infocyte specializes in simplifying and optimizing steps two and three in the above IR process diagram — detection, analysis, containment, eradication, and recovery.
The Six Steps of the Cyber Security Incident Response Process
Step 1: Validate (Identification)
Security alerts need to be validated — especially if they come from a passive sensor like a network IDS. False positives (false alarms) [link to Infocyte “False Positives / False Negatives” blog] are a common occurrence and should be distinguished from actual threats. Infocyte customers will generally review the available data provided by the detection tool and/or perform a deep dive on the host using Infocyte HUNT.
Ask the following questions:
- Is this an actual attack?
- Was the attack attempt successful?
- What happened on the endpoint/server that was attacked?
- What is the severity of the malware or alerted activity? (Most general intel and products are poor at this as what is important for one company may not be important to another.)
With the answers to these four questions, your security team can proceed to step 2, Triage and Identification.
Step 2: Triage (Identification)
If a part of the attack successfully executed, then determining the scope of the incident is important as lateral movement is a common first step for attackers. You have to ask: Is this the only system affected? You’ll need a quick way to find your answer and, again, Infocyte can come to the rescue with a quick forensic triage on systems within the same subnet. Gather any ephemeral evidence such as logs at this time as well (some logs roll over quickly!) if you plan to investigate more later.
Note: This step is often skipped or never mentioned. If you aren’t triaging your network following a compromise, you are playing whack-a-mole which makes it easy for attackers to stay in your network.
Step 3: Containment
Once validated and scoped, you’ll want to stem the bleeding and remove attacker access. If your triage process does not include Infocyte, you may want to start this earlier as step 2 for the first system you found. Most antivirus products will have a malware quarantine capability but this generally only works on defined malware and may not quarantine every stage in the attack (modern trojans are multi-staged and may be able to recover from a stage being mitigated or caught).
The important thing is to contain the infected hosts and, if possible, block access to any attacker network addresses on your gateway if applicable.
Step 4: Recovery
You want to get back to business as soon as possible. If one employee was affected, get them back working. If the entire network or domain controller got owned, you’ll probably need to rebuild the domain. Most organizations still implement wipe and reload procedures because software remediation is not foolproof.
Step 5: Investigation (Optional)
Investigations determine the root cause and identify additional details if anything was stolen or affected. Unfortunately, investigations are expensive, time-consuming, and often require a very high level of skills. Nevertheless, you should inspect systems and gather various log sources to create a complete timeline of the attack. If you’re a small team with limited resources, carefully consider if this is an attack you need to investigate. In any case, you should finish your recovery as soon as possible and move on — there will be plenty more attacks in the future.
Note: Always recover and get back to business before you begin any lengthy investigation process.
Step 6: Hardening
Cyber security incident response investigations are helpful not just for the rare case that you find the attacker and are able to prosecute. They also provide an opportunity to discover how the attack occurred and harden your network against future security incidents.
Lessons learned from the incident can provide a foundation for developing additional defenses to help ensure better outcomes in the future. For instance, if email was the vector, you can probably justify phishing training for employees or an upgraded email filtering.
Finally, an often missed or forgotten task following an incident is revalidation or “certification.” Many organizations are hit multiple times following an incident because they failed to properly scope or the entry vector was still available for a repeat attack. Infocyte customers are recommended to perform the triage step again on their networks periodically (also called a compromise assessment) to ensure the network doesn’t have any lingering unauthorized access.
Request a demo of Infocyte to learn how our award-winning platform assists security teams during cyber security incident response.