Time
10 hours 19 minutes
Difficulty
Intermediate
CEU/CPE
12

Video Transcription

00:05
So if we go back to response in general, what are we trying to do
00:11
in the response process?
00:13
Well, toe come down to the very basics of it. We're tryingto halt or minimize the attack effects or the damage that can be caused to an organization's key critical assets and data.
00:27
But at the same time, we want to maintain the operational mission of the organization itself.
00:35
So if you're trying to respond to an attack, you don't want to completely take out of service
00:43
your operations, your systems and network.
00:47
Now there may be times in extreme situations where organizations have decided that they need to do that. But
00:56
basically we're trying to balance
00:59
um,
01:00
stopping the malicious activity and getting to full operational capability
01:07
in a timely manner.
01:11
We also want to ensure that if systems have been affected
01:15
that they can be cleaned
01:18
and re established
01:19
to their previous
01:23
and
01:23
operational capacity,
01:26
and that can include taking a look at the data
01:29
and ensuring that the data has not been
01:33
damaged in a way that is is replaceable.
01:40
Response can also look strategically at What do we need to do to improve our security posture and improve our ability to be ready for attacks and threats and an improve the defense is that we have in place.
01:57
So there's a short term we wanna hold or mitigate the attack. But there's the long term. We want to strengthen our ability to prevent these types of incidents from happening again and ensure that we're ready for other types of attacks took her.
02:13
We want to make sure also that the response activities
02:16
ah, current a manner that protects the data according to this level of sensitivity.
02:22
And we want to be able to, um,
02:25
do an attack or malicious activity characterization.
02:30
We need to understand what is going on, what is happening. And then can we express that characterization to management or to other external collaborators?
02:42
And in the long run, as we look to perform, response and plan, response and coordinate response
02:49
we're looking at what are our courses of action? What are our response steps? What are our response strategies? What are mitigations steps? What's our mitigation strategies? How is this all tied together to those courses of action or see always
03:09
now, when we look at
03:13
courses of action or CEO A's
03:15
and we think about
03:16
what is going to impact, how we develop those will. NIST has a guide out of computer Security Incident Handling guide that's available. It's all it's in revision to right now, and it gives it a list of criteria
03:32
or trying to help you determine what is inappropriate
03:37
course of action or strategy.
03:39
And some of the things that we it looks at, for example, are well, what's the pretend If there's malicious activity, if there's a threat that is a potential, what is the potential damage to resource is or what type of resource is might be lost or stolen?
03:58
What is the need for evidence preservation?
04:01
Because if you need to preserve evidence according to chain of custody rules in a forensically sound manner that can very much change the way you perform your analysis, data collection and response strategies,
04:18
Uh,
04:19
also what service is have to be available?
04:24
What can you take down what can come down for short periods of time, longer periods of time, no time at all,
04:31
So you have to understand the service's that are being provided, and the impact to those service is
04:39
even looking at the time and resource is needed to implement the course of action. Do you have the right staff?
04:48
With the time available and the skill sets needed?
04:53
Often organizations have tohave
04:56
some type of serge support, so there may be contracts to pull in. Others make might be contractors or other parts of the organization that can come in and help execute the response if needed.
05:10
And then
05:12
what is the effectiveness of the strategy itself?
05:15
Is it really going to
05:16
deal with the whole incident, or is it only going to deal with part of the ongoing activity? And they're going to be other steps that are being needed to?
05:26
And then what's the duration of the solution?
05:29
As far as the mitigation itself
05:31
eyes, this going to take a long time. Is this a short time? Are we gonna have to stay overnight? Are we gonna be working around the clock? So all those things are going to come into play as you plan your response and determine the response steps to take
05:48
or the the response strategy. There's those courses of action,
05:53
So those are all good questions. Toe Ask during an incident as you're planning that response and determine how these. The answers to these questions will impact when and how you implement your response and what additional support or additional resource is.
06:12
You might need to perform that response.
06:17
We want to take a look now at the three steps that we mentioned that are part of response now. These steps containment, eradication and recovery do not always occur in every single incident. It really depends on the incident itself that the, um
06:36
actual malicious
06:38
actions that have been taken
06:41
or the potential for future threats and it really depends on the environment that you have the infrastructure you have, the security tools and defense is that you have in place that can be used. But we're going to talk about each one of these, and then depending on the incident, you may perform
07:00
some or all of these steps.
07:02
So we often hear about containment.
07:05
When you look at response that there are containment actions as part of your courses of action, part of your response strategies.
07:15
So what do we mean by containment?
07:18
So containment really is, Ah, short term tactical action. So this is that peace, where you're trying to quote unquote stopped the bleeding so stopping intruders access to compromise systems or stop the intrusion from doing any more damage
07:38
on and make sure that you can limit
07:42
the compromise has occurred, so containment means literally contain the intruder or the malicious activity from spreading any further.
07:53
So the primary objectives that we're talking about for containment are regained control of the system
08:00
so that we know not the intruder
08:05
control the operation of the system so that we can collect evidence that we need. We can do the analysis we need and that we can recover, return them to normal operation.
08:16
And also on objective is to deny the intruder access or prevent them from continuing the malicious activity. Again, we're trying to halt that the damage that that's occurring
08:30
when we look at some of the common containment strategies we see out there. It of course, is going to be based on the type of incident. But but some of the things that we may see may involve doing some type of blocking of
08:48
malicious files coming in certain types of communications coming in or going out of your network infrastructure, and you need to determine at what level that blocking is going to be most effective and where you might actually put an additional strain
09:09
on your network capacity.
09:11
If you don't do any type of blocking or filtering at the at the right level so things could be done it that the border Gateway firewall they might be done but male on proxy levels. Or even you might do specific. You are Ellen domain blocks
09:28
to to stop people from going to certain murals
09:31
or domains to stop traffic from malicious girls or domains from entering into your infrastructure.
09:43
You may, as a containment strategy, do some isolation of any affected system on the network. So do some network isolation. You might disconnect the system from local network or from the Internet or other public networks,
10:00
or maybe do some type of
10:03
segmentation from the rest of the network.
10:05
Uh, there are other issues involved in choosing some of these containment strategies as far as,
10:13
um, what type of evidence you're able to collect
10:18
or if you want to actually watch what the intruders doing for a longer period of time, you have to think balance that with the containment strategy to kind of help the activity and regain control of the system
10:33
and UM, or extreme containment strategy might be to shut down a system, a server service, whatever it is, but a shutdown. So that is usually frowned upon. Unless that's the only option, because it can then again disrupt the evidence that your collecting
10:52
and change things on the system
10:54
stuff that's in memory can be lost. That might show indications of what an intruder was doing, so there are a lot of issues that need to be taken into account when you're choosing your containment strategies.
11:09
So when you're looking at an understanding what you're able to do in your infrastructure, you need to really have that approval from management as far as what containment activities can be taken in general. And you have to understand the mission criticality of your service is
11:28
and what kind of requirements they have for up time or production status, and have to understand what impact any of these short term in payment strategies might have on your business operations or on your network band with an incapacity.
11:50
Also within mists. Computer Security Incident handling guide They talk about some other containment strategies as far as eliminating the Attackers route into the environment by making sure that not only have you gained control of the system, but
12:09
stopping them from getting access to any nearby resource is that might be targeting similar systems
12:16
that maybe haven't been compromised yet but protecting them. Blocking transmission from blocking the transmission mechanisms for malicious code between infected systems. So whatever protocols are being used, or whatever mechanisms of being used to spread malicious cloak code,
12:35
can you Can you block that
12:37
if you have AH, situation where one of the systems on your network has been compromised and now has been taken over by intruder and software installed to make that system operators on a bought on a botnet, then you may wanna make sure that no activity from that system can
12:56
get out of your infrastructure so that can no longer participate
13:00
on. Then clean up that. But we'll talk about the cleanup part. When we talk about eradication,
13:07
there may be accounts that have been compromised that may be needed to be disabled, that because they've been used in the attack, so there's a lot of different containment strategies and do that short term tactical containment activities,
13:26
One of the
13:28
considerations that we have to take is the whole concept of leaving a system online.
13:35
Some organizations may want to watch what the intruder is doing toe understand how they've been operating, but also to understand what other parts of the operations of the organization may have been compromised, where else they may be in the systems. And so again, there may be circum
13:54
certain circumstances where
13:56
containment strategies are not put in place because you don't want to tip off the intruder that you know what they're doing and that you want to instead watch what they're doing the
14:09
when this decision is made, it it has to be made with the right authority and approval. And this again should be something that is talked about ahead of time. In what situation would you leave a system online? You don't want to be tracking down management and legal drink an incident
14:30
to say, Can we do this or not? You should know what the process is.
14:33
You should have the right people that need to be involved in the decision have them available and knowing that that they need to be involved in in that system in that decision
14:46
and this also is something that comes from miss provide. Some cautions that not containing the malicious activity could actually cause more malicious activity. Tow her, and so that's something that you have to take in mind. If you do leave a compromise system running,
15:03
more damage may be done on your systems.
15:07
Other systems could be compromised. Data could be released
15:11
into two unauthorized
15:16
organizations or people,
15:18
so you really have to think about
15:20
what could be done. There was one situation where an organization was tryingto understand that track what an intruder was doing,
15:28
and by leaving the system opened, they were actually able to delete data that did not have a backup and was not recoverable. So you really have to take into account if you're leaving that system online, leaving that system open what may be the consequences of that action.
15:50
Other caveats for can containment. When you put some of these containment strategies in place, you may destroy information required to really understand the what happened
16:04
within an intrusion. You may accidentally or purposefully because of the actions taken, change, change data and this ties into. When we were talking about shutting down a system and the information and evidence that might be lost. So ensure that you have the necessary data
16:25
that you need for analysis,
16:26
and it's been collected before making any system changes. We also see that as organizations look to do a more detailed analysis on a system, they will make images of the system if possible, or the affected parts of the system and
16:45
deuce deuce analysis on a copy of that keep
16:48
the original data intact in case they need to refer back to it.
16:57
The next step that we want to talk about is eradication. So how is eradication? Ah, different than containment,
17:04
So eradication really means
17:07
removal or eliminate. So it's the steps required to eliminate
17:12
the cause of an intrusion. Now, the slide says, the root cause of an intrusion
17:18
that may not completely always be the case. The root cause may end up being something different, but thio at least eliminate some of the causes of the malicious activity
17:32
or the threats and risks so all threats and risks you would like to have removed from systems and networks before returning them to service. So you really need to think about it, understand what has happened to ensure that you have taken the necessary precautions
17:51
and you have
17:52
ensured that any malicious activity malicious files have been removed from the systems and won't be easily reinstalled.
18:03
Because if you don't do complete
18:07
eradication of some of the malicious components, then the system as a set could easily be compromised again. Every reached again
18:18
when we look at the primary objectives of eradication, were really looking to ensure that the removal of the cause or causes of the malicious activity in any associated files and ensure that that any access methods that have been used by the intruder I've also been eliminated
18:38
so long term that
18:41
that can actually mean that vulnerabilities that were exploited by the intruder to allow them to gain access to a system in an unauthorized fashion are patched or remediated in some way
18:53
if they were able to get to equipment because the equipment wasn't physically secured or there what we're not
19:03
containing restrictions on access to areas that maybe something that also has to be removed. Also, it could be human error. So if people are performing actions that put the systems in danger,
19:22
ensuring through
19:25
training or through disciplinary actions that that type of action is removed or eradicated so they don't repeat those types of actions.
19:40
Now. Eradication after
19:45
usually comes after containment.
19:47
But if if containment is part of your response, strategy at a containment doesn't always have to be. But executing eradication is really kind of an interactive theater toast step, so you may do some information, do some
20:06
eradication steps and find out more information
20:08
and find out that there's more containment activities or eradication activities that that you have to perform. So it's not always clear the beginning until you do your various types of analysis. What actually caused the damage of
20:26
how an intruder was able to get in, and especially
20:30
what intruder has been able to modify?
20:37
And we want to understand, to the fullest effect possible what was done. So before we rebuild and reconnect any type of affected system so that we don't leave,
20:49
um,
20:52
a compromise system or we don't leave a system vulnerable to, uh, further damage an attack.
20:59
So some of the common eradication steps that we've we've seen again specifying that
21:06
are eradication. The actions taken themselves will depend on the type of incident it is, but just some of the common eradication Sze steps would be, if there's been mopped malware installed to remove that that malware,
21:21
if there has been files that have been replaced with possibly Trojan versions or that have been compromised in some way or modified in some way restoring the integrity of those files.
21:34
If ah system is in an unknown state
21:40
and has now had malicious
21:42
code installed on it, then rebuilding that system, ensuring that from trusted media ensuring that it's returned to a state that does not have that malware in. And it's not easy for the intruder to reinstall
22:00
that Mauer, which can be tricky sometimes with some of the new
22:04
techniques that are out there.
22:07
It can also be even eradication step convey be that as malware is maybe coming into your infrastructure
22:15
through email. Maybe you have some more preventative or proactive eradication strategies where there are systems that look for that malware and then either quarantine quarantine at some place.
22:32
Uh, so it does not come to the end user or just remove strip it off and remove it
22:37
and don't allow that type of malicious act
22:41
files to come into the end user system systems or email.
22:47
Another eradication strategist we mentioned on the previous slide
22:52
is to re mediator mitigate any vulnerabilities so again that be done by by patching or workarounds were needed if you have systems that can be easily patched. If work arounds are difficult to implement, sometimes you might be able to segment the
23:11
the affected host
23:12
to protect it from the intruder. Having access to to be able to make any more changes to the system and also modifying access controls could be seen as eradication strategies to updating the
23:30
what users and network access controls exists.
23:33
Removing any access mechanisms that were used by the intruder
23:38
and ensuring that the baselines off
23:41
you're operating system and configurations and application configurations are are updated to more secure configurations were possible.

Up Next