Lesson five: mitigation and disconnect decisions. In this lesson, we will talk about the different containment strategies organizations may choose from. We will identify the risks versus the benefits of watch and learn versus disconnecting systems or networks during an incident,
and discuss technology solutions available to assist during a containment, such as remediation VLANs. There are two main strategies for you to consider when looking at containment. One is disconnecting the system or the network; the other is to watch and learn. I've introduced these concepts to you already,
but I didn't go into depth. Now we'll go into a little bit more depth as we work through this.
So a couple of things to consider when you are making this decision: one is, what's the potential for additional damage or exfiltration of data?
What's the need to preserve evidence,
the criticality of the impacted systems to the mission, the effectiveness of your containment strategy, and then the duration of the solution? So these are all things just to think through in your mind about
what the risks versus benefits are. When I say
disconnect, if you remember from before, it's really just "I'm gonna pull this system off the network," or if your entire network is compromised, it might just be "we're going to disconnect from the public Internet until we get this figured out."
Watch and learn is more about sitting back, observing the adversary on the network, finding out what their procedures and protocols and tactics and techniques are, and really trying to learn more about them so you can decide if they're elsewhere in the network or
perhaps provide intelligence to other people.
So that's not something a lot of people are capable of or have the ability to do. But I will talk through the different scenarios just because we've got students on here from all sorts of sizes and capabilities of organizations.
Here's an example of a decision matrix. When you look at "Am I going to just disconnect, or should we keep systems online?" I recommend having something like this for your organization. You can see on the left-hand side you've got: what's the condition? So a single host being involved, several hosts within the same business unit,
maybe the entire business unit is compromised, you have multiple hosts across the enterprise, or it's just a large-scale advanced persistent threat with active exfiltration and/or data destruction.
So obviously we're going from "really not a huge deal" to "this is a really, really bad situation." Then, what's the impact? You have an end user all the way down to extreme impact to the organization, and then the approval.
So I mentioned before, these are not the kinds of decisions you want to make during a real incident. That's why doing playbooks and this IR plan that you're learning about in this course, having those real discussions with leadership, and doing tabletop exercises are so important, because this should all be spelled out ahead of time.
So, for instance, if you have a single host
that you want to disconnect, well, a CERT member can make that decision.
But then, if you have several business units or several hosts in a business unit involved, that's going to require the CERT manager and the CISO to talk about it and figure out if, in fact, that's the right move, and it just goes down from there all the way to CERT manager, CISO, CIO, CFO, general counsel, and the CEO.
Now you could use the RACI chart that I've taught you about already in the same framework. If you'd like, you could say,
for instance, the accountable person is the CEO, or the CIO, I'm sorry,
but you have to at least inform the CEO before you make that kind of a decision.
So this is another good way to break these things up in this decision matrix. You don't have to use RACI, but you certainly could. But you do want to have something documented like this.
Network isolation is a great way to handle some of these incidents that we've been talking about. This may be as simple as removing a single host from a network, or disconnecting the entire enterprise, which we've talked about already.
But this is why this plan that we're going through in this course is so important.
You want to have a VLAN, a virtual local area network, established, if you can, on your network, and have it pushed out to all of your switches across your infrastructure. That is known specifically as the remediation VLAN for the incident response team to use. And
this is a good way
to move systems that are on your affected host list to the remediation VLAN, because it allows you to do all sorts of things. So, for instance,
one thing you have to be cautious of, and I've mentioned this, is if you just pull the plug on a host that's infected, that may notify the attackers that you're onto them. They may all of a sudden pop up on other systems you had no idea they were on, and you start seeing massive amounts of data leaving your network. That is not a good day.
Or you might advise them, because of your actions, that you're onto them, and they may move laterally and get on other systems and you don't even catch it. And then it's a game of whack-a-mole as you go through your incident response procedures.
A nice thing to do is, as you have identified hosts, you move them into this remediation VLAN. Now, you may not yet want to turn off their ability to
communicate out, but maybe you limit the amount of data that can flow out from that VLAN. So there may be C2, the command and control traffic, the check-ins to the mothership, if you will. Those can get through, so as far as the attackers know, they're still good to go. But if they try to dump
a gig worth of data, it's not going to happen.
But also you want to be able to get back into those systems with your forensic tools. So if you've got an EDR tool and other tools available to you to grab images of the RAM or to get files off the hard drive, you definitely want to still have that availability within that remediation VLAN.
And as we've talked about before, simultaneously cutting off all the systems at once is a really great plan. So if you have all of your hosts that you feel are involved in the attack on that remediation VLAN, then at one time you can just turn off the access from that VLAN out to the public Internet
and begin your remediation. And then everything's
stuck there. You can also turn off any type of east-west traffic from there, so they're not allowed to talk to any other hosts, so that cuts off any type of lateral movement. And then, while they're in there, you can remediate them. You can patch them. You can completely take them offline. If they're virtual machines,
just get rid of them and spin up new ones. If they're physical assets,
you could completely wipe the drives if that's necessary. But at least while they're in that VLAN, you can do the things that you need to do on those devices.
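To make the remediation VLAN behaviour above concrete, here is an added example (my own code, not from this course or any product it mentions) that models the egress policy as a small decision function: forensic and EDR servers on a responder subnet can always reach hosts in the VLAN, east-west traffic to any other internal address is denied, Internet-bound traffic is allowed only up to a per-host byte budget (so small C2 check-ins pass but a gigabyte dump does not), and a single "cut off" switch blocks Internet egress for the whole VLAN at once. The addresses and the 50 MB budget are constructed assumptions; a real deployment would express the same policy as switch ACLs or firewall rules with rate limiting rather than a byte counter.

```python
"""Model of a remediation-VLAN egress policy (constructed example, not course code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed addresses and budget: assumptions for this example only.
REMEDIATION_VLAN = ip_network("10.99.0.0/24")   # where affected hosts are moved
IR_TOOLS_NET = ip_network("10.10.5.0/24")       # forensic / EDR servers
INTERNAL_NETS = [ip_network("10.0.0.0/8")]      # everything that counts as east-west
EGRESS_BUDGET_BYTES = 50 * 1024 * 1024          # per-host Internet egress allowance


@dataclass
class Flow:
    src: str
    dst: str
    nbytes: int


@dataclass
class RemediationPolicy:
    internet_cutoff: bool = False                       # flipped when remediation begins
    egress_used: dict = field(default_factory=dict)     # bytes sent to the Internet per host

    def cut_off(self) -> None:
        """Block all Internet egress from the VLAN in one step."""
        self.internet_cutoff = True

    def decide(self, flow: Flow) -> str:
        src, dst = ip_address(flow.src), ip_address(flow.dst)

        # Responder tooling must keep reaching the quarantined hosts (and vice versa
        # for image uploads), regardless of cut-off state.
        if src in IR_TOOLS_NET and dst in REMEDIATION_VLAN:
            return "allow"
        if src in REMEDIATION_VLAN and dst in IR_TOOLS_NET:
            return "allow"

        if src not in REMEDIATION_VLAN:
            return "not-in-scope"   # this policy only governs the remediation VLAN

        # East-west: no talking to any other internal host, including VLAN neighbours.
        if any(dst in net for net in INTERNAL_NETS):
            return "deny-lateral"

        # Internet-bound traffic from a quarantined host.
        if self.internet_cutoff:
            return "deny-cutoff"
        used = self.egress_used.get(flow.src, 0)
        if used + flow.nbytes > EGRESS_BUDGET_BYTES:
            return "deny-quota"     # a bulk dump exceeds the allowance
        self.egress_used[flow.src] = used + flow.nbytes
        return "allow-limited"      # small check-ins still look normal to the adversary


def run_scenario() -> list:
    """Replay a constructed sequence of flows and return the decisions."""
    policy = RemediationPolicy()
    decisions = [
        policy.decide(Flow("10.99.0.7", "203.0.113.10", 1024)),      # C2 check-in
        policy.decide(Flow("10.99.0.7", "203.0.113.10", 1 << 30)),   # 1 GiB dump attempt
        policy.decide(Flow("10.99.0.7", "10.20.3.4", 100)),          # lateral movement
        policy.decide(Flow("10.10.5.2", "10.99.0.7", 100)),          # EDR reaching in
    ]
    policy.cut_off()                                                  # remediation starts
    decisions.append(policy.decide(Flow("10.99.0.7", "203.0.113.10", 1024)))
    decisions.append(policy.decide(Flow("10.10.5.2", "10.99.0.7", 100)))
    return decisions


if __name__ == "__main__":
    for d in run_scenario():
        print(d)
```

The byte budget stands in for whatever rate limit your switch or firewall supports; the point the policy captures is the ordering of the checks: responder access first, then east-west denial, then Internet egress gated by the cut-off flag and the allowance.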
There are risks involved in watch and learn. A lot of times CERT may not necessarily know all the capabilities of the adversary.
Sometimes they're extremely advanced, and you don't even, of course, know they're in your network. But once you've detected that they are, you might not know how advanced they really are. And if you're just watching what they're doing, they may be moving in areas that you have no visibility in.
There's also some legal liability, potentially. If it's found out that you knew there were attackers on the network, you allowed them to stay on the network because that was your strategy, and because you allowed them on the network they were able to get in and breach PII or PHI or PCI data,
or whatever the case may be, so be aware of that. And your attack surface may increase and worsen, making the eradication issues much more challenging by allowing them to be in the network.
All right, quiz question for this lesson. What are some risks associated with the watch and learn containment strategy?
A. The CERT most likely will not know all of the capabilities of the attacker.
B. Legal liability if sensitive data is exposed. C. Attack surface could increase and worsen eradication issues. Or D. All of the above.
It's definitely D, all of the above, so you need to be aware of this. Have these discussions ahead of time with your legal folks and your executives and make sure that everyone's on the same page when it comes to remediation strategies.
Next question. What is one reason to be careful before simply disconnecting connectivity from a compromised host? A. If CERT doesn't know the extent of the compromise, a disconnection may alert the attacker and cause mass exfiltration.
B. Disconnecting too quickly may make the IR team look weak.
Or C. There is no reason to be careful; disconnect now.
The answer here is definitely A. If the CERT team doesn't know the extent of the compromise, then once you pull the plug on one, it may be all hands on deck from the adversary, and it's just a mess. So it is definitely a strategy and something that needs to be well planned and well executed.
So to recap this lesson, we talked about some different containment strategies, some technology solutions available to assist, like remediation VLANs, and the risks and benefits of watch and learn versus disconnecting systems during an incident.