Situational awareness throughout incident response activities is of paramount importance. As activities are conducted, new information is likely to emerge. New information may completely change the objectives of your exercise, and teams need to be in constant communication in order to coordinate activities.
Actions assigned to responders during an incident will be informed by the systems and data at risk, business continuity plans for these systems, and the objectives of the incident response exercise.
As a matter of best practice, evidential integrity would ideally be maintained during every incident response exercise, and its preservation should be a consideration for teams handling any incident. However, in some circumstances, preserving evidential integrity may conflict with the need to resume business operations, with budgetary constraints or with time constraints. If legal action or a prosecution is the likely end goal of the response, evidential integrity will be very important.
The four Association of Chief Police Officers (ACPO) principles relating to digital evidence should be known to all members of the incident response team; decisions made during the response operation should consider the wider implications for the integrity of the evidence in relation to these principles:
- Principle 1: No action taken by law enforcement agencies, persons employed within those agencies or their agents should change data which may subsequently be relied upon in court.
- Principle 2: In circumstances where a person finds it necessary to access original data, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
- Principle 3: An audit trail or other record of all processes applied to digital evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
- Principle 4: The person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
For most incidents, the first priority of activities is containment. This means stopping the incident from spreading to neighbouring systems or data, and limiting the damage.
Containment generally comprises a number of actions aimed at reducing the immediate exposure, while still allowing analysis of the incident to continue and longer-term remediation to be planned. Containment activities tend to be fairly ‘quick and dirty’ fixes to the causes of an incident until further information is available.
If the primary objective of the response is to gather intelligence about the attacker’s actions in a covert manner for use elsewhere, containment may be delayed for a window of observation. More normally, containment actions will be conducted rapidly; the higher the urgency of the incident, the more pressing immediate containment actions will be.
In accordance with the ACPO principles above, it is important for incident responders to realise that containment activities may cause a change to ‘evidence’ that may be collected at a later date. With this in mind, any containment actions must be very carefully documented to ensure that these can be accounted for within evidence subsequently obtained.
Examples of ‘quick fix’ containment actions which may be relevant include:
- Disabling compromised accounts and blocking access to these
- Changing credentials thought to be compromised
- Blocking the sources of known malware (such as websites, or malicious email domains)
- Firewalling ports and services under attack
- Re-routing known-malicious traffic to a ‘black hole’
- Isolating systems from other networked devices, either locally or at a network perimeter
Containment strategies will differ depending on the objectives of the response and the priority of the incident. Regular communication between the members of the incident handling team is vitally important, as is remaining mindful of the consequences for evidence of actions taken during the containment phase. Where prosecution and legal action are extremely likely, obtaining a forensically sound image of the evidence will be a high priority before containment activities can commence.
If an active attack is ongoing, many containment options will alert the attacker to the detection of the attack. This may be required in order to minimise the damage caused by the cyber attack, but there is always a risk of an attacker escalating their activities as a result of attempted containment. These risks should be carefully considered.
Following immediate containment actions, the response will move to the eradication phase. During this phase, further deep analysis of the cyber security incident may be undertaken. These activities may include:
- Forensic acquisition of the affected device(s)
- Offline expert analysis of any malware identified
- Live analysis of the compromised systems
- Creating detection signatures for the malware and techniques identified in use, which may be deployed across the network to identify any other affected systems
- Examining behaviour from available information sources to determine whether the attacker is continuing activities following containment, or escalating activities
Understanding the nature and extent of the cyber security incident is critical for eradication to be successful. An incomplete eradication will allow an adversary to retain access to systems and data. Again, chain of custody and preservation of evidence will be critical for any response exercises where prosecution is likely. Timestamped documentation of all activities, and decisions made, should be kept throughout.
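The careful documentation of containment actions called for above, and the timestamped, third-party-verifiable audit trail required by ACPO Principle 3, can be kept as a hash-chained action log. The following is an added illustration, not part of the original text or any named tool; the function names, responder identifiers, hostnames and the stand-in disk image are all constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # prev_hash recorded by the first entry

def entry_hash(body: dict) -> str:
    """Hash the canonical JSON (sorted keys, no whitespace) of an entry body."""
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def append_action(log: list, responder: str, action: str, target: str, rationale: str,
                  evidence_sha256: Optional[str] = None, when: Optional[datetime] = None) -> dict:
    """Append one timestamped action, chained to the hash of the previous entry."""
    body = {
        "seq": len(log) + 1,
        "timestamp": (when or datetime.now(timezone.utc)).isoformat(),
        "responder": responder,
        "action": action,
        "target": target,
        "rationale": rationale,
        "evidence_sha256": evidence_sha256,  # hash of any image taken at this step
        "prev_hash": log[-1]["hash"] if log else GENESIS,
    }
    entry = dict(body, hash=entry_hash(body))
    log.append(entry)
    return entry

def verify_chain(log: list):
    """Recompute every hash and link; return (ok, index of first bad entry or None)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("prev_hash") != prev or entry_hash(body) != entry.get("hash"):
            return False, i
        prev = entry["hash"]
    return True, None

def build_sample_log() -> list:
    """Constructed sample: image the host first, then record the containment actions."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    image = b"constructed stand-in for an acquired disk image"
    log = []
    append_action(log, "responder-1", "forensic_acquisition", "host-a", "prosecution likely;"
                  " image taken before containment", hashlib.sha256(image).hexdigest(), t0)
    append_action(log, "responder-1", "disable_account", "user-x",
                  "credentials believed compromised", when=t0.replace(minute=5))
    append_action(log, "responder-2", "isolate_host", "host-a",
                  "stop spread to neighbouring systems", when=t0.replace(minute=7))
    return log
```

An independent reviewer given only the log can re-run `verify_chain` and, for any imaged device, recompute the image hash and compare it with the `evidence_sha256` recorded at acquisition time.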
As analysis progresses, further information about the nature of the attack may become clear. If new compromises are detected as part of this exercise, the priority of the incident should be reviewed, together with containment strategies and the objectives of the response.
For many incidents involving malware, rebuilding all affected systems from scratch (or restoring them from a known-good backup) will be required. Where the root cause of the compromise is known, this should be rectified prior to recovery. Once eradication is thought to be complete, the response will move into recovery.
In this phase, systems are restored to normal operations. Temporary containment measures (such as temporary segregation of networks, or re-routing of traffic) may be rolled back to the normal state.
Ideally, affected systems will have been rebuilt or restored from a known-good backup. Where this has not been possible, residues of the attack will have been removed from the system.
Part of recovery will involve careful monitoring of behaviour and signatures for any signs of further malicious activity surrounding the affected systems or data, or connected areas. After a prolonged period of elevated monitoring, the incident may be considered closed.
It should be noted that when dealing with particularly sophisticated and targeted attacks, there may never be an end to the incident.