Essential Knowledge For Containing a Hack Pt. 1

Illustration: Pexel, FreeStocks.org

Incident Response Definitions:

Trigger: A predefined threshold that can be configured on a technology, or defined in policy, to raise awareness when it is crossed

Alert: The notification delivered by the trigger system that the threshold has been met

Event: An indicator that activity has taken place. Events require sound analysis and must have an impact on the organization in order to be escalated

Incident: A confirmed, ongoing adverse situation which can cause harm to employees or to the confidentiality, integrity, or availability of systems

Confidentiality: Ensuring that only authorized users can access data, and preventing its disclosure to other parties

Integrity: The state in which data or systems have not been altered from their genuine form and can therefore be trusted.

Availability: Ensuring that resources are available for authorized individuals when they require access.

Malware: Malicious software that is crafted by a human to cause harm to an information system.

Backdoor: Remote access left in a system or software without it being explicitly authorized by the owner of the system.

Virus: Malicious code that requires human interaction to execute before it can infect a computer system or destroy files.

Worm: Self-propagating program that can take advantage of vulnerabilities in systems in order to cripple the resources of a system or entire network.

Trojan Horse: A computer program that masquerades as something other than its true purpose.

Zero Day: A vulnerability in which zero days of notice have been given to the designer of the program or system to patch it. 

Insider Threat: An individual who holds authorized internal access and misuses their permissions to inflict harm on the confidentiality, integrity, or availability of the company's resources.

Incident Response Strategies

When management has set policies in place to establish an incident response team within a security program, a strategy must be selected. A company may respond differently depending on which assets are being targeted and on the level of skill the professionals on staff possess. A common strategy is the "protect and forget" method. The reasoning behind this strategy is that attribution in cyberspace requires deep levels of intelligence and analysis, since online threats can change their source in a matter of seconds. By properly following the incident response phases, teams are able to respond to incidents as they happen and prevent future instances from occurring.

Containment 

Containment is the process and steps taken by the incident response team to prevent the spread of an incident that could damage any of the company's assets. The velocity at which data travels allows any strain of malware to infect entire networks at rapid speed. The team handling these incidents must be highly trained and familiar with responding to disruptive situations, so that it can take positive steps toward regaining control of an event that may carry legal ramifications if it is not handled properly.

Incident Classification

Based on the communication escalated from the network security team or security operations center, determine whether the incident is High, Medium, or Low severity. The category assigned tells the incident response team how many team members should be allocated to contain it. Certain attacks are staged in their approach; assigning them a priority level gives structure to what needs to be remediated first.

Classification provides context on how the situation will be handled going forward. Certain systems could be brought offline, or they may require an approach that does not inflict more damage on the company. Critical assets must be available at all times because of the revenue they bring in or because of contracts that exist with customers.

Initial Response 

Identifying incidents is a vital capability that must be put in place to recognize anomalous behavior within different areas of the business. Attacks can be both physical and man-made, so sensors must exist around the perimeter of facilities and within the assets used to transfer data inside the facility. In the event that an internal employee notices the initial indicators, the response team can begin by posing non-technical questions to the operator or end user, such as the following:

  • When was the event or incident noticed?
  • What is the end user's contact information?
  • What type of incident is it?
  • Where did it occur?
  • How was the incident detected?
  • Does anyone else know about the incident?

Incident Investigation

In order for the incident response team to begin understanding what needs to be contained, information must be drawn from the technology already in place, such as intrusion detection systems, logging systems, endpoint software, and the physical security devices that manage the foot traffic of individuals entering and leaving.

1. Data points needed from technology can include:

  • Files
  • System Calls
  • Processes
  • Network details
  • Ports
  • Protocols
  • IP Addresses
  • Host names

2. Review traffic on the network

  • Look at the logs on the systems affected
  • Replay packet captures collected from tools

3. Identify potential theft

  • Only a packet capture of the data transmitted can serve as sound evidence of whether exfiltration occurred
  • Identify whether the traffic recovered is encrypted
  • Intellectual property
  • Sensitive information

4. What are the skills of the attacker?

  • How sophisticated is the attack?
  • What level of access did they achieve?
  • Have logs been deleted?
  • Is the attacker internal or external?

5. Identify legal consequences

6. Can the affected systems be removed from the network?

  • Are these systems mission critical?
  • When was the last time a backup took place?
  • Are failover systems available?
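The classification (High/Medium/Low) and investigation steps above can be turned into a first-pass triage over the network details the team collects. The following is an added example, not code from the original post: it parses constructed outbound flow records (host, process, destination IP, port, protocol, bytes sent), skips internal and allowlisted destinations, assigns a severity from the volume sent, notes whether the port implies encryption (so the payload cannot be inspected from the capture), and groups findings by host to support the "can this system be removed from the network?" decision. The network ranges, allowlist and byte thresholds are assumptions to be replaced with the organization's own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not real telemetry):
# host process dst_ip dst_port proto bytes_out
SAMPLE_FLOWS = """\
ws-finance-01 outlook.exe 203.0.113.10 443 tcp 38000
ws-finance-01 svchost.exe 198.51.100.7 443 tcp 520000000
fs-01 smbd 10.0.5.21 445 tcp 91000000
ws-hr-02 python.exe 192.0.2.44 21 tcp 12000000
ws-hr-02 chrome.exe 203.0.113.10 443 tcp 4100
"""

# Assumptions: internal ranges, a known SaaS provider, and volume thresholds
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ALLOWLIST = {"203.0.113.10"}
ENCRYPTED_PORTS = {443, 22, 993, 995}
HIGH_BYTES = 100 * 1024 * 1024    # 100 MiB in one flow -> High
MEDIUM_BYTES = 10 * 1024 * 1024   # 10 MiB in one flow  -> Medium

def parse_flow(line):
    host, proc, dst, port, proto, nbytes = line.split()
    return {"host": host, "process": proc, "dst": ipaddress.ip_address(dst),
            "port": int(port), "proto": proto, "bytes": int(nbytes)}

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def classify_flow(flow):
    """Return (severity, reason) for one outbound flow, or None if not suspicious."""
    if is_internal(flow["dst"]) or str(flow["dst"]) in ALLOWLIST:
        return None
    if flow["bytes"] >= HIGH_BYTES:
        sev = "High"
    elif flow["bytes"] >= MEDIUM_BYTES:
        sev = "Medium"
    else:
        sev = "Low"
    reason = f"{flow['bytes']} bytes to external {flow['dst']}:{flow['port']}/{flow['proto']}"
    if flow["port"] in ENCRYPTED_PORTS:
        reason += " (encrypted, payload not inspectable from capture)"
    else:
        reason += " (cleartext, inspect payload for sensitive data)"
    return sev, reason

def triage(text):
    """Group findings by host so the team can decide which systems to isolate."""
    findings = defaultdict(list)
    for line in text.strip().splitlines():
        flow = parse_flow(line)
        result = classify_flow(flow)
        if result:
            findings[flow["host"]].append((result[0], flow["process"], result[1]))
    return dict(findings)

def highest_severity(findings):
    """Overall incident classification: the worst finding across all hosts."""
    order = {"High": 3, "Medium": 2, "Low": 1}
    return max((s for host in findings.values() for s, _, _ in host), key=order.get, default=None)
```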

Eradication

Once an incident has been detected and initial information has been gathered, the incident response team must determine both the cause and the symptoms. The containment phase surfaces the existing flaws that must be fixed in order to prevent recurrences. Understanding the business's priorities will help decide whether the affected systems need to be patched and brought back online. Further updates should be provided to management so they can determine whether disabling certain services will have any impact. The existing policies and procedures need to be updated, since the current ones had defects that allowed the incident to take place.

Technical Eradication Steps: 

  • Change Passwords
  • Create new accounts
  • Seize infected systems
  • Inspect proxy traffic and close ports
  • Prohibit outbound encrypted traffic unless authorized
  • Apply patches to vulnerable systems
  • Remove malware
  • Segment critical data to more secure systems
  • Implement access control to systems that were impacted

In this post we covered many aspects of how to contain a malware outbreak and how to respond to anomalous activity on a network. In the next post we will go more in depth on how to respond in a cloud environment while being a remote worker. We will explore use cases from common scenarios suffered by Twilio, Uber, and popular crypto companies. These are meant to be informative and to help aspiring blue team members improve their ability to respond in a high-stress situation.
 
–Christian Galvan

