Recovery and Post Incident Response - Paiet/Tech-Journal-for-Everything GitHub Wiki

Containment techniques

  • Segmentation
    • Create VLAN for quarantine
    • Firewall rules
  • Isolation
    • Host isolation
      • No communication with other hosts on the network
        • Although not completely disconnected
      • Bypass firewall or just create rules to completely isolate
    • Attacker isolation
      • Honeypot
      • Sandbox
  • Removal
    • Completely disconnect affected system
  • Reverse engineering

Eradication techniques

  • NIST SP 800-88
  • FBI Disposal of Media Policy and Procedures
  • Sanitization
    • Clear
      • Overwriting
      • Minimum 3x overwrite with 1s, 0s, or both
      • Cryptographic overwrites
    • Purge
      • Degaussing
      • Strong magnetic fields
    • Destroy
      • Disintegration, Incineration, Pulverization, and/or Melting
      • Shredding
      • Typically outsourced
  • Reconstruction/reimage
    • Reinstall the OS
    • Use imaging software to recover OS
    • Proper corrective steps must be taken if the system was compromised by exploiting a vulnerability in the OS or an app contained in the image
  • Secure disposal
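The Clear technique above (overwrite, then confirm the overwrite took) as an added example that is not from this wiki: a small Python tool that overwrites a file three times with 1s and 0s and then reads every block back to verify the final pattern, which is the verification step NIST SP 800-88 expects after sanitization. It runs against a constructed temporary file rather than a real device; the function names and block size are my own choices.

```python
import os
import tempfile

BLOCK = 4096  # read/write granularity for both the overwrite and the check


def overwrite(path: str, passes=(b"\xff", b"\x00", b"\xff")) -> int:
    """Overwrite every byte of `path` in place, one full pass per pattern
    (default: 1s, 0s, 1s = the 3x clear), syncing to disk after each pass.
    Returns the number of bytes written per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pat in passes:
            chunk = pat * (BLOCK // len(pat))
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(remaining, len(chunk))
                f.write(chunk[:n])
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # do not trust the page cache: force it to media
    return size


def verify_clear(path: str, expected: bytes, stride: int = 1) -> dict:
    """Read `path` block by block and compare against the final pass pattern.
    stride=1 checks every block (full verification); stride=n samples every nth.
    Returns {'ok', 'checked', 'first_bad'}; first_bad is the byte offset of the
    first residual data found, or None if the medium verifies clean."""
    size = os.path.getsize(path)
    checked, off = 0, 0
    with open(path, "rb") as f:
        while off < size:
            n = min(BLOCK, size - off)
            f.seek(off)
            data = f.read(n)
            want = (expected * (n // len(expected) + 1))[:n]
            checked += 1
            if data != want:
                bad = next(i for i, (a, b) in enumerate(zip(data, want)) if a != b)
                return {"ok": False, "checked": checked, "first_bad": off + bad}
            off += BLOCK * stride
    return {"ok": True, "checked": checked, "first_bad": None}


def demo() -> dict:
    # Constructed sample: 20 KiB of fake "sensitive" rows in a temp file, not a real disk
    fd, path = tempfile.mkstemp()
    os.write(fd, b"customer-db-row-" * 1280)
    os.close(fd)
    before = verify_clear(path, b"\xff")  # residual data should be detected
    overwrite(path)
    after = verify_clear(path, b"\xff")   # final pass was 0xff, so this must be clean
    os.unlink(path)
    return {"before": before, "after": after}
```

An overwrite-based Clear only reaches storage the OS can address; for flash media with wear-levelling and spare blocks, NIST SP 800-88 points to the drive's own sanitize or cryptographic-erase commands instead.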

Validation

  • Patching
    • Start with directly affected systems and work your way out
  • Permissions
    • Look for violations of least privilege
    • Do this for all accounts
  • Scanning
    • Run vulnerability scans to verify that remediation steps have been successful
  • Verify logging/communication to security monitoring
    • Check all logging systems for proper configuration
      • Test alerts as well
  • Corrective actions
  • Lessons learned report
    • Helps figure out:
      • What went right and what went wrong
      • How the incident could have been prevented
      • How it could be prevented in the future
      • Changes that may need to be made in the incident response plan
      • Changes that may need to be made in everyday security policy
  • Change control process
    • Revert to proper change control procedures
      • This is to document the incident response actions
        • Change controls may have been bypassed in favor of speed to action
  • Update incident response plan
  • Incident summary report
  • Formal Incident Report
    • Tells the incident "story" in detail
    • Becomes a reference for future incidents and policy initiatives
    • Legal document
  • Elements
    • Root Cause Analysis
    • Timeline of incident and responses
    • Evidence details
    • Fallout
      • Monetary
      • Reputation
    • Validation results
    • Discovered weaknesses in policy/procedures
  • Remember to secure the report!!!
    • Sensitive information
    • Retain and destroy per policy