In this video, we covered the incident response lifecycle, with each of its stages explained. The incident response phases start with planning and preparation, followed by identification and scoping, containment, eradication and recovery, and end with lessons learned. In the practical scenario, we took the swiftspend scenario from the TryHackMe incident response track and analysed the cyber attack that hit this organisation by mapping the steps taken to the incident response process. At the end, we also covered the walkthrough and answers to the rooms below in TryHackMe:
- TryHackMe Threat Intel & Containment
- TryHackMe Eradication & Remediation
- TryHackMe Lessons Learned
- TryHackMe Preparation
- TryHackMe Identification & Scoping
Blue Team Cyber Security & SOC Analyst Study Notes
Definition of Incident Response in Cyber Security
Incident response, also known as incident handling, is a cyber security function that uses various methodologies, tools and techniques to detect and manage adversarial attacks while minimising impact, recovery time and total operating costs. Addressing attacks requires containing malware infections, identifying and remediating vulnerabilities, as well as sourcing, managing, and deploying technical and non-technical personnel.
Event vs Incident
- Event: This is an observed occurrence within a system or network. It ranges from a user connecting to a file server, a user sending emails, or anti-malware software blocking an infection.
- Incident: This is a violation of security policies or practices by an adversary to negatively affect the organisation through actions such as exfiltrating data, encrypting through ransomware, or causing a denial of services.
The Cyber Security Incident Response Phases
- Preparation: Ensures that the organisation can effectively react to a breach with laid down procedures.
- Identification: Deviations from normal operation must be noticed and assessed to determine whether they are causing adverse effects.
- Analysis or Scoping: The organisation determines the extent of a security incident, including identifying the affected systems, the type of data at risk, and the potential impact on the organisation.
- Containment: Damage limitation is paramount, therefore, isolating affected systems and preserving forensic evidence is required.
- Eradication: Adversarial artefacts and techniques will be removed, restoring affected systems.
- Recovery & Lessons Learned: Business operations are to resume fully after removing all threats and restoring systems to full function. Additionally, the organisation considers the experience, updates its response capabilities, and conducts updated training based on the incident.
Identification & Scoping Phase
Security Alerts, also referred to as Event Notifications, are crucial signals that may hint at the presence of a potential threat or the occurrence of an actual security incident. These are pivotal in triggering the Incident Response Process and ensuring security and safety. Understanding the nature of these alerts, including their type and severity, is vital in guiding the incident response process. This understanding is nurtured through technical expertise, effective use of security tools, and a culture of continuous learning and vigilance. Following the proper procedures when handling these alerts ensures that the right individuals are alerted, bolstering incident response effectiveness.
Once an incident has been identified, the subsequent step is determining its scope.
Scoping involves grasping the extent of the incident, including which systems are affected, what data is at risk, and how the incident impacts the organisation.
The transition from identification to scoping is crucial in the Incident Response Process, demanding clear communication, effective collaboration, and a well-defined process. The insights gained from the identification phase will prove instrumental in facilitating this transition and strengthening the effectiveness of the incident response process.
Containment Phase
Containment might include quarantining a device or removing it from the network. This can be as simple as unplugging the system’s network interface card to ensure it can’t communicate on the network. Similarly, you can isolate a network from the Internet by modifying access control lists on a router or a network firewall.
Another way to contain or isolate a system is to follow the controlled isolation strategy. Here the incident response team closely monitors the adversary’s actions: rather than strictly isolating the infected system(s), the team keeps the system accessible so as not to tip off the adversary. By allowing the adversary to continue, the team can gather vital information and intelligence about them.
However, the adversary isn’t given free rein. For example, the incident response team can cut off access if the adversary is about to do something destructive, such as wiping or exfiltrating data. A good “cover story” can be prepared to explain to the adversary why they have suddenly lost access; for example, an announcement could be made that routine maintenance is taking place.
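The two strategies above, entire isolation via access control lists and controlled isolation, rendered as host-firewall policy. This is an added example for these notes, not code from the TryHackMe room: it emits an nftables script for whichever strategy is chosen and models the verdict each strategy gives a connection, so the difference can be checked before touching a live box. The IR jump host address (10.10.0.5), the internal hosts and the sample peers are assumptions; the adversary address 3.250.38.141 is the one identified in the room answers below.

```python
"""Containment rulesets for one compromised host: entire vs controlled isolation.

Added example for these notes, not code from the TryHackMe room. nft_ruleset()
renders an nftables script for the chosen strategy and permits() models the
verdict that script gives a single connection. The IR jump host address and
the sample peers are assumptions for the demo; the adversary address is the
one identified in the room's packet capture.
"""

ADVERSARY_IPS = ("3.250.38.141",)   # exfiltration host from the room's pcap
IR_JUMPHOST = "10.10.0.5"            # assumed: forensic collection / EDR relay host


def nft_ruleset(strategy, jumphost=IR_JUMPHOST, adversary_ips=ADVERSARY_IPS):
    """Return an nftables script to load on the host with `nft -f contain.nft`.

    entire     : drop everything except traffic with the IR jump host, in both
                 directions. Established connections are deliberately not
                 exempted, so an existing C2 session is cut as well.
    controlled : keep the host usable so the adversary is not tipped off, but
                 drop and log traffic to known adversary infrastructure and log
                 every new outbound connection for the responders to watch.
    """
    bad = ", ".join(adversary_ips)
    if strategy == "entire":
        chains = f"""
  chain input {{
    type filter hook input priority 0; policy drop;
    iif lo accept
    ip saddr {jumphost} accept
    log prefix "contain-in-drop " drop
  }}
  chain output {{
    type filter hook output priority 0; policy drop;
    oif lo accept
    ip daddr {jumphost} accept
    log prefix "contain-out-drop " drop
  }}"""
    elif strategy == "controlled":
        chains = f"""
  chain input {{
    type filter hook input priority 0; policy accept;
    ip saddr {{ {bad} }} log prefix "contain-adv-in " drop
  }}
  chain output {{
    type filter hook output priority 0; policy accept;
    ip daddr {{ {bad} }} log prefix "contain-adv-out " drop
    ct state new log prefix "contain-new-out " accept
  }}"""
    else:
        raise ValueError(f"unknown strategy: {strategy!r}")
    # Own table so the rules can be lifted again with
    # `nft delete table inet containment` once eradication is complete.
    return "table inet containment {" + chains + "\n}\n"


def permits(strategy, peer_ip, jumphost=IR_JUMPHOST, adversary_ips=ADVERSARY_IPS):
    """Verdict the ruleset gives to a connection with peer_ip (either direction)."""
    if strategy == "entire":
        return peer_ip == jumphost
    if strategy == "controlled":
        return peer_ip not in adversary_ips
    raise ValueError(f"unknown strategy: {strategy!r}")


# Constructed peers: what the compromised workstation would try to talk to.
SAMPLE_PEERS = {
    "10.10.0.5": "IR jump host collecting a memory image",
    "3.250.38.141": "adversary exfiltration host",
    "10.10.3.20": "internal file share the workstation's owner uses",
    "203.0.113.10": "ordinary external web traffic",
}


def compare(peers=SAMPLE_PEERS):
    """Verdict table {peer: {strategy: permitted}} showing what each strategy costs."""
    return {p: {s: permits(s, p) for s in ("entire", "controlled")} for p in peers}


if __name__ == "__main__":
    for strategy in ("entire", "controlled"):
        print(f"# --- {strategy} isolation ---")
        print(nft_ruleset(strategy))
    for peer, verdicts in compare().items():
        print(f"{peer:15} {SAMPLE_PEERS[peer]:50} {verdicts}")
```

A host firewall under controlled isolation only blocks destinations you already know about; the cut-off described above (stopping a wipe or an exfiltration in progress) still needs a responder watching the `contain-new-out` log lines and ready to switch the host to the entire ruleset.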
Eradication Phase
After containing the incident, it is often necessary to remove the components of the attack. For example, if attackers installed malware on systems, it is important to remove all remnants of the malware on all hosts. Some malware can be quarantined, cleaned up and removed automatically by tools such as antivirus (AV) and EDR products. Keep in mind, however, that this is most effective against less sophisticated threats that employ well-known malicious tooling. Unique or targeted threats employed by more sophisticated adversaries are usually purpose-built to bypass these automated detection and prevention systems, so relying solely on this method is not advised.
The most straightforward way to eradicate attacker traces from a specific endpoint is to rebuild it completely. Wiping the system ensures a clean slate; the downside is that this approach is absolute. All of the ‘normal’ contents are removed along with the bad ones, so every application must be reinstalled, every configuration reapplied, and all wiped data restored so that the system functions as well as it did before the compromise, if not better.
Take note that this approach entails downtime for the system.
When deciding which eradication technique fits the compromise scenario best, the decision is also influenced by the downtime the resources in question can tolerate. Some organisations have ‘legacy’ resources for which a downtime of a few minutes could cost millions of dollars, so a complete rebuild may be out of the question.
Recovery Phase
We return all affected systems to normal operation and verify they are operating normally. This might include rebuilding systems from images, restoring data from backups, and installing updates.
Lessons Learned Phase
This phase of the IR process is essentially a sit-down with the data that you’ve gathered throughout the IR process and the learnings gained from them.
The incident may provide some valuable lessons, and we might modify procedures or add additional controls to prevent a reoccurrence of the incident.
During this phase, a technical summary and an executive summary are written.
A technical summary is a summary of the relevant findings about the incident from detection to recovery. The goal of this document is to provide a concise description of the technical aspects of the incident, but it can also function as a quick reference guide.
An executive summary may contain the below:
- A summary of the impact of the compromise
  - Did we lose money?
    - Did they steal it?
    - Did we lose it due to downtime of sensitive servers / endpoints?
  - Did we lose data?
    - PIIs?
    - Proprietary pieces of information that are top secret?
  - Was it a high-profile case, and if so, what kind of reputational damage are we looking at here?
- A summary of the events and / or circumstances that led to / caused the compromise
  - How did this happen?
- A summary of the actions already done, and actions planned in the near, mid, and long term to remediate and recover from it, and to prevent it from happening again in the future
Room Answers | TryHackMe Threat Intel & Containment
What does the acronym IDS mean?
Intrusion Detection System
What is the name of the containment strategy used when the responders closely monitor the adversary?
Controlled Isolation
What containment strategy is considered to be the most aggressive?
Entire Isolation
What is the term for a set of characters that can be used to give an attribution to a file?
Note: The answer is expecting the singular noun of this term.
Hash
What is the name of the classic arcade game that has been referenced in this task?
Whack-a-mole
What is the IP address of the adversary?
3.250.38.141
What is the name of the file that gets downloaded from the adversary’s infrastructure?
dropper.exe
What is the SHA-256 hash value of the executable on the Desktop?
463F1B1E11D4CA4C7A0C9AAC540513FF7E681D9E5144BDA2AF24B86E438D3F4F
Room Answers | TryHackMe Eradication & Remediation
What is it that may cause an attacker to think that you already have a complex and detailed eradication plan in motion?
Premature eradication
What is an informal term used to describe the cycle wherein you keep discovering and identifying bad, eradicating it, finding it elsewhere, and doing it all over again?
whack-a-mole
Of the two main goals of this phase, what is the first one?
Eradicate the bad guys
What technique is most effective on less sophisticated threats that employ well-known malicious tooling?
Automated Eradication
What technique is the most straightforward way to eradicate attacker traces?
Complete System Rebuild
What downside does the complete system rebuild technique have? This approach entails what for the system?
Downtime
Success of a targeted system cleanup is heavily reliant on how well the what has been done?
Scoping
What should take place in conjunction with Eradication techniques in order for its effects to last? An effective what?
Remediation and Recovery strategy
What remediation step ensures only absolutely necessary communication takes place between computers and subnets?
Network Segmentation
What do you call the principle that posits that a user account should have access to only the absolutely necessary pieces of data, applications, or resources?
Principle of least privilege
Changes done during the remediation phase are geared towards strengthening the what of the organization?
Security Posture
What kind of tests should be employed to check if the remediation tactics actually work?
Penetration tests and attack simulations
Which account gave the threat actors a foothold on the server?
swiftspend_admin
What is the default password for the admin account of the Jenkins service?
f4fe137aeb154299ab1b7349952f6088
What is the email address of the other account within the Jenkins service?
infra_admin@swiftspend.finance
What is the command being invoked by the project found in the Jenkins dashboard?
/bin/bash /var/lib/jenkins/backup.sh
How many times has the project been run before?
0
You will find a suspicious IP address. Which country is it hosted in? (Use AbuseIPDB; answer as written)
Russian Federation
Based on the MITRE ATT&CK Matrix, which Tactic is being applied by the threat actor here?
Exfiltration
Based on the Lockheed Martin version of the cyber kill chain, in what phase is the threat actor already in on this server?
Actions on Objectives
Room Answers | TryHackMe Lessons Learned
What phase of the IR process focuses on people, documentations, and technological capabilities?
Preparation
What phase of the IR process is reliant on the effectivity and synergy of all the other phases?
Eradication, Remediation, and Recovery
What malicious file type has been found with two different versions?
Dropper
What’s the name of the malicious file found in the Jenkins server?
backup.sh
In the draft, it seems that the analyst included a number of technical details that are not necessarily needed in the Executive Summary. The first paragraph alone has two details that can be removed to look something like this:
On the 13th of July, 2023, Michael Ascot received an email with a URL that leads to a seemingly innocuous O365 page that requires the user to “re-authenticate”. Upon supplying his credentials, the page didn’t show anything; the user immediately became suspicious and upon asking for clarifications via email, he received an Outlook error prompting the user to report the incident to SOC.
What are the two technical details removed in the revised paragraph? (Separate them with a comma and a space; format: technical detail 1, technical detail 2)
alex.swift@swiftspend[.]finance, Ticket#2023012398704232
Depending on the audience, you can put as much or as little detail as you want in the Executive Summary but remember that it is imperative to stick to the essentials. For example, the second and third paragraphs can be condensed more while still retaining its essence.
What technical detail in the fifth paragraph of the draft can be removed? (The answer is the entire string that you will be removing to make the paragraph more concise.)
(i.e., SPF, DKIM, DMARC)
A Technical Summary must be concise while remaining effective in tracking the important artefacts, among other things.
In the draft, the third paragraph talks about the discovery of numerous artefacts via the review of a packet capture. What are those artefacts? (Separate them with a comma and a space; format: technical detail 1, technical detail 2)
3[.]250[.]38[.]141, Dropper.exe
The fourth paragraph talked about a swiftspend domain being hijacked to host the threat actor’s exfiltration IP. How did the investigators find out about this? (The answer is the entire string as described in the SoD)
Pivoting from backup.sh
What did we use to transform IOCs as detection rules in a vendor-agnostic format?
Sigma
In the Sigma Rule that we’ve created, what is the logsource category used by the author?
create_stream_hash
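The IOCs from the Threat Intel & Containment answers above (the adversary IP, dropper.exe and its SHA-256) turned into a Sigma rule with the `create_stream_hash` logsource category, and run over log records. This is an added example for these notes, not the rule written in the room and not the official sigma-cli tooling: the Sysmon Event ID 15 (FileCreateStreamHash) records are constructed, and the matcher implements only the subset of Sigma syntax this rule needs (field modifiers and a `1 of selection_*` condition).

```python
"""Turn the incident's IOCs into a Sigma rule and run it over log records.

Added example for these notes; it is not code from the TryHackMe room and
does not use the official sigma-cli tooling. The IOCs come from the room
answers (adversary IP, dropper.exe, its SHA-256). The Sysmon Event ID 15
(FileCreateStreamHash) records are constructed here, as is the matcher,
which implements only the subset of Sigma syntax the rule needs.
"""
import re

IOC_IP = "3.250.38.141"
IOC_FILENAME = "dropper.exe"
IOC_SHA256 = "463F1B1E11D4CA4C7A0C9AAC540513FF7E681D9E5144BDA2AF24B86E438D3F4F"


def build_sigma_rule():
    """Rule as a plain dict laid out like the Sigma YAML it is rendered to.

    logsource category create_stream_hash maps to Sysmon EID 15, which records
    the hash of a newly written file and the contents of its Zone.Identifier
    stream (including the HostUrl it was downloaded from).
    """
    return {
        "title": "SwiftSpend dropper downloaded from adversary infrastructure",
        "status": "experimental",
        "logsource": {"product": "windows", "category": "create_stream_hash"},
        "detection": {
            # Sysmon appends the stream name, e.g. ...\dropper.exe:Zone.Identifier,
            # so 'contains' is used rather than 'endswith' for the file name.
            "selection_name": {"TargetFilename|contains": "\\" + IOC_FILENAME},
            "selection_hash": {"Hash|contains": "SHA256=" + IOC_SHA256},
            "selection_url": {"Contents|contains": IOC_IP},
            "condition": "1 of selection_*",
        },
        "level": "high",
    }


def to_yaml(obj, indent=0):
    """Render the nested dict as YAML with no third-party dependency.

    Every scalar is single-quoted, which is safe here because none of the
    values contain a single quote.
    """
    pad = "  " * indent
    out = []
    for key, value in obj.items():
        if isinstance(value, dict):
            out.append(f"{pad}{key}:")
            out.append(to_yaml(value, indent + 1))
        else:
            out.append(f"{pad}{key}: '{value}'")
    return "\n".join(out)


def _field_matches(event, spec, expected):
    """One 'Field|modifier: value' entry; Sigma string matching is case-insensitive."""
    field, _, modifier = spec.partition("|")
    value = str(event.get(field, "")).lower()
    expected = str(expected).lower()
    if modifier == "":
        return value == expected
    if modifier == "contains":
        return expected in value
    if modifier == "startswith":
        return value.startswith(expected)
    if modifier == "endswith":
        return value.endswith(expected)
    raise ValueError(f"unsupported modifier: {modifier}")


def event_matches(rule, event):
    """Evaluate a '1 of prefix*' or 'all of prefix*' condition for one event."""
    detection = rule["detection"]
    m = re.fullmatch(r"(1|all) of (\w+)\*", detection["condition"])
    if not m:
        raise ValueError("only '1 of x*' / 'all of x*' conditions are supported")
    quantifier, prefix = m.groups()
    # Each selection is an AND over its fields; the condition combines selections.
    verdicts = [
        all(_field_matches(event, spec, exp) for spec, exp in selection.items())
        for name, selection in detection.items()
        if name != "condition" and name.startswith(prefix)
    ]
    return any(verdicts) if quantifier == "1" else all(verdicts)


def find_hits(rule, events):
    """Indices of the events the rule fires on."""
    return [i for i, ev in enumerate(events) if event_matches(rule, ev)]


# Constructed Sysmon EID 15 records: the original download, a benign download,
# and a renamed copy of the same dropper that only the hash selection catches.
SAMPLE_EVENTS = [
    {"EventID": 15, "Computer": "WS-ASCOT",
     "TargetFilename": r"C:\Users\michael.ascot\Desktop\dropper.exe:Zone.Identifier",
     "Hash": "SHA256=" + IOC_SHA256,
     "Contents": "[ZoneTransfer]  ZoneId=3  HostUrl=http://3.250.38.141/dropper.exe"},
    {"EventID": 15, "Computer": "WS-ASCOT",
     "TargetFilename": r"C:\Users\michael.ascot\Downloads\Q2-report.pdf:Zone.Identifier",
     "Hash": "SHA256=" + "A1" * 32,
     "Contents": "[ZoneTransfer]  ZoneId=3  HostUrl=https://intranet.swiftspend.finance/Q2-report.pdf"},
    {"EventID": 15, "Computer": "WS-FINANCE-07",
     "TargetFilename": r"C:\Users\Public\setup_update.exe:Zone.Identifier",
     "Hash": "SHA256=" + IOC_SHA256,
     "Contents": "[ZoneTransfer]  ZoneId=3  HostUrl=https://cdn.example.net/setup_update.exe"},
]

if __name__ == "__main__":
    rule = build_sigma_rule()
    print(to_yaml(rule))
    print("hits:", find_hits(rule, SAMPLE_EVENTS))
```

The third record is the reason for keeping three independent selections: a renamed dropper fetched from a different host defeats the filename and URL selections, but the SHA-256 still fires. Conversely, a recompiled dropper defeats the hash, so the rule should be reviewed whenever the lessons learned phase adds new IOCs.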