A cybersecurity incident response plan (IRP) to help responders with the tactical aspects of incident response.
This document applies to all individuals (Personnel) responsible or involved with cybersecurity incident response activities. Personnel shall be informed of this document by the organization's Information Security Office or Officer(s) (ISO).
This document is designated as Traffic Light Protocol (TLP): AMBER. Recipients may share TLP: AMBER information with members of their organization who need to know, and only widely as necessary to act on that information.
This document contains confidential and privileged material. Any interception, review, retransmission, dissemination or other use of or taking any action upon this information by persons or entities other than the intended recipient(s) is prohibited by law and may subject them to criminal or civil liability. This document contains material that may have been commissioned by counsel in anticipation of litigation. It should be treated as confidential to avoid waiver of the attorney/client privilege, the work-product privilege, or another applicable privilege. It was prepared for the sole use of the named recipient, and must not be relied upon by any third party.
This document is a deliverable that meets or exceeds a standard of reasonable cybersecurity practices.
This document meets or exceeds the following standards, compliance and/or regulatory requirements:
Standards:
Compliance:
Regulation:
The words cybersecurity and security are synonymous and used interchangeably herein.
Cybersecurity is the state of being protected against the violation of computer security policies, acceptable use policies, or standard security practices, or the measures taken to achieve this.
The words asset, information asset, information technology resource, and other processing activities are synonymous and used interchangeably herein.
An event is an observable occurrence in a digital ecosystem or computer network. Event examples include a login, a user connecting to a file share, a server receiving a request for a web page, a user sending email, and a firewall blocking a connection attempt.
The words alert and alarm are synonymous and used interchangeably herein.
An alert is an event having a security context usually generated from threat detection assets or treat hunting routines. Alerts may be the result of a negative consequence and generally require subsequent inspection. Examples of alerts include system crashes, unauthorized use of system privileges, unauthorized access to sensitive data, execution of malware, and destruction of data.
The word incident and the term event of critical interest are synonymous and used interchangeably herein.
An incident is an event or alert that signifies a security control failure, or a violation, or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices that require critical triage and a more in-depth investigation known as incident response.
During disciplined cybersecurity operations, including investigating and analyzing alerts, it is common for information security professionals to label the resulting analysis in terms of risk of compromise. An incident, or event of critical interest, is an analysis that results in a declaration of real or imminent danger and significant risk of asset compromise or confirmation thereof.
As an example, take two classes of typical cybersecurity events: potentially unwanted program and ransomware. The latter, ransomware, represents an event of critical interest because its progression through the environment represents real and imminent danger and could result in a significant risk of compromise to critical assets.
Another example may be an individual receiving a phishing email and realizing that it has attached malware, is in of itself NOT an incident (detective controls worked). However, an individual downloading that attached malware IS possibly an incident (preventative or corrective controls did not work) dependent on subsequent control failures (defense-in-depth failures) or real or imminent danger and significant risk of asset compromise or confirmation thereof.
An analogy in the natural world might be the comparison of a misdemeanor vehicular moving violation to a felony armed robbery. The latter, armed robbery, would be considered an incident.
Implementers of this IRP use a PICERL model as guidance for organizing courses of action (COA):
- Preparation
- Identification
- Containment
- Eradication
- Recovery
- Lessons / Opportunities For Improvement
Implementers of this IRP use an OODA loop as guidance for conducting COA:
- Observe
- Orient
- Decide
- Act
- ISO
- The Information Security Office or Officer(s) or designated representative(s) shall be responsible for ensuring the strategic effectiveness of this IRP.
- CSIRT
- The Computer Security Incident Response Team or designated representative(s) shall be responsible for ensuring the tactical effectiveness of this IRP.
The ISO shall be responsible for establishing risk management strategies that meet or exceed a standard of reasonable cybersecurity practices. These activities protect information assets, controls, and processes against a violation of the organization’s computer security policies or acceptable use policies. The ISO is responsible for establishing controls and processes aligned with the five (5) core functions of Cybersecurity Risk Management as defined by the NIST Cybersecurity Framework (CSF).
- Identify
- Protect
- Detect
- Respond
- Recover
The CSIRT shall routinely conduct inspections of the cybersecurity technology controls (cyber weapon assets) used to detect and or prevent incidents to ensure cyberweapon readiness. The CSIRT shall own the responsibility of remediating defects, disruptions, or degradation of cyber weaponry assets and security controls. The ISO shall routinely request from the CSIRT a report of the state of cyber weaponry assets and security controls readiness. The CSIRT shall promptly comply with an ISO request for a report of the state of cyber weaponry assets, and security controls readiness and maintain the provided report for no less than one (1) year.
This IRP uses the priority levels defined in the US National Cybersecurity and Communications Integration Center (NCCIC) Cyber Incident Scoring System (CISS) as the model for rating the severity of an Information Security Incident. SEE NCCIC CISS Severity Rating Model
Severity rating levels shall be used to determine the necessary force and resource prioritization required to handle and respond to an incident. The CSIRT is responsible for declaring the initial severity rating. The ISO is responsible confirming and adjusting security ratings that meet or exceed a High rating.
The CSIRT and ISO shall use qualified Information Security Personnel, and cyber weapons, and security controls capable of defending and preventing adversaries from using specific tactics, techniques, and procedures as described by the MITRE ATT&CK Framework.
SEE the NOTES section for TTP examples including Protecting Against Ransomware and Protecting Against Phishing
The ISO shall be responsible for ensuring that log data transmitted by assets is properly preserved, protected, and maintained for a period of one (1) year.
The CSIRT shall respond to alerts generated by cyber weapons and security controls. The CSIRT shall routinely patrol (threat hunt) and audit log data and assets for indicators of compromise.
The CSIRT shall establish an electronic/virtual evidence locker to store and protect evidence collected during incident response. The CSIRT should maintain an electronic journal (manifest) of collection activities and their related evidence artifacts. The CSIRT shall maintain an electronic chain of custody ledger that includes the date, the evidence artifact, the transferrer, and the transferee for all activities involving the transfer of collected artifacts from the evidence locker to authorized recipients or electronic media. The ISO shall approve all transfers of evidence artifacts to authorized recipients or electronic media.
The ISO shall maintain and protect evidence locker artifacts collected during an Information Security Incident for one (1) year from the date of the initial detection. The ISO shall maintain and protect the Information Security Incident after-action incident report and any related communications for one (1) year from the date of the initial detection.
The ISO shall certify that assets impacted by a successful compromise are eligible for being restored to their normal operational state only after remediation activities have prevented the assets from further risk of intrusion.
The CSIRT shall produce an after-action report that provides the details of the incident. The CSIRT should produce content for the report iteratively during the response. The ISO shall approve all dissemination of the report.
The ISO shall be responsible for coordinating and sharing details of an incident to internal authorized Personnel, without undue delay on a need to know basis, when the ISO deems that sharing is beneficial to response activities and per the organization's data classification policies.
The ISO shall be responsible for coordinating and delivering notifications, without undue delay, to individuals, customers, and data subjects for the purposes of complying with statutes, regulations, or ordinances if the ISO determines the incident is likely to result in an infringement of, or high risk to, the rights and freedoms of those individuals, customers, and data subjects that have been impacted by the compromised assets.
The ISO shall be responsible for coordinating and delivering notifications, within seventy two (72) hours of identifying an incident, to the supervisory authority (when organization is acting as a controller) or the controller (when organization is acting as a processor) for the purposes of compliance with the EU GDPR regulation if the ISO determines the incident is likely to result in an infringement of, or high risk to, the rights and freedoms of those individuals, customers, and data subjects that have been impacted by the compromised assets and/or information technology resources.
The ISO shall be responsible for coordinating and delivering notifications, without undue delay, to various state authorities (SEE here and here) for the purposes of complying with statutes, regulation, or ordinances if the ISO determines the Information Security Incident is likely to result in an infringement of, or high risk to, the rights and freedoms of those individuals, customers, and data subjects that have been impacted by the compromised assets and/or information technology resources.
The ISO shall be responsible for notifying law enforcement to comply with statutes, regulation, or ordinances or threat actor prosecution if the ISO determines the incident meets the standard of a condition identified through discussions with law enforcement representatives provided such discussions have previously taken place. The ISO shall refrain from contacting multiple agencies when reporting an incident to avoid jurisdictional conflicts. The following is a list of law enforcement agencies:
- Federal Bureau of Investigation
- U.S. Secret Service
- District Attorney
- State Attorney General
The ISO shall be responsible for coordinating and sharing the relevant details of an incident, without undue delay on a need to know basis, with the media when the ISO deems that sharing is beneficial to response activities and per the organization's data classification policies.
The ISO shall be responsible for coordinating and sharing the relevant details of an incident, without undue delay on a need to know basis, with the organization's trusted 3rd party service providers when the ISO deems that sharing is beneficial to response activities and per the organization's data classification policies.
- Cybersecurity-as-a-Service Providers
- Incident Response Partners
- Legal Counsel
- Crisis Management Partners
- Cybersecurity Insurance Broker
- Use real world IOC-Negative scenarios as if they were IOC-Positive to train response personnel and gauge response effectiveness
- Become Familiar With Breach Notification Laws
- Breathe
- Think "smooth is fast"
- Inspect change logs to determine if activity is possibly the result of an authorized change
- Review system baselines to determine if activity is possibly the result of expected behavior
- Ask asset owners what they know in terms of Indicators Of Compromise (IOC) and record the results
- SEE Top Indicators of Compromise (TOP-IOC) below for hints
- SEE MITRE ATT&CK Framework for hints
- Ask asset owners "Was there a loss of data?" and record the results
- Ask asset owners "Was restricted data at risk?" and record the results
- Assign a severity rating
IMPORTANT - When possible encrypt communication - threat actors may be listening to the channel
- Make notes of actions you took during the assessment phase
- What you do, see, and hear will be used by investigators, after-action reporting, and maintained for posterity purposes
- Record times
- Communicate using 24HR/military time (e.g. 0900, 1330, 1845)
- Record atomic attributes
- Record behavioral attributes
- Make factual assertions backed by evidence
- Peer review observations and assertions with experienced personnel
- Mark email communication with "CONFIDENTIAL//ATTORNEY-CLIENT PRIVILEGE//TLP:AMBER" labels
- Use encryption or an alternative band of communication if the material is extremely sensitive
IMPORTANT - Keep a system POWERED ON prior to the collection of volatile media to preserve valuable evidence
(isolate the host by disconnecting its network connection or through the use of EDR)
- Journal collection activities
- Conduct log analysis
- Conduct system forensics
- Use a DFIR checklist
- Acquire volatile media
- Acquire non-volatile media
- Follow a consistent evidence process that achieves the objective of provenance
- Journal evidence activities
- Establish an evidence locker
- Preserve evidence
CONTAINMENT IS THE MOST IMPORTANT COA DURING INCIDENT RESPONSE
- Create a list of COA based on the nature of the threat
- Use the OODA loop method as guidance for COA
- Organize the COA by using the mnemonic: Inventory + 6-Ds
- Inventory
- Detect
- Deny
- Disrupt
- Degrade
- Deceive
- Destroy
- Force rank COA based on strategies that:
- Mitigate risk
- Create an advantage for the responders
- Preserve evidence
- Consider collateral damage
- Align with policies
- Respect the law
- Use the properly maintained cyber weapons to fortify the Inventory + 6-Ds
- Apply defensive and offensive force concentration tactics
- *NOTE: Force concentration does not guarantee relief from a flank of routine threat activity: watch the wire!
- *NOTE: Force concentration is useless if containment assets are idle: assign COA & put weapons to use
- Manage fatigue to avoid defective decision making and maintain consistent pressure on the adversary
- Avoid decision avoidance, solve the problem, embrace the challenge, and be fast-acting
- Get in the fight and regain control of the impacted assets!
- Inspect the asset to ensure the threat has been fully eradicated
- Remediate all known vulnerabilities
- Apply controls to prevent further intrusion
IMPORTANT - Restore only after remediation activities have prevented the assets from further risk of intrusion
- Restore to a normal state
- Recovery point objective (RPO)
- Recovery time objective (RTO)
- Develop OFI as gaps are discovered during the response
- Record the OFI in the after-action report
- Develop content for the report in an iterative manner as response activities are being conducted
- Supply detailed and factual statements and artifacts
- Summary
- Timelines (attack & response sequences)
- Indicators of Compromise (IOC) (the nouns of the attack)
- Intrusion Kill Chain (IKC) (threat actors activity - bad guy verbs)
- Courses of Action (COA) (reponders activity - good guy verbs)
- Opportunities for Improvement (OFI) (lessons learned)
- Disseminate the report
- Individuals, Customers, & Data Subjects
- Data Controllers
- Supervisory Authorities
- US State Authorities
- Law Enforcement
- Credit Reporting Agencies
- The Media
- Cybersecurity-as-a-Service Providers
- Incident Response Partners
- Legal Counsel
- Crisis Management Partners
- Insurance Brokerage
# IOC NEGATIVE
## TOP-IOC: Attack surface DOES NOT exist
## TOP-IOC: Attack surface vulnerability DOES NOT exist
## TOP-IOC: Mitigating controls DO EXIST and ARE currently protecting the asset
## TOP-IOC: Subsequent attack activity DOES NOT exist
## TOP-IOC: Corroboration from other assets DOES NOT exist
## TOP-IOC: NOT CONSISTENT with unusual egress network traffic
## TOP-IOC: NOT CONSISTENT with unusual lateral movement
## TOP-IOC: NOT CONSISTENT with login anomalies
## TOP-IOC: NOT CONSISTENT with suspicious domain controller activity
## TOP-IOC: NOT CONSISTENT with suspicious byte counts
----
# IOC POSITIVE
## TOP-IOC: Attack surface DOES exist
## TOP-IOC: Attack surface vulnerability DOES exist
## TOP-IOC: Mitigating controls DO NOT EXIST or ARE NOT currently protecting the asset
## TOP-IOC: Subsequent attack activity DOES exist
## TOP-IOC: Corroboration from other assets DOES NOT exist
## TOP-IOC: CONSISTENT with unusual egress network traffic
## TOP-IOC: CONSISTENT with unusual lateral movement
## TOP-IOC: CONSISTENT with login anomalies
## TOP-IOC: CONSISTENT with suspicious domain controller activity
## TOP-IOC: CONSISTENT with suspicious byte counts
- Analysts shall use a TAM similar to the TOP-IOC
- Analysts shall annotate cases using one or more TOP-IOC annotation statements
- All ticket annotation shall start with IOC-NEGATIVE -or- IOC-POSITIVE
- Evidence that intelligence assets were searched and analyzed is required
- Annotations should indicate the COA related to the specific activities conducted
- Attack Surface Vulnerability Exists
- Corroboration From Multiple Intelligence Assets
- Unusual Egress Network Traffic
- Unusual Ingress Network Traffic
- Anomalies In Privileged User Account Activity
- Geographical Irregularities
- Log-In Anomalies
- Volume Increase For Database Reads
- HTTP Response Size Anomalies
- Large Numbers Of Requests For The Same File
- Mismatched Port-Application Traffic
- Suspicious Registry Or System File Changes
- DNS Request Anomalies
- Unexpected Patching Of Systems
- Mobile Device Profile Changes
- Data In The Wrong Places
- Unusual Lateral Movement
- Velocity Increase For Share / Mount Activity
- Time Based Anomalies
- Suspicious Byte Counts
- Suspicious Domain Controller Activity
- Subsequent Activity By Attacker Address / GEO
- HTTP Response Code Success
- Logons To New Or Unusual Systems
- New Or Unusual Logon Session Types
- Unusual Time Of Day Activity
- Unusual GEO
- Unlikely Velocity
- Shared Account Usage
- Privileged Account Usage
- Unusual Program Execution
- New Program Execution
- High Volume File Access
- Unusual File Access Patterns
- Cloud-based File Sharing Uploads
- New IP Address Association
- Bad Reputation Address Association
- Unusual DNS Queries
- Bandwidth Usage
- Unusual Or Suspicious Application Usage
- Dark Outbound Network Connections
- Known Command And Control Connections
- Building Entry And Exits
- High Volume Printing Activity
- Unusual Time Period Printing
- Endpoint Indicators Of Compromise
- Sensitive Table Access
- Sensitive Data Movement Combined With Other Risk Indicators
- Known Signatures
- Reputation
- IP Addresses
- Domains
- DNS Queries
- DLP Indicators
- Anomalous Traffic Patterns
- Protocols
- Inconsistent Protocols
- Malformed Protocols
- Masquerading Protocols
- Prohibited Protocols
- Domain registered date is recent
- Domain registrant is anonymous or non-reputable
- Domain shares similar characteristics with prior known bad
- Domain has a suspicious email infrastructure
- Domain has a suspicious website infrastructure
- Domain has a disreputable history
- Domain has suspicious IP addresses / DNS data
- Privileged account logon from foreign address
- Creation of accounts in Azure AD
- Traffic restrictions loosened on Virtual Network
- Storage account accessed via stolen key from foreign address
- Subscription Administrator added
- Windows level intrusion of VM
- High priority target's mailbox is accessed
- Prioritize software updates for internet facing systems and systems having access to the internet
- Practice least privilege principles including role based access controls and access limitations
- Implement end point detection / host based intrusion technologies
- Maintain backups of mission critical data
- Educate the user community
- Create a response / MISSION plan and assign a strike force to execute that plan when it becomes necessary
- Conduct security awareness training
- Conduct phishing simulation tests
- Deploy Application Whitelisting (AWL)
- Deploy Endpoint Detection and Response (EDR) technology
- Inspect outbound URLs
- Ensure user accounts do not execute with elevated (admin) privileges
- Use inbound email sandboxing
- Deploy packet capture inspection technology with decryption capability
- Deploy HTTPS inspection technology that validates certificate chains
- /~https://github.com/guardsight/gsvsoc_mission-model
- https://www.nist.gov/cyberframework
- http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
- https://nvd.nist.gov/800-53/Rev4/control/IR-8
- https://nvd.nist.gov/800-53/Rev4/family/INCIDENT%20RESPONSE
- https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.04162018.pdf
- https://www.us-cert.gov/NCCIC-Cyber-Incident-Scoring-System
- https://www.eugdpr.org/
- http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx
- https://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/Data_Breach_Charts.pdf
- https://attack.mitre.org
- https://zeltser.com/cheat-sheets
GuardSight® is a registered trademark of GuardSight, Inc. All other products and company names mentioned herein are trademarks or registered trademarks of their respective owners. © GuardSight, Inc.