Date posted: 10-Mar-2020

Chris Taylor, Taksati Consulting, https://taksati.org

INCIDENT RESPONSE PLAYBOOK CREATION

AGENDA

Incident Response Procedures

Components of a Playbook

Example Playbook: Spam / Phishing

Building a Playbook From Scratch

Resources

INCIDENT RESPONSE PROCEDURES (from NIST SP 800-61)

Preparation
§ Write Policy & Procedures
§ Build out CIRT, SOC, etc.
§ Install/maintain tools
§ Training

Detection
§ Monitor endpoints, network traffic, logs, other data sources
§ Look for anomalies - time of logins, spikes in network activity, etc.
§ Raise alerts on suspicious events

Identification
§ Not every “event” will be an “incident”
§ Categorize and Triage Incidents
  § Malware, Hacker, PII, Spam, whatever

Analysis
§ Determine Indicators of Compromise (IOCs)
§ Identify breadth and depth of incident
§ Various forms of Forensics occur here

Containment
§ Stop spread of malware, exfil of data, etc.
§ Can be concurrent with Analysis
  § Without proper analysis, you may not get proper containment
§ Firewalls, Proxies, Routers, etc. to block/redirect

Eradication
§ Remove malware from systems
§ Remove backdoors, etc. used by attacker

Recovery
§ Harden systems/network to prevent reoccurrence
§ Return business to “business as usual”
§ Get workstations/servers back on line

Post-Incident
§ Lessons Learned / After Action Review
§ Modify Policies, Procedures, etc.
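The Detection and Identification phases above come down to two mechanical steps: look for anomalies in the data sources you monitor (login times, activity spikes), then decide which of the resulting events are actually incidents. The Python below is an added example, not code from the slides or from Taksati Consulting, that runs both steps over a few constructed auth-log lines. The log format, the 07:00 to 18:59 business-hours window, the five-failures-per-minute threshold and the user names are all assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample auth-log lines (not from the slides); one event per line.
SAMPLE_LOGS = """\
2020-03-09T02:14:07 auth user=jsmith src=10.0.5.23 result=success
2020-03-09T09:02:11 auth user=akim src=10.0.5.40 result=failure
2020-03-09T09:02:12 auth user=akim src=10.0.5.40 result=success
2020-03-09T13:45:00 auth user=bchen src=10.0.7.9 result=success
2020-03-09T14:00:01 auth user=svc-backup src=10.0.9.2 result=failure
2020-03-09T14:00:02 auth user=svc-backup src=10.0.9.2 result=failure
2020-03-09T14:00:03 auth user=svc-backup src=10.0.9.2 result=failure
2020-03-09T14:00:04 auth user=svc-backup src=10.0.9.2 result=failure
2020-03-09T14:00:05 auth user=svc-backup src=10.0.9.2 result=failure
2020-03-09T14:00:06 auth user=svc-backup src=10.0.9.2 result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$")

BUSINESS_HOURS = range(7, 19)  # assumption: interactive logins are expected 07:00-18:59
FAILURE_SPIKE = 5              # assumption: failures per user per minute that count as a spike


def parse_events(text):
    """Detection step 1: turn raw log lines into structured events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production pipeline would count unparsed lines as a data-quality signal
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def detect_anomalies(events):
    """Detection step 2: raise alerts on the two anomaly types the slides name."""
    alerts = []
    for e in events:  # successful logins at unusual times
        if e["result"] == "success" and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append({"type": "off_hours_login", "user": e["user"],
                           "src": e["src"], "ts": e["ts"].isoformat()})
    failures = Counter()  # spikes: many failures for one user inside one minute
    first_failure = {}
    for e in events:
        if e["result"] == "failure":
            key = (e["user"], e["ts"].strftime("%Y-%m-%dT%H:%M"))
            failures[key] += 1
            first_failure.setdefault(key, e["ts"])
    for (user, minute), n in sorted(failures.items()):
        if n >= FAILURE_SPIKE:
            # A success after the burst is what separates noise from a likely compromise.
            success_after = any(x["user"] == user and x["result"] == "success"
                                and x["ts"] > first_failure[(user, minute)] for x in events)
            alerts.append({"type": "failure_spike", "user": user, "minute": minute,
                           "count": n, "success_after": success_after})
    return alerts


def triage(alerts):
    """Identification: not every event is an incident. Promote only alerts with a strong
    signal, tagged with one of the incident categories the slides list ("Hacker")."""
    incidents = []
    for a in alerts:
        if a["type"] == "failure_spike" and a["success_after"]:
            incidents.append({"category": "Hacker",
                              "summary": f"{a['user']}: {a['count']} failures then success at {a['minute']}"})
        # an off-hours login on its own stays an event queued for analyst review
    return incidents


if __name__ == "__main__":
    found = detect_anomalies(parse_events(SAMPLE_LOGS))
    for a in found:
        print("ALERT", a)
    for i in triage(found):
        print("INCIDENT", i)
```

The split between detect_anomalies and triage mirrors the slides: detection raises every alert, identification applies the judgement about which alerts deserve an incident record, and that second step is where a playbook's categorization rules belong.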

PLAYBOOK CREATION

COMPONENTS OF A PLAYBOOK

Flowcharts vs Checklists
• Flowcharts are good for decisions that lead to multiple paths
• Checklists are good for monolithic lists of steps
• Combination of the two is best
  • Flowchart governs the big picture
  • Each block in flowchart has a checklist for how to execute it

RACI chart each step
• Identify WHO (person or team) is Responsible / Accountable / Consulted / Informed
• Knowing ahead of time who has each step removes pitfalls
• Have contact info right in playbook to minimize time lost looking for it

Environmental Influences
• Steps should be specific to your environment
• New analyst can follow and learn how to operate in this environment
• Must be constantly updated to follow changes in environment

COMMON FLOW CHART SYMBOLS

START / PREVIOUS
• Start here
• Used to break bigger flowcharts into smaller, more manageable segments

STOP / NEXT
• End here
• Used to break bigger flowcharts into smaller, more manageable segments

PROCESS
• Any step in the process
• The most heavily used symbol

DECISION
• A fork in the flow based on a decision being made about how to proceed
• Can be any number of output paths

INPUT
• For processes that provide data that will feed into a decision or process

MANUAL INPUT
• For when a human needs to provide data that will feed into next block

REPORT
• Production of a report, email, or other documentation

(symbol not named in transcript)
• Older form of INPUT
• Rarely used nowadays

MANUAL PROCESS
• Process requires a human
• Square Process block could be manual or automated, this specifically needs a human

DELAY
• A waiting period, either timed or not
• Sometimes used to denote pausing for user acknowledgment

DATA / DATA OR
• Used to denote stored data
• Either a local database or feed from an intel provider
• For example, could be
  • DNS or WHOIS lookup
  • Threat Intel feed
  • Log aggregation store

EXAMPLE PLAYBOOK: SPAM / PHISHING

PHISHING – DETECT

START → IDENTIFY THREAT INDICATORS → IDENTIFY RISK FACTORS → DATA COLLECTION → CATEGORIZE → TRIAGE → NEXT

IDENTIFY THREAT INDICATORS
Alerts:
• Spam filter alerts
• NIDS / HIDS alerts, if link followed
• AV / EDR alerts, if attachment fires
• Errors from bounced msgs
Notified:
• Notification from user
• Notification from recipients
• Notification from external party
• Notification from ISP or mail provider

IDENTIFY RISK FACTORS
Common:
• Credential theft
• Malware delivery
• Criminal activity
• Financial losses
• Blackmail / Ransom
Org specific:
• Financial losses
• Reputational damage

DATA COLLECTION
• Collect offending message
• Query DNS / IP reputation

CATEGORIZE
• Determine type
  • Spam
  • Phishing
  • Spear phishing
  • Whaling
  • BEC

TRIAGE
• Determine Impact
  • Impact of msg type
  • Financial impact
• Determine Scope
  • Number of people received msg

PHISHING – ANALYZE

PREVIOUS → VERIFY → DATA COLLECTION → IDENTIFY IOC → SCAN ENTERPRISE → UPDATE SCOPE → ALL AFFECTED ENDPOINTS ID’ed? (YES → NEXT; NO → loop back)

VERIFY
• Double-check previous data
• Rule out false positives

DATA COLLECTION
• Run attachments through sandbox
• Run links through sandbox
• ID subject, attachments, from addr
• ID other addresses, domains, IPs
• Search Threat Intel sources
• Disk forensics on recipient’s endpoint

IDENTIFY IOC
• Search mailboxes for IOCs
• Search endpoints for IOCs

SCAN ENTERPRISE
• Update spam filter
• Update FW, IDS, etc. rules w/ IOCs
• Search all mail folders for IOCs
• Search endpoints for IOCs w/ EDR

UPDATE SCOPE
• Update lists of
  • affected recipient addresses
  • affected endpoints
  • affected enclaves
  • affected business units

PHISHING – CONTAIN / ERADICATE

PREVIOUS → BLOCK C2, EMAIL TRAFFIC → DATA COLLECTION → DETERMINE IF HOSTS INFECTED → MALWARE INFECTION OCCURRED? (YES → RUN MALWARE BOOK; NO → DELETE EMAILS) → ANALYSIS → NO NEW IOCs DISCOVERED? → ALL AFFECTED ENDPOINTS CONTAINED? (YES → NEXT; NO → loop back)

BLOCK C2, EMAIL TRAFFIC
• Update spam filters
• Update FW, Proxy, etc. rules
• Blackhole DNS

DATA COLLECTION
• Have emails been read
• Have attachments been opened
• Have links been clicked

DELETE EMAILS
• Delete from users’ inboxes
  • Spam tool
  • Email admin console
• Delete downloaded attachments
  • EDR, etc. to scan enterprise

ANALYSIS
• Monitor for related messages

PHISHING – RECOVER

PREVIOUS → DATA COLLECTION → UPDATE DEFENSES → OPERATIONAL CAPABILITY RESTORED? (YES → NEXT; NO → loop back)

DATA COLLECTION
• Determine if
  • Spam filters blocking legit emails
  • Proxy, FW, etc. blocking legit sites

UPDATE DEFENSES
• Determine which Spam filter, FW, Proxy, EDR, etc. rules can stay to prevent reinfection vs. which need to be removed to restore functionality

PHISHING – POST INCIDENT ACTIVITIES

PREVIOUS → INCIDENT REVIEW → UPDATE POLICY OR PROCEDURES → REVIEW DEFENSIVE POSTURE → STOP

INCIDENT REVIEW
• What worked
• What didn’t work

UPDATE POLICY OR PROCEDURES
• Update policies, procedures, playbooks, etc. as necessary
• Schedule review of newly introduced rules in 6 mo / 1 yr

REVIEW DEFENSIVE POSTURE
• Are the following still applicable
  • Spam filter rules
  • FW, Proxy rules for C2
  • AV / EDR custom sigs
  • IDS sigs
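The Components section describes a playbook as a flowchart whose every block carries a checklist and a RACI entry, and the phishing slides show what one looks like on paper. The Python below is an added example, not code from the slides or from Taksati Consulting, that encodes the CONTAIN / ERADICATE phase in that structure and walks it against a constructed incident record the way a SOAR tool would. Block names come from the slides; the targets of the NO branches, the merging of the DATA COLLECTION checklist into DETERMINE IF HOSTS INFECTED, the RACI owners, the contact string, the hostnames and the IOC values are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Union


@dataclass
class RACI:
    responsible: str
    accountable: str
    consulted: str = ""
    informed: str = ""
    contact: str = ""  # lives in the playbook so nobody loses time looking it up


@dataclass
class Process:
    name: str
    checklist: List[str]                 # how to execute this block
    raci: RACI                           # who owns it
    nxt: Optional[str]                   # None = terminal block (STOP / NEXT)
    manual: bool = False                 # MANUAL PROCESS symbol: a human must do it
    action: Optional[Callable[[dict], None]] = None  # automation hook (SOAR-style)


@dataclass
class Decision:
    name: str
    test: Callable[[dict], bool]         # evaluated against the incident record
    yes: Optional[str]
    no: Optional[str]


Block = Union[Process, Decision]


def run_playbook(blocks: Dict[str, Block], start: str, incident: dict, max_steps: int = 50) -> List[str]:
    """Walk the flowchart from `start`, run each block's hook, return the path taken.
    max_steps guards against a loop whose exit decision is never satisfied."""
    trace: List[str] = []
    cur: Optional[str] = start
    while cur is not None:
        if len(trace) >= max_steps:
            raise RuntimeError("playbook did not terminate; check loop exit conditions")
        b = blocks[cur]
        if isinstance(b, Decision):
            answer = b.test(incident)
            trace.append(f"{b.name}:{'YES' if answer else 'NO'}")
            cur = b.yes if answer else b.no
        else:
            trace.append(b.name)
            if b.action:
                b.action(incident)  # a live SOAR would pause (DELAY) here when b.manual is True
            cur = b.nxt
    return trace


# Automation hooks. Each one mutates the incident record the way the block's checklist says.
def block_c2(incident):            # push every known IOC to spam filter / FW / proxy / DNS blackhole
    incident["blocked"].update(incident["iocs"])

def record_host_status(incident):  # manual block: analyst findings are pre-supplied in this example
    incident["malware_found"] = incident["analyst_findings"]["malware_found"]

def delete_emails(incident):       # remove messages and attachments; endpoints then count as contained
    incident["emails_deleted"] = True
    for ep in incident["endpoints"]:
        incident["endpoints"][ep] = "contained"

def analysis(incident):            # monitor for related messages; new observations become IOCs
    new = incident["pending_iocs"]
    incident["new_iocs_found"] = bool(new)
    incident["iocs"].extend(new)
    incident["pending_iocs"] = []


SOC = RACI("SOC analyst", "IR lead", consulted="Email admin", informed="CISO",
           contact="soc-oncall (placeholder)")  # constructed RACI entry

CONTAIN_ERADICATE: Dict[str, Block] = {
    "BLOCK C2, EMAIL TRAFFIC": Process("BLOCK C2, EMAIL TRAFFIC",
        ["Update spam filters", "Update FW, Proxy, etc. rules", "Blackhole DNS"],
        SOC, "DETERMINE IF HOSTS INFECTED", action=block_c2),
    "DETERMINE IF HOSTS INFECTED": Process("DETERMINE IF HOSTS INFECTED",
        ["Have emails been read", "Have attachments been opened", "Have links been clicked"],
        SOC, "MALWARE INFECTION OCCURRED?", manual=True, action=record_host_status),
    "MALWARE INFECTION OCCURRED?": Decision("MALWARE INFECTION OCCURRED?",
        lambda i: i["malware_found"], "RUN MALWARE BOOK", "DELETE EMAILS"),
    "RUN MALWARE BOOK": Process("RUN MALWARE BOOK", ["Hand off to the malware playbook"], SOC, None),
    "DELETE EMAILS": Process("DELETE EMAILS",
        ["Delete from users' inboxes (spam tool / email admin console)",
         "Delete downloaded attachments (EDR, etc. to scan enterprise)"],
        SOC, "ANALYSIS", action=delete_emails),
    "ANALYSIS": Process("ANALYSIS", ["Monitor for related messages"], SOC,
        "NO NEW IOCs DISCOVERED?", action=analysis),
    "NO NEW IOCs DISCOVERED?": Decision("NO NEW IOCs DISCOVERED?",
        lambda i: not i["new_iocs_found"], "ALL AFFECTED ENDPOINTS CONTAINED?", "BLOCK C2, EMAIL TRAFFIC"),
    "ALL AFFECTED ENDPOINTS CONTAINED?": Decision("ALL AFFECTED ENDPOINTS CONTAINED?",
        lambda i: all(s == "contained" for s in i["endpoints"].values()),
        "NEXT", "DETERMINE IF HOSTS INFECTED"),
    "NEXT": Process("NEXT", ["Continue with PHISHING – RECOVER"], SOC, None),
}


def new_incident(malware_found: bool = False) -> dict:
    """Constructed incident record (not from the slides): one known IOC, one that turns up later."""
    return {"iocs": ["bad-link.example"], "pending_iocs": ["second-c2.example"], "blocked": set(),
            "endpoints": {"ws-017": "affected", "ws-042": "affected"},
            "analyst_findings": {"malware_found": malware_found},
            "malware_found": False, "emails_deleted": False, "new_iocs_found": False}


if __name__ == "__main__":
    inc = new_incident()
    for step in run_playbook(CONTAIN_ERADICATE, "BLOCK C2, EMAIL TRAFFIC", inc):
        print(step)
    print("blocked:", sorted(inc["blocked"]))
```

Running it on the default incident takes the NO branch at MALWARE INFECTION OCCURRED?, discovers the second IOC during ANALYSIS, loops back through BLOCK C2 once, and exits at NEXT with both IOCs blocked; setting malware_found=True hands off to RUN MALWARE BOOK after two blocks. The max_steps guard is the check worth keeping in any real engine: a playbook with a "loop back" arrow and no exit condition that can ever become true is a common drafting mistake.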

BUILDING A PLAYBOOK FROM SCRATCH

WHAT INGREDIENTS DO YOU HAVE?

Tool Inventory: What products, platforms, and/or processes do you have available to you?

Available Personnel: Who can/will assist in the process? RACI chart.

Problem to Solve: What workflow are you trying to document? What is the goal?

Current State: Are you designing a new process or documenting an existing process?

PROCESS TO BUILD PLAYBOOKS

1. Identify the triggers
2. Identify the end state
3. List all possible actions
   3a. Categorize actions as ‘required’ or ‘optional’
   3b. Group actions by IR Phase, activity, and/or function
   3c. Identify actions with prerequisites or specific ordering requirements
4. Build playbook using only ‘required’ actions
5. Modify playbook to include ‘optional’ actions where appropriate
   5a. Insert into playbook based on 3b and 3c
6. List next to all actions who will execute, compliance issues, or other notes as appropriate
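Steps 3 through 6 above are a sorting problem once the action list exists: tag each action with its phase, whether it is required, and its prerequisites, build the required-only skeleton, then slot optional actions in where the grouping and ordering rules allow. The Python below is an added example, not code from the slides or from Taksati Consulting, that does exactly that and prints rows in the shape of the exercise worksheet (Phase, Action, By Who). The action inventory is constructed from the phishing playbook steps on the slides; the owners, the one note, and the prerequisite links are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# IR phases in the order the slides list them (from NIST SP 800-61).
PHASES = ["Preparation", "Detection", "Identification", "Analysis",
          "Containment", "Eradication", "Recovery", "Post-Incident"]


@dataclass(frozen=True)
class Action:
    name: str
    phase: str                      # 3b: group by IR phase
    required: bool                  # 3a: 'required' or 'optional'
    who: str                        # 6: who executes the action
    prereqs: Tuple[str, ...] = ()   # 3c: actions that must come first
    notes: str = ""                 # 6: compliance issues or other notes


def _check(inventory: List[Action]) -> None:
    """Reject inventories the procedure cannot order sensibly."""
    by_name = {a.name: a for a in inventory}
    for a in inventory:
        if a.phase not in PHASES:
            raise ValueError(f"{a.name}: unknown phase {a.phase!r}")
        for p in a.prereqs:
            if p not in by_name:
                raise ValueError(f"{a.name}: unknown prerequisite {p!r}")
            if PHASES.index(by_name[p].phase) > PHASES.index(a.phase):
                raise ValueError(f"{a.name}: prerequisite {p!r} sits in a later phase")
            if a.required and not by_name[p].required:
                # Step 4 would otherwise emit a required step whose precondition is missing.
                raise ValueError(f"{a.name} is required but depends on optional {p!r}")


def _sequence(actions: List[Action]) -> List[Action]:
    """Order actions phase by phase (3b), prerequisites first within a phase (3c)."""
    ordered: List[Action] = []
    for phase in PHASES:
        pending = [a for a in actions if a.phase == phase]
        while pending:
            done = {x.name for x in ordered}
            ready = [a for a in pending if all(p in done for p in a.prereqs)]
            if not ready:
                raise ValueError(f"circular prerequisites in phase {phase}")
            ordered.append(ready[0])
            pending.remove(ready[0])
    return ordered


def _insert_optional(book: List[Action], opt: Action) -> List[Action]:
    """5a: place an optional action at the end of its phase group, after its prereqs
    and before anything that depends on it."""
    names = [a.name for a in book]
    lo = max([names.index(p) + 1 for p in opt.prereqs], default=0)
    later = [i for i, a in enumerate(book)
             if PHASES.index(a.phase) > PHASES.index(opt.phase) or opt.name in a.prereqs]
    hi = min(later, default=len(book))
    if lo > hi:
        raise ValueError(f"{opt.name}: prerequisites conflict with phase ordering")
    return book[:hi] + [opt] + book[hi:]


def build_playbook(inventory: List[Action]) -> List[Action]:
    _check(inventory)
    book = _sequence([a for a in inventory if a.required])   # step 4: required only
    for opt in [a for a in inventory if not a.required]:      # step 5: add optional
        book = _insert_optional(book, opt)
    return book


def render(book: List[Action]) -> List[str]:
    """Rows for the exercise worksheet: Phase | Action | By Who (| Notes)."""
    return [f"{a.phase} | {a.name} | {a.who}" + (f" | {a.notes}" if a.notes else "")
            for a in book]


# Constructed inventory drawn from the phishing playbook steps on the slides; owners,
# notes and prerequisite links are placeholders. Deliberately listed out of order.
INVENTORY = [
    Action("Delete from users' inboxes", "Eradication", True, "Email admin", ("Update spam filters",)),
    Action("Blackhole DNS", "Containment", False, "Network team", ("Query DNS / IP reputation",)),
    Action("Lessons learned review", "Post-Incident", True, "IR lead"),
    Action("Query DNS / IP reputation", "Analysis", True, "SOC analyst", ("Collect offending message",)),
    Action("Run attachments through sandbox", "Analysis", False, "Malware analyst",
           ("Collect offending message",), "retain samples per evidence policy"),
    Action("Update spam filters", "Containment", True, "Email admin", ("Query DNS / IP reputation",)),
    Action("Search Threat Intel sources", "Analysis", False, "SOC analyst"),
    Action("Collect offending message", "Detection", True, "SOC analyst"),
]

if __name__ == "__main__":
    for row in render(build_playbook(INVENTORY)):
        print(row)
```

Two design choices are worth noting. Optional actions are placed as late as their phase allows, so the required skeleton from step 4 stays readable at the top of each phase group. And a required action that depends on an optional one is rejected outright rather than silently reordered; that combination almost always means the categorization in 3a is wrong, and the playbook should not be built until it is fixed.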

EXERCISE

Problem:

People | Tools | Actions

PHASE _____________ – PLAYBOOK ____________________

Flowchart | Action | By Who

AUTOMATION

SOC automation can lead to
• Faster response times
• More consistent responses with no missing steps
• Keeps humans focused on human tasks, instead of simple tasks
• Production of better metrics

Security orchestration, automation, and response (SOAR)
• Category of tools that automates IR playbooks
• Integrations to drive other security tools

FURTHER READING

ONLINE RESOURCES

NIST SP 800-61 Computer Security Incident Handling Guide
• https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf
• Documents the incident response process

NIST SP 800-184 Guide for Cybersecurity Event Recovery
• https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-184.pdf
• Documents how to plan for incident response

Integrated Adaptive Cyber Defense (IACD)
• https://www.iacdautomate.org
• Open standard for security automation and orchestration

Incident Response Consortium
• https://www.incidentresponse.com/playbooks/
• Has free example playbooks

BOOKS

Crafting the InfoSec Playbook: Security Monitoring and Incident Response Master Plan
• by Jeff Bollinger, Brandon Enright, Matthew Valites

Blue Team Handbook: Incident Response Edition
• by Don Murdoch

Blue Team Field Manual (BTFM)
• by Alan White, Ben Clark

THANK YOU

ANY QUESTIONS?

Chris Taylor, Taksati Consulting, https://taksati.org

