I was recently asked to respond to the hypothetical situation “We just got hacked! Customer data is compromised. Build out a bulleted checklist of 10 things you need to do next.”
I could come up with only two.
- Take out your incident response checklist and start gathering information:
  - What is the initial indicator of the event?
  - When did the initial indicator occur?
  - Who identified the initial indicator?
  - Is the indicator continuing to occur?
  - Has the initial indicator evolved?
  - Have any additional personnel been notified? Are they working on the event presently?
  - What business processes are affected?
  - What assets are affected and to what degree? For example, is there a system outage? Has intellectual property been lost? Has personally identifiable information been lost?
You are in the Identification phase of your Incident Response Plan. Document the current situation and why (in the hypothetical situation described) you believe customer data may be compromised.
- Take out your incident response team contact list and start calling the team members.
You are in the Containment phase of your Incident Response Plan. Let your incident response team know that customer data may have been compromised. Pass along the information from your incident response checklist.
These two phases (Identification and Containment) should take minutes to complete. That requires preparation.
A take-away from this exercise: If you are the on-call person, you have an incident response checklist and you have an incident response contact list. These should be physical, paper objects; do not rely upon computer access for your incident response documents.
These documents were created as part of preparatory work you have done; that is, they are products of the Preparation phase of your Incident Response plan.
With Preparation, Identification, and Containment phases complete, you move on to the Eradication, Recovery, and Lessons Learned phases.
What happens during the Eradication, Recovery and Lessons Learned phases will vary. For example, if a thumb drive containing unencrypted customer data has been lost, then you have limited next steps. Inform the executive, consult with the legal and public relations teams, and (in all likelihood) contact customers promptly.
On the other hand, if you see that an unknown person has system access, your actions would be more involved. The Containment phase takes the system holding customer data offline. The Eradication phase determines how access was obtained and takes measures to prevent it from being regained once the customer data is back online. The customer data can no longer be trusted, so the Recovery phase requires restoration from a known-good backup; updates made since that backup are lost. The Lessons Learned phase implements measures that prevent such access in the future.
You want your Preparation phase to go through more than these two scenarios in order to flesh out the contact list, containment measures, eradication measures, and recovery measures. The incident response checklist should be fairly complete, but table-top exercises may indicate that other questions should be asked as well.
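The checklist and the two scenarios above, as a small Python intake record and next-step selector. This is an added example, not code from the original post; the field names, the wording of the steps, and the branching in `next_steps` are this example's own assumptions about how a team might encode its playbooks.

```python
"""Identification-phase intake record and next-step selection.

Added example (not from the original post): the checklist questions
become one validated record, and next_steps() picks the response the
post describes for its two scenarios. Field names and step text are
assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class IncidentIntake:
    """One answer slot per checklist question."""
    indicator: str                          # what is the initial indicator?
    observed_at: datetime                   # when did it occur?
    identified_by: str                      # who identified it?
    ongoing: bool                           # is it continuing to occur?
    evolved: bool = False                   # has it evolved?
    personnel_notified: List[str] = field(default_factory=list)
    processes_affected: List[str] = field(default_factory=list)
    system_outage: bool = False             # assets affected, and to what degree
    ip_lost: bool = False
    pii_lost: bool = False
    unauthorized_access: bool = False       # an unknown person has system access
    media_encrypted: Optional[bool] = None  # lost-device cases; None = not yet known

    def missing_answers(self) -> List[str]:
        """Checklist questions still unanswered; an empty list means the record is complete."""
        missing = []
        if not self.indicator.strip():
            missing.append("indicator")
        if not self.identified_by.strip():
            missing.append("identified_by")
        if not self.processes_affected:
            missing.append("processes_affected")
        if self.pii_lost and self.media_encrypted is None:
            missing.append("media_encrypted")
        return missing

    def minutes_since_indicator(self, now: datetime) -> float:
        """Elapsed time since the first indicator, for the incident timeline."""
        return (now - self.observed_at).total_seconds() / 60.0

    def customer_data_at_risk(self) -> bool:
        return self.pii_lost or self.unauthorized_access


def next_steps(intake: IncidentIntake) -> List[str]:
    """Ordered next steps; the two branches follow the post's scenarios."""
    steps = ["Containment: call the IR contact list; pass along the intake record"]
    if intake.unauthorized_access:
        steps += [
            "Containment: take the system holding customer data offline",
            "Eradication: determine how access was obtained; block it before data goes back online",
            "Recovery: restore customer data from a known-good backup (updates since are lost)",
            "Lessons Learned: implement measures that prevent the access in future",
        ]
    elif intake.pii_lost and intake.media_encrypted is False:
        steps += [
            "Inform the executive",
            "Consult the legal and public relations teams",
            "Contact affected customers promptly",
        ]
    else:
        steps.append("Identification: keep gathering checklist answers; no playbook matched")
    return steps


# Constructed timestamp used by the demo and its checks.
SAMPLE_T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def demo() -> dict:
    """Run both scenarios from the post on constructed intake records."""
    lost_drive = IncidentIntake(
        indicator="thumb drive with customer export reported missing",
        observed_at=SAMPLE_T0, identified_by="ops on-call", ongoing=False,
        processes_affected=["billing"], pii_lost=True, media_encrypted=False,
    )
    intruder = IncidentIntake(
        indicator="interactive login by unknown account on CRM host",
        observed_at=SAMPLE_T0, identified_by="SOC analyst", ongoing=True,
        processes_affected=["crm"], unauthorized_access=True,
    )
    return {"lost_drive": next_steps(lost_drive), "intruder": next_steps(intruder)}


if __name__ == "__main__":
    for name, steps in demo().items():
        print(name)
        for s in steps:
            print("  -", s)
```

The `missing_answers` check is what the on-call person runs before picking up the phone: a record with blanks in it is still in the Identification phase, whatever the clock says.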
Can we get Joe Gray’s presentation “Dear Blue Team: Forensic Advice for System Admins, Engineers, and other Blue non-forensicators” (RSA, April 18, 2016)? That would be appropriate here. YouTube, slides on Peerlyst.
As part of your “malware detected” playbook, include VirusTotal (the premium offering, VirusTotal Intelligence, is preferred). See the SANS Webcast “Advanced Malware Threat Hunting and Investigation with VirusTotal Intelligence” (Apr 24, 2018).
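One piece of a "malware detected" playbook, as an added Python example that is not from the original post or from VirusTotal: hash the quarantined sample, build the VirusTotal API v3 file-report URL, and turn the report's `last_analysis_stats` into a verdict the playbook can act on. The sample bytes and the report below are constructed; a live run would send the GET with an `x-apikey` header, and the detection threshold is this example's own choice.

```python
"""Triage a VirusTotal file report inside a "malware detected" playbook.

Added example, not code from the original post. The quarantined bytes and
the v3-shaped report are constructed so the block runs offline; the
threshold in triage() is an assumption a team would tune for itself.
"""
import hashlib
import json

# Constructed stand-in for a quarantined file (harmless text, not real malware).
QUARANTINED_BYTES = b"constructed quarantined file contents for the example"


def sha256_hex(data: bytes) -> str:
    """SHA-256 is the identifier VirusTotal keys file reports on."""
    return hashlib.sha256(data).hexdigest()


def report_url(sha256: str) -> str:
    """VirusTotal API v3 file-report endpoint for a hash (GET, x-apikey header)."""
    return f"https://www.virustotal.com/api/v3/files/{sha256}"


# Constructed report, trimmed to the fields triage reads.
CONSTRUCTED_REPORT = json.dumps({
    "data": {
        "id": sha256_hex(QUARANTINED_BYTES),
        "type": "file",
        "attributes": {
            "last_analysis_stats": {
                "harmless": 0, "malicious": 37, "suspicious": 2, "undetected": 31,
                "timeout": 0, "type-unsupported": 3, "failure": 0,
            },
            "last_analysis_results": {
                "EngineA": {"category": "malicious", "result": "Trojan.Generic"},
                "EngineB": {"category": "undetected", "result": None},
            },
            "popular_threat_classification": {"suggested_threat_label": "trojan.generic"},
        },
    }
})


def verdict_from_stats(stats: dict, malicious_threshold: int = 5) -> str:
    """Map detection counts to a playbook verdict.

    'no-detections' is deliberately not called 'clean': the absence of
    detections is not evidence that the file is benign, so the sample and
    the intake record are kept either way.
    """
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    if malicious >= malicious_threshold:
        return "malicious"
    if malicious + suspicious > 0:
        return "suspicious"
    return "no-detections"


def triage(report_json: str, malicious_threshold: int = 5) -> dict:
    """Summarise a v3 file report into the fields the playbook records."""
    data = json.loads(report_json)["data"]
    attrs = data["attributes"]
    stats = attrs["last_analysis_stats"]
    # Engines that timed out, failed, or do not handle the type are left out of the denominator.
    scanned = sum(stats.get(k, 0) for k in ("harmless", "malicious", "suspicious", "undetected"))
    flagged = sorted(
        name for name, r in attrs.get("last_analysis_results", {}).items()
        if r.get("category") in ("malicious", "suspicious")
    )
    return {
        "sha256": data["id"],
        "verdict": verdict_from_stats(stats, malicious_threshold),
        "malicious": stats.get("malicious", 0),
        "scanned": scanned,
        "label": attrs.get("popular_threat_classification", {}).get("suggested_threat_label"),
        "flagged_by": flagged,
    }


if __name__ == "__main__":
    digest = sha256_hex(QUARANTINED_BYTES)
    print(report_url(digest))
    print(triage(CONSTRUCTED_REPORT))
```

Submitting the hash rather than the file is the default here on purpose: a hash lookup reveals nothing about the sample to third parties, whereas uploading a file that contains customer data would itself be a disclosure to document in the incident record.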