Incident Reseponse & Forensic

Boussad AIT SALEM

boussad.aitsalem@email.com

Efrei Paris Panthéon-Assas

February 9, 2025

Introduction

Suppose that a monitoring system (SOC) detects abnormal network behavior and tags the IP address or domain as suspicious and sends it to another system for verification in a database of malicious indicators of compromise (IoCs).

If this indicator is confirmed to be malicious, the Security Operation Center (SOC) operator opens a new case for a cybersecurity incident and notifies the IR team. The incident responder can then open a new case using the playbook related to this incident and start assigning tasks to the IR team.

If the IR system has integration with a threat intelligence system, you can search for additional information containing the details of a potential campaign, threat actors, affected industries, and related IoCs.

Once you have intelligence information and malicious indicators, you can begin with the investigation of the incident, focusing on identifying the compromised devices and the containment of any malicious activity.

show the differents teams : SOC team, CTI team and IR Team - CERT : Computer Emergency Response Team - CSIRT : Computer Security Incident Response Team - They can be public or private

Introduction

Security incident definition

Definitions

A security incident refers to any unauthorized or unexpected event that poses a threat to the confidentiality, integrity, or availability of an information system or its data. It involves a violation of security policies or practices by an adversary with the intention to negatively affect an organization. Examples of security incidents include data breaches, ransomware attacks, and denial of service attacks.

Incident response is a cyber security function that uses various methodologies, tools and techniques to detect and manage security incidents and thus adversarial attacks, while minimising impact, recovery time and total operating costs.

Distribution of the key COVID-19 inflicted cyber threats based on member countries’ feedback (source: Interpol’s Cybercrime COVID-19 Impact report)

• Event is an observed occurrence within a system or network. It ranges from a user connecting to a file server, a user sending emails, or anti-malware software blocking an infection.

• Incident is a violation of security policies or practices by an adversary to negatively affect the organisation through actions such as exfiltrating data, encrypting through ransomware, or causing a denial of services

• We can find this concept in differents methods related the risk management (SSI):

  • EBIOS
  • ISO 27001

Threat Landscape and Cybersecurity incidents

Supply chain attacks

• They have been increasing in recent years –> organizations have not considered these attacks within their threat modeling
• Usually, third-party services or tools are considered part of the company’s ecosystem and are reliable, having a high trust level
  • ShadowHammer (ASUS live utility)
  • SolarWinds tool (used by red team of FireEye company)

The ransomware

• Wanacry (exploited EternalBlue vulnerability - CVE-2017-0144,)
• Petya (None Financial objective)

Cyber attacks targeting IOT devices

• Mirai Botnet
• DDoS attacks on Dyn’s servers

Others

• Autonomous vehicles
• Electronic voting machines
• Drones & Cyber attacks on robots

Petya/ExPetr infections by country (source: Securelist.com)

Knowing the threat landscape

When a cybersecurity strategy is based solely on a defensive posture, without an understanding of current threats and the capabilities of adversaries to achieve their goals by evading security controls and avoiding detection, there is a risk of developing very limited capabilities that will rarely be efficient. It is the equivalent of being in a completely dark room, without being able to see anything, knowing that at some point, someone could try to hurt us, but without knowing the exact moment or the way in which this will happen. It’s like walking blind without seeing the way.

The increase in the number of cyber attacks in the world on major sectors such as government, finance, manufacturing, health, education, critical infrastructures, small and medium-sized enterprises, and individuals, finally turned on the alert for strategies and investments needed to raise the level of protection and response of organizations to the possibility of becoming the next target.

In that sense, one of the biggest challenges for cybersecurity professionals is first to evolve and create protection and response strategies at the same speed with which new threats appear and then go one step further using threat intelligence information. The threat landscape is changing every day, cyber threats are evolving and becoming more dangerous, and the forms of protection that worked before may not be efficient enough today, which is why organizations need to develop the ability to adapt and switch from a reactive posture to a proactive attitude. Any regional or global context or situation can generate new risks and change the threat landscape drastically. ### Supply chain ShadowHammer, where the ASUS live utility that comes pre-installed on that brand’s computers and serves to update various components such as firmware, UEFI BIOS, drivers, and some applications, was compromised.

Without a doubt, however, one of the supply chain attacks that has had the most impact was the attack on the SolarWinds company discovered in December 2020. On December 8, the FireEye company revealed that they had been the victims of a cyber attack. The attackers had stolen tools that their Red Team teams used to conduct security assessments, and the attack vector was a SolarWinds tool installed in the company.

The attack’s impact is unprecedented and affected even large technology companies such as Microsoft, Intel, Nvidia, Cisco, VMware, and at least 18,000 other companies worldwide and changed the threat level of this kind of attack for organizations.

Malware - Ransomware

In May 2017, the entire world was shocked when news broke that ransomware had disrupted the operations of several major companies in Spain, as well as the British health service. In a single day, more than 140,000 computers had been affected. It was the first time that malware of those features had self-replicated without control across networks:

This malware exploited a vulnerability known as EternalBlue related to a failure in the implementation of the Server Message Block (SMB) protocol labeled CVE-2017-0144, and particularly affected Microsoft Windows operating systems and could self-replicate without control and without the need for human interaction.

In the following days, this ransomware began to replicate around the world, becoming one of the most important threats of recent years. The most ironic thing is that by the time this ransomware appeared, there was already the patch that prevented the computers from being affected.

The world had not yet recovered from the impact caused by WannaCry when, the following month, a ransomware variant appeared that exploited the same vulnerability, but with different behavior, and with some similar aspects in terms of its code, to ransomware known as Petya, which had appeared just 1 year earlier:

A peculiarity of this ransomware discovered by my fellow researchers in Kaspersky’s GReAT team, and which they called Petya/ExPetr, was that in the information encryption routines, the creators of the ransomware themselves could not recover the information again, even if the victims paid the ransom.

This is completely unconventional because the reason a threat actor develops ransomware is to get a ransom payment in exchange for handing the key over to the victims to retrieve the information encrypted by the malware, so the motivation behind this campaign was not financial, but was aimed at interrupting business operations of the affected companies.

Another interesting fact about this campaign is that according to the detection telemetries, the most affected victims were companies from Ukraine, Russia, and Eastern Europe:

Nothing is what it seems

But what do these cyber attacks have in common? Clearly, the attribution points to different threat actors and both operations were carried out in different contexts and places. The key elements here are distraction and deception.

In the first case, the threat actors used the ransomware as a front to make the affected companies believe that they were being attacked by such malware, when the real reason was to completely remove the information from their computers without the possibility that it could be recovered; that is, what the attackers were looking for was an interruption of the company’s service and operations.

In the second case, the goal was the opposite. The threat actors had a purely financial interest, using malware that prevented computers from continuing to function normally while making money transfers from other computers undetected.

What were the threat actors looking for? Masking their attacks long enough to achieve their goals while confusing investigators to take longer to respond to these incidents.

But why is it so important for an incident response professional to try to find the true intent behind a cyber attack? This is quite simple. As we will see later, when an incident occurs, the nature of the attack must be identified according to the context, motivation, and key indicators to ascertain the type of attack, its characteristics, and scope. This can lead to several hypotheses and define the actions to take to contain the offensive actions and minimize the impact of the attack.

Cyber attacks targeting IOT devices

Years ago, few people would have imagined that a simple light bulb, our smart TV, or our toilet could become an attack vector from malicious actors. According to Gartner, there will be 25 billion global Internet of Things (IoT) connections by 2025. The problem is that many devices are manufactured at a low cost to achieve greater market penetration, regardless of the threats to which these devices will be exposed.

Moreover, the risks are not just for home users; in enterprise environments, these devices could be connected within the same network infrastructure of computers and servers, raising the risk of compromising the organization’s critical assets and information.

On October 21, 2016, DynDNS (Dynamic Network Services, Inc., a domain name system) was the target of an attack against the infrastructure of its systems. As a result, many Netflix, PayPal, and Twitter users, to name a few, could not access these services for hours.

The attackers provoked a Denial of Service (DoS) using a botnet known as Mirai, which turned millions of IoT devices into zombies that sent traffic in a coordinated manner against specific targets, which primarily affected the operational infrastructure in the United States. The estimated economic impact was $10 million:

Figure 1.5 – Live map of the massive DDoS attacks on Dyn’s servers (https://twitter.com/flyingwithfish/status/789524594017308672?s=20) Figure 1.5 – Live map of the massive DDoS attacks on Dyn’s servers (https://twitter.com/flyingwithfish/status/789524594017308672?s=20)

In November of the same year, several DSL service users in Germany reported problems with their internet connection devices due to traffic saturation on TCP port 7547 by Mirai that affected their access to the network. In January 2018, a variant of the same botnet appeared, targeting the financial sector and affecting the availability of its services.

In that year alone, the percentage of botnet-related traffic for deletions on IoT devices was 78%, according to a NOKIA study. In 2019, Kaspersky detected around 100 million attacks targeting IoT devices using honeypots.

In July 2020, Trend Micro found that Mirai’s botnet exploits the CVE-2020-5902 vulnerability on IoT devices, allowing it to search for Big-IP boxes for intrusion and deliver the malicious payload.

The digital evidence generated by these devices is essential to identifying promptly the origin of an attack and to be able to visualize its scope and impact.

Autonomous vehicles

More applications are being integrated with vehicles and can connect with users’ mobile devices. These apps often supply access to social networks or payment apps, such as Apple Pay, Samsung Pay, or Google Pay users.

On the other hand, autonomous vehicle manufacturers integrate capabilities that reduce the number of accidents and improve transport infrastructure efficiency. Using the OBD II and CAN bus access points, someone can perform a remote diagnosis of a vehicle’s operation or its location, carry out remote assistance, or obtain telemetry information collected from the vehicle.

These capabilities, however, open new attack surfaces, including the following:

System update firmware manipulation Installing malware on the vehicle system Interception of network communications Exploiting software vulnerabilities In 2013, security researchers Charlie Miller and Chris Valasek, along with journalist Andy Greenberg, showed how it was possible to hack a vehicle by taking control of the brakes or vehicle speed. In 2015, they met again, and on this occasion, they took control of a Jeep at 70 miles per hour using a zero-day exploit that allowed them to take control of the vehicle remotely over the internet.

These discovered vulnerabilities opened the door to new attack scenarios where sensitive user information can be compromised and even put human lives at risk.

In a short period following a traffic incident, and especially with the increase in the number of autonomous vehicles, it will be necessary to collect evidence from the vehicle’s digital devices to investigate the details that will help to identify what caused the accident.

Drones

The global drone market will grow from $14 billion in 2018 to over $43 billion in 2024, with a compound annual growth rate (CAGR) of 20.5%. Their non-military use has shown potential for multiple fields, including engineering, architecture, and law enforcement.

Unfortunately, in many cases, their use is not regulated. In several situations, they have been involved in incidents that have jeopardized the operation of airports or the same plane, as was the case at Heathrow Airport in London, where flights were suspended, causing significant financial losses and inconvenience to passengers.

Other risks relate to organized crime in carrying out drug transfers across the border undetected or even attacking rival groups. Drones can also pose a risk to people’s privacy, as a drone could record video, take pictures, or sniff conversations in the distance.

If a drone is used illegally, it is essential to collect the evidence necessary to carry out the investigation, using the appropriate procedures and tools.

Electronic voting machines The use of digital devices in several countries’ electoral processes around the world aims to ensure that the voter registration processes, as well as vote capture and counting, are efficient and reliable.

However, like all digital systems, there are attack surfaces on these systems that an attacker could use to compromise the results of an election and the reliability of the systems themselves. Security researchers have revealed that some voting systems could be vulnerable to distinct types of attacks.

In 2019, in the DefCon Voting Village, several security researchers analyzed more than 100 voting devices, some of them currently in use, and found that they were vulnerable to at least 1 type of attack.

Electoral processes are vital in ensuring not only democracy, but also political and social stability, so it is incredibly important to ensure its reliability and security.

In the event of a security incident occurring on a digital voting device in an election, the Digital Forensics and Incident Response (DFIR) professional’s role would be key to quickly and effectively discovering what happened and avoiding further damage to the electoral process.

Cyber attacks on robots Beyond science fiction, where movies or streaming series show an apocalyptic scenario with robots taking control of humanity, the reality is that robots are already everywhere, whether they are assembling components in a factory or performing high-precision surgeries.

However, the evolution of AI poses new security challenges. What if an attacker compromised a robot and could manipulate it?

There is a category of robots known as social robots; these robots’ role is to interact with humans in different ways, such as assisting them or serving as a companion. According to a study by IDLab – imec, University of Ghent, Belgium, regarding the abuse of social robots for use as a means of persuasion or manipulation, they identified the following risks when they performed several proofs of concept:

Gaining access to protected areas Extracting sensitive information Influencing people to take actions that put them at risk In 2018, researchers from the security company IOActive presented the first ransomware attack on robots at the Kaspersky Security Analyst Summit event. In the presentation, they talked about how it was possible to hack social robots known as Pepper and Nao, showing a proof-of-concept video where they modified the source code and made the robot ask for bitcoins (https://youtu.be/4djvZjme_-M).

Considering a robotic-oriented threat landscape, the same scenario could occur with other types of robots and affect a production line in a factory or even a medical surgery, putting people’s lives at risk.

For this reason, it is important to identify attack surfaces that could pose a security risk through threat modeling. Currently, there are several related documents with threat modeling for specific models of robots or even for the most well-known robotic operating systems, such as ROS 2: https://design.ros2.org/articles/ros2_threat_model.html.

A specialized device called Black Box was created by the Alias Robotics company to capture information relevant to robots’ activity (https://aliasrobotics.com/blackbox.php). In the event of a security incident, this information could be handy in responding and conducting forensic investigations.

Articles of law

• Related to offenses against automated data processing systems : Articles 323-1 à 323-8 du code pénal.

Les articles 323-1 à 323-8 du code pénal traitent des infractions liées aux systèmes de traitement automatisé de données. Ces infractions incluent notamment l’accès frauduleux à un système informatique, l’entrave au fonctionnement d’un système, la falsification de données, la diffusion de virus informatiques, et d’autres actions illégales liées à l’utilisation des technologies de l’information. Ces articles définissent les peines encourues pour ces infractions et visent à protéger la sécurité et l’intégrité des systèmes informatiques et des données.

Complaint

• https://www.ssi.gouv.fr/en-cas-dincident/
• OCLCTIC, C3N, BEFTI , DGSI.

Types of security incidents

• Sabotage –> Integrity and Availability

Exemples: • Sabotage des équipements du réseau de diffusion de la chaîne TV5monde en 2015. https://www.sstic.org/2017/presentation/2017_cloture/

• Sabotage du système industriel de distribution électrique en Ukraine en 2015. https://us-cert.cisa.gov/ics/alerts/IR-ALERT-H-16-056-01 Et plus récemment Hemeticwiper utilisé contre institutionsg ouvernementales ukrainiennes: https://www.cisa.gov/uscert/ncas/alerts/aa22-057a

• DoS –> Availability

Impacte la disponibilité. A traiter avec votre FAI/hébergeur/prestataire de CDN. https://www.ssi.gouv.fr/administration/guide/comprendre-et-anticiper-les- attaques-ddos/

Exemples:

• Le Botnet Mirai, DDoS avec IoT en 2016 (1 Tbps): https://blog.cloudflare.com/inside-mirai-the-infamous-iot-botnet-a- retrospective-analysis/

• MemCached, attaque par réflexion lié à une mauvaise configuration du service en 2018 (1,3 Tbps) https://blogs.akamai.com/2018/03/memcached-fueled-13-tbps-attacks.html

• Spying –> confidentiality and integrity

Exemples: • Exfiltration de courriels Microsoft Exchange à l’aide de vulnérabilités 0-day: https://www.microsoft.com/security/blog/2021/03/ 02/hafnium-targeting-exchange-servers/

• Espionnage via attaque de type « supply chain », piégeage de la solution « SolarWinds Orion »: https://us-cert.cisa.gov/ncas/alerts/aa20-352a

• Ransomware –> Impacts availability, integrity and possibly confidentiality

Impacte la disponibilité, l’intégrité et éventuellement la confidentialité (chantage divulgation de données). Chiffrement des données à l’aide d’une clef publique dans le rançongiciel, l’attaquant dédient la clef privée qui permet de déchiffrer les données. https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-001.pdf

Exemples: 192 attaques reportées en 2020 à l’ANSSI.

• Chiffrement de Métropole Aix-Marseille-Provence en 2020. https://www.nolimitsecu.fr/ransomware-retour-d-experience-sur-une- compromission/

• Chiffrement de Norsk Hydro en 2019. https://news.microsoft.com/transform/hackers-hit-norsk-hydro- ransomware-company-responded-transparency/ Types d’incident de sécurité: A

• Others : Website defacement, Cryptocurrency mining, Database corruption, Identity theft.

• Défiguration de sites Internet: Dans le but de faire passer un message ou nuire à la réputation. Impacte l’intégrité. • Minage de cryptomonnaie: Utilisation de ressources de calcul à l’insu de la victime. Impacte éventuellement la disponibilité. • Modification de bases données: Dans le but de dissimuler une activité frauduleuse. Impacte l’intégrité. • Usurpation d’identité: Dans une logique d’abus de droits, impacte la confidentialité. Par exemple typosquatting: https://www.sstic.org/2018/presentation/certificate_transpar ency_ou_comment_un_nouveau_standard_peut_aider_votr e_analyse_des_menaces/

Building an Incident Response Capability

• Security incidents can disrupt business operations, lead to information leaks and can impact the company’s image.
• Quick and appropriate response is crucial.
• Taking a proactive approach to incident response
  • Having a plan, defined procedures and sufficient resources (infrastructure and tools) is essential.
• Frameworks and Preparation:
  • Frameworks like NIST and SANS

Security incidents occur when you least expect them. In a moment, the operation of the business is interrupted, or news about the leak of company information is on social networks and the internet and goes viral. These are times of great uncertainty, and you need to respond quickly and appropriately.

It is a crucial moment, and the clock is ticking fast; there is no time for improvisation, and the only way to succeed is to have a plan and sufficient resources to deal with the security breach. Any organization must have the infrastructure, tools, and staff with the knowledge and skills to respond to and investigate security breaches.

Responding to a cybersecurity incident could be considered a reactive activity since it is done after an offensive action has been detected or identified. So, what does it mean to take a proactive stance? It means that even when you can’t avoid incidents, you can have defined procedures for acting in certain circumstances. Also, if you have an infrastructure that supports those activities and the necessary tools to work throughout the life cycle of the incident, you will be better prepared.

There are several frameworks, such as the National Institute of Standards and Technology (NIST) and SysAdmin, Audit, Network, and Security (SANS), that consider the importance of developing an incident response capability, with the first step identified as preparation.

Incident response standards and frameworks - NIST Handling Guide

Adopting frameworks and standards for creating your incident response plans will help you to respond more efficiently and adopt a more proactive posture in the face of cybersecurity incidents. It’s essential to adapt these frameworks to the organization’s needs because every organization has different business requirements, capacities, and maturity levels in this topic.

This is a practical guide for handling incidents effectively and efficiently, supplying the guidelines to mitigate cybersecurity incidents. This document focuses on these steps:

Preparation Detection and analysis Containment, eradication, and recovery Post-incident activity

These steps can be recurrent. For example, if you have detected an IoC on a device, such as a connection to a particular IP address categorized as malicious, you can apply containment actions by blocking communications or identifying all devices connected to that address. Then you could go back and look for new indicators, as shown in the following diagram

The document also includes guidelines and recommendations for developing an incident response capacity to create an incident response team, as well as develop policies, plans, and procedures, and the steps for communicating with third parties for coordination and sharing information with third parties

Incident response standards and frameworks - SANS handbook

The SANS handbook establishes a more detailed perspective

A particularity of the SANS six-step process focuses on the scope and contention of threats in an agile way. According to SANS, there are three critical time frames for responding successfully to a security breach:

Time to detect: The length of time between the initial compromise and its detection (How long does it take to find it?) Time to contain: The length of time between detection and containment (How long to limit or control the damage?) Time to remediate: The time between containment and remediation (How long to remove the threat?)

Benefits

• A reduction in the costs and the impact associated with the interruption of business operations of the company

• Faster identification of the nature of the attack, discovery :

• Indicators of Compromise (IoC)

• Indicators of Attack (IoA)

• improvement the organization’s ability to protect against future threats

Better management of activities, processes, and documentation improves the organization’s ability to protect against future threats

IoC - IoA - Artifacts

Indicators of Compromise (IoC)

IoC is the detailed information stored in the forensic artifact and, from the forensics point of view, could be used to identify the presence of malicious activity.

Indicators of Attack (IoA)

The goal is to identify the attacker’s potential intentions, regardless of the tool they used

HKLM\Software\Microsoft\KxtNet
HKLM\Software\Microsoft\HlqNet
HKLM\Software\mthjk

In this example of research performed by Kaspersky’s GReAT regarding a malicious campaign that used a multi-platform targeted malware called Mata, document several interesting IoCs as registry keys

HKLMHKLMHKLM

The Mata malware uses the lsass.exe Windows process on infected victims, loads the encrypted configuration data from a registry key, and decrypts it with the AES algorithm –> image

This means that if you find those registry keys in a system, indeed the computer was compromised by this malware. Also, if you can decode the content there, you will get other indicators, such as C2 IP addresses and malware configuration data.

An excellent way to identify IoAs is by using the MITRE ATT&CK framework. This framework describes Tactics, Techniques, and Procedures (TTP) that an attacker might follow when performing a malicious operation. You can find details of this framework on the MITRE ATT&CK official website: https://attack.mitre.org/

Developing organizational incident response capabilities

According to the consulting firm Deloitte, the basis for the development of an incident response capacity consists of a strategy developed specifically for the company that includes the following:

• Involvement of different areas of the organization.
• The technologies necessary to perform the triage and investigations.
• Operational resilience to guarantee business continuity and enable recovery from a disaster.
• Risk management and compliance that considers legal and regulatory aspects.
• The remediation of incidents must be related to business processes.

Creating IRP

IRP

An IRP is a document that describes the procedures to follow in case of a security incident. The IRP generally defines a route to follow when a security incident occurs. This plan must be consistent with existing organizational capacity, resources, and infrastructure.

The elements of an IRP

• Mission
• Objectives and strategies
• Management approval
• The organization’s position on IR
• Metrics to measure the capacity and efficiency of the plan
• Path to raise the maturity levels of the organization’s IR capability
• Definition of alignment of the plan with the organization

Different roles and responsibilities are defined, as follows

• Security operations center (SOC): This is the first line of defense, whereby staff are responsible for threat detection and triggering security alerts.
• Incident manager: Responsible for coordinating activities between stakeholders and determining the best plan of action.
• Computer IR team: They are responsible for following procedures and providing technical expertise.

This last point is crucial since one of the objectives of IR is to help in the BC process and the organization’s operations.

This plan, as with any plan or policy, should be reviewed periodically (according to National Institute of Standards and Technology (NIST) recommendations, at least annually); this would allow procedures to be kept in place, considering that the circumstances of the environment and the threat landscape are highly dynamic and changing.

Another essential point to consider is that the affected organization needs to report incidents or interact with third parties outside the organization at any given time.

This communication may involve customers, providers of different services, regulatory or governmental entities, or even law enforcement, depending on the nature of the incident, as shown in the following screenshot

These roles could be different depending on the size, characteristics, posture, and maturity level of the organization.

The structure of an IRP is fundamental as it should describe in general how to handle cybersecurity incidents.

Who does incident response?

• CERT : Computer Emergency Response Team
• CSIRT : Computer Security Incident Response Team
• They can be public or private

Exemples: https://cert.societegenerale.com/ https://www.renater.fr/en/CERT_RENATER

Ou une entité proposant des services de réponse à incidents (privé ou public). Exemples: https://www.wavestone.com/en/capabilities/cybersecurity- digital-trust/cert-w/ https://www.cert.ssi.gouv.fr/

• Communities :
  • France : CERT-FR
  • European : TF-CSIRT
  • International : FIRST

Le CSIRTs Network pour les agences d’état: https://csirtsnetwork.eu/

CERT-FR

Provides 24/7 incident management support to:

• Public sector (ministries, institutions, independent authorities, hospitals, local authorities…)

• Operators of vital importance (OVI).

• Essential Service Operators (ESOs).

CERT-FR

It’s also:

• A vulnerability watch service.

  • Vulnerability researchers protected by article L. 2321-4.

• The preferred international point of contact for all cyber incidentsincidents affecting France. This is achieved through participation in communities.

CERT-FR

They communicate trouh thier web site and X @CERT_FR:

• On the security alerts

• On the the knowledge related to the threat analysis

IR playbooks

IR playbooks

IR playbooks are detailed action plans that describe actions to be taken in specific security incidents. Unlike IRPs, these playbooks are more of the checklist type of actions for specific types of attacks such as phishing, information leaks, ransomware, denial-of-service (DoS) attacks, defacement of a website, and so on.

The components of an IR playbook could comprise the following

• The condition that initiates an incident
• Workflow of steps to follow
• The incident completion status

Incident Playbook

• aligned with the MITRE ATT&CK framework, and the playbooks are classified by tactics.
• Phishing example
• you can find specific tasks to be performed in the different stages of IR (investigate, remediate, contain, eradicate).
• The integration with Atomic Red Team for attack emulation is considered within its roadmap to test the playbooks.

Public Playbook

There are several websites from where you can download IR playbook templates; these templates can be very useful, and you can use them as a basis to create your own playbooks.

Incident Playbook : This project is under development and considers the creation of catalogs for rare incidents, exercise scenarios, use of tools, process automation, and integrations with different platforms through application programming interfaces (APIs).

Public Playbooks (https://gitlab.com/syntax-ir/playbooks) is a project that includes repositories of tasks and workflows and is based on the NIST 800.61 r2 guide.

The playbooks are organized into categories such as IRP-Malware and IRP-Ransom and have references to products and tools.

To follow a playbook, proceed like so:

Select the category of the playbook—for example, IRP-Malware (https://gitlab.com/syntax-ir/playbooks/-/tree/main/IRP-Malware). Click on a specific phase of the IR process. In this case, we will select 1. Preparation, as shown in the following screenshot:

Select Expand to see specific tasks of this process. Scroll down to see the different stages of the playbook (Preparation, Detect, Analyze). You will see the associated workflows—for example, in this case, the workflow to analyze malware, as shown in the following diagram:

Testing IRPs and playbooks

• Once you have created an IRP and playbooks for different scenarios, it is advisable to carry out periodic evaluations
• It is recommended to use NIST Special Publication 800-84 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities to create a formal testing plan.
• The results of these tests should lead to improved quality and effectiveness of the plans

Once you have created an IRP and playbooks for different scenarios, it’s time to validate them. The plans will always look spectacular on paper, but it is very important to check them to make sure they work, and it is best to test them before an actual incident happens.

Additionally, it is advisable to carry out periodic evaluations to identify possible gaps and make the corresponding adjustments; remember that threats evolve very quickly, and you probably need to adjust how to respond to new techniques or tools used by attackers.

I recommend you consider using NIST Special Publication 800-84 Guide to Test, Training, and Exercise Programs for IT Plans and Capabilities to create a formal testing plan. You can download it from here: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-84.pdf.

Testing IRPs is critical; otherwise, there is a risk that they will not work correctly.

The results of these tests should lead to improved quality and effectiveness of the plans.

Simulation of attacks to measure response programs

• CALDERA
• Atomic Red Team

Incident simulation exercises are an analogy of simulations that are carried out as part of preparations in case of natural disasters or fires and seek to measure the level of response of the organization to certain incidents.

The validation of plans must be performed at different levels by both executives and the IR team. https://github.com/redcanaryco/atomic-red-team/wiki/Getting-Started

TP - Conducting an atomic test - Chapter 9

Digital Forensic

• Responding to an incident within 72 hours of a security breach is essential for making decisions and taking actions to identify and collect useful information to assist inthreat containment.

  • it is crucial to coordinate incident response and digital forensic investigation activities.

• Tradeoff between the urgency of returning to business operations and collecting the evidence necessary for the investigation and align business continuity goals with incident response plans.

A typical posture following a cybersecurity incident focuses primarily on ensuring business continuity and acting within the Recovery Time Objective (RTO). If the company disrupts its operations, it could be significantly affected economically and reputationally. Unfortunately, this can affect the procedures for collecting evidence and reduces the chance of finding indicators and artifacts to help identify attack vectors and activities performed by attackers.

Identification and Scoping

Event Notification

The loop begins when an issue has been reported. It triggers the incident response process and sets the stage for the subsequent steps.

Documentation

The underlying issue is documented in detail, including information about the nature of the incident, the systems affected, and any potential threats or vulnerabilities. Documentation is a critical step that provides a foundation for the rest of the process.

Evidence Collection

Evidence of the incident is collected, including log files, network traffic data, and other relevant information. The collected evidence provides valuable insights into the incident and helps identify potential threats.

Artefact Identification

The collected evidence is analysed to identify artefacts related to the incident. These artefacts can provide clues about the threat’s nature and the damage’s extent.

Pivot Point Discovery

Based on the identified artefacts, new areas of investigation may be discovered. These pivot points can lead to new insights and help further refine the incident’s scope. After this step, the process loops back to the documentation phase, incorporating the new findings.

The Identification and Scoping phase of the Incident Response Process is not a linear progression but a feedback loop continually refining our understanding of the incident and its scope.

This loop becomes intelligence-driven when it leverages current investigation data, enriching it with information from past incidents, correlated logs from various data sources, advanced analytics and machine learning to enhance awareness by adding more context to a developing situation.

The Power of an Intelligence-Driven Feedback Loop

A feedback loop driven by intelligence in the Identification and Scoping phase encourages a proactive and dynamic method towards incident response.

This proactive approach facilitates an ongoing education and exchange of information, enabling organisations to respond to security incidents and safeguard their systems efficiently.

It also ensures compliance with legal obligations for privacy and data protection.

Organisations can boost their incident response prowess and efficiently counteract security incidents by capitalising on real-time data concerning emerging threats, cultivating an environment of ongoing education and exchange of information, and guaranteeing privacy and data protection.

First response guidelines

• Evaluating the context and the scene
• Securing the scene
• Identifying the sources of the evidence
• Establishing the legal admissibility of the evidence
• Chain of custody
• Triage
• First response toolkit (TP)

Example of a chain of custody form

One of the basic principles of incident response is to preserve and protect the evidence’s integrity, so the first responder must identify and evaluate the context of the incident and the environment around the scene to define the best approach to get the necessary information to investigate the incident without compromising the evidence:

Evaluating the context and the scene: Before taking any action, the first responder must know the nature and context of the incident; there are differences between the procedures to follow when responding to an incident related to an information leak to another where the attackers exploit a vulnerability that can compromise the organization’s infrastructure. The environment around the scene is also relevant for defining the procedures to follow; for instance, in a production environment, sometimes you need to be careful to not interrupt the business process or take away the devices.

Securing the scene: As mentioned, the integrity of the evidence must always be ensured, even before its acquisition. It is vital to secure the scene and prevent, as much as possible, anyone, even employees of the company, from using suspicious devices unless it is indispensable. When you respond to a cybersecurity incident, you must act similarly to what would be done at a crime scene. Police secure the area and control all access to where the evidence is located.

This procedure must prevent someone from intentionally or accidentally contaminating the evidence, causing evidence to be lost. If the incident requires law enforcement intervention, this evidence could not be valid in court.

Identifying the sources of the evidence: Like a crime scene, the first responder must identify which elements can be useful as evidence based on the incident type. For example, if you respond to an incident where an insider is involved and their workspace is being insured, you should consider collecting information from their computer, USB devices, external hard disks, and everything that could contain relevant evidence for the investigation. Volatile and non-volatile information: As I mentioned earlier, most digital information is volatile by nature, so you should try to recover as much evidence as you can before it is lost. The prioritization at this point is essential; you must first acquire the evidence considered volatile, such as RAM, and then what is stored in files or databases. RFC 3227 defines the Guidelines for Evidence Collection and Archiving and describes how the evidence must be acquired following a particular order according to its volatility (https://tools.ietf.org/html/rfc3227).

Fortunately, some tools collect numerous pieces of evidence at once, reducing the chance of making mistakes or losing relevant evidence.

Establishing the legal admissibility of the evidence: Depending on the case’s nature, sometimes cybersecurity incidents require following legal procedures. If this is the case, it is necessary to act following the procedures established by international laws or the country’s laws where the incident happened; in some cases, it is even necessary to notify the judicial authorities to continue the procedure. However, many cybersecurity incidents do not follow legal courses of action, sometimes for reputational reasons or to maintain the case’s confidentiality, and do not require judicial handling.

Chain of custody: Part of the procedure to ensure the integrity of the evidence is related to chronological documentation of each part of the evidence transportation process, from the moment of the evidence acquisition until it is stored or until the investigation is completed. This is known as the chain of custody:

The goal of the chain of custody is to prevent the tampering or contamination of evidence.

Triage – concept and procedures The amount of evidence around a cybercrime scene can be overwhelming, and the time available to perform first response procedures is limited. We also need to consider containment of the attack, and ensuring business continuity is vital for organizations. That’s why the incident responder needs to identify and prioritize which forensic artifacts can provide useful information to the case.

The process of classification and prioritization is known as triage, and according to Oxford Languages, triage (from the French trier, which means to separate out) is defined as the action of sorting items according to quality. This term is used regularly in some professional fields such as healthcare.

In digital forensics, this prioritization is known as forensic triage. It refers to identifying, classifying, prioritizing, and acquiring evidence relevant to investigate the case. Doing it properly can be the difference between an investigation being successful or unsuccessful.

In first response procedures, the triage begins at the time when potential sources of evidence are identified; for example, in an incident related to information leakage, the data sources could be database servers, computers that might contain files with sensitive information, active directory servers with user activity logs, network traffic captured at any given time, network devices, or even USB devices or external hard drives.

Once the sources of information have been identified, it should be determined which techniques and tools to use to make the evidence acquisition as efficient as possible, reducing the risk of loss or contamination.

The triage process ends when the acquisition of images or forensic artifacts is completed and delivered for investigation.

First response procedures in different scenarios The incident response professional plays a key role in supporting organizations in developing first response processes to address cybersecurity incidents. These processes cannot be developed generically and must be based on an evaluation and analysis of the organization where they need to be implemented.

This is a basic example of what the general steps might be in a first response procedure for a particular case of a ransomware attack:

The incident is reported via the help desk platform, by email or by phone. The information provided by the user is evaluated to confirm the incident. A ticket is generated on the incident response platform. The device is requested to be secured. First response staff is assigned to respond to the incident. The chain of custody process begins. Photos of ransom messages are taken on the screen. Acquisition of the RAM on the affected computer or computers is carried out. Forensic copying of the hard drive is made. If making a forensic copy of the disc is not possible, the main artifacts are extracted from the device. The scope of the incident is evaluated to validate whether more equipment is affected. The evidence obtained is delivered for investigation.

Using Cyber Threat Intelligence in Incident Response

CTI

Cyber Threat Intelligence (CTI) is crucial when responding to security incidents. The knowledge you have about threat actors and malicious campaigns gives you a strategic advantage to identify Indicators of Attack (IoAs) or Indicators of Compromise (IoCs) associated with a security breach faster and more efficiently.

Every incident is unique and can be approached differently, depending on the context and nature of the attack. You will work in a scenario regarding a fictitious company but use the intelligence information of actual attacks. Surely some colleagues could propose different work paths, and I do not mean to say that there is a unique way to do this. My only interest is to provide you with the means to apply what you have learned.

Cyber Threat Intelligence (CTI) is crucial when responding to security incidents. The knowledge you have about threat actors and malicious campaigns gives you a strategic advantage to identify Indicators of Attack (IoAs) or Indicators of Compromise (IoCs) associated with a security breach faster and more efficiently.