
“If you can’t decrypt our data, then why are you here?”
This is a common reaction when our team arrives. Let me explain everything, covering:
- The stages of incident response and what they look like in practice
- The main mistakes that benefit attackers
- Basic tips on how to respond to incidents
- How to play Russian roulette with ransomware
- Some controversial conclusions
What is an Incident?
An incident is defined differently by different companies. Some count power supply failures or hard drive crashes as incidents, while others focus only on malicious actions.
In theory, an incident is any unwanted event. In practice, each company decides what counts as an “undesirable event.” For instance, one company may investigate a phishing email, while another may ignore it if it lands in an insignificant branch office.
The serious incidents, the ones that concern most clients, usually involve an attacker penetrating the corporate network. There are unusual cases too, such as traders who treat a minor drop in the speed of exchange interaction as a serious incident.
Stages of Incident Response
The perception of incidents varies with context and threat model, but we usually follow the SANS (SysAdmin, Audit, Network, and Security) standard, which defines six stages:
- Preparation
- Detection
- Containment
- Removal
- Recovery
- Learning Lessons
As an external response team, we are not involved in all of these stages from the start.
1. Preparation
Preparation involves setting up processes correctly, including:
- Inventorying networks
- Correctly distributing subnets
- Installing appropriate software and security controls
- Hiring the right personnel
This stage is crucial for our work. Decisions made here, such as log retention policies, directly determine how successful the response can be.
2. Detection
Detection depends on how well the preparation stage was done. Basic steps, such as hiring a good third-party SOC and establishing network coverage and monitoring, lead to early threat detection.
Ideally, the response process starts at this stage. In practice, because of poor preparation and detection, incidents are often noticed only after significant damage has already been done.
3. Containment
Containment requires close cooperation between the response team and the customer’s team. Clients sometimes reboot their computers in an attempt at containment, but this can erase crucial data. Joint analysis helps separate legitimate connections from malicious ones and forms the basis of an effective containment strategy.
4. Removal
By this stage, the response team has delivered its analysis, identified the malware, and produced indicators of compromise. The network is thoroughly scanned, and every anomaly found is removed.
5. Recovery
Recovery means restoring IT systems correctly, including reactivating and checking the security measures. Attackers usually bypass security tools by gaining administrative privileges and disabling them. Some attackers, though rarely, leave backdoors for future attacks, and we check for these as well.
6. Learning Lessons
The final stage involves understanding:
- How the attack began
- The entry points used by hackers
- The attack’s progression
- Prevention methods for future incidents
This stage is crucial for developing recommendations and for improving the response to future incidents.

How to Increase Security
Our reports mix organizational and technical aspects, and every case is an individual story, but some general recommendations can be drawn from them.
“Obvious” Advice is Important
The basic things you probably already know are genuinely useful. Every year, thousands of companies fall victim to attacks for the most trivial reasons. The most common case is the exploitation of unpatched vulnerabilities in Internet-facing software, for example mail servers. The second most common is phishing. So if you pursue competent patch management and infrastructure inventory, and if you have trained your staff in digital hygiene, you have already covered a large share of the potential problems.
However, we have customers who have done all the basics, and this still does not guarantee an absence of incidents. We can recommend exercises to them, for example Purple Teaming, but of course you need to grow into such a thing. There is no point in running detection exercises when only 20% of the infrastructure is covered by attack detection tools. First cover most of the infrastructure, then run the exercises. The only exception is digital hygiene training, which can and should always be carried out.
Read Public Reports
They tell you which tools and attacks the attackers use, so you stay aware of events and can formulate up-to-date security criteria for yourself. The reports often give specific recommendations on how to protect against a particular attack. Roughly speaking, you see what is happening, how you defend yourself, and what needs to be improved. One of the best sources of such information is the MITRE ATT&CK Matrix for Enterprise, but you should not treat it as the only correct one. It’s not perfect. Someday we will find the time to describe interesting cases from our own practice, but for now there are, for example, the reports from Group-IB and Kaspersky Lab.
Don’t Panic and Demolish Everything Before Our Arrival
A typical mistake is to reboot every computer involved in the attack and only then call the response team. There are urgent situations where this is vitally necessary, but whenever possible, please make copies of the infected machines first. This preserves the evidence needed for the investigation.
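As an added example (not part of the original article, and not the response team’s own tooling), here is what “make a copy first” looks like in practice: a POSIX shell routine that takes a bit-for-bit image of a disk or partition with dd, records its SHA-256 in a manifest, and a second routine that re-checks the image against that manifest later. The function names, the manifest format and the sample image built in the comments are assumptions for this illustration; the source path in real use would be a block device such as /dev/sdb, and dd must run with sufficient privileges to read it.

```shell
#!/bin/sh
# Added example: preserve a disk image and its hash before rebooting a host.
# Assumes POSIX sh, dd, awk, and sha256sum (or shasum) are available.
# Example names (preserve_evidence, verify_evidence, *.manifest) are
# assumptions made for this illustration, not tooling from the article.

# Print the SHA-256 of a file, using whichever tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# preserve_evidence SOURCE DEST
# Copies SOURCE to DEST with dd, hashes both, and appends a manifest line
# (UTC timestamp, host, source, destination, hash) to DEST.manifest.
# Returns 0 only if the source and the image hash identically.
preserve_evidence() {
    src="$1"
    dest="$2"
    # bs=512 matches the sector size, so conv=sync (zero-fill an unreadable
    # block instead of shortening the image) never changes a whole-device
    # image length; conv=noerror keeps dd going past read errors.
    dd if="$src" of="$dest" bs=512 conv=noerror,sync || return 1
    src_hash=$(hash_file "$src")
    dest_hash=$(hash_file "$dest")
    printf '%s host=%s src=%s dest=%s sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" \
        "$src" "$dest" "$dest_hash" >> "$dest.manifest"
    [ "$src_hash" = "$dest_hash" ]
}

# verify_evidence DEST
# Recomputes the image hash and compares it with the most recent manifest
# entry, so the integrity of the copy can be re-checked at any later point.
verify_evidence() {
    dest="$1"
    recorded=$(tail -n 1 "$dest.manifest" | sed 's/.*sha256=//')
    [ "$(hash_file "$dest")" = "$recorded" ]
}

# Usage (dry run on a constructed 4096-byte sample instead of a real device):
#   head -c 4096 /dev/urandom > sample.img
#   preserve_evidence sample.img evidence.img && verify_evidence evidence.img
```

The image is hashed right after it is written and again on every later verification, so any change to the copy between collection and analysis shows up as a mismatch; a real collection would additionally write the image to separate media rather than to the compromised host’s own disk.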
Don’t Turn Off the Electricity Without Thinking
In general, do not act impulsively. The following situation has happened several times: on seeing that files were being encrypted, company employees pulled the plugs out of the sockets. This is simply Russian roulette.
On the one hand, the encryption stops and you save the files that are still untouched. On the other hand, such an abrupt stop damages the files that were being encrypted at that moment. Even if security specialists develop a decryptor, or you pay the ransom (which we do not approve of), files whose encryption was interrupted may be impossible to restore. So I recommend thinking hard. There are pros and cons here; cutting the power is not always a good idea.
Contact Specialists as Needed
Is it possible to manage on your own in the event of an attack? Yes, if you have your own SOC with well-built lines. In that case, you can most likely conduct the investigation with the help of a third-line SOC. Otherwise, outside help will be needed. However, for a small company with limited resources, you may not need it at all. This opinion somewhat undercuts security professionals like us, but for small businesses, at least on the Russian market, there is a non-zero chance that a response engagement will be too expensive and not worth it.
In a small company, it is much easier to set up processes so as to achieve a high level of security. There it is not so difficult to implement two-factor authentication everywhere and organize effective patch management. Buy everyone a Mac, after all. It may well be more rational to invest in that. As a last resort, you can focus on mitigation: accepting the risk and maximizing the speed of recovery from reliable backups is not the worst strategy from a financial point of view. But if you urgently need to stop the intrusion and know exactly what happened, who is to blame, and what to do, there is no alternative: call the response team.