It’s been a long night and you finally get to bed only to be woken up 30 minutes later to the sound of your phone alerting you that there’s an alert that fired and needs to be triaged immediately. Crawling out of bed you’re thinking this has to be a false positive because you’ve gone through this same routine each of the past 5 nights you were on call. Not bothering to turn the lights on for something that’s sure to be random noise, you peer into the ids console and see an alert that you have never seen before. You automatically think to yourself, being the tired analyst that you are, “who was the a$$hole that added this new rule”, and you’re sure it was added intentionally just to keep you awake, but you know you can’t get back to bed until the alert is validated. So you begin sifting through the data and it quickly becomes apparent that this isn’t a false positive, but rather it’s the real deal and alerted to the fact that there’s an intruder in your network attempting to move laterally. You double check your initial analysis and you come to the realization that you’re not going to feel the comfort of your bed for a long long time to come. As the adrenaline begins to rush, your mind starts racing, thinking about everything that needs to happen and you know you need to act immediately. Keeping focus at this point is critical.
This blog post may be old hat to some, but for others I think it may help keep focus on different aspects of an incident that may need attention.
Quickly gather all of the relevant data that is in front of you. Things such as ip addresses, ports, hostnames, usernames, attacker activity observed are a few of the critical ones. Having this initial data you will be able to pivot, and with any luck be able to find additional compromised hosts fairly quickly. You will also need this information so you can communicate it to others for response, containment and detection purposes.
Locating the entry point or points during any incident should be one of your top priorities. You can contain all the hosts you want, but until the point at which the attacker gained access to your network is identified and contained the incident cannot be contained.
As hosts are identified and contained ensure that you maintain some level of access to the device so data can be collected. Many times you may find that you will require additional files after the volatile data has been collected and analyzed so maintaining access to the machine until the host analysis is complete may be a good idea.
As the incident progresses you will begin to gather indicators such as ip addresses (both internal and external), domain names, usernames, filenames, backdoor type and hostnames to name a few. These indicators should be fed into the various detection technologies that your organization has. Being able to alert on these new found indicators in realtime and act immediately is critical when trying to contain an incident. Also being able to feed these indicators into the hosts that you are analyzing will speed up your analysis.
Advanced adversaries don’t infiltrate your network for the fun of it. There is always a goal to each attack and it is your job to stop them before they accomplish that goal or at a minimum be able to identify what was taken. Be aware of assets that may contain sensitive data or areas of adversary movement that may have data that they would be interested in. Look for indications of rapid file access that can be correlated to the time they were on the machine. Look for any large file transfers, where they went and over what port.
Accurate documentation of your analysis and findings is needed for several reasons:
1. If multiple responders are working the incident it helps prevent double analysis when working multiple hosts.
2. Helps focus analysis especially if you are coming in late to the response efforts.
3. Several parties will be wanting frequent updates to the compromise.
4. Eventually someone will need to tell the story of what happened.
Investigate All Suspicions
It’s better to investigate and analyze hosts that you’re not sure about then to just discount them because you don’t have enough data to say one way or the other.
Intrusions can be very stressful if you let them be. Keeping focus on priorities can alleviate much of this stress and allow you to settle in and hopefully have some fun.