
Essay: Solving Lost Laptop Woes: Incident Response Playbook for 5010FIA | Aishwarya Agarwal

  • Published: 1 April 2019*
  • Last Modified: 23 July 2024




FIA – 5010

INCIDENT RESPONSE PLAYBOOK

SUBMITTED BY:

AISHWARYA AGARWAL

1. Phishing email with malware in attachment

Identification (indicators of compromise (IoC)):

A phishing email with malware in the attachment is a threat to the system if the attachment is downloaded. The authenticity of the sender can be verified from the content of the mail. Where personal information is requested there is a high chance of a phishing attack, as legitimate companies and banks do not usually ask for such information over email.

The common indicators of compromise in this case are identity theft of the victim after the attacker gains information such as their name and other resources, and a locked account, where the attacker locks the victim out of their own system by deploying malware or a different form of attack through the attachment. Unfamiliar transactions, missing files or information stored on the system, or spam email originating from the victim's account also point to a possible phishing attack, as the attacker may have gained backdoor access to the system.

Notification:

When a phishing attack is identified, the Incident Response Manager, the Security Analyst team, the CIO and the CISO should be informed. The Incident Response Manager, along with the team, would immediately act to mitigate the impact of the attack and restore the system in the case of a compromise.

Containment:

In the case of identity theft, or of any personal information the victim has entered, containment should be done as soon as possible. If the victim has entered banking information, cancel or block the debit/credit card and alert the bank before the attacker can make any transactions. If the attacker has gained system access through malware in the downloaded attachment, scan the system for viruses or reset the system, and take the computer offline. Change all passwords for the email address in use, log out from all devices and log in with the new password, so that in the case of identity theft the compromise does not spread to the associated accounts.

Eradication:

To prevent such incidents from recurring, set up a phishing email blocker at the firewall that blocks suspicious or copycat URLs. Use disposable virtual machines, preferably with a container (for better execution speed), to open attachments. A good option for this is Vagrant, which has direct integration with Docker.

Recovery:

Bring the systems back online and restore locked-out accounts after taking the containment steps and scanning the system for any suspicious activity.

2. Phishing email with credential harvesting web link.

Identification (indicators of compromise (IoC)):

A phishing email with a credential-harvesting web link is a common form of attack in which the link directs the victim to a login or bank-related page and tries to capture personal information. The authenticity of the sender can be verified from the content of the mail. The common indicators of compromise in this case are identity theft of the victim after the attacker gains information such as their name and other resources, and a locked account, where the attacker locks the victim out of their own system by deploying malware or a different form of attack through the attachment. Unfamiliar transactions, missing files or information stored on the system, or spam email originating from the victim's account also point to a possible phishing attack, as the attacker may have gained backdoor access to the system. Attacks can be detected by inspecting the URLs in the message traffic and identifying login forms or other such input pages.
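The URL inspection described above can be automated at the mail gateway or in the SIEM. The following is an added example (not part of the original playbook) that extracts URLs from a message body and flags the ones worth a closer look: hosts outside a constructed allowlist of the organisation's own domains, hosts that imitate one of those brand names, raw IP-address hosts, and paths that look like login or verification pages. The domains, brand tokens and the sample email are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed allowlist of domains the organisation actually uses (assumption).
TRUSTED_DOMAINS = {"examplebank.com", "mail.example.com"}
# Brand tokens whose appearance in an untrusted host suggests a copycat domain (constructed).
BRAND_TOKENS = ("examplebank", "example")
# Path or query words typical of credential-harvesting pages.
CREDENTIAL_HINTS = ("login", "signin", "sign-in", "verify", "account", "password", "secure")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def registered_domain(host):
    """Crude registered-domain extraction (last two labels); enough for this demo."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def inspect_url(url):
    """Return a list of reasons a URL is suspicious; an empty list means nothing was flagged."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    reasons = []
    if host not in TRUSTED_DOMAINS and registered_domain(host) not in TRUSTED_DOMAINS:
        reasons.append("untrusted domain")
        # A brand name embedded in an untrusted host (e.g. examplebank-secure.com) is a lookalike.
        for token in BRAND_TOKENS:
            if token in host.replace("-", ""):
                reasons.append(f"lookalike of brand '{token}'")
                break
    if IPV4_RE.fullmatch(host):
        reasons.append("raw IP address host")
    target = (parsed.path + "?" + parsed.query).lower()
    if any(hint in target for hint in CREDENTIAL_HINTS):
        reasons.append("credential-style path")
    return reasons


def inspect_message(body):
    """Map each flagged URL found in the message body to its list of reasons."""
    findings = {}
    for url in URL_RE.findall(body):
        reasons = inspect_url(url)
        if reasons:
            findings[url] = reasons
    return findings


# Constructed sample message: one copycat link next to one legitimate link.
SAMPLE_EMAIL = """Dear customer,
Your account has been limited. Please confirm your details at
http://examplebank-secure.com/login/verify?session=1234
Statements remain available at https://examplebank.com/statements
"""

if __name__ == "__main__":
    for url, reasons in inspect_message(SAMPLE_EMAIL).items():
        print(url, "->", ", ".join(reasons))
```

The allowlist approach is deliberate: an analyst maintains a short list of domains the company legitimately links to, and anything else carrying a brand name or a login-style path is routed for review rather than silently delivered.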

Notification:

When a phishing attack is identified, the Incident Response Manager, the Security Analyst team, the CIO and the CISO should be informed. The Incident Response Manager, along with the team, would immediately act to mitigate the impact of the attack and restore the system in the case of a compromise.

Containment:

In the case of identity theft, or of any personal information the victim has entered, containment should be done as soon as possible. If the victim has entered banking information, cancel or block the debit/credit card and alert the bank before the attacker can make any transactions. If the attacker has gained system access through malware in the downloaded attachment, scan the system for viruses or reset the system, and take the computer offline. Change all passwords for the email address in use, log out from all devices and log in with the new password, so that in the case of identity theft the compromise does not spread to the associated accounts. Block all endpoints from visiting the domain used in the attack by means of IP address filtering.

Eradication:

To prevent such incidents from recurring, set up a phishing email blocker at the firewall that blocks suspicious or copycat URLs. Use disposable virtual machines, preferably with a container (for better execution speed), to open attachments. A good option for this is Vagrant, which has direct integration with Docker. Multi-factor authentication is a good way to control such attacks by adding extra layers of security.

Recovery:

Bring the systems back online and restore locked-out accounts after taking the containment steps and scanning the system for any suspicious activity.

3. Lost Laptop incident from an employee

Identification (indicators of compromise (IoC)):

The employee reports that the laptop is lost through an incident report. This is a problem especially when highly sensitive data on the laptop is at risk.

Notification:

The Incident Response Manager, Security Analyst, CISO, CIO/CTO and Human Resources should be notified, as company data could be at risk. HR should be notified so that they can track the laptop to another employee, or in case someone takes it by mistake and informs HR.

Containment:

Try to track down the laptop and find any recent activity. Block the accounts that could be accessed from it and report the missing laptop, especially when highly sensitive data is at risk. Also remotely wipe the data from the targeted system.

Eradication:

Use full disk encryption on employee laptops, along with laptop location services through which a lost device can be tracked down. With the disk encrypted, the company's sensitive information cannot be accessed. Multi-factor authentication for login would prevent an attacker from gaining access to the system if they do attempt to.

Recovery:

Set up a new system for the victim's login after deleting the old data, and report the lost laptop. The victim should also reset all passwords. Configure screen lockout mechanisms as well as theft alarm systems.

4. System alert for USB inserted on employee machine

Identification (indicators of compromise (IoC)):

The SIEM raises an alert for the network when a USB device is inserted, so that the authenticity of the input device's action can be checked. The logs can be reviewed throughout the SIEM to evaluate the IP address, time and actions performed, to ensure there is no misuse of company information and no compromise occurring. A transfer of sensitive data, or the insertion of a virus or malware into the system, seen in the logs is the indicator of compromise in this case.

Notification:

The Incident Response Manager, Security Analyst, CISO and CIO/CTO should be informed.

In the case of a system compromise attempt, or of an insider trying to store information sensitive to the company, the department head as well as legal counsel should be notified, as it is unlawful. HR should be notified to take the necessary action regarding the employee.

Containment:

Remove the system from the network to prevent the virus/malware propagating to the connected systems. Document the steps for future reference and set up a SIEM (Security Information and Event Management) system to correlate logs from all security control systems, and use it to check the logs. Keep a timeline of events and save server logs, web logs, email logs, any packet captures, network graphs, reports, etc.
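The identification step (reviewing the SIEM logs for IP address, time and actions after the USB alert) and the containment step (correlating logs from the security controls and keeping a timeline) can be expressed as one correlation rule. The following is an added example, not part of the original playbook, that parses a handful of constructed log lines in a simplified "timestamp host ip source: message" layout, pairs each USB insertion with the events on the same host inside a ten-minute window, and reports whether those events show the two indicators the text names: a copy of sensitive data to removable media, or malware detected on it. The log format, the window length and the sensitive-path keywords are assumptions for the example.

```python
from datetime import datetime, timedelta

# Constructed log lines. Assumption: the SIEM has normalised vendor events into
# "timestamp host ip source: message". Two hosts, only one of which is a real incident.
SAMPLE_LOGS = """2024-03-01T09:12:03 WS-114 10.0.5.23 usb: device inserted vid=0781 pid=5583 label=USB_DISK
2024-03-01T09:12:41 WS-114 10.0.5.23 file: copy src=C:\\Finance\\payroll_q1.xlsx dst=E:\\payroll_q1.xlsx user=jdoe
2024-03-01T09:13:05 WS-114 10.0.5.23 av: threat detected file=E:\\setup.exe name=Trojan.Generic
2024-03-01T10:40:00 WS-207 10.0.5.88 usb: device inserted vid=046d pid=c31c label=KEYBOARD
2024-03-01T11:02:17 WS-207 10.0.5.88 file: copy src=C:\\Users\\asmith\\notes.txt dst=D:\\notes.txt user=asmith
"""

CORRELATION_WINDOW = timedelta(minutes=10)          # assumed window after insertion
SENSITIVE_PATH_HINTS = ("finance", "payroll", "confidential")  # constructed keywords


def parse_line(line):
    """Split one normalised log line into its fields."""
    ts, host, ip, source, message = line.split(" ", 4)
    return {"time": datetime.fromisoformat(ts), "host": host, "ip": ip,
            "source": source.rstrip(":"), "message": message}


def parse_logs(text):
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def correlate_usb_events(events):
    """For each USB insertion, collect later events on the same host within the window,
    build a timeline, and decide whether they show an indicator of compromise."""
    alerts = []
    for ev in events:
        if ev["source"] != "usb" or "device inserted" not in ev["message"]:
            continue
        window_end = ev["time"] + CORRELATION_WINDOW
        related = [e for e in events
                   if e["host"] == ev["host"] and ev["time"] < e["time"] <= window_end]
        indicators = []
        for e in related:
            msg = e["message"].lower()
            if e["source"] == "file" and "copy" in msg and any(h in msg for h in SENSITIVE_PATH_HINTS):
                indicators.append("sensitive data copied to removable media")
            if e["source"] == "av" and "threat detected" in msg:
                indicators.append("malware detected on removable media")
        alerts.append({
            "host": ev["host"],
            "ip": ev["ip"],
            "inserted_at": ev["time"].isoformat(),
            # The timeline is what the analyst saves alongside the raw logs.
            "timeline": [f"{e['time'].isoformat()} {e['source']}: {e['message']}"
                         for e in [ev] + related],
            "indicators": indicators,
            "compromise": bool(indicators),
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate_usb_events(parse_logs(SAMPLE_LOGS)):
        print(alert["host"], "compromise" if alert["compromise"] else "benign", alert["indicators"])
```

Note how the second host's file copy falls outside the window and is a personal file, so that insertion stays a plain informational alert; only WS-114, where a payroll file was copied and the AV fired on the removable drive, is escalated for the containment steps above.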

Eradication:

Establish the rules for employees accessing the system clearly and mention the laws related to them. Use full disk encryption on employee laptops; with the disk encrypted, the company's sensitive information cannot be accessed. Multi-factor authentication for login would prevent an attacker from gaining access to the system if they do attempt to.

Recovery:

Reconnect the machine to the network after running all scans and examining the logs to ensure the system is safe. Take the necessary action regarding the employee.

5. Ransom note received in email with threat of DDoS attack on company

Identification (indicators of compromise (IoC)):

This is a high-level security attack that should be handled with great expertise and caution. The note received that threatens a DDoS attack is the indicator of compromise.

Notification:

The entire company should be notified to prevent any system compromise. In this case the following should be informed: the Incident Response Manager, Security Analyst team, CISO, CIO/CTO, Technology and Operations Team Lead, Senior Management, Business Line Heads of Departments, Human Resources, Legal/General Counsel and the Public Relations Officer.

Containment:

Contact the internet service provider, or the hosting provider if one is in use, and inform them that there is an attack and that help is required. Delete all the emails and track the sender address. Assess and analyse the information at risk and perform system hardening to block the attacker.

Eradication:

Implement firewall rules to block access to sensitive information as well as mails such as these. Deploy intrusion prevention sensors on the internal network to give notice of any sign of an attempted intrusion into the system.

Recovery:

After making sure system hardening is done and the network is safe from an external attack such as DoS, restart the entire network and inform employees about good security practices to further protect the system from user faults.



Essay Sauce, Solving Lost Laptop Woes: Incident Response Playbook for 5010FIA | Aishwarya Agarwal. Available from:<https://www.essaysauce.com/sample-essays/2018-11-22-1542847205/> [Accessed 13-04-26].


* This essay may have been previously published on EssaySauce.com and/or Essay.uk.com at an earlier date than indicated.