Containment in Incident Handling

Containment in Incident Handling

In the military when a fellow service member is injured the goal for a combat medic is to stop the bleeding. In information security the containment phase is no different we want to isolate the threat to prevent the attack from spreading to other systems or causing more damage.

The containment phase has four main steps to be a successful containment. They are preparation, short-term containment, back-up, and long-term containment.

Preparation

Upon declaring an incident assign an incident handler to assess the situation. Secure the area and have incident forms on hand on site. Survey the area for wires, telephones, and wireless devices. Incidents start before you arrive onsite so survey what everyone saw, heard, and did. Threats can rapidly change and so don't treat things as time zero. As an incident handler validate the Category, Criticality, and Sensitivity of the threat.

Category

  • Denial of Service
  • Compromised information
  • Compromised assets
  • Unlawful Activity
  • Internal/ External hacking
  • Malware
  • Email
  • Policy Violations

Criticality & Response times

  • Incident impacts critical systems / 1 hour
  • Incident impacts non-critical systems / 4 hours
  • Possible incident, non-critical / 24 hours

Sensitivity & Who to inform

  • Extremely Sensitve / CSIRT & managment
  • Sensitive / CSIRT, managment, system owners, & operations
  • Non-sensitve / Employees

Company policy may advise different response times or who to inform of an incident

Always

  • Notify your management
  • Decide form of communication (email, phone, or in person)
  • Assign a minimum of two people
  • Create an entry in the incident tracking system
    • CyberSPR is a great tool (Enforces need-to-know and all data is hashed and encrypted)

Tips

  • Keep a low profile

    • Don't use tools like ping, traceroute, or nslookup
  • Don't tip your hand to the attacker

  • Maintain standard procedures

  • Document

Short-Term

The goal here is to isolate the threat as quickly as possible without changing the compromised data on the system. We want to keep the systems drive image intact until a backup of the image can be performed. This image allows us to validate the threat and have evidence of the incident. Some quick solutions may be to disconnect the network cable, kill the power, applying filters on network devices like firewalls or by isolating the machine on the switch port. Because most attackers are targeting a particular IP address a more complexed solution would be to change the DNS name to another IP address pointing to a secure system, so your users are not affected. This machine could also serve as honeypot so you can gather more evidence and possibly use something like WordWebBugs to track the attacker. However, if you can not contain the threat without denying access to legitimate users then make sure to advise someone in the business unit that is responsible for the system.
In some cases, the business unit may not approve your request to drop the system. When disapproval happens, it's then your job to provide the owner of the risk and reasons why it's wise to cut the system from the network. However, the business has the final say in this matter so look for other avenues in containing the threat. Deploying a new secure system or whitelisting access to the system may be some options. For external attacks like packet floods, bot-nets, worms, or spam consult with your ISP in assisting you in identify and containing the attack. ISPs often keep network and system logs that can add to your evidence. ISP most of the time are willing to help you so they can make improvements to protect other customers on their network so keep a close relationship with them.

Creating images

One of the most common errors in this phase is not creating working forensic images. The initial model should have both memory and the filesystem. Sometimes system administrators fail to perform regular backups of the system and data on these systems could be irreplaceable and mission critical. If you must perform actions on the system before backing it up then document everything you do such as commands and the responses to those commands. In an ideal situation, you want a binary image of the system as this gets everything including deleted or fragmented files. DD is a favorite tool in UNIX operating systems and most cases preinstalled. For windows, there are many free alternatives at your disposal like FAU. For analyzing memory Rekall, a google maintained project is a great solution.

Best practice is to use hardware tools like a drive duplicator. These tools allow you to make copies with ease and you can even introduce write blockers to create read-only copies that will be more valuable in court. When using hardware tools make sure that the copies are in binary and the drive used as the copy has at least 10% more space than is needed for the image.

Afterward, acquire logs and other source information to determine how far the attacker may have gotten. Review logs of neighboring systems and ultimately make recommendations for longer-term containment. The business will always have the final say if the system stays down or if it is to continue operation. Sometimes, the risk may be worth it to the business but include your recommendations in a signed memo to the business inforcing them to acknowledge the risk of the continued operation. Suggest a longer-term containment until the eradication of the threat.

Long-Term Containment

The idea here is to apply a temporary band-aid to stay in production while you build a clean system during eradication. There are many avenues for approach here, but the most common is only to patch the system if the attack was from using an exploit. If patching is not the best option then using an IPS or snort rule may be a practical option. Remember to remove any accounts and kill all processes used by the attacker. Before moving forward apply firewall rules and or modify your access control list to the system. You may have patched the system and initiated some additional security like firewall rules your job is still not yet complete. You still need to eradicate the threat entirely. Keep system administrators informed on your progress and never fault anyone during the investigation as this may ruin avenues in your research, and your assumptions may be wrong. Assuming makes an ass out of you(them) and me(you).

Takeaways

The next step after containing the threat is to eradicate it but let us review the process of containment.

  • Prepare for containment
    • Determine the category, criticality, and sensitivity of the system.
    • Contact your managers and support
    • Don't let the attacker know you're on to them
  • Get the system offline if possible
    • Unplug the power source
    • Disconnect the network cable
    • Apply firewall rules
    • Modify your DNS
  • Create system images
    • Create binary images of the system
    • Use hardware tools if you have them
    • Use tools like rekall if the system can not be taken offline
    • Record logs from neighboring systems
  • Long-term containment
    • Apply patches
    • Patch neighboring systems
    • Apply firewall & ACL rules
    • Remove user accounts
    • Kill processes
    • Insert IDS systems

Eradication

If this has been helpful to you, please support this blog by buying a coffee