Sunday, October 9, 2016

SANS 504 Notes - Containment/Eradication/Recovery

  • Containment
    • need to stop the bleeding
    • phase after an incident is declared
    • consists of short-term containment, system back-up, and long-term containment
    • First step, record incident details
      • category
      • criticality
      • sensitivity
    • Follow notification procedures based on incident details
      • notify IR team
      • notify management
      • notify business units
      • create / log IR ticket in appropriate system
    • Initial Analysis
      • remember, attacker might be watching for signs of IR, so be stealthy if you can
    • Short-Term Containment
      • prevent further damage, but try to keep the system intact
      • best case, network changes to isolate the system
      • worst case, pull the power (lose volatile memory)
      • Deploy tracking files (WordWebBugs) to track data transit
      • Might need to coordinate with ISP
    • System back-up
      • If possible, create a forensic image
      • acquire logs and review, check neighboring systems
    • Long-term Containment
      • generally required if you cannot turn off / repair / patch machine in a timely manner
      • lots of techniques, mostly around changing trust relationships, etc of the running system
    • During containment, be careful not to jump to conclusions about who did what, and when
      • take detailed notes, but don't make assumptions
  • Eradication
    • two main goals
      • remove attacker artifacts
      • determine entry point
    • virus scanning, rootkit detection, rebuild from a zeroed drive
    • Improve defenses based on understanding the entry point
    • perform vulnerability analysis
  • Recovery
    • decide when to restore, keep in mind business priorities
    • monitor systems once they are put back in production
    • build a script that checks whether the initial attack vector (or artifacts of the attacker) returns
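
An added example of the recovery-phase check in the last bullet (example code, not from the SANS material or this post): a Python sweep that can be re-run on a schedule over a rebuilt host and reports any file whose hash or name matches the indicators recorded during eradication. The payload bytes, the hash derived from them, the host name in the note and the look-alike file name are all constructed for the example.

```python
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass

# Indicators recorded during eradication. Constructed, hypothetical values for this
# example; on a real engagement they come from the incident notes.
SAMPLE_PAYLOAD = b"constructed dropper payload for the example, not real malware\n"
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_PAYLOAD).hexdigest(): "dropper found on host01"}
ARTIFACT_NAME_PATTERNS = [re.compile(r"^svch0st\.exe$", re.IGNORECASE)]  # look-alike name

@dataclass(frozen=True)
class Finding:
    kind: str    # "hash" (content matched) or "name" (file or directory name matched)
    name: str
    path: str
    detail: str

def sha256_of(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def scan_for_artifacts(root):
    """Walk root and report every file or directory that matches an indicator."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            for pat in ARTIFACT_NAME_PATTERNS:
                if pat.match(name):
                    findings.append(Finding("name", name, full, pat.pattern))
            if name in filenames:
                try:
                    digest = sha256_of(full)
                except OSError:
                    continue  # unreadable file: skip it rather than abort the sweep
                if digest in KNOWN_BAD_SHA256:
                    findings.append(Finding("hash", name, full, KNOWN_BAD_SHA256[digest]))
    return findings

def build_sample_tree():
    """Constructed tree: a clean file, the payload under a new name, a look-alike name."""
    root = tempfile.mkdtemp(prefix="ir-recovery-")
    for name, data in {"report.txt": b"quarterly numbers\n",
                       "update.tmp": SAMPLE_PAYLOAD,          # renamed copy: hash still matches
                       "svch0st.exe": b"harmless content\n"}.items():  # name matches only
        with open(os.path.join(root, name), "wb") as f:
            f.write(data)
    return root
```

Run `scan_for_artifacts` over the rebuilt system's volumes from a scheduled job and page the IR team whenever it returns a non-empty list; a renamed copy of the payload is still caught by its hash, while a harmless file with the look-alike name shows up as a name hit only.
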

Some thoughts on Azure

From an Azure point of view, at least in the IaaS sense, most of the techniques described here are similar. Of course, there is limited access to the networking logs, so one would have to get creative with that part. NSGs offer some diagnostic logs, but not as detailed as we would require. Windows firewall logs might be of use, but once again, they don't show enough information regarding successful connections.

Containment could be as simple as deleting the NIC from an IaaS machine, or placing an NSG around that particular VM that limits its access to the network.

Eradication and Recovery for IaaS are almost the same as on-prem. In certain cases, depending on how you have your systems configured, a better approach is to rebuild from the latest image plus DSC for the application. You could also restore from Azure Backup or a third-party backup tool.