Imagine it’s 3 AM and you're eating pizza. You're wearing earmuffs because the data center you're working in is so cold. You're part of an incident response team working round the clock to help a transportation company that’s been hit with a nasty case of ransomware.
While you're running dynamic and static tests on infected endpoints and analyzing the malware variant, others are determining how much access the attackers still have, looking for the best recovery point, and communicating with the national CERT (Computer Emergency Response Team), customers, and the media.
It’s a noisy madhouse and the clock is ticking. As time goes by, more systems can become infected, and more data stolen. As is common, attackers have told the victim that the price doubles if the ransom is not paid within two days. You must work fast to determine the business impact and the best way to recover.
It's a story worth sharing because it’s likely that at some point in your career you may be in a similar situation. When you recognize that identity-related incidents are becoming ubiquitous, with 80% of organizations experiencing at least one annually, it’s safe to assume that you may well be a victim of an attack.
Incident response is one of the most stressful scenarios an IT or security leader can encounter. It’s like fighting a fire, albeit a digital one. You have to make a lot of decisions quickly, without complete information.
In this blog, you’ll learn a framework for structured incident response, known as the incident response lifecycle, that can make you more resilient, remove some of the stress, and help you get back to business as soon as possible.
The incident response lifecycle is a six-part framework that covers each stage of response to a cyber incident. It can apply to any type of identity-related attack, such as a data breach, ransomware, extortion, credential theft, lost laptop, etc.
I’ll use a common incident scenario—ransomware—to walk through each stage of the incident response lifecycle. In each stage, I’ll outline recommended security controls, policies, and processes. I’ll also take you back to the night of our hypothetical ransomware attack against the transportation company so you can see how steps within each stage of the incident response lifecycle apply to a real-world attack.
At the Preparation stage of the incident response lifecycle, the goal is two-fold: 1) lay the groundwork so you can respond quickly and confidently should an incident occur, and 2) practice the incident response lifecycle so you are incident response ready.
One of the most critical aspects of your incident response lifecycle is to have a clear plan for what to expect when an incident occurs. Not all incidents are equal, so you will likely have different workflows depending on the scenario, such as ransomware, a lost laptop, or compromised credentials.
Incident Response Plan/Checklist
1. Ownership
2. Communications
3. Contact list
4. Clear definition of threat
   a. Confidentiality - data loss
   b. Integrity - data poisoning
   c. Availability - DDoS
5. In-house capability and 3rd party responsibility
6. Containment (evidence)
7. Press statement
8. Legal assessment
9. Eradication
10. Recovery
11. Lessons learned
For a more detailed checklist, check out our Cyber Incident Response Checklist. Plus, Delinea’s Incident Response Template can help you outline policies, systems, roles and responsibilities to help with the preparation stage of the incident response lifecycle.
The incident response lifecycle isn’t an IT or security team-only responsibility. Response to a cyber incident involves many parts of an organization. Having clearly defined roles is essential to ensuring the team knows what they should be doing when the incident response is activated.
Figure out who will be responsible for:
Outside of this list, there are some teams you don’t want to forget.
Include your help desk in the preparations. They can become overwhelmed if an attack goes public and they start getting calls from suppliers, customers, and partners. They need to be prepared and have a process for response, tested and ready.
Decide if you’re going to include any third parties, such as data aggregators, or external incident response teams. Your hosting provider should be involved as part of your extended team. Your cyber insurance provider may require you to work with a third party of their choosing.
There are numerous processes and workflows you’ll want to prepare, so you don’t have to make them up on the spot during a live incident. For example:
There are numerous resources and sources of information that you’ll rely on during incident response. For example, you’ll need resources such as:
Now, let's dig into how you use each of these in later stages of the incident response lifecycle.
For identity and privilege-related attacks, Identity Threat Detection and Response (ITDR) solutions reduce risk with continuous monitoring of all identities, their access, and behaviors. They identify anomalous behavior, understand the most vulnerable identities, determine the potential impact if compromised, and take appropriate action.
Many people don’t go through the incident response lifecycle until they experience a live incident. This leads to lots of confusion and stress. That’s why it’s so important to practice as part of the Preparation stage.
When the incident response lifecycle is practiced and simulated, you will typically find things that didn’t get covered in your checklist. Make sure your team practices the incident response lifecycle a few times each year. Simulate different incident types so that when the real incident happens you can respond effectively.
At this stage of the incident response lifecycle, you find out an attack has occurred and must confirm before moving forward with your response.
Unfortunately, it’s likely that you won’t discover an attack on your own but will be notified by an outsider. For example:
You may find out when employees log in to their systems. For example, they may be met with a message telling them your organization has been attacked:
In our transportation ransomware example: Attackers contacted the IT team by email to inform them about the attack. The main reason for contacting IT directly is to speed up the incident response process in an attempt to get the victim to pay the ransom quickly. Being contacted directly can be quite scary, as attackers might know your employment history, including personal details or recent performance reviews.
Ideally, your systems will be able to track signals that indicate an attack is likely underway. Then, you can send alerts automatically to your Security Operations Center (SOC), who can investigate further. For example, you’ll want to keep your eyes open for:
Once you determine the threat is credible, you can evaluate its severity. Consider how the attack has impacted the CIA triad. Determine what type of data is impacted.
If the attack has impacted PII, protected customer or employee data, you may be dealing with a data disclosure situation.
You might find you’re dealing with multiple attackers specialized in different aspects of the ransomware attack.
Especially when you’re going back through multiple years of logs, you might find evidence of previous incidents you didn’t know about, unrelated to the active incident you’re currently investigating.
In our transportation ransomware example: The investigation found that an employee had installed crypto mining software on company resources and was making money on the side.
The quicker you respond to an incident, the better you’ll be able to contain the damage. At this stage of the incident response lifecycle, you need to determine if attackers are still accessing your systems and determine what you’re dealing with. Then you can respond appropriately to contain the blast radius so you can continue to operate.
Digital forensics is like trying to complete a 1000-piece jigsaw puzzle when you only have 200 pieces.
Ransomware is a very effective tool for attackers to erase puzzle pieces. With the remaining pieces you must put together a full picture. You’re trying to rebuild the attack path and determine exactly what the attacker did and how.
The first rule is “Do No Harm”. You don’t want your responses to further infect systems. Do things with intention. Activities in this stage include:
For example, in an identity-related attack, in which attackers are in control of privileged accounts or credentials, you can automatically trigger password rotation via your PAM vault. You can also add layers of identity assurance with MFA and approval requirements. Or you can remove privileges entirely so they can’t be used at all.
As you conduct digital forensics and root cause analysis, make sure you gather and store evidence.
Look for first evidence of attack:
Find out what the attackers have access to:
Learn what tools and techniques they used:
Attack path mapping can help you understand the full identity attack path. Reviewing the MITRE ATT&CK Framework and the identity attack chain can help you walk through typical stages of an attack so you can see how attackers commonly enter and move around.
In our transportation ransomware example: Attackers had gained domain-level access. Luckily, this incident was limited to on-prem systems. Crucially, the company was still able to use email via Microsoft 365 for communications.
If your attack involved malware, you could conduct static analysis using tools like IDA Pro or Ghidra.
Dynamic analysis is more powerful because it allows you to infect a sandboxed machine with the malware variant and see how it responds.
You need visibility into how long the attack has been happening so you can understand and compare it with historical information. It’s common that attackers will delete evidence, remove log files and events, to cover their tracks. You will likely need to review log and event files from numerous systems and correlate them.
Plaso (Plaso Langar Að Safna Öllu), or super timeline all the things, is a Python-based engine used by several tools for automatic creation of timelines. It will allow you to create a history of logs and events across systems so you can put the puzzle together.
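The correlation step that Plaso automates, shown here as an added example that is not from the original post or from the Plaso project: three constructed log sources in different formats and time zones are normalized to UTC, merged into one chronological timeline, and then searched for the first sighting of an account or IP address and for events that look like track covering. Every hostname, account, address and timestamp below is made up.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample sources (hosts, accounts, IPs and times are made up).
LINUX_AUTH_TZ = timezone(timedelta(hours=2))  # bastion writes local time, UTC+2
LINUX_AUTH = """\
2024-03-02 02:14:07 bastion sshd[4121]: Accepted password for svc-backup from 203.0.113.9
2024-03-02 02:15:40 bastion sudo: svc-backup : COMMAND=/usr/bin/rm -f /var/log/auth.log.1
"""
WIN_SECURITY = """\
2024-03-02T00:13:02Z,DC01,4624,svc-backup,Logon type 10
2024-03-02T00:20:55Z,DC01,1102,svc-backup,The audit log was cleared
2024-03-02T10:02:11Z,DC01,4672,svc-backup,Special privileges assigned
"""
WEB_ACCESS = '203.0.113.9 - - [01/Mar/2024:19:10:33 -0500] "GET /vpn/login HTTP/1.1" 200\n'

# Illustrative anti-forensic indicators (log clearing, deleting auth logs); not exhaustive.
TAMPER_PATTERNS = [re.compile(p) for p in (r"audit log was cleared", r"\brm\b.*/var/log/")]

def parse_linux(text, tz):
    """Auth log written in local time: stamp it with tz, then convert to UTC."""
    for line in text.splitlines():
        date, clock, host, msg = line.split(" ", 3)
        local = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
        yield local.astimezone(timezone.utc), host, "linux-auth", msg

def parse_windows(text):
    """CSV export of the Security log; timestamps are already ISO-8601 UTC."""
    for line in text.splitlines():
        ts, host, eid, user, msg = line.split(",", 4)
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        yield when, host, "win-security", f"EventID {eid} {user}: {msg}"

def parse_web(text):
    """Combined access log; the bracketed timestamp carries its own UTC offset."""
    pat = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
    for line in text.splitlines():
        ip, ts, req, status = pat.match(line).groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z").astimezone(timezone.utc)
        yield when, "www01", "web-access", f"{ip} {req} -> {status}"

def build_timeline():
    """Merge every source into one UTC-ordered list of (time, host, source, message)."""
    events = list(parse_linux(LINUX_AUTH, LINUX_AUTH_TZ))
    events += list(parse_windows(WIN_SECURITY)) + list(parse_web(WEB_ACCESS))
    return sorted(events, key=lambda e: e[0])

def first_seen(timeline, needle):
    """Earliest event mentioning an account or IP: a candidate 'first evidence of attack'."""
    return next((e for e in timeline if needle in e[3]), None)

def tampering_events(timeline):
    """Events matching anti-forensic patterns; the gaps around them deserve a closer look."""
    return [e for e in timeline if any(p.search(e[3]) for p in TAMPER_PATTERNS)]

def dwell_time(timeline):
    """Span between the first and last correlated event across all systems."""
    return timeline[-1][0] - timeline[0][0]
```

Pivoting on the source IP rather than the account pushes the first sighting earlier (to the VPN login), which is exactly why cross-system correlation matters.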
The SIFT Workstation is a collection of free and open-source incident response and forensic tools designed to perform detailed digital forensic examinations in a variety of settings.
For identity or privilege-related attacks you can leverage session recordings and reports.
Delinea’s AI-Driven Auditing (AIDA) transforms privileged session monitoring by seamlessly analyzing recorded sessions to detect and highlight early indicators of potential cyber incidents automatically. This advanced feature identifies suspicious activity, such as authorization and privilege elevation failures and unexpected deletions and downloads. Sessions with anomalous activity are flagged in a dashboard, enabling administrators to prioritize critical events quickly.
With the ability to analyze a full 10-minute session recording in one minute, AIDA significantly reduces the time teams spend on manual reviews, allowing them to focus on critical anomalies. By summarizing activity and alerts, AIDA accelerates investigations, helping teams proactively mitigate risks before they escalate into serious threats.
In our transportation ransomware example: The attackers had about 15 days (roughly two weeks) of hands-on-keyboard access to corporate systems before they deployed the ransomware.
At this stage of the incident response lifecycle, you’ll need to decide your go-forward plan. You have several decisions to make:
Decide how you’ll make the decision. You may have legal or insurance requirements to consider. If you do decide to pay, you may need access to cryptocurrency.
To answer this question, you need to consider:
In our transportation ransomware example: In this case, the internet plug was pulled to regain control of the network and make sure the attacker didn’t have persistent access. Some operations reverted to manual processes. This was crucial to stop the attacker from continuing to exfiltrate sensitive data.
At this stage of the incident response lifecycle, the focus is on removing the threat and getting to “all clear” with all systems clean.
For ransomware, it’s rare, but possible that security researchers have encountered the type of threat you’re battling and made a decryption key available. More likely, you’ll need to use the information you gather to figure out the best strategy to eradicate the threat. Many of the systems noted below were used in the transportation ransomware example.
Joe Sandbox
Create a sandbox, a separate lab environment where you can test malware without doing any damage. Joe Sandbox is a helpful tool to look at other people’s analysis of the malware itself. You can upload a sample of the Cryptor from the infected system and hopefully find what types of capabilities it has and get some recommendations on things you can do to contain it. It looks at signatures, executables, classifications, a process tree of how it spawns, and much more.
Virus Total
You can upload the malware to Virus Total and find out if other tools out there are detecting it. If the malware you’re dealing with is new, it may not yet have been detected.
FLARE from Mandiant (now part of Google)
With this tool you can transfer Cryptor samples (make sure you use an encrypted, password-protected file), run Process Hacker and capa, compute hashes, and run the sample under Immunity Debugger.
Threat intelligence
As part of the Eradication phase of the incident response lifecycle, you want to make sure to close the door so attackers can’t come back—at least not the same way. Look at the Dark Web to see if there’s any chatter. Check if anyone is selling data, credentials, or other sensitive information from your organization.
At this stage of the incident response lifecycle, the focus is on getting back to business as quickly as possible.
You need to evaluate:
Ideally, you can look at old systems that can help you piece data back together. However, it’s essential to find out if your recovery systems have been compromised as well. For example, if your backup systems are joined to Active Directory, not segregated, and use the same credentials as other systems, they are also vulnerable to ransomware and may well have been infected.
In our transportation ransomware example: Unfortunately, their backup systems had also been encrypted by the ransomware attack. Luckily, they had a server that was migrated about a year before, and were able to use that as a baseline to restore the environment. It took two to three months to restore one year of lost data, at high cost (though much less than the ransom demand) and tremendous team effort.
At this stage of the incident response lifecycle, you do a retrospective with the goal of continuous improvement.
Ask yourself:
For a retrospective to be effective, make sure you document everything you do as part of the incident response so you can report on it later. Note when your responses occurred, so you can measure how long it took to act at each stage of the incident response lifecycle, from Discovery to Eradication.
Based on your lessons learned, you can refine the lifecycle to suit your needs, execute faster, and ensure seamless transitions from phase to phase for a coordinated response.
An ounce of prevention is worth a pound of cure.
Do all you can to force attackers to do extra work and make noise, so they attract attention, making it difficult for them to stay hidden. Deploy identity security controls and best practices, including:
This is a lifecycle approach to incident response precisely because what you learn in stage 6 (Lessons Learned) should feed back into stage 1 (Preparation).
It’s essential to be incident response-ready. The last thing you want to be doing is testing your incident response lifecycle in the middle of an incident. You need to know what security processes and solutions you have, where they are, and how to use them.
Run practice drills for a variety of simulated scenarios. Do tabletop exercises to help you plan your response. Involve other teams in practice too, including your executives, legal, communication, compliance, and help desk.
Third-party companies specialize in gamification or simulations of incident response, including ransomware incidents. They can help you include things you might not have thought about in your practice scenarios.
As mentioned, having clearly defined roles and responsibilities is essential. So is having a central repository for all your evidence gathering, and a Slack channel or Wiki for rapid communication.
The more context you can provide all parties involved in incident response, the better. For example, in an identity-related incident, you’ll want your detection engineers and SOC to know the history of an identity, expected access, and related and dependent systems for service accounts. An integrated identity security platform can help you make sure data is available, with context, for all parties involved in incident response.
Here are some often overlooked pitfalls that can create friction or roadblocks.
Non-perishable food or energy bars
Sanitized disks
Ear plugs for working in loud places
The aforementioned earmuffs
Expect that it will be a long, stressful day and week. Incident response can lead to extremely high stress and burnout. Please take care of your mental health and your teams during an incident response.
Delinea can help you make the incident response lifecycle actionable. Please reach out to talk with our team about how we can help.