An active incident can cause disruptions throughout an organization. The organization must act to mitigate the incident and then work to recover from it without creating new risks or vulnerabilities.
At the same time, the organization may want to preserve incident data and artifacts to allow forensic analysis by internal responders or law enforcement.
🖥️Reconfigure Endpoint Security Solutions
In many cases, one of the first mitigation techniques will be to quickly block the cause of the incident on the impacted systems or devices.
That means you may need to reconfigure endpoint security solutions:
✅Application Allow Listing
Application allow listing (sometimes referred to as whitelisting) lists the applications and files that are allowed to be on a system and prevents anything that is not on the list from being installed or run.
❌Application Deny Lists or Block Lists
Application deny lists or block lists (sometimes referred to as blacklists) list the applications or files that are not allowed on a system and prevent them from being installed or copied to the system.
😷Quarantine Solutions
Quarantine solutions place suspect files in a specific safe zone.
Antimalware and antivirus tools often provide an option to quarantine suspect or infected files rather than deleting them, which can help with investigations. Quarantine can be a great way to ensure that you still have access to the files, but it does carry the risk that the malicious files remain on the system, even if they are confined to a safe location.
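The difference between the three approaches above is easiest to see on real files. The following is an added example, not code from the page or from any endpoint product: it identifies files by SHA-256 digest (so a renamed copy of a blocked file is still caught), runs the same three constructed sample files through allow-list mode (default deny) and deny-list mode (default allow), and moves what the allow list rejects into a read-only quarantine directory with a manifest instead of deleting it. All file names, contents and directories are constructed sample data.

```python
"""Allow listing, deny listing and quarantine on an endpoint (added example)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def classify(path, allow_list, deny_list, mode):
    """Decide whether a file may run.

    mode == "allow_list": default deny, only listed digests may run.
    mode == "deny_list":  default allow, only listed digests are blocked.
    Returns (decision, digest).
    """
    digest = sha256_of(path)
    if mode == "allow_list":
        return ("allow" if digest in allow_list else "deny"), digest
    if mode == "deny_list":
        return ("deny" if digest in deny_list else "allow"), digest
    raise ValueError(f"unknown mode {mode!r}")


def quarantine(path, quarantine_dir, digest):
    """Move a blocked file into a safe zone instead of deleting it.

    The copy is renamed to its digest, made read-only and logged in a manifest,
    so responders can still examine it while it is no longer in its original
    location or executable by a normal user.
    """
    quarantine_dir = Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    dest = quarantine_dir / f"{digest}.quarantined"
    shutil.move(str(path), str(dest))
    os.chmod(dest, 0o400)
    with open(quarantine_dir / "manifest.txt", "a", encoding="utf-8") as manifest:
        manifest.write(f"{digest} {path}\n")
    return dest


def demo():
    """Run three constructed files through both modes, then quarantine what the allow list rejects."""
    work = Path(tempfile.mkdtemp(prefix="endpoint_demo_"))
    samples = {  # constructed sample files
        "known_tool.bin": b"contents of an approved administrative tool",
        "dropper.bin": b"contents of a known malicious dropper",
        "unknown.bin": b"contents of a file never seen before",
    }
    for name, content in samples.items():
        (work / name).write_bytes(content)

    allow_list = {sha256_of(work / "known_tool.bin")}
    deny_list = {sha256_of(work / "dropper.bin")}

    decisions = {}
    for name in samples:
        allow_mode, digest = classify(work / name, allow_list, deny_list, "allow_list")
        deny_mode, _ = classify(work / name, allow_list, deny_list, "deny_list")
        decisions[name] = {"allow_list": allow_mode, "deny_list": deny_mode, "digest": digest}

    # Quarantine rather than delete: record whether the quarantined copy is intact.
    quarantined = {}
    for name, info in decisions.items():
        if info["allow_list"] == "deny":
            dest = quarantine(work / name, work / "quarantine", info["digest"])
            quarantined[name] = sha256_of(dest) == info["digest"]

    shutil.rmtree(work)
    return decisions, quarantined
```

The point the output makes is that the never-seen file is blocked only by the allow list; a deny list lets anything it has not heard of run, which is why allow listing is the stronger (and more labour-intensive) control.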
⌨️Configuration Changes
Configuration changes are also a common remediation and containment technique. They may be required to address a security vulnerability that allowed the incident to occur, or they may be needed to isolate a system or network.
Configuration changes are one of the most frequently used tools in containment and remediation efforts.
They need to be carefully tracked and recorded, since responders can still make mistakes, and changes may have to be rolled back after the incident response process to allow a return to normal function. The specific configuration changes you should consider for the Security+ exam are as follows:
Firewall rule changes, either to add new firewall rules, modify existing firewall rules, or in some cases, to remove firewall rules.
Mobile device management (MDM) changes, including applying new policies or changing policies; responding by remotely wiping devices; locating devices; or using other MDM capabilities to assist in the IR process.
Data loss prevention (DLP) tool changes, which may focus on preventing data from leaving the organization or detecting new types or classifications of data from being sent or shared.
DLP changes are likely to be reactive in most IR processes, but DLP can be used to help ensure that an ongoing incident has a lower chance of creating more data exposure.
Content filter and URL filtering capabilities, which can be used to ensure that specific sites cannot be browsed or accessed. Content filtering and URL filtering can help prevent malware from phoning home or connecting to C2 sites, and they can also prevent users from responding to phishing attacks and similar threats by stopping users from visiting malicious or suspicious websites.
Updating or revoking certificates, which may be required if the certificates were compromised, particularly if attackers had access to the private keys for the certificates. At the same time, removing certificates from trust lists can also be a useful tool, particularly if an upstream service provider is not responding promptly and there are security concerns with their services or systems. Revoking the certificates issued to devices removes those devices' access.
It is important to bear in mind the operational impact and additional risks that the changes you are considering may result in, and to ensure that stakeholders are made aware of the changes or are involved in the decision, depending on the urgency of the situation.
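The requirement that containment changes be tracked and reversible is worth seeing in code. The following is an added example, not from the page or from any firewall or MDM product: a tiny in-memory first-match rule table stands in for a real firewall, a set stands in for a URL filter block list, and a change journal records each change with the operator, the time and the action that undoes it, so the whole containment can be rolled back in reverse order after the incident while the journal survives as the audit record. Host names, the C2 domain and the incident identifier are constructed placeholders.

```python
"""Tracked, reversible containment changes (added example)."""
from datetime import datetime, timezone


class Firewall:
    """Stand-in first-match rule table. A rule is (src, dst, action); "*" matches anything.

    The first matching rule decides; no match means deny (implicit default deny).
    """

    def __init__(self, rules):
        self.rules = list(rules)

    def allows(self, src, dst):
        for rule_src, rule_dst, action in self.rules:
            if rule_src in ("*", src) and rule_dst in ("*", dst):
                return action == "allow"
        return False

    def insert_rule(self, position, rule):
        self.rules.insert(position, rule)

    def remove_rule(self, rule):
        self.rules.remove(rule)


class ChangeJournal:
    """Records each containment change with who made it, when, and how to undo it."""

    def __init__(self, incident_id, operator):
        self.incident_id = incident_id
        self.operator = operator
        self.entries = []

    def apply(self, description, do, undo):
        do()
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "incident": self.incident_id,
            "operator": self.operator,
            "change": description,
            "undo": undo,
            "rolled_back": False,
        })

    def rollback(self):
        """Undo every change in reverse order; the entries stay as the audit trail."""
        for entry in reversed(self.entries):
            if not entry["rolled_back"]:
                entry["undo"]()
                entry["rolled_back"] = True
        return [entry["change"] for entry in self.entries]


def contain_host(journal, firewall, url_filter, host, c2_domain):
    """Two typical containment changes: cut the host's traffic, block the C2 domain."""
    block_rule = (host, "*", "deny")
    journal.apply(
        f"insert top-of-table deny rule for {host}",
        do=lambda: firewall.insert_rule(0, block_rule),
        undo=lambda: firewall.remove_rule(block_rule),
    )
    journal.apply(
        f"add {c2_domain} to URL filter block list",
        do=lambda: url_filter.add(c2_domain),
        undo=lambda: url_filter.discard(c2_domain),
    )


def demo():
    # Constructed sample values: a permissive workstation policy and one infected host.
    firewall = Firewall([("*", "internet", "allow"), ("*", "fileserver", "allow")])
    url_filter = set()
    infected, bystander, c2_domain = "ws-0417", "ws-0502", "c2.example"
    journal = ChangeJournal(incident_id="IR-EXAMPLE-001", operator="responder1")

    state = {"before": firewall.allows(infected, "internet")}
    contain_host(journal, firewall, url_filter, infected, c2_domain)
    state["contained_internet"] = firewall.allows(infected, "internet")
    state["contained_fileserver"] = firewall.allows(infected, "fileserver")
    state["bystander_unaffected"] = firewall.allows(bystander, "internet")
    state["c2_blocked"] = c2_domain in url_filter

    # After the incident: roll back in reverse order, keeping the journal as a record.
    state["journal"] = journal.rollback()
    state["after_rollback"] = firewall.allows(infected, "internet")
    state["c2_after_rollback"] = c2_domain in url_filter
    state["all_rolled_back"] = all(e["rolled_back"] for e in journal.entries)
    return state
```

Undoing in reverse order matters as soon as one change depends on another (a rule that references an object created by an earlier change, for instance); recording the inverse at the moment the change is made is what makes the later return to normal function routine rather than a reconstruction exercise.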
🏝️Isolation
At times, broader action may also be necessary. Removing systems, devices, or even entire network segments or zones may be required to stop further spread of an incident or when the source of the incident cannot be quickly identified.
The following techniques support this type of activity:
Isolation is a powerful mitigation technique used to secure an environment by separating or segmenting resources to prevent the spread of threats and limit the potential impact of a security incident.
Here's how it works:
Application Isolation: This involves running applications in a separate, restricted environment to prevent them from affecting other applications or the underlying system. Techniques include using containers, virtual machines, or sandboxing. If an application is compromised, the threat is contained within that isolated environment.
User/Process Isolation: This involves separating different user processes or sessions from each other. In a multi-user system, this prevents one user's activities from affecting others. It also means that if a user's session is compromised, the threat can't access processes running under other user accounts.
Network Segmentation: This involves dividing a network into smaller parts or segments, often using VLANs (Virtual Local Area Networks). Each segment operates independently, so if one segment is compromised, the threat is contained and can't easily spread to other parts of the network. This is particularly useful for isolating sensitive systems or data.
🫙Containment
Containment is a crucial step in the incident response process where actions are taken to prevent the spread of an incident and limit its impact. The goal is to isolate the affected systems or network segments to prevent further damage while maintaining business operations.
Containment leaves the system in place but works to prevent further malicious actions or attacks. Network-level containment is frequently accomplished using firewall rules or similar capabilities to limit the traffic that the system can send or receive. System and application-level containment can be more difficult without shutting down the system or interfering with the functionality and state of the system, which can have an impact on forensic data. Isolation and containment are two related concepts in incident response, but they serve different purposes and are used in different contexts:
Isolation is like putting a sick person in a separate room so they don't spread their illness to others. In the context of cybersecurity, it means separating a compromised computer or network from others to prevent a cyber threat from spreading.
Containment is a broader action. It's like the entire process of managing the sick person's illness: not only do you isolate them, but you also give them medicine to control their symptoms, clean the areas they've been to prevent further spread, and so on. In cybersecurity, containment includes isolation, but it also includes other actions like removing the threat, fixing the vulnerability that allowed the threat in, and restoring any damaged systems or data. So, isolation is a part of containment. It's one of the actions you take when you're trying to contain a cybersecurity incident.
🦑Segmentation
Segmentation is a security practice that involves dividing a network into multiple segments or subnetworks, each acting as its own small network. This can be done physically, with separate hardware, or virtually, using software tools.
Segmentation is often employed before an incident occurs to place systems with different functions or data security levels in different zones or segments of a network. Segmentation can also be done in virtual and cloud environments. Segmentation is the process of using security, network, or physical machine boundaries to build separation between environments, systems, networks, or other components. Incident responders may choose to use segmentation techniques as part of a response process to move groups of systems or services so that they can focus on other areas. You might choose to segment infected systems away from the rest of your network or to move crucial systems to a more protected segment to help protect them during an active incident. This also reduces the attack surface: if one subnetwork is compromised, the attacker's potential reach is limited.
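Both the network-isolation technique above and the two segmentation responses just described (moving infected systems away, moving crucial systems to a protected segment) come down to the same question: which systems can an intruder in a given segment still reach? The following is an added example, not from the page: it models a segmentation policy as an explicit list of permitted segment-to-segment flows (everything else denied, the way a default-deny VLAN ACL or cloud security group behaves), computes the transitive reach from a compromised segment, and shows how each response shrinks that blast radius. Segment names, flows and system names are constructed sample data.

```python
"""Blast radius of a compromised segment under a segmentation policy (added example)."""
from collections import deque


def reachable(segments, allowed_flows, start):
    """Segments reachable from `start` by following permitted flows transitively.

    `allowed_flows` is a list of (source, destination) pairs; any pair not
    listed is denied.
    """
    adjacency = {segment: set() for segment in segments}
    for src, dst in allowed_flows:
        adjacency[src].add(dst)
    seen = {start}
    queue = deque([start])
    while queue:  # breadth-first search over the flow graph
        current = queue.popleft()
        for nxt in adjacency[current] - seen:
            seen.add(nxt)
            queue.append(nxt)
    return seen


def blast_radius(segments, allowed_flows, systems, compromised_segment):
    """Systems an intruder who controls `compromised_segment` could reach, sorted by name."""
    zones = reachable(segments, allowed_flows, compromised_segment)
    return sorted(name for name, segment in systems.items() if segment in zones)


def demo():
    # Constructed sample environment: five segments, a fairly flat policy, five systems.
    segments = ["users", "servers", "finance", "management", "quarantine"]
    flows = [
        ("users", "servers"), ("users", "finance"), ("servers", "finance"),
        ("management", "users"), ("management", "servers"), ("management", "finance"),
        # deliberately nothing is permitted out of "quarantine"
    ]
    systems = {
        "ws-0417": "users", "ws-0502": "users", "app01": "servers",
        "db-payroll": "finance", "jump01": "management",
    }
    result = {"before": blast_radius(segments, flows, systems, "users")}

    # Response 1: move the crucial payroll database to a new protected segment
    # that only the management segment may reach.
    segments.append("protected")
    flows.append(("management", "protected"))
    systems["db-payroll"] = "protected"
    result["crucial_moved"] = blast_radius(segments, flows, systems, "users")

    # Response 2: move the infected workstation into the quarantine segment,
    # from which no flow is permitted; its reach collapses to itself.
    systems["ws-0417"] = "quarantine"
    result["infected_quarantined"] = blast_radius(segments, flows, systems, "quarantine")
    return result
```

The "before" result is the reason flat networks are dangerous: a single compromised workstation segment reaches the application servers and the payroll database through permitted flows alone, without any exploit of the segmentation itself.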
🪁SOAR
SOAR stands for Security Orchestration, Automation, and Response. It's a term coined by Gartner to describe the convergence of three distinct technology markets: security orchestration and automation, security incident response platforms (SIRP), and threat intelligence platforms (TIP).
SOAR tools allow organizations to collect data about security threats from multiple sources and respond to low-level security events without human intervention.
The goal of a SOAR platform is to improve the efficiency of physical and digital security operations.
Here's how SOAR works:
Orchestration: This involves integrating various security technologies and systems, and coordinating automated incident response actions across them.
Automation: This involves automating repetitive and manual tasks, allowing security teams to focus on higher-level strategy and decision-making.
Response: This involves managing, responding to, and mitigating cyber threats based on predefined processes and workflows.
Runbooks and playbooks are both important tools used in incident response and IT operations management.
They provide structured, documented procedures for handling various situations.
However, they are used in slightly different contexts and serve different purposes.
♻️Runbook
Runbook: A runbook is a set of routine operations that are followed to maintain a system or network.
These operations are usually repetitive and can often be automated. Runbooks are typically used in IT operations to ensure that systems are maintained consistently and efficiently. They provide detailed, step-by-step instructions for routine tasks such as system backups, server restarts, or hardware installations. The goal of a runbook is to standardize these procedures, reduce human error, and make it easier to delegate tasks.
🏈Playbook
Playbook: A playbook, on the other hand, is used in more complex or unpredictable situations, such as incident response.
It provides a framework for decision-making and action in response to specific events or scenarios. Playbooks often include decision trees or flowcharts to guide the response to different situations. They are typically used in cybersecurity to guide the response to various types of security incidents, such as a data breach or a malware infection. The goal of a playbook is to ensure a consistent and effective response to these incidents, even under pressure.
In summary, while both runbooks and playbooks provide structured procedures for handling various situations, runbooks are typically used for routine, repetitive tasks (often automated), while playbooks are used for more complex, event-driven scenarios that require decision-making and may involve manual intervention.
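The SOAR description above (orchestration, automation, response, with low-level events handled without a human) and the playbook's decision tree fit together in one small engine. The following is an added example, not from the page or from any SOAR product: the alerts, the threat-intelligence table and the tool connectors are constructed stand-ins for a SIEM feed, a TIP lookup and the EDR, URL-filter, firewall and ticketing APIs a real platform would orchestrate. The playbook enriches each alert with intelligence, acts automatically on well-understood low-level cases, and opens a ticket for anything ambiguous or operationally disruptive (here, isolating a server). Indicators use reserved documentation values.

```python
"""SOAR-style playbook with automated low-level response and escalation (added example)."""
from dataclasses import dataclass, field


@dataclass
class Alert:
    alert_id: str
    kind: str         # "phishing_url" | "c2_connection" | anything else
    indicator: str    # URL/domain or IP taken from the alert
    host: str
    asset_tier: str   # "workstation" | "server"


# Constructed threat-intelligence feed standing in for a TIP lookup.
THREAT_INTEL = {
    "login-reset.example": "credential phishing",
    "203.0.113.10": "known command-and-control",
}


@dataclass
class Orchestrator:
    """Connectors to security tools; real ones would call each product's API."""
    actions: list = field(default_factory=list)
    tickets: list = field(default_factory=list)

    def block_domain(self, domain):
        self.actions.append(("url_filter_block", domain))

    def block_ip(self, ip):
        self.actions.append(("firewall_block", ip))

    def isolate_host(self, host):
        self.actions.append(("edr_isolate", host))

    def open_ticket(self, alert, reason):
        self.tickets.append((alert.alert_id, reason))


def enrich(alert):
    """Automation step: add threat-intelligence context before deciding anything."""
    return THREAT_INTEL.get(alert.indicator)


def playbook(alert, orch):
    """Decision tree for the response step.

    Well-understood low-level events are handled without a human; ambiguous
    cases and disruptive actions (isolating a server) go to an analyst.
    """
    intel = enrich(alert)
    if alert.kind == "phishing_url":
        if intel is None:
            orch.open_ticket(alert, "unknown URL, needs analyst review")
            return "escalated"
        orch.block_domain(alert.indicator)
        return "auto_blocked"
    if alert.kind == "c2_connection":
        orch.block_ip(alert.indicator)  # blocking the destination is always safe
        if alert.asset_tier == "workstation":
            orch.isolate_host(alert.host)
            return "auto_contained"
        orch.open_ticket(alert, "server talking to C2, approve isolation")
        return "blocked_and_escalated"
    orch.open_ticket(alert, f"no playbook for {alert.kind}")
    return "escalated"


def demo():
    """Run four constructed alerts through the playbook and return outcomes plus tool state."""
    orch = Orchestrator()
    alerts = [
        Alert("A-1", "phishing_url", "login-reset.example", "ws-0417", "workstation"),
        Alert("A-2", "phishing_url", "newsletter.example", "ws-0502", "workstation"),
        Alert("A-3", "c2_connection", "203.0.113.10", "ws-0417", "workstation"),
        Alert("A-4", "c2_connection", "203.0.113.10", "app01", "server"),
    ]
    outcomes = {alert.alert_id: playbook(alert, orch) for alert in alerts}
    return outcomes, orch
```

Note the asymmetry that makes this a playbook rather than a runbook: the same C2 indicator produces full automatic containment for a workstation but only a block plus a ticket for a server, because isolating a server is the kind of business-impacting decision the text says should involve stakeholders.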