Fahd Aomari, Last Edit: September 12, 2024 10:56 PM

Incident Response

Incident response is a critical part of a SOC analyst’s role. In well-structured teams, there might be a dedicated incident responder, but often, incident response is just one of the many skills a SOC analyst needs to possess. While each team structure has pros and cons, our focus here is on the incident response process itself. In essence, incident response is about addressing and mitigating security incidents when they occur. To illustrate this, let’s explore a scenario.

TechNova Industries: A Security Breach

TechNova Industries, a mid-sized software development company, recently fell victim to a serious security incident. The attacker, known as “ShadowFox”, exploited a SQL injection vulnerability in their customer support portal. This initial foothold allowed them to deploy a custom backdoor on the web server. From there, they moved deeper into the network by exploiting a zero-day vulnerability in TechNova’s VPN software.

Once inside, ShadowFox gained access to a developer’s workstation with elevated privileges, enabling them to exfiltrate valuable source code and customer data to a command and control (C2) server over an encrypted channel. To ensure continued access, they created several fake admin accounts and installed a rootkit on critical servers.

Now this is an incident. Is there any model to handle it? Yes, there is PICERL, which stands for Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned.

PICERL MODEL

It's an easy model; I will explain each phase for you. But before that, don't you notice the similarity between this model and one usually used in software engineering? Yes, waterfall :D What do we remember of it? Rigid, static and too linear. It focuses too much on completion and lacks feedback loops. I'm sure you don't wanna miss any of the attacker's processes, but say you did miss one in the identification phase: with no way to loop back, the attacker can just keep living in your nest. Ah, and obviously your recovery plans fall apart too. And here comes a better model:

DIAR (Dynamic Approach To Incident Response)


Preparation

You gotta know what your company cares about, right? Like, what’s the big deal to them? Their policies? You can’t just yank the plug on some crucial network without asking first. And imagine going after some regular HR person’s computer issue when the database is melting down – if data’s your company’s bread and butter, that’s where you need to be.

Next up, keep an eye on what’s happening in your company’s network. Think of it like having security cameras everywhere. You need to see what’s going on, both on the network itself and on individual computers. There’s a whole debate about which is better to watch, but the truth is, you need both. And remember, collecting logs is useless if no one looks at them!

Another thing companies mess up on is not having a plan for when things break. Like, if you get a nasty computer virus, sometimes the fastest way to fix it is to wipe the whole computer and start fresh. But you can’t do that if you don’t have backups and a plan!

Lastly, don’t forget about your incident response team. They need training, practice runs (like those tabletop exercises), and they gotta know the rules of the game – you know, ethics and all that.

So, basically, being prepared means knowing your company, watching your network, having a backup plan, and making sure your team is ready for anything.

Detection

So, figuring out if something’s fishy – that’s detection, right? It’s like your firewall or network alarm going off, or someone spotting something weird happening. Maybe you got an alert from your IDS, or something looks off in your Windows logs. A user from Morocco logging in from China? That’s definitely suspicious. Sometimes, it’s obvious, like a website getting messed up. Other times, you might need to dig deeper, like a full-on detective investigation. Or maybe some good threat intelligence tipped you off. Worst-case scenario? A buddy tells you your company’s data is all over some dark web forum.

Once you know something’s up, you gotta check if it’s the real deal or a false alarm. That’s verification. Then comes triage – figuring out what kind of mess you’re dealing with. This helps you decide what to do and how important it is to the higher-ups.

There are fancy tools to keep track of everything, but a lot of folks still use good old spreadsheets. Oh, and there's this cool CrowdStrike thing (it can be ironic sometimes tho) that helps too!

Scoping

The bad guys are already inside your network, past the firewall. They're not just gonna sit there; they wanna explore and cause trouble. They'll try to jump from one computer to another, like hopping across stepping stones, looking for valuable stuff or ways to cause more damage. That's called "lateral movement", and they've got tons of sneaky ways to do it, often looking like normal work stuff.

That means you gotta figure out where they are, which can be tricky, especially if they’ve been hopping around for a while. And things can change! You might find more infected computers or realize some were just misbehaving, not actually hacked. New clues can pop up too, so you gotta keep scanning.

Use all your tools: firewalls, alarms, anything that can help spot their movements. And don’t be afraid to write some code to sniff out those bad guys. It’s like a detective game, but the stakes are high!
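As an added example (not code from the original post), here are two of the checks the Detection and Scoping phases talk about, run over constructed Windows 4624-style logon events: the "user from Morocco logging in from China" signal, and a source host hopping to many destinations in a short window. The field names and the pre-resolved `country` value are assumptions; real logs need a GeoIP lookup for the country.

```python
# Added example, not code from the original post: Detection and Scoping checks
# over constructed Windows 4624-style logon events. Field names and the
# pre-resolved "country" value are assumptions (real logs need GeoIP).
from collections import defaultdict
from datetime import datetime, timedelta

FIELDS = ("ts", "user", "country", "src", "dst", "logon_type")
EVENTS = [dict(zip(FIELDS, r)) for r in [  # constructed sample data
    ("2024-09-12T08:00:00", "amina", "MA", "WS-HR-03", "FILESRV-01", 3),
    ("2024-09-12T09:30:00", "amina", "CN", "UNKNOWN", "VPN-GW", 10),
    ("2024-09-12T10:00:00", "devadmin", "MA", "DEV-WS-07", "BUILD-01", 3),
    ("2024-09-12T10:02:00", "devadmin", "MA", "DEV-WS-07", "DB-01", 3),
    ("2024-09-12T10:05:00", "devadmin", "MA", "DEV-WS-07", "FILESRV-01", 3),
    ("2024-09-12T10:07:00", "devadmin", "MA", "DEV-WS-07", "DC-01", 3),
    ("2024-09-12T11:00:00", "youssef", "MA", "WS-FIN-02", "FILESRV-01", 3),
]]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def impossible_travel(events, window_hours=6):
    """Users seen from two different countries within window_hours
    (the 'Morocco user logging in from China' signal). Sorted list of users."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[e["user"]].append(e)
    hits = set()
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):  # consecutive logons of the same user
            if a["country"] != b["country"] and _ts(b) - _ts(a) <= timedelta(hours=window_hours):
                hits.add(user)
    return sorted(hits)

def lateral_fanout(events, window_minutes=15, min_hosts=3):
    """Source hosts opening network/RDP logons (types 3 and 10) to >= min_hosts
    distinct destinations in a sliding window: {src: sorted destinations}."""
    by_src = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["logon_type"] in (3, 10):
            by_src[e["src"]].append(e)
    window = timedelta(minutes=window_minutes)
    hits = {}
    for src, evs in by_src.items():
        for i, start in enumerate(evs):  # slide the window start over each logon
            dsts = {x["dst"] for x in evs[i:] if _ts(x) - _ts(start) <= window}
            if len(dsts) >= min_hosts:
                hits[src] = sorted(dsts)
                break
    return hits
```

Every host that `lateral_fanout` returns is a scoping lead to go and check, not proof of compromise: a backup server or an admin jump box will fan out like this every day, so tune the thresholds to your own baseline.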

Containment

You found where they are, so now you need to stop them, or lock them up. Here you should have done proper scoping; otherwise it leads to improper containment.

Examples :

  • Isolation: either physically unplug the network cable (AND PLUG IT INTO ANOTHER SWITCH, I will explain why later :D) or just move it to an empty private VLAN.
  • Patching the system.
  • Removing backdoors, accounts or other C2 mechanisms.
  • Adding rules to the firewall/router…

Some of these activities may coincide with other phases, like eradication. That's why you go dynamic rather than linear.

Containment can be done in steps. Maybe you lock them out of the living room first, then the kitchen, and so on. Sometimes you gotta do it this way because the boss needs the TV to work, even if it means the bad guys can still mess with the fridge for a bit. Or maybe you need to catch them red-handed, so you gotta be sneaky and not tip them off.

Eradication

Imagine the bad guys ransacked your house. Containment was about locking them out of the rooms they were still in. Eradication is about cleaning up the mess they made.

It’s like going back in time, undoing all the damage. You might restore your computer from a backup, delete their secret accounts, or even fix those leaky windows they might have used to sneak in later. It’s about making sure they can’t come back and cause more trouble.

Sometimes, you gotta do more than just clean up. Maybe they stole some money, so you gotta deal with that. Or maybe they messed with your computer programs, so you gotta fix those too.

And hey, some of this cleaning up might even help you get back to normal life faster! It’s like fixing the broken window so you don’t have to freeze at night. Remember, the main goal is to get your house back to how it was before those bad guys showed up!

Recovery

So, containment and eradication were all about kicking out the bad guys and cleaning up the mess. But now it’s time to get your house back in order – that’s recovery. It’s all about getting back to normal life as quickly as possible.

You might think it’s easier to just fix the broken stuff, but sometimes it’s most cost-effective to start fresh. Imagine the bad guys hid a secret key somewhere in your house. You could spend forever looking for it, or you could just change all the locks and be done with it. That’s what rebuilding a compromised system is like. It’s faster and safer.

Of course, you can’t always just shut down your whole house while you rebuild. So, you might need some temporary fixes, like changing passwords or blocking certain rooms, to buy you some time.

And when you’re ready to restore things, try to do it when everyone’s asleep. It’s easier to keep an eye on things when there’s less activity, but it also means your house will be out of commission for longer. So, if that’s gonna mess up everyone’s schedule too much, they might not listen to your advice. It’s all about finding the right balance!

Remediation

Containment was stopping the water from coming in, eradication was getting rid of the water already inside. Remediation is fixing the leaky pipe that caused the flood in the first place.

Sometimes, the fix is easy, like changing a weak password. But you gotta ask yourself, “Why was that password so weak in the first place?” Was it someone’s mistake, or is the whole system messed up?

Finding the root cause can be tricky, like figuring out why the pipe burst. Maybe it was old, maybe someone hit it with a hammer, or maybe it was installed wrong from the start. You gotta dig deep and ask lots of questions to figure it out.

Once you’ve fixed the problem and your house is dry again, you gotta keep an eye on things. If the bad guys left a secret entrance, they might try to come back. So, watch your security cameras, check your logs, and be on the lookout for anything suspicious.

Post-Incident

Now it's time for the closing and making the report.

Ah, the best time to ask your stakeholders for an upgrade is now, right after an incident.

See Also

Incident Response - Windows Live Examination