Segmentation

Cybersecurity analysts often use network segmentation as a proactive strategy to prevent the spread of future security incidents. For example, the network shown in Figure 14.2 is designed to segment different types of users from each other and from critical systems. An attacker who is able to gain access to the guest network would not be able to interact with systems belonging to employees or in the datacenter without traversing the network firewall.

You learned how network segmentation is used as a proactive control in a defense-in-depth approach to information security in Chapter 7, “Infrastructure Security and Controls.”

In addition to being used as a proactive control, network segmentation may play a crucial role in incident response. During the early stages of an incident, responders may realize that a portion of systems are compromised but wish to continue to observe the activity on those systems while they determine other appropriate responses. However, they certainly want to protect other systems on the network from those potentially compromised systems.

Figure 14.3 shows an example of how an organization might apply network segmentation during an incident response effort. Cybersecurity analysts suspect that several systems in the datacenter were compromised and built a separate virtual LAN (VLAN) to contain those systems. That VLAN, called the quarantine network, is segmented from the rest of the datacenter network and controlled by very strict firewall rules. Putting the systems on this network segment provides some degree of isolation, preventing them from damaging systems on other segments but allowing continued live analysis efforts.

Isolation

Although segmentation does limit the access that attackers have to the remainder of the network, it sometimes doesn't go far enough to meet containment objectives. Cybersecurity analysts may instead decide that it is necessary to use stronger isolation practices to cut off an attack. Two primary isolation techniques may be used during a cybersecurity incident response effort: isolating affected systems and isolating the attacker.

Isolating the Attacker

Isolating the attacker is an interesting variation on the isolation strategy and depends on the use of sandbox systems that are set up purely to monitor attacker activity and that do not contain any information or resources of value to the attacker. Placing attackers in a sandboxed environment allows continued observation in a fairly safe, contained environment. Some organizations use honeypot systems for this purpose. For more information on honeypots, see Chapter 1, “Today's Cybersecurity Analyst.”

Removal

Removal of compromised systems from the network is the strongest containment technique in the cybersecurity analyst's incident response toolkit. As shown in Figure 14.5, removal differs from segmentation and isolation in that the affected systems are completely disconnected from other networks, although they may still be allowed to communicate with other compromised systems within the quarantine VLAN. In some cases, each suspect system may be physically disconnected from the network so that they are prevented from communicating even with each other. The exact details of removal will depend on the circumstances of the incident and the professional judgment of incident responders.

Evidence Gathering and Handling

The primary objective during the containment phase of incident response is to limit the damage to the organization and its resources. Although that objective may take precedence over other goals, responders may still be interested in gathering evidence during the containment process. This evidence can be crucial in the continuing analysis of the incident for internal purposes, or it can be used during legal proceedings against the attacker.

Chapter 7 provided a thorough review of the forensic strategies that might be used during an incident investigation. Chapter 1 also included information on reverse engineering practices that may be helpful during an incident investigation.

If incident handlers suspect that evidence gathered during an investigation may be used in court, they should take special care to preserve and document evidence during the course of their investigation. NIST recommends that investigators maintain a detailed evidence log that includes the following:

• Identifying information (for example, the location, serial number, model number, hostname, MAC addresses, and IP addresses of a computer)
• Name, title, and phone number of each individual who collected or handled the evidence during the investigation
• Time and date (including time zone) of each occurrence of evidence handling
• Locations where the evidence was stored

Failure to maintain accurate logs will bring the evidence chain-of-custody into question and may cause the evidence to be inadmissible in court.

Identifying Attackers

Identifying the perpetrators of a cybersecurity incident is a complex task that often leads investigators down a winding path of redirected hosts that crosses international borders. Although you might find IP address records stored in your logs, it is incredibly unlikely that they correspond to the actual IP address of the attacker. Any attacker other than the most rank of amateurs will relay their communications through a series of compromised systems, making it very difficult to trace their actual origin.

Before heading down this path of investigating an attack's origin, it's very important to ask yourself why you are pursuing it. Is there really business value in uncovering who attacked you, or would your time be better spent on containment, eradication, and recovery activities? The NIST Computer Security Incident Handling Guide addresses this issue head on, giving the opinion that “Identifying an attacking host can be a time-consuming and futile process that can prevent a team from achieving its primary goal—minimizing the business impact.”

Law enforcement officials may approach this situation with objectives that differ from those of the attacked organization's cybersecurity analysts. After all, one of the core responsibilities of law enforcement organizations is to identify criminals, arrest them, and bring them to trial. That responsibility may conflict with the core cybersecurity objectives of containment, eradication, and recovery. Cybersecurity and business leaders should take this conflict into consideration when deciding whether to involve law enforcement agencies in an incident investigation and the degree of cooperation they will provide to an investigation that is already underway.

Reconstruction and Reimaging

During an incident, attackers may compromise one or more systems through the use of malware, web application attacks, or other exploits. Once an attacker gains control of a system, security professionals should consider it completely compromised and untrustworthy. It is not safe to simply correct the security issue and move on because the attacker may still have an undetected foothold on the compromised system. Instead, the system should be rebuilt, either from scratch or by using an image or backup of the system from a known secure state.

Rebuilding and/or restoring systems should always be done with the incident root cause analysis in mind. If the system was compromised because it contained a security vulnerability, as opposed to through the use of a compromised user account, backups and images of that system likely have that same vulnerability. Even rebuilding the system from scratch may reintroduce the earlier vulnerability, rendering the system susceptible to the same attack. During the recovery phase, administrators should ensure that rebuilt or restored systems are remediated to address known security issues.

Patching Systems and Applications

During the incident recovery effort, cybersecurity analysts will patch operating systems and applications involved in the attack. This is also a good time to review the security patch status of all systems in the enterprise, addressing other security issues that may lurk behind the scenes.

Cybersecurity analysts should first focus their efforts on systems that were directly involved in the compromise and then work their way outward, addressing systems that were indirectly related to the compromise before touching systems that were not involved at all. Figure 14.6 shows the phased approach that cybersecurity analysts should take to patching systems and applications during the recovery phase.

Sanitization and Secure Disposal

During the recovery effort, cybersecurity analysts may need to dispose of or repurpose media from systems that were compromised during the incident. In those cases, special care should be taken to ensure that sensitive information that was stored on that media is not compromised. Responders don't want the recovery effort from one incident to lead to a second incident!

Generally speaking, there are three options available for the secure disposition of media containing sensitive information: clear, purge, and destroy. NIST defines these three activities clearing in NIST SP 800-88: Guidelines for Media Sanitization:

• Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple noninvasive data recovery techniques; this is typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state (where rewriting is not supported).
• Purge applies physical or logical techniques that render target data recovery infeasible using state-of-the-art laboratory techniques. Examples of purging activities include overwriting, block erase, and cryptographic erase activities when performed through the use of dedicated, standardized device commands. Degaussing is another form of purging that uses extremely strong magnetic fields to disrupt the data stored on a device.
• Destroy renders target data recovery infeasible using state-of-the-art laboratory techniques and results in the subsequent inability to use the media for storage of data. Destruction techniques include disintegration, pulverization, melting, and incinerating.

These three levels of data disposal are listed in increasing order of effectiveness as well as difficulty and cost. Physically incinerating a hard drive, for example, removes any possibility that data will be recovered but requires the use of an incinerator and renders the drive unusable for future purposes.

Figure 14.7 shows a flowchart designed to help security decision makers choose appropriate techniques for destroying information and can be used to guide incident recovery efforts. Notice that the flowchart includes a Validation phase after efforts to clear, purge, or destroy data. Validation ensures that the media sanitization was successful and that remnant data does not exist on the sanitized media.

Validating the Recovery Effort

Before concluding the recovery effort, incident responders should take time to verify that the recovery measures put in place were successful. The exact nature of this verification will depend on the technical circumstances of the incident and the organization's infrastructure. Four activities that should always be included in these validation efforts follow:

• Validate that only authorized user accounts exist on every system and application in the organization. In many cases, organizations already undertake periodic account reviews that verify the authorization for every account. This process should be used during the recovery validation effort.
• Verify the proper restoration of permissions assigned to each account. During the account review, responders should also verify that accounts do not have extraneous permissions that violate the principle of least privilege. This is true for normal user accounts, administrator accounts, and service accounts.
• Verify that all systems are logging properly. Every system and application should be configured to log security-related information to a level that is consistent with the organization's logging policy. Those log records should be sent to a centralized log repository that preserves them for archival use. The validation phase should include verification that these logs are properly configured and received by the repository.
• Conduct vulnerability scans on all systems. Vulnerability scans play an important role in verifying that systems are safeguarded against future attacks. Analysts should run thorough scans against systems and initiate remediation workflows where necessary. For more information on this process, see Chapter 4, “Designing a Vulnerability Management Program,” and Chapter 5, “Analyzing Vulnerability Scans.”

These actions form the core of an incident recovery validation effort and should be complemented with other activities that validate the specific controls put in place during the Containment, Eradication, and Recovery phase of incident response.

Managing Change Control Processes

During the containment, eradication, and recovery process, responders may have bypassed the organization's normal change control and configuration management processes in an effort to respond to the incident in an expedient manner. These processes provide important management controls and documentation of the organization's technical infrastructure. Once the urgency of response efforts pass, the responders should turn back to these processes and use them to document any emergency changes made during the incident response effort.

Conducting a Lessons Learned Session

At the conclusion of every cybersecurity incident, everyone involved in the response should participate in a formal lessons learned session that is designed to uncover critical information about the response. This session also highlights potential deficiencies in the incident response plan and procedures. For more information on conducting the post-incident lessons learned session, see the “Lessons Learned Review” section in Chapter 11.

During the lessons learned session, the organization may uncover potential changes to the incident response plan. In those cases, the leader should propose those changes and move them through the organization's formal change process to improve future incident response efforts.

During an incident investigation, the team may encounter new indicators of compromise (IOCs) based on the tools, techniques, and tactics used by attackers. As part of the lessons learned review, the team should clearly identify any new IOC and make recommendations for updating the organization's security monitoring program to include those IOCs. This will reduce the likelihood of a similar incident escaping attention in the future.

Developing a Final Report

Every incident that activates the CSIRT should conclude with a formal written report that documents the incident for posterity. This serves several important purposes. First, it creates an institutional memory of the incident that is useful when developing new security controls and training new security team members. Second, it may serve as an important record of the incident if there is legal action that results from the incident. Finally, the act of creating the written report can help identify previously undetected deficiencies in the incident response process that may feed back through the lessons learned process.

Important elements that the CSIRT should cover in a postincident report include the following:

• Chronology of events for the incident and response efforts
• Root cause of the incident
• Location and description of evidence collected during the incident response process
• Specific actions taken by responders to contain, eradicate, and recover from the incident, including the rationale for those decisions
• Estimates of the impact of the incident on the organization and its stakeholders
• Results of postrecovery validation efforts
• Documentation of issues identified during the lessons learned review

Incident summary reports should be classified in accordance with the organization's classification policy and stored in an appropriately secured manner. The organization should also have a defined retention period for incident reports and destroy old reports when they exceed that period.

Evidence Retention

At the conclusion of an incident, the team should make a formal determination about the disposition of evidence collected during the incident. If the evidence is no longer required, then it should be destroyed in accordance with the organization's data disposal procedures. If the evidence will be preserved for future use, it should be placed in a secure evidence repository with the chain of custody maintained.

The decision to retain evidence depends on several factors, including whether the incident is likely to result in criminal or civil action and the impact of the incident on the organization. This topic should be directly addressed in an organization's incident response procedures.

Activity 14.1: Incident Containment Options

Label each one of the following figures with the type of incident containment activity pictured.

________________________________________

________________________________________

________________________________________

Activity 14.2: Incident Response Activities

For each of the following incident response activities, assign it to one of the following CompTIA categories:

• Containment
• Eradication
• Validation
• Postincident Activities

Remember that the categories assigned by CompTIA differ from those used by NIST and other incident handling standards.

• Patching  ___________________
• Sanitization  ___________________
• Lessons learned  ___________________
• Reimaging  ___________________
• Secure disposal  ___________________
• Isolation  ___________________
• Scanning  ___________________
• Removal  ___________________
• Reconstruction  ___________________
• Permission verification  ___________________
• User account review  ___________________
• Segmentation  ___________________

Activity 14.3: Sanitization and Disposal Techniques

Fill in the flowchart with the appropriate dispositions for information being destroyed following a security incident.

Each box should be completed using one of the following three words:

• Clear
• Purge
• Destroy

1. Which one of the phases of incident response involves primarily active undertakings designed to limit the damage that an attacker might cause?
   1. Containment, Eradication, and Recovery
   2. Preparation
   3. Postincident Activity
   4. Detection and Analysis
2. Which one of the following criteria is not normally used when evaluating the appropriateness of a cybersecurity incident containment strategy?
   1. Effectiveness of the strategy
   2. Evidence preservation requirements
   3. Log records generated by the strategy
   4. Cost of the strategy
3. Alice is responding to a cybersecurity incident and notices a system that she suspects is compromised. She places this system on a quarantine VLAN with limited access to other networked systems. What containment strategy is Alice pursuing?
   1. Eradication
   2. Isolation
   3. Segmentation
   4. Removal
4. Alice confers with other team members and decides that even allowing limited access to other systems is an unacceptable risk and decides instead to prevent the quarantine VLAN from accessing any other systems by putting firewall rules in place that limit access to other enterprise systems. The attacker can still control the system to allow Alice to continue monitoring the incident. What strategy is she now pursuing?
   1. Eradication
   2. Isolation
   3. Segmentation
   4. Removal
5. After observing the attacker, Alice decides to remove the Internet connection entirely, leaving the systems running but inaccessible from outside the quarantine VLAN. What strategy is she now pursuing?
   1. Eradication
   2. Isolation
   3. Segmentation
   4. Removal
6. Which one of the following tools may be used to isolate an attacker so that they may not cause damage to production systems but may still be observed by cybersecurity analysts?
   1. Sandbox
   2. Playpen
   3. IDS
   4. DLP
7. Tamara is a cybersecurity analyst for a private business that is suffering a security breach. She believes the attackers have compromised a database containing sensitive information. Which one of the following activities should be Tamara's first priority?
   1. Identifying the source of the attack
   2. Eradication
   3. Containment
   4. Recovery
8. Which one of the following activities does CompTIA classify as part of the recovery validation effort?
   1. Rebuilding systems
   2. Sanitization
   3. Secure disposal
   4. Scanning
9. Which one of the following pieces of information is most critical to conducting a solid incident recovery effort?
   1. Identity of the attacker
   2. Time of the attack
   3. Root cause of the attack
   4. Attacks on other organizations
10. Lynda is disposing of a drive containing sensitive information that was collected during the response to a cybersecurity incident. The information is categorized as a high security risk and she wishes to reuse the media during a future incident. What is the appropriate disposition for this information?
    1. Clear
    2. Erase
    3. Purge
    4. Destroy
11. Which one of the following activities is not normally conducted during the recovery validation phase?
    1. Verify the permissions assigned to each account
    2. Implement new firewall rules
    3. Conduct vulnerability scans
    4. Verify logging is functioning properly
12. What incident response activity focuses on removing any artifacts of the incident that may remain on the organization's network?
    1. Containment
    2. Recovery
    3. Postincident Activities
    4. Eradication
13. Which one of the following is not a common use of formal incident reports?
    1. Training new team members
    2. Sharing with other organizations
    3. Developing new security controls
    4. Assisting with legal action
14. Which one of the following data elements would not normally be included in an evidence log?
    1. Serial number
    2. Record of handling
    3. Storage location
    4. Malware signatures
15. Sondra determines that an attacker has gained access to a server containing critical business files and wishes to ensure that the attacker cannot delete those files. Which one of the following strategies would meet Sondra's goal?
    1. Isolation
    2. Segmentation
    3. Removal
    4. None of the above
16. Joe would like to determine the appropriate disposition of a flash drive used to gather highly sensitive evidence during an incident response effort. He does not need to reuse the drive but wants to return it to its owner, an outside contractor. What is the appropriate disposition?
    1. Destroy
    2. Clear
    3. Erase
    4. Purge
17. Which one of the following is not typically found in a cybersecurity incident report?
    1. Chronology of events
    2. Identity of the attacker
    3. Estimates of impact
    4. Documentation of lessons learned
18. What NIST publication contains guidance on cybersecurity incident handling?
    1. SP 800-53
    2. SP 800-88
    3. SP 800-18
    4. SP 800-61
19. Which one of the following is not a purging activity?
    1. Resetting to factory state
    2. Overwriting
    3. Block erase
    4. Cryptographic erase
20. Ben is responding to a security incident and determines that the attacker is using systems on Ben's network to attack a third party. Which one of the following containment approaches will prevent Ben's systems from being used in this manner?
    1. Removal
    2. Isolation
    3. Detection
    4. Segmentation