Picking up where we left off in the last blog, we will cover the next two steps in our breach response process: preserving artifacts and stopping the bleeding of data from your environment.
This blog features excerpts from our upcoming white paper, Oh #@$%! You’ve Been Breached.
Step Two: Preserve Artifacts
Once you have the team up to speed, you can begin the “cycle of investigation.” It’s a thorough and long process, sometimes taking several weeks to complete discovery.
This is where the second step occurs: preserving artifacts as part of the investigation. Each team investigates the breach through its own data streams and logs its findings. This information is time sensitive and should be preserved as quickly as possible.
What each team* will be looking for:
- Firewall team – Compare the existing policy against what it should be
- Security Architecture – Determine whether the network was altered
- NOC – Traffic volumes, inbound vs. outbound, during the estimated time of the breach
- Network Admins – Anomalous accounts
*These teams were discussed in step two, Assemble Your Team, of our last blog.
Step Four: Stop the bleeding
This is essentially the “remediation” part of the process, and it will vary the most of all the steps, since IT systems, processes and resources differ among organizations.
Excerpt from our upcoming white paper:
Stop the bleeding
In order to stop the exfiltration of data, it may be necessary to shut down one or more applications. Whether or not you take this action depends on how the breach occurred and the extent of remedial action required. When you believe you have stopped the exfiltration of data, continue monitoring to ensure that your efforts were completely successful before returning to normal operations. If exfiltration continues, you will need to repeat your remedial measures. You must also close the door that the threat actors used to gain access. Once you have shut down this vulnerability, once again monitor for continued exfiltration and repeat this step if necessary.
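The NOC's inbound-versus-outbound check from the team list, and the continued monitoring for exfiltration that the excerpt calls for after remediation, can be expressed as a small script over flow records. This is an added example, not code from the original post or the white paper; the log format, host addresses, byte counts and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (not from the original post). Each line is:
# timestamp  host  direction  bytes   where "out" leaves the LAN and "in" enters it.
FLOW_LOG = """\
2024-03-01T09:00:00 10.0.0.5 in 52000
2024-03-01T09:00:00 10.0.0.5 out 4100
2024-03-01T09:05:00 10.0.0.7 in 61000
2024-03-01T09:05:00 10.0.0.7 out 3900
2024-03-01T22:10:00 10.0.0.5 in 1200
2024-03-01T22:10:00 10.0.0.5 out 890000000
2024-03-01T22:12:00 10.0.0.7 in 48000
2024-03-01T22:12:00 10.0.0.7 out 3500
"""

def parse_flows(text):
    """Turn the whitespace-separated log into (timestamp, host, direction, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, direction, nbytes = line.split()
        flows.append((datetime.fromisoformat(ts), host, direction, int(nbytes)))
    return flows

def exfil_candidates(flows, window_start, window_end, factor=10.0, min_out_bytes=1_000_000):
    """Flag hosts whose outbound/inbound byte ratio inside the estimated breach window
    is at least `factor` times their ratio outside it, and whose in-window outbound
    volume exceeds `min_out_bytes`. Returns [(host, in-window outbound bytes)]."""
    start, end = datetime.fromisoformat(window_start), datetime.fromisoformat(window_end)
    # totals[host][period] = [inbound_bytes, outbound_bytes]; period is "window" or "baseline"
    totals = defaultdict(lambda: {"window": [0, 0], "baseline": [0, 0]})
    for ts, host, direction, nbytes in flows:
        period = "window" if start <= ts < end else "baseline"
        totals[host][period][0 if direction == "in" else 1] += nbytes
    flagged = []
    for host, periods in totals.items():
        in_w, out_w = periods["window"]
        in_b, out_b = periods["baseline"]
        ratio_w = out_w / max(in_w, 1)  # guard against hosts that received nothing
        ratio_b = out_b / max(in_b, 1)  # a host with no baseline traffic gets ratio 0,
        # so any sizeable in-window upload from a previously unseen host is flagged
        if out_w >= min_out_bytes and ratio_w >= factor * ratio_b:
            flagged.append((host, out_w))
    return sorted(flagged)
```

Re-running `exfil_candidates` with the window moved to the hours after remediation is the "continue monitoring" step: an empty result is the evidence that the bleeding has stopped.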
The power of backups
Another thought on preserving the evidence: backups. Remember that, at this early stage, you don’t have a reliable idea of what is going on. You must therefore assume the worst, which means that attackers may have planted various kinds of malware in your systems.
To preserve the evidence, you’ll want to back everything up. However, because of the possible malware, you’ll want to set up an isolated server that is not connected to your LAN at all. This prevents malware from working further into your network and across your enterprise.
You can share your completed backups with your investigators. Wait for them to say that they have everything they need. Only then can you begin plugging any holes and getting things back to “normal”.
This is where we’ll pick up things next time: cutting off the exfiltration of data and locking out the attackers for good.