Step 2: Define objectives and investigate the situation
Objectives and scope will be formulated based on identification factors and information gathered to date. These will be directed by client requirements in-line with business continuity and concerns.
Investigation will be an on-going effort from initial identification through to containment and eradication. The main focus of investigation at this stage is to return to normal operation rather than to carry out in-depth analysis; the incident will be triaged as described below.
7Safe will use cyber threat intelligence to clearly understand the tactics, techniques and procedures of the attacker(s), to assist with the definition of objectives and scope, and to remediate more effectively.
Any changes to scope or objectives will be clearly discussed and agreed with the client with written authorisation where additional work is needed above or beyond the initial scope. These changes will be communicated in a timely fashion with the incident team where required.
CSIR consultants will conduct such CSIR services as detailed in Stage 3.2 and 3.3 of the 7Safe CSIR Framework.
Once the incident response team is sure that they have identified a cyber security incident, they will determine the objectives for the response activities that will follow.
7Safe’s approach is to ask the following key questions to build up a better picture of the attacker and their modus operandi, as well as to evaluate the likely threat vectors: the paths or tools that a threat actor (attacker) uses to attack the target (which may be an entire corporate IT system, a user device such as a PC or iPad, your online bank account, or you yourself if they are stealing your identity):
- Who has attacked us?
- What are the scope and the extent of the attack?
- When did the attack occur?
- What did the attackers take from us?
- Why did they do it?
It is not always immediately obvious what information has been disclosed to unauthorised parties, stolen, deleted or corrupted. The incident responder’s role becomes that of a forensic investigator at this point: finding out who did it (i.e. which threat agent or agents) and why (e.g. financial gain, hacktivism, espionage, revenge, challenge, or just for fun). They also have the task of identifying which systems, networks and information assets have been compromised, and quantifying the damage.
Working out how the hacker gained entry to the system will help you to prevent it happening again and may form part of the evidence in a subsequent prosecution.
Cyber threat intelligence
Research conducted into the attackers to determine their capabilities, motives and likely actions can be invaluable in responding to incidents. This can be provided by the government, CERTs, collaborative groups or through the use of our experts, whose work includes building up detailed profiles of cyber attackers to understand their methodologies, their intentions and motivations in carrying out their attacks, and their focus, i.e. is their target a person, the organisation, a market sector, or the government?
Knowing who as well as what you are dealing with improves your response tactics.
The early part of a cyber investigation is often called triage. It consists of:
- Classifying the incident as critical, significant, normal or negligible impact
- Prioritising the incident as high, medium or low
- Assigning incidents to appropriate team members
This is important in determining the correct, proportionate level of incident response.
Many organisations do not have the right tools, systems or knowledge to conduct a suitable investigation in the case of a critical or significant cyber security incident. When the scope and severity are beyond in-house skills, it is a wise move to hire in experts, as this can save your organisation time, money and potentially its reputation.
7Safe’s CSIR team will aim to conduct their first response within a few hours of their engagement, before decisions are made by the client organisation that may adversely affect an investigation. It is a natural reaction on the part of an IT manager to shut down systems that are thought to be infected with malware. This can be a costly mistake as it will alert the hacker that you have identified the infection and could compromise the investigation.
Initial analysis of the incident
Our responders will examine important alerts or suspicious events in logs or technical security monitoring systems (e.g. IDS, IPS, DLP or SIEM), correlate these with network data including data from cloud service providers, and then compare these findings with threat intelligence. In the process, each possible trigger event will be thoroughly investigated, including:
- Internet protocol (IP) address (internal or external)
- Port (source or destination), domain and file (e.g. exe, dll)
- System information including hardware vendor, operating system, applications, purpose, and location.
In this way, our first responders will build up a clear picture of what caused the alerts.
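As an added illustration (not 7Safe’s own tooling), the following Python script shows the initial-analysis and triage steps described above in working form: it parses constructed IDS/DLP-style alert lines, extracts the trigger-event attributes listed (IP addresses, ports, domain, file), enriches each event with system information from a constructed asset inventory, and then classifies impact, priority and assignment. The alert format, the asset inventory, the internal address ranges and the triage rules are all assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample alerts in a simple key=value export format (not taken from the page).
SAMPLE_ALERTS = """\
2024-05-01T09:12:03Z ids src=203.0.113.45:51234 dst=10.0.0.25:445 sig=SMB exploit attempt file=payload.exe
2024-05-01T09:13:10Z dlp src=10.0.0.31:49200 dst=198.51.100.9:443 sig=Large outbound transfer domain=files.example.net
2024-05-01T09:14:22Z ids src=10.0.0.12:3389 dst=10.0.0.40:3389 sig=Port scan
"""
# Constructed asset inventory (hardware vendor / OS / purpose / location) keyed by internal IP.
ASSETS = {
    "10.0.0.25": "Dell / Windows Server 2019 / file server / London DC",
    "10.0.0.31": "HP / Windows 10 / finance workstation / London office",
    "10.0.0.40": "VM / Ubuntu 22.04 / test host / lab",
}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
ALERT_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\w+) src=(?P<sip>[\d.]+):(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+) "
    r"sig=(?P<sig>.+?)(?: (?P<ekey>file|domain)=(?P<eval>\S+))?$")

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def parse_alert(line):
    """Extract the trigger-event attributes: IP (internal/external), port, domain or file, system info."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None  # malformed line: skip rather than guess
    ev = {"ts": m["ts"], "source": m["source"], "sig": m["sig"],
          "src": (m["sip"], int(m["sport"]), is_internal(m["sip"])),
          "dst": (m["dip"], int(m["dport"]), is_internal(m["dip"])),
          "file": None, "domain": None}
    if m["ekey"]:
        ev[m["ekey"]] = m["eval"]
    # Enrich with system information for whichever end of the flow is a known internal asset.
    ev["asset"] = ASSETS.get(m["dip"]) or ASSETS.get(m["sip"])
    return ev

def triage(ev):
    """Classify impact, prioritise and assign (assumed rules, for illustration only)."""
    src_int, dst_int = ev["src"][2], ev["dst"][2]
    if not src_int and dst_int and ev["file"]:             # external source delivering a file to an internal host
        return ("critical", "high", "lead responder")
    if src_int and not dst_int and ev["source"] == "dlp":  # data leaving towards an external domain
        return ("significant", "high", "lead responder")
    if src_int and dst_int:                                # internal-only activity such as a scan between hosts
        return ("normal", "medium", "analyst")
    return ("negligible", "low", "analyst")

def triage_all(text):
    events = [e for e in (parse_alert(l) for l in text.splitlines()) if e]
    return [(ev["ts"], ev["sig"], ev["asset"]) + triage(ev) for ev in events]
```

Each row returned by `triage_all` carries the timestamp, signature and asset description alongside the impact class, priority and assignee, which is the information a responder needs before deciding on a proportionate containment action.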
Step 3: Take appropriate action to contain the incident
An important step in the process is containment. That is, stopping the infection from spreading to other networks and devices both within your organisation and beyond.
At 7Safe, we prioritise actions that are aimed at reducing the immediate impact of the cyber security incident, primarily by removing the attacker’s access to your systems. This does not always mean returning to business as usual, but to make best efforts to return to functionality as normal, while continuing to analyse the incident and plan longer term remediation.
We will contain the incident and isolate any compromised nodes or devices to prevent further infection or lateral movement, allowing the business to resume normal functions. We will also monitor for changes in attack vector or escalation by the attacker in response to containment, ensure that no further compromises of the infrastructure occur, and verify that any tools introduced to assist are malware free.
Once the incident has been contained, we will eradicate the suspect material from the network while preserving evidence to the required evidential standards for more detailed investigation and/or possible future prosecution.
7Safe follows the ACPO Good Practice Guide for Digital Evidence, which we helped to create.
CSIR consultants will conduct such CSIR services as detailed in Stage 3.3 and 3.5 of the 7Safe CSIR Framework.
Our team will look at different containment strategies for different types of major cyber-attack, and produce documented criteria that will facilitate decision-making.
Documented Containment Criteria Report
The output from our reporting process will help your organisation to evaluate the following:
- Potential damage to and theft of resources
- Need for evidence preservation
- Service availability (e.g. network connectivity)
- Time and resources needed to implement the strategy
- Effectiveness of the strategy (e.g. partial containment, full containment)
- Duration of the proposed solution (e.g. emergency workaround to be removed in ‘x’ hours, temporary workaround to be removed in ‘x’ weeks, permanent solution).
Actions necessary to contain the incident
Based on our report of the containment criteria, we will recommend a course of action and, where required, provide the technical services to support this action.
One of your chief priorities in the event of a cyber security incident is to contain the damage, for example, by stopping the malware in your system from spreading to other networks and devices both within your organisation and to any third parties.
Our expert consultants can carry out the following tasks or provide remote or on-site support to enable your IT team to perform any of the following containment actions:
- Blocking (and logging) of unauthorised access
- Blocking malware sources (e.g. email addresses and websites)
- Closing particular ports and mail servers identified as compromised
- Changing system administrator passwords where compromise is suspected
- Firewall filtering
- Relocating website home pages
- Isolating systems.
Business as usual may not be possible in the short term while efforts are made to analyse the incident and plan longer-term remediation. The main consideration here is a first response that is proportionate to the severity of the cyber incident. Delaying containment action because of uncertainty, or over-compensating by closing down ports, mail servers, etc. when the identified risk factors do not justify such action, can make the organisation’s problems worse. The overriding objective of a containment strategy is to make best efforts to return to normal functionality.
Eradicating the cause of the incident
Once the cyber incident has been identified and the causes contained, our team can help you to eradicate the key components of the incident. This can involve removing the attack from the network, deleting malware found on the system, and disabling breached user accounts. Again, these are tasks that are best performed by expert consultants rather than by IT personnel using standard tools such as AV scanners, since advanced technical tasks form an integral part of the eradication process, namely:
- Identifying all the hosts affected within and sometimes beyond your organisation and remediating
- Carrying out malware analysis to better understand the threats posed
- Checking for any response from the attacker to your actions
- Using a risk-based approach, developing a response to future actions by the attacker in the form of preventive actions designed to address the threats
- Allowing sufficient time to ensure that the network is secure and that there is no response from the attacker (evidence from malware analysis and the experience of the incident responder need to be taken into account when deciding timescales)
- Forensic requirements – gathering and preserving evidence.
In order to investigate the cyber incident from the perspective of law enforcement, it is necessary to preserve the evidence and maintain a chain of custody. 7Safe’s expert digital investigation consultants carry out work of this kind for clients in both the public and private sectors, gathering the evidence necessary to bring about a successful prosecution and taking account of the following legal requirements:
- Admissibility of evidence: whether or not the evidence can be used in court
- Weight of evidence: the quality and completeness of the evidence.
They will also help to ensure that the evidence complies with relevant laws, such as:
- Police and Criminal Evidence Act (PACE)
- Data Protection Act 1998
- General Data Protection Regulation (GDPR)
- Computer Misuse Act 1990
- Regulation of Investigatory Powers 2000 (RIPA).
Our team includes former police officers who collect both paper-based and electronic information at the scene. They maintain logs of every action that they take during an investigation so that it can be referred to at a later date and the sequence of events and actions taken can be repeated by opposition experts, if this is a requirement.
We only perform detailed forensic analysis work on copies of evidential material obtained using imaging technology in order to protect the integrity of that material.