August 7, 2019 Detection and response
Julie Brown

Exploring the phases of incident response: visibility, containment, & response

Detection engineer Julie Brown breaks down the three phases of incident response: visibility, containment, and response.

A surge in Emotet outbreaks in recent months has sparked a lively dialogue around lateral movement. While Emotet is the hot topic of the summer, many different malware families use lateral movement to spread within an environment. If you’ve identified lateral movement in your own organization, what do you do next?

At Red Canary, we have classified three phases of remediating lateral movement: visibility, containment, and response. Let’s break down each phase and see how you can apply the methodology to your own environment.

Phase 1. Visibility

Before you can remediate lateral movement or an Emotet infection, you need to know what’s going on in your environment. If you can’t access endpoint data, it is far harder to clean up an Emotet infection entirely, because you cannot tell which hosts are affected or how the malware survives a reboot.

Malware like Emotet tends to gain persistence through scheduled tasks, Windows registry entries, and Windows services—three pieces of data that reside entirely on the endpoint. To ensure the best chances of fast remediation during an outbreak, make sure that you have endpoint and process auditing in place before an incident occurs. Don’t wait until you’re in the middle of an outbreak to get visibility into your environment!

In addition to scheduled tasks, Windows services, and the registry, endpoint visibility also gives you a lens into other telemetry, such as process creation events, command-line parameters, network connections, and file modifications. All of these data points are invaluable when scoping and remediating a malware infection involving lateral movement.
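As an added illustration (not code from the original post or from Red Canary), the following PowerShell script snapshots the three persistence locations named above on a single Windows host, saves the snapshot to CSV so it can be compared against a later run, and prints the entries whose launch path lies in a user-writable directory such as AppData or ProgramData, which is where Emotet-style droppers typically land. The cmdlets are built into Windows 8 / Server 2012 and later. The "suspicious path" list and the CSV naming scheme are the example's own assumptions, and the snapshot is a point-in-time query, not the continuous process, command-line and network telemetry that Sysmon or an EDR agent provides.

```powershell
# Added example (not from the original post): snapshot scheduled tasks,
# registry Run keys and services on one host, then flag launch paths in
# user-writable directories. Run from an elevated PowerShell session.

function Get-PersistenceSnapshot {
    [CmdletBinding()]
    param()

    $entries = New-Object System.Collections.Generic.List[object]

    # 1. Scheduled tasks: every exec action of every registered task
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # skip COM-handler actions, which have no Execute path
            $entries.Add([pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                Command = ("$($action.Execute) $($action.Arguments)").Trim()
                Account = $task.Principal.UserId
                State   = [string]$task.State
            })
        }
    }

    # 2. Registry autoruns: Run/RunOnce for the machine, the 32-bit view, and the current user
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $account = if ($key -like 'HKCU:*') { $env:USERNAME } else { 'machine-wide' }
        $values  = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # drop PSPath/PSParentPath/... metadata properties
            $entries.Add([pscustomobject]@{
                Source  = 'Registry'
                Name    = "$key\$($prop.Name)"
                Command = [string]$prop.Value
                Account = $account
                State   = 'Registered'
            })
        }
    }

    # 3. Services: binary path and the account each service runs as
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $entries.Add([pscustomobject]@{
            Source  = 'Service'
            Name    = $svc.Name
            Command = $svc.PathName
            Account = $svc.StartName
            State   = "$($svc.StartMode)/$($svc.State)"
        })
    }

    return $entries
}

function Test-SuspiciousLaunchPath {
    param([string]$Command)
    # Assumption: a launch path under a user-writable profile or ProgramData directory
    # deserves a second look; legitimate software usually lives under Program Files
    # or the Windows directory. Tune this list for your own environment.
    $suspiciousRoots = @('\AppData\', '\ProgramData\', '\Users\Public\', '\Temp\')
    foreach ($root in $suspiciousRoots) {
        if ($Command -like "*$root*") { return $true }
    }
    return $false
}

$snapshot = Get-PersistenceSnapshot
$stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
# Assumed naming scheme: one CSV per host per run, so two runs can be diffed after cleanup
$snapshot | Export-Csv -Path "$env:COMPUTERNAME-persistence-$stamp.csv" -NoTypeInformation

# Print only the entries worth a human's attention
$snapshot |
    Where-Object { Test-SuspiciousLaunchPath -Command $_.Command } |
    Format-Table Source, Name, Command, Account -AutoSize
```

Run it once on a known-clean build to establish a baseline, and again on a suspect host; anything in the second CSV that is absent from the first is the list of persistence entries to investigate. The path filter is a heuristic only: malware that installs under Program Files or masquerades as a Windows service name will not be flagged, which is why the full snapshot, not just the flagged subset, is written to disk.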

There are both free and paid tools to collect this data from your environment. Free tools such as Sysmon, osquery, and native Windows logging offer a good toolset for organizations with restrictive IT security budgets. However, those savings are often offset by the extra time and frustration administrators spend setting up and operating them. Community support forums are helpful for troubleshooting and getting things moving.

Unfortunately, free tools usually don’t include a central interface for querying the collected data. For example, Windows Event Logs are valuable for auditing user activity, but ingesting and parsing the data is up to the security professional. Paid tools such as Carbon Black, CrowdStrike, and Endgame cost an organization more upfront, but long-term maintenance is simpler and a hunting interface is included with each platform.

Whether a free or paid tool suite makes more sense for your organization, ensure that you have endpoint data collection in place before an incident occurs. Cleaning up an incident without endpoint visibility is much harder, and you’ll lose valuable time setting up new security solutions before you can start remediation. Set up visibility first, before you need it.

Phase 2. Containment

Once you have visibility into your environment and know where an infection has taken hold, you need to keep the malware from spreading. Many Emotet and other malware infections spread aggressively via unsecured network drives or shared administrator credentials. It can be difficult to contain an infection to a small area.

Start by ensuring that you are using all of your existing security tools to their fullest potential. Many host-based antivirus and EDR clients allow you to ban specific binary hashes from executing; use that capability, and any automation the tool offers, to keep the malware you have already identified from executing and spreading further into your environment. Keep in mind that a hash ban only stops the exact binaries you have already seen. Emotet payloads are repacked frequently, so pair hash bans with behavioral detections and with the credential and network controls described below.

On a network level, ensure that you have firewall rules in place to prevent command-and-control (C2) communication to malicious servers outside of your environment. Blocking C2 traffic prevents the malware from receiving instructions, updates, or additional payloads from an outside source, which makes cleaning up an infection more tractable. Because C2 infrastructure changes over time, keep the block list fed from current intelligence rather than treating it as a one-time change.
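The host-firewall side of containment, as an added example rather than anything from the original post: a PowerShell script that turns a list of C2 addresses into tagged outbound block rules in the built-in Windows Firewall, so the rules can be reviewed and retired as a set once the infection is cleaned up. The addresses are constructed from the TEST-NET-3 documentation range for illustration, and the `IR-Emotet` group name is an assumption; on a perimeter firewall the same idea applies with that vendor's rule syntax.

```powershell
# Added example (not from the original post): create, review and retire
# outbound block rules for known C2 addresses on a Windows host.
# Requires an elevated session; the NetSecurity cmdlets ship with
# Windows 8 / Server 2012 and later.

$IndicatorGroup = 'IR-Emotet'   # assumed group name used to tag every rule this script creates

function Add-C2BlockRule {
    param(
        [Parameter(Mandatory)] [string[]] $RemoteAddress,
        [string] $Group = $IndicatorGroup
    )
    foreach ($addr in $RemoteAddress) {
        $name = "$Group-$addr"
        # Skip addresses that already have a rule so the script can be re-run as the indicator list grows
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { continue }
        # One rule per address so a single indicator can be retired without touching the others.
        # Explicit Block rules win over the default outbound Allow, so no other change is needed.
        New-NetFirewallRule -DisplayName $name -Group $Group `
            -Direction Outbound -RemoteAddress $addr -Action Block -Profile Any `
            -Description "Blocked during incident response; remove when $Group is closed" | Out-Null
    }
}

function Get-C2BlockRule {
    param([string] $Group = $IndicatorGroup)
    # Join each rule to its address filter so the review shows what is actually blocked
    Get-NetFirewallRule -Group $Group | ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = $addr; Enabled = $_.Enabled }
    }
}

function Remove-C2BlockRule {
    param([string] $Group = $IndicatorGroup)
    # Retire the whole indicator set at once when the incident is closed
    Get-NetFirewallRule -Group $Group | Remove-NetFirewallRule
}

# Constructed sample indicators (TEST-NET-3 range, not real C2 infrastructure)
$c2 = @('203.0.113.10', '203.0.113.27', '203.0.113.140')
Add-C2BlockRule -RemoteAddress $c2
Get-C2BlockRule | Format-Table -AutoSize
```

In practice these rules should be pushed through Group Policy or your EDR's network-containment feature rather than hand-run on each host; the point of the group tag is that every rule created during the incident can be audited with `Get-C2BlockRule` and removed with `Remove-C2BlockRule` instead of lingering indefinitely.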

Phase 3. Response

This is the time to undo the damage caused by a malware outbreak in your environment. Start your response phase by identifying the issues that caused lateral movement to occur in the first place. If nothing changes in your security posture, the same incident could occur again in the future. Lateral movement often occurs due to inherent security issues, many of which are a tradeoff between security and convenience.

Are your administrative rights properly restrictive? Some organizations choose to give all users local administrator privileges on their endpoints. While this cuts down on the software installation tickets sent to your sysadmin desk, it’s a huge security risk to the organization. Consider restricting local and domain administrator privileges to your system administrators to reduce the risk that an Emotet infection could use shared credentials to spread across your environment. Once you have identified any accounts used to spread the malware, change those credentials as soon as possible. Out-of-date software and firmware can also be abused by malware, so check that all of your systems are properly patched.

Beyond Remediation

Responding to an Emotet infection is an opportunity for infosec professionals to improve their organization’s security posture and better prevent another incident in the future. Tracking metrics throughout the incident response process will allow you to look back on the process and improve efficiency over time.

At Red Canary, we focus on improving our use of automation to detect and respond to Emotet outbreaks in customer environments. Our time-to-detect and time-to-remediate have notably improved with advances in our automated response capabilities. Find the metrics that make sense for your security team to track over time. If visibility is a challenge, track the percentage of your organizational footprint with endpoint visibility. If you have high value assets that cannot be taken offline in the event of a malware outbreak, monitor the patching levels for those assets on a regular basis. Define your goals as they relate to the incident response process, and monitor accordingly. You cannot improve what you cannot measure. Furthermore, documenting improvement in key security metrics is a great way to prove the value added by your security team when you communicate with other parts of your organization.

We have partnered with Kroll to help many customers contain and remediate Emotet outbreaks that use lateral movement to spread aggressively throughout their environments. We have been able to track progress as we improve our time to detect and remediate an infection. To hear more about our partnership with Kroll and lessons learned from the trenches of incident response, tune in to our webinar on Shutting Down Lateral Movement.
