Your Incident Response Plan: Start Here

Build upon these tried-and-true basic response actions as you design a cyber security incident response plan catered to your organization’s unique environment.

Figuring out an incident response plan for your organization can be a daunting item on your to-do list. Whether it’s a malware infection or an unauthorized user discovered on your system, every security incident requires a unique response. So where to begin?

Mature incident response plans may consist of comprehensive flowcharts and detailed playbooks for an exhaustive list of eventualities. These are typically built through experience—compiled by outsourced incident response experts or by internal teams who, over time and across multiple incidents, meticulously document which response actions work and which don’t.

But there’s a problem with this approach. As an incident response plan becomes more sophisticated, it also becomes more specific to the organization that developed it and less applicable to others. Consider this your starting point.

Basic response actions: a handy checklist

The aftermath of a breach or other incident can be chaotic, and the last thing you want is to be making up an incident response plan on the fly. The incident handlers on Red Canary’s Cyber Incident Response Team (CIRT) have seen it all, and after reflecting upon their customer successes, landed on some basic response actions that could make all the difference at any targeted organization, whether you’re a tiny startup or a Fortune 500 mainstay.

Security teams can reference this list as they respond to and remediate incidents. From here, teams can iterate and work toward their own custom and comprehensive incident response plans. Whether you’re dealing with a strain of ransomware like LockerGoga or a trojan like Emotet, you’ll often end up following a lot of the same response and remediation actions.

How to use this guide

Below, you will find basic response actions for the following categories of incidents:

  • High criticality: Initiate response within 2 hours
  • Medium criticality: Initiate response within 4 hours
  • Low criticality: Initiate response within 24 hours

Keep in mind that responding to a security incident requires nuance, and the best incident response plans consider an organization’s tooling, internal expertise, and other factors. The guidance listed here is not comprehensive, as it lacks critical organizational context. Use these checklists as a building block to create a brand new response process or improve your existing plan.

HIGH MALICIOUS
  Description: Active and/or successful deployment of malware that poses a direct threat to confidentiality, integrity, or availability of data or systems.
  Examples: Successful exploitation of a known vulnerability or exploit, including the use of core system binaries in a known malicious fashion.

HIGH SUSPICIOUS
  Description: Activity that is not directly attributable to malware but that is indicative of an immediate and/or active threat or compromise.
  Examples: Including but not limited to account manipulation, potential exfiltration of data, or remote access to or from an untrusted external source.

Common Steps for Response and Remediation

Within 2 hours:

  • Assess the scope of the incident. Investigate alerts from active security tools and acknowledge any new detections.
  • Isolate affected endpoint(s) from the network to prevent malware from moving laterally throughout the environment.
  • Kill running process(es) associated with malware.
  • Delete malicious binaries.
  • Block command-and-control IP addresses at network perimeter.
  • Ban malicious MD5 or SHA2 hashes with whitelisting tool or other relevant product.
  • Remove persistence mechanisms (Scheduled Tasks, AutoRun keys, etc.).
  • Minimize risk of a future attack by assessing administrative controls. Review account usage and reset passwords, limit administrative access where possible, and disable unnecessary file-sharing access.
  • Patch vulnerable systems.
  • Mark relevant detections and alerts as remediated.
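
As an added example (not from the original post or from Red Canary), the following PowerShell function automates the endpoint-side items of the checklist above on an already-isolated host: kill the process(es), remove Scheduled Task and AutoRun persistence, and delete the binary, keyed off a SHA-256 hash that the analyst supplies. The function name and parameter are hypothetical; it assumes the malware is still running (so its image path can be found from the process list) and that it is run with administrative rights.

```powershell
function Invoke-EndpointContainment {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Hash from the detection; assumption: the analyst supplies a SHA-256 value.
        [Parameter(Mandatory)] [string] $BannedSha256
    )
    $report = [ordered]@{ Hash = $BannedSha256; KilledProcesses = @(); RemovedPersistence = @(); DeletedFiles = @() }

    # Kill running process(es) whose image file matches the banned hash.
    $paths = @()
    foreach ($p in Get-Process -ErrorAction SilentlyContinue) {
        $img = $p.Path
        if (-not $img -or -not (Test-Path -LiteralPath $img)) { continue }
        $h = (Get-FileHash -LiteralPath $img -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        if ($h -and $h -ieq $BannedSha256) {
            if ($PSCmdlet.ShouldProcess("$($p.Name) (PID $($p.Id))", 'Stop-Process')) {
                Stop-Process -Id $p.Id -Force
            }
            $report.KilledProcesses += "$($p.Name):$($p.Id)"
            $paths += $img
        }
    }

    foreach ($img in ($paths | Select-Object -Unique)) {
        # Remove persistence: Scheduled Tasks that launch the binary ...
        foreach ($task in (Get-ScheduledTask | Where-Object { $_.Actions.Execute -like "*$img*" })) {
            if ($PSCmdlet.ShouldProcess("$($task.TaskPath)$($task.TaskName)", 'Unregister-ScheduledTask')) {
                Unregister-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Confirm:$false
            }
            $report.RemovedPersistence += "task:$($task.TaskPath)$($task.TaskName)"
        }
        # ... and Run/RunOnce (AutoRun) keys that reference it.
        $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                   'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        foreach ($key in $runKeys) {
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if (-not $props) { continue }
            foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Value -is [string] -and $_.Value -like "*$img*" })) {
                if ($PSCmdlet.ShouldProcess("$key\$($prop.Name)", 'Remove-ItemProperty')) {
                    Remove-ItemProperty -Path $key -Name $prop.Name
                }
                $report.RemovedPersistence += "run:$key\$($prop.Name)"
            }
        }
        # Delete the malicious binary now that nothing launches it.
        if ($PSCmdlet.ShouldProcess($img, 'Remove-Item')) { Remove-Item -LiteralPath $img -Force }
        $report.DeletedFiles += $img
    }
    return $report
}
```

Because the function supports ShouldProcess, calling it with -WhatIf lists every process, task, Run value and file it would act on without changing anything, which is a useful first pass before the destructive run; the returned report is the record for the after-action write-up.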

Escalation Procedure

  • Contact appropriate incident responder(s), who will initiate pre-defined response plan specific to the severity and type of incident.
  • Complete initial scoping assessment to determine which systems and data were affected by the incident.
  • Notify appropriate personnel if scoping assessment determines that the sensitive data was affected by the incident.
  • Notify relevant stakeholders when the incident has been successfully remediated.
  • Prepare after-action report documenting response process and distribute to appropriate personnel.

MEDIUM MALICIOUS
  Description: Malware identified on an endpoint that does not represent an immediate threat (e.g., no direct execution, indication of activity, or use of core system binaries).
  Examples: Direct download of malware (not resulting from exploit or prior compromise) that has not executed, or delivery of a malicious document wherein the embedded payload has not executed. This classification includes aggressive adware behaving in a manner more consistent with malware, such as changing core system properties and performing system reconnaissance.

MEDIUM SUSPICIOUS
  Description: Activity not directly attributable to malware that still poses a security risk or raises suspicion due to context (or lack thereof). This can include abnormal activity that requires additional context from the customer, such as environment or domain information.
  Examples: Remote access to internal domains (such as SSH to Dynamic DNS domains) and the use of accessibility tools to bypass Windows login requirements. Also includes dual-use tools or other activities that are not obviously malicious.

Common Steps for Response and Remediation

Within 4 hours:

  • Assess the scope of the incident.
  • Investigate alerts from active security tools and acknowledge any new detections.
  • Isolate affected endpoint(s) from the network to prevent malware from moving laterally throughout the environment.
  • Kill running process(es) associated with malware.
  • For suspicious activity, investigate details within endpoint data and determine if behavior is legitimate or malicious.
  • Delete any malicious binaries present within the environment.
  • Ban malicious MD5 or SHA2 hashes with whitelisting tool or other relevant product.
  • Mark relevant detections and alerts as remediated.

Escalation Procedure

  • Primary responder will initiate remediation within 4 hours.
  • Document response actions and notify relevant stakeholders as needed upon remediation.

ADWARE
  Description: These applications use deceptive techniques to ensure installation, including masquerading as other known software, claiming to benefit the user, and bundling additional unwanted software. Adware is often bundled with known applications in order to add the appearance of legitimacy.
  Examples: Unwanted software that surreptitiously changes browser settings and homepages, redirects search results, and displays advertisements to the user.

RISKWARE
  Description: Tools that are typically installed intentionally but are designed to circumvent security policy and controls. Some have legitimate use cases in certain scenarios, but on a broader scale introduce additional risk due to their nature and method of use.
  Examples: Programs designed to prevent an endpoint from sleeping, as well as proxy software used to evade internet content filtering.

PEER-TO-PEER (P2P)
  Description: Ad hoc and uncontrolled use of a decentralized distributed computing architecture.
  Examples: P2P software is commonly used for sharing digital content (i.e., movies, games, music, etc.). This introduces risk via pirated content, resource consumption (network and computer), data exposure, and malware downloads.

Common Steps for Response and Remediation

Within 24 hours:

  • Acknowledge detection(s).
  • Kill running process(es).
  • Contact affected end user.
  • Uninstall unwanted programs.
  • Mark as remediated.

Escalation Procedure

  • Primary responder will remediate detection within 24 hours.
  • Document response actions and notify relevant stakeholders as needed upon remediation.
 