SANS 504-8 Incident Response Cycle: Cheat-Sheet v1.0, 11.5.2016 - K/USCW

Preparation - Identification - Containment - Eradication - Recovery - Lessons Learned (PICERL)

Preparation:
- People
- Notes
- Relationships
- Awareness
- Need to know

Identification:
- Unusual processes
- Anomalies

Containment:
- Stop the bleeding
- Categorize
- Notify management
- Remove LAN cable
- Memory captures
- Change passwords
- Black-hole IPs
- Passive monitoring
- Chain of custody
- Low profile
- Secure forensic images

Eradication:
- Delete artifacts
- Apply all patches
- Remove malware
- Root cause
- Restore from backup
- Check DNS
- Rescan network

Recovery:
- Test / document baseline
- Return to ops
- Monitor (signs / shells / artifacts / events)
- Move to production (approval)
- Script searches for attacker artifacts

Lessons Learned:
- Finalize report; document the incident
- Seek required changes; immediately upon recovery phase
- All affected parties review / comment on draft
- Provide exec summary
- Seek funding
- Causation
- Upgrade posture

Enterprise-Wide Incident Response Considerations

Data points to collect:
- Web proxies
- DNS cache (int / ext / hosts)
- Netflow data (incl. FW / IPS)

Web proxy:
- Often not reviewed due to HR concerns
- Helps uncover compromised hosts and C2 server connections
- Many malicious URLs are long or contain unintelligible portions
- Often malware uses older User-Agent strings

DNS cache:
- Look-ups reveal which systems are talking to known bad IPs / domains
- Helps identify previously unknown impacted hosts
- dns-blacklist.py can correlate logs to known bad IPs
- Many sources for bad-domain lists on the internet

Netflow data:
- Beaconing (repeated connections, e.g. every 30 sec; every 4 hrs; etc.)
- Repeated invalid connect attempts that abruptly stop
- Connections to sites off-hours
- Large file transfers outbound (e.g. > 20 MB)

Tools for enterprise IR:
- Cyber-CPR: commercial tool; free use for a limited number of IR team members
- WMIC scripting (e.g. wmic /node:@systems.txt get <values> /format:csv > output.csv)
- SCCM reporting (e.g. inventory reports, drivers installed, services, etc.)
- Kansa PowerShell (e.g. load targets into a txt file, launch the desired pre-canned scripts, review output)
- Google Rapid Response (GRR): free; Nix / OSX / Win clients; Python-based; collects data from targets to a central server
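The proxy, DNS-cache and netflow heuristics above, worked through as an added Python example; this is not code from the SANS cheat-sheet, nor the dns-blacklist.py script it mentions. The flow records, DNS cache entries, proxy lines and the blacklist contents are constructed sample data, and the thresholds (4 connections and a coefficient of variation of 0.2 for beaconing, 20 MB for large transfers, a 07:00-19:00 weekday business window, the list of "old" User-Agent strings) are assumptions to be tuned against your own baseline.

```python
"""Enterprise IR hunting heuristics (beaconing, large outbound transfers,
off-hours traffic, DNS-cache correlation, proxy oddities) over constructed
sample data. Added example; not code from the SANS cheat-sheet."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

T = datetime.fromisoformat  # Python 3.7+

# Constructed netflow-style records: (src, dst, dport, bytes_out, start_time).
FLOWS = [
    # ws01 talks to the same host every ~30 s: beacon-like
    ("ws01", "203.0.113.5", 443, 1200, T("2016-11-07 10:00:00")),
    ("ws01", "203.0.113.5", 443, 1180, T("2016-11-07 10:00:31")),
    ("ws01", "203.0.113.5", 443, 1210, T("2016-11-07 10:01:00")),
    ("ws01", "203.0.113.5", 443, 1195, T("2016-11-07 10:01:30")),
    ("ws01", "203.0.113.5", 443, 1200, T("2016-11-07 10:02:01")),
    # ws02 browses a CDN at irregular intervals: normal
    ("ws02", "198.51.100.9", 443, 5400, T("2016-11-07 10:00:05")),
    ("ws02", "198.51.100.9", 443, 3200, T("2016-11-07 10:00:09")),
    ("ws02", "198.51.100.9", 443, 7800, T("2016-11-07 10:03:40")),
    ("ws02", "198.51.100.9", 443, 2100, T("2016-11-07 10:15:02")),
    # srv03 pushes 150 MB to an unknown host at 02:14 on a Monday
    ("srv03", "192.0.2.77", 22, 150 * 1024 * 1024, T("2016-11-07 02:14:33")),
]

# Constructed DNS cache dump: (host, cached name, resolved IP).
DNS_CACHE = [
    ("ws01", "cdn.evil-c2.example", "203.0.113.5"),
    ("ws04", "update.vendor.example", "198.51.100.20"),
    ("ws07", "evil-c2.example", "203.0.113.5"),
]
BAD_DOMAINS = {"evil-c2.example"}  # assumed blacklist feed contents
BAD_IPS = {"203.0.113.5"}

# Constructed proxy log entries: (host, url, user_agent).
PROXY = [
    ("ws01", "http://203.0.113.5/" + "a8f3k" * 20,
     "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"),
    ("ws02", "https://www.vendor.example/downloads/tool.msi",
     "Mozilla/5.0 (Windows NT 10.0) Chrome/54.0"),
]
OLD_AGENTS = ("MSIE 6.0", "MSIE 7.0")  # assumed; derive from your fleet baseline


def find_beacons(flows, min_conn=4, max_cv=0.2):
    """(src, dst, dport, mean_interval_s) for channels whose connection
    intervals are regular: coefficient of variation <= max_cv."""
    by_chan = defaultdict(list)
    for src, dst, dport, _, t in flows:
        by_chan[(src, dst, dport)].append(t)
    hits = []
    for chan, times in by_chan.items():
        if len(times) < min_conn:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append(chan + (round(avg),))
    return hits


def large_outbound(flows, threshold=20 * 1024 * 1024):
    """Flows sending at least `threshold` bytes out; size reported in MB."""
    return [(s, d, p, b // (1024 * 1024)) for s, d, p, b, _ in flows if b >= threshold]


def off_hours(flows, start_hour=7, end_hour=19):
    """Flows outside the assumed business window or on a weekend."""
    return [(s, d, t.strftime("%Y-%m-%d %H:%M")) for s, d, _, _, t in flows
            if t.weekday() >= 5 or not (start_hour <= t.hour < end_hour)]


def dns_hits(cache, bad_domains, bad_ips):
    """Hosts whose cache holds a known-bad name (or a subdomain of one) or IP."""
    hosts = set()
    for host, name, ip in cache:
        n = name.lower().rstrip(".")
        if ip in bad_ips or any(n == d or n.endswith("." + d) for d in bad_domains):
            hosts.add(host)
    return sorted(hosts)


def new_suspects(dns_hosts, flows):
    """DNS-cache hits on hosts the netflow never showed: previously unknown impacted hosts."""
    seen = {f[0] for f in flows}
    return [h for h in dns_hosts if h not in seen]


def proxy_suspects(records, max_len=100):
    """Flag long/unintelligible URLs and outdated User-Agent strings."""
    out = []
    for host, url, ua in records:
        reasons = []
        if len(url) > max_len:
            reasons.append("long-url")
        if any(a in ua for a in OLD_AGENTS):
            reasons.append("old-user-agent")
        if reasons:
            out.append((host, reasons))
    return out


if __name__ == "__main__":
    print("beacons  :", find_beacons(FLOWS))
    print("large out:", large_outbound(FLOWS))
    print("off-hours:", off_hours(FLOWS))
    hits = dns_hits(DNS_CACHE, BAD_DOMAINS, BAD_IPS)
    print("dns hits :", hits, "new hosts:", new_suspects(hits, FLOWS))
    print("proxy    :", proxy_suspects(PROXY))
```

Beaconing is scored on the regularity of the gaps between connections rather than on any fixed period, so a 30-second and a 4-hour beacon are caught by the same rule; real C2 adds jitter, which is why the threshold is a coefficient of variation rather than an exact match. The DNS-cache pass deliberately cross-checks against the netflow host list: ws07 never appears in the flow data but resolved the bad domain, which is exactly the "previously unknown impacted host" the sheet is after.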