Once you have a clear understanding of what the attacker has done, you need to contain the attack to prevent the situation from getting any worse. This is known as the containment phase.
Prevent the Incident From Spreading
To block the attacker, you need to prevent them from using their means of accessing the network. Their access may come in the form of compromised accounts they use to connect remotely or perhaps malicious software or processes that they can control remotely.
Remember the diagram showing the relationship between the investigation and response that we presented earlier?
Block the Attacker at the Level of the Compromised Asset
The action to be taken depends on the type of asset being compromised:
For domain accounts (i.e., accounts managed in the directory), you can block them in the directory.
The attacker may also use local accounts. These are accounts that exist only on a particular machine, such as the Administrator account on a Windows computer or the admin account for a router or printer. In this situation, the attacker may have hidden a backdoor on the machine, so you’ll need to treat the whole machine as compromised. When facing a malicious program, you don’t have time to analyze each of its actions. Here again, you have to treat the machine as compromised.
To contain a compromised machine, you need to isolate or disconnect it. You can do this either by physically unplugging its cables or by disconnecting it through the network equipment (NDRs, firewalls, or routers) or the EDR.
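As an added example (not part of the course), the rules above can be written down as a small planner: a domain account is disabled in the directory, a compromised local account or a malicious process means the whole host is isolated, and isolation goes through the EDR when an agent is present, otherwise through the network equipment. The Finding records, the `critical` and `edr_managed` tags, and the idea of flagging critical hosts for sign-off before isolation are assumptions made for the example.

```python
"""Build a containment plan from the assets an investigation found compromised.

Added example, not code from the course. Asset records, the business
criticality tag and the sign-off rule are assumptions for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class Finding:
    """One compromised asset reported by the investigation (assumed schema)."""
    kind: str                 # "domain_account" | "local_account" | "malware" | "host"
    name: str                 # account name, process name or hostname
    host: str = ""            # host a local account or malicious process lives on
    critical: bool = False    # assumed tag from the asset inventory
    edr_managed: bool = True  # assumed: does an EDR agent run on the host?


@dataclass
class Plan:
    disable_accounts: list = field(default_factory=list)   # directory accounts
    isolate_hosts: list = field(default_factory=list)      # (hostname, method)
    needs_signoff: list = field(default_factory=list)      # critical hosts
    rejected: list = field(default_factory=list)           # findings we could not place


def build_plan(findings):
    """Translate findings into containment actions, one per asset, deduplicated."""
    plan = Plan()
    seen_hosts = set()

    def isolate(hostname, critical, edr_managed):
        if hostname in seen_hosts:
            return
        seen_hosts.add(hostname)
        method = "edr" if edr_managed else "network"
        plan.isolate_hosts.append((hostname, method))
        if critical:
            plan.needs_signoff.append(hostname)

    for f in findings:
        if f.kind == "domain_account":
            if f.name not in plan.disable_accounts:
                plan.disable_accounts.append(f.name)
        elif f.kind in ("local_account", "malware"):
            # A local account or malware: the whole machine is compromised.
            if not f.host:
                plan.rejected.append(f"{f.kind} {f.name}: no host given")
                continue
            isolate(f.host, f.critical, f.edr_managed)
        elif f.kind == "host":
            isolate(f.name, f.critical, f.edr_managed)
        else:
            plan.rejected.append(f"{f.kind} {f.name}: unknown asset kind")
    return plan


# Constructed sample findings, modelled on the Méditronique scenario.
SAMPLE_FINDINGS = [
    Finding("domain_account", "eve.lefevre"),
    Finding("local_account", "Administrator", host="bkp-srv-01",
            critical=True, edr_managed=False),
    Finding("malware", "updater.exe", host="ws-042"),
    Finding("host", "ws-042"),                     # duplicate host, same action
    Finding("malware", "dropper.exe"),             # missing host: cannot be placed
]

if __name__ == "__main__":
    p = build_plan(SAMPLE_FINDINGS)
    print("disable in directory:", p.disable_accounts)
    print("isolate:", p.isolate_hosts)
    print("sign-off needed for:", p.needs_signoff)
    print("rejected:", p.rejected)
```

The plan is meant to be executed as one batch: disabling only some of the attacker's access is what tips them off, so every action in the plan should be ready before the first one is applied.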
Adopt an Appropriate Response Level
If I understand correctly, our priority is to contain compromised assets as quickly as possible. But doesn’t this impact the organization’s business?
Yes, it does! That’s the tricky part of the containment phase. Your priority is to block the attacker as quickly as possible, but by doing that, you’ll also be blocking all the people who work with these assets.
There’s always a delicate balance between blocking assets and securing the organization.
For example, if you only block part of the attacker’s access, they may realize that they have been detected. They may then decide to immediately inflict damage on the organization. If you’re worried about this scenario, restart the investigation to be certain of your plan of action.
Rest assured, it’s not up to you to make these choices. There are internal guidelines that we follow. These guidelines are based on the criticality of the incident.
Monitor Actions Implemented in the SIRP
The SIRP is a project monitoring platform. It will allow you to monitor the state of the incident with the IS department’s various teams. You can assign tasks to each team in order to get the whole system back up and running.
To understand the difference between SIRP and SOAR, it is important to realize that they are not used by the same teams:
|           | SOAR                                                                                | SIRP                                |
| users     | The SOC and technical security teams                                                | The teams the SOC interacts with    |
| access    | Reserved for the SOC                                                                | Open to members of the organization |
| interface | Security software                                                                   | Organization software               |
| utility   | Organize the detection and response; exchange technical information on investigations | Communicate about SOC actions      |
The distinction between SIRP and SOAR may vary between organizations.
More than anything, the SIRP is a space for organization and project management. Any tool can fulfill this role, as long as it is suitable for communicating within the organization. In some organizations, the SIRP and the SOAR may even be the same tool.
These tools include Jira, ServiceNow, and GLPI. These are project management tools that can be used throughout the IS department, but it’s important to use a separate instance dedicated to security.
Since these are two very different functions, we will distinguish between them in the following section.
Use the Investigation Data to Respond Quickly
Leverage the Data From the Investigation
Another way of directly blocking the attacker is to use information gathered during the investigation.
The identified IP addresses and domain names must be blocked at the network level.
The techniques used by the attacker must be blocked by security tools.
The files they use must be blocked by the antivirus software.
Use the Tools at Your Disposal
You can use the tools at your disposal to implement these actions:
You can enter all IoCs into the EDR so that it automatically detects and isolates all machines where these IoCs are present.
VPN configuration settings allow you to block access to certain accounts.
The firewall allows you to automatically block all incoming and outgoing traffic for identified IP addresses/domain names.
The web proxy lets you block web requests from malicious programs.
IPS allows you to block the attack techniques that you have identified at the network level, such as login attempts or vulnerability exploitation.
WAF allows you to block web attacks by the attacker.
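Here is an added example (not from the course) of how the investigation data is turned into per-tool block lists: each raw indicator is validated and normalized, anything that would block the organization's own infrastructure is rejected, and the rest is grouped by the tool that enforces it (firewall for IP addresses and domain names, web proxy for domains and URLs, EDR for file hashes). The sample indicators, the inline ticket notes and the list of internal ranges are constructed for the example.

```python
"""Sort investigation IoCs into per-tool block lists.

Added example, not code from the course. The sample indicators are
constructed; INTERNAL_NETS is an assumed list that an organization would
extend with its own public address ranges.
"""
import ipaddress
import re
from urllib.parse import urlsplit

HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)
# Ranges that must never end up in a block list (assumed; extend with your own).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "::1/128", "fe80::/10",
)]

# Constructed sample: good, duplicated and unsafe indicators with analyst notes.
SAMPLE_IOCS = """
203.0.113.45          # C2 seen in VPN logs
203.0.113.45          # duplicate from a second log source
198.51.100.7/32       # exported by a firewall in CIDR form
Evil-Update.example   # staging domain, mixed case
https://evil-update.example/update/payload.bin
10.0.0.5              # the backup server itself: must NOT be blocked
0e4b7c2e9c5c5b2f4a1d6a3b8f0c9d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c
not an indicator
"""


def classify(raw):
    """Return (kind, value) for one indicator, or ("rejected", reason)."""
    token = raw.split("#", 1)[0].strip()
    if not token:
        return ("empty", "")
    # File hashes: hex string of a known digest length.
    if re.fullmatch(r"[0-9a-fA-F]+", token) and len(token) in HASH_LENGTHS:
        return ("hash", token.lower())
    # IP addresses, possibly written as a single-host CIDR.
    try:
        net = ipaddress.ip_network(token, strict=False)
    except ValueError:
        net = None
    if net is not None:
        if net.num_addresses != 1:
            return ("rejected", f"{token}: block single hosts, review ranges by hand")
        addr = net.network_address
        if addr.is_multicast or addr.is_unspecified or any(addr in n for n in INTERNAL_NETS):
            return ("rejected", f"{token}: internal address, would block our own assets")
        return ("ip", str(addr))
    # URLs: the proxy blocks the full URL, the firewall blocks its host.
    if token.lower().startswith(("http://", "https://")):
        host = (urlsplit(token).hostname or "").lower()
        if not DOMAIN_RE.match(host):
            return ("rejected", f"{token}: URL without a usable host")
        return ("url", token)
    if DOMAIN_RE.match(token.lower()):
        return ("domain", token.lower())
    return ("rejected", f"{token}: unrecognised indicator")


def build_block_lists(text):
    """Group every indicator in `text` by the tool that will enforce it."""
    lists = {"firewall": set(), "proxy": set(), "edr": set(), "rejected": []}
    for line in text.splitlines():
        kind, value = classify(line)
        if kind == "ip":
            lists["firewall"].add(value)
        elif kind == "domain":
            lists["firewall"].add(value)
            lists["proxy"].add(value)
        elif kind == "url":
            lists["proxy"].add(value)
            lists["firewall"].add(urlsplit(value).hostname.lower())
        elif kind == "hash":
            lists["edr"].add(value)
        elif kind == "rejected":
            lists["rejected"].append(value)
    return lists


def firewall_rules(ips):
    """Render iptables rules dropping both directions for each IP address."""
    rules = []
    for ip in sorted(ips):
        rules.append(f"iptables -A INPUT -s {ip} -j DROP")
        rules.append(f"iptables -A OUTPUT -d {ip} -j DROP")
    return rules


if __name__ == "__main__":
    lists = build_block_lists(SAMPLE_IOCS)
    for tool, values in lists.items():
        print(tool, sorted(values) if isinstance(values, set) else values)
    ip_only = [v for v in lists["firewall"] if classify(v)[0] == "ip"]
    print("\n".join(firewall_rules(ip_only)))
```

The rejected list is the part worth reading before anything is pushed to a tool: an internal address or a whole range slipping into a block list is a self-inflicted outage on top of the incident.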
Cyber Crisis: Triggering the Crisis Management System
In some situations, the incident is so critical that the organization simply can’t continue working as normal.
In the event of a crisis, you need to establish priorities and a battle plan that needs to be constantly re-evaluated. We organize ourselves into small groups (crisis units), where it’s easier to share information and make effective decisions.
Over to You!
You have to manage an incident following the compromise of a critical server in the backup infrastructure of Méditronique, the medical tool manufacturing company. The following compromise path has been identified:
The attacker retrieved the eve.lefevre@meditronique.com account credentials from a public data breach.
They logged into the VPN with this account.
They exploited a vulnerability on an obsolete server and stole the backup server’s local admin password.
In your opinion, what measures should be implemented to limit the compromise?
“Over to You!” Quiz Answer Key
Your goal is to block the attacker as quickly and thoroughly as possible.
Temporarily disable accounts: This is necessary while the incident is being managed. It’s better to block accounts temporarily than to reset the password, because the attacker may have other ways of accessing the system.
Blocking the attacker’s IP address is necessary, but not enough on its own, as the attacker may return from another IP address. In the case of Méditronique, whose business is primarily industrial, you can justify completely disabling the VPN while you manage a major incident.
Quarantine the affected servers, but avoid shutting them down. It may be best to discuss this with a more senior analyst or the IS department, to check the impact on the business.
These measures are effective, but they are not enough. In this particular case, you can also intervene at the EDR level. More importantly, you can continue to investigate simultaneously to determine the attacker’s access level.
Let’s Recap!
Once you have a clear understanding of what the attacker has done, you need to block them to prevent the situation from getting any worse. This is the containment phase.
The measures you need to take depend on the type of asset compromised by the attacker:
Accounts must be disabled in the directory.
Machines must be physically isolated or disconnected, either at the network equipment level or from the EDR.
The information gathered during the investigation reduces your response time:
The identified IP addresses and domain names must be blocked by the firewall.
The techniques used by the attacker must be blocked by the EDR.
Blocking these will affect the way the organization operates. That’s why it is essential to introduce incident response procedures, so you can quickly decide on the level of blocking to apply.
Containment keeps the attacker out of the IS, but it doesn’t mean the incident is over. The attacker may have already caused damage that needs to be repaired.
How can we be sure they won’t come back? We’ll be looking into this in the next chapter!