Incident Response Plan and Data Breach Monitoring for River Run Solutions LLC

Author: support@riverrunsolutions.com

Revision 1, Released August 13, 2024

Incident Response Plan and Data Breach Monitoring for River Run Solutions LLC

Author: support@riverrunsolutions.com

Revision 1, Released August 13, 2024

It was last reviewed on August 13, 2024. It was last tested on August 13, 2024.

Assess

  1. Stay calm and professional.
  2. Gather pertinent information, e.g., alarms, events, data, assumptions, intuitions (observe).
  3. Consider impact categories, below (orient), and determine if there is a possible incident (decide):
  4. Initiate a response if there is an incident (act). If in doubt, initiate a response. The incident commander and response team can adjust upon investigation and review.

Assess Functional Impact

What is the direct or likely impact on your mission? (e.g., business operations, employees, customers, users)

Assess Information Impact

What is the direct or likely impact on your information/data, particularly anything sensitive? (e.g., PII, proprietary, financial, or healthcare data)

Every team member is empowered to start this process. If you see something, say something.

Initiate Response

Name the Incident

Create an simple two-word phrase to refer to the incident—a codename—to use for the incident file and channel(s).

Assemble the Response Team

  1. Page the on-duty/on-call Incident Commander.
  2. Do not discuss the incident outside the response team unless cleared by the Incident Commander
  3. Launch and/or join the response chat at Message.
  4. Launch and/or join the response call at [Private] and/or Message.
  5. Prefer voice call, chat, and secure file exchange over any other methods.
  6. Do not use primary email if possible. If email is necessary, use sparingly or use N/A. Encrypt emails when any participant is outside the riverrunsolutions.com domain.
  7. Do not use SMS/text to communicate about the incident, unless to tell someone to move to a more secure channel.
  8. Invite on-duty/on-call responders to the response call and response chat.
  9. OPTIONAL: Establish an in-person collaboration room (“war room”) for complex or severe incidents.

Reference: Response Team Structure

Reference: Response Team Contact Information

Response Team RoleContact Information
Incident Commander pager[Private]
Incident Commander pager url[Private]
Incident Commander roster[Private]
Security team roster[Private]
Team SME roster[Private]
Executive roster[Private]

Establish Battle Rhythm

Conduct Initial Response Call

  1. Conduct initial call using the initial response call structure
  2. Follow instructions from the Incident Commander. If the on-duty/on-call Incident Commander does not join the call within 30 minutes and you are a trained incident commander, take command of the call.
  3. Follow the instructions for your role.
  4. Follow the call and chat, and comment as appropriate. If you are not a SME, filter input through the SME for your team if possible.
  5. Keep the call and chat active throughout the incident for event-driven communication.
  6. Schedule updates every 4 hours on the active bridge.

Reference: Initial Response Call Structure

Reference: Call Etiquette

Conduct Response Update

Reference: Response Update Call Structure

Monitor Scope

Create Sub-Teams

Split Incident

If an incident turns out to be two or more distinct incidents:

Investigate

Investigate, remediate, and communicate in parallel, using separate teams, if possible. The Incident Commander will coordinate these activities. Notify the Incident Commander if there are steps the team should consider.

Create Incident File

  1. Create a new incident file at https://www.riverrunsolutions.com/incident-response-plan.html using the incident name. Use this file for secure storage of documentation, evidence, artifacts, etc.
  2. Document the functional and information impact, if known (see Assess).
  3. Document the vector, if known (e.g., web, email, removable media).
  4. Document the incident summary: a brief overview of the vector, impact, investigation, and remediation situation, if known.
  5. Document the incident timeline, including attacker activity and responder activity.
  6. Document investigation, remediation, and communication steps. Document activities independently so they can be combined and reused, if possible.
  7. Track significant information such as:

Collect Initial Leads

  1. Interview incident reporter(s).
  2. Collect initial supporting data (e.g., alarms, events, data, assumptions, intuitions) in the incident file.
  3. Interview SME(s) with domain or system expertise, to understand technical detail, context, and risk.
  4. Interview SME(s) in affected business unit, to understand mission/business impact, context, and risk.
  5. Ensure leads are relevant, detailed, and actionable.

Reference: Response Resource List

ResourceLocation
Critical information listhttps://www.riverrunsolutions.com/incident-response-plan.html
Critical asset listhttps://www.riverrunsolutions.com/incident-response-plan.html
Asset management databaseAWS
Network mapAWS
SIEM consoleAWS
Log aggregatorAWS

Update Investigative Plan and Incident File

  1. Review and refine incident impact.
  2. Review and refine incident vector.
  3. Review and refine incident summary.
  4. Review and refine incident timeline with facts and inferences.
  5. Create hypotheses: what may have happened, and with what confidence.
  6. Identify and prioritize key questions (information gaps) to support or discredit hypotheses.
  7. Identify and prioritize witness devices and strategies to answer key questions.
  8. Refer to incident playbooks for key questions, witness devices, and strategies for investigating common or highly damaging threats.

The investigative plan is critical to an effective response; it drives all investigative actions. Use critical thinking, creativity, and sound judgment.

Reference: Attacker Tactics to Key Questions Matrix

Attacker TacticThe way attackers …Possible Key Questions
Reconnaissance… learn about targetsHow? Since when? Where? Which systems?
Resource Development… build infrastructureWhere? Which systems?
Initial Access… get inHow? Since when? Where? Which systems?
Execution… run hostile codeWhat malware? What tools? Where? When?
Persistence… stick aroundHow? Since when? Where? Which systems?
Privilege Escalation… get higher level accessHow? Where? What tools?
Defense Evasion… dodge securityHow? Where? Since when?
Credential Access… get/create accountsWhich accounts? Since when? Why?
Discovery… learn our networkHow? Where? What do they know?
Lateral Movement… move aroundHow? When? Which accounts?
Collection… find and gather dataWhat data? Why? When? Where?
Command and Control… control tools and systemsHow? Where? Who? Why?
Exfiltration… take dataWhat data? How? When? Where?
Impact… break thingsWhat systems or data? How? When? Where? How bad?

See the MITRE ATT&CK page for more insight and ideas.

Create and Deploy Indicators of Compromise (IOCs)

Emphasize dynamic and behavioral indicators alongside static fingerprints.

Identify Systems of Interest

  1. Validate whether they are relevant.
  2. Categorize the reason(s) they are “of interest”: has malware, accessed by compromised account, has sensitive data, etc. Treat these as “tags”, there may be more than one category per system.
  3. Prioritize collection, analysis, and remediation based on investigative needs, business impact, etc.

Collect Evidence

Consider collecting the following artifacts as evidence, either in real time (_e.g., via EDR or a SIEM) or on demand:

Example Useful Artifacts

Analyze Evidence

Example Useful Indicators

Iterate Investigation

Update the investigative plan and repeat until closure.

Remediate

Investigate, remediate, and communicate in parallel, using separate teams, if possible. The Incident Commander will coordinate these activities. Notify the Incident Commander if there are steps the team should consider

Update Remediation Plan

  1. Review the incident file at https://www.riverrunsolutions.com/incident-response-plan.html using the incident name
  2. Review applicable playbooks.
  3. Review the Response Resource List).
  4. Consider which attacker tactics are in play in this incident. Use the MITRE ATT&CK list (i.e., Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Execution, Collection, Exfiltration, and Command and Control), or similar framework.
  5. Develop remediations for each tactic in play, as feasible given existing tools and resources. Consider remediations to Protect, Detect, Contain, and Eradicate each attacker behavior.
  6. Prioritize based on timing strategy, impact, and urgency.
  7. Document in incident file.

Use information security (infosec) frameworks as inspiration, but do not use incident remediation as a substitute for an infosec program with an appropriate framework. Use them to supplement one another.

Protect

“How can we stop tactic X from happening again, or reduce risk? How can we improve future protection?”

Use the following as a starting point for protective remediation:

Detect

“How can we detect this on new systems or in the future? How can we improve future detection and investigation?”

Use the following as a starting point for detective remediation:

Contain

“How can we stop this from spreading, or getting more severe? How can we improve future containment?”

Use the following as a starting point for containment remediation:

Eradicate

“How can we eliminate this from our assets? How can we improve future eradication?”

Use the following as a starting point for eradication remediation:

Choose Remediation Timing

Determine the timing strategy—when remediation actions will be taken—by engaging the Incident Commander, the system SMEs and owners, business unit SMEs and owners, and the executive team. Each strategy is appropriate under different circumstances:

Execute Remediation

Iterate Remediation

Update the remediation plan and repeat until closure.

Communicate

Investigate, remediate, and communicate in parallel, using separate teams, if possible. The Incident Commander will coordinate these activities. Notify the Incident Commander if there are steps the team should consider

All communication must include the most accurate information available. Display integrity. Do not communicate speculation.

Communicate Internally

Notify and Update Stakeholders

Notify and Update Organization

Create Incident Report

Communicate Externally

Notify Regulators

Notify Customers

Notify Vendors and Partners

Notify Law Enforcement

Contact External Response Support

Share Intelligence

Recover

Recovery is typically governed by business units and system owners. Take recovery actions only in collaboration with relevant stakeholders.

  1. Launch business continuity/disaster recovery plan(s): e.g., consider migration to alternate operating locations, fail-over sites, backup systems.
  2. Integrate security actions with organizational recovery efforts.

Playbooks

The following playbooks capture common investigation, remediation, and communication steps for particular types of incident.

Playbook: Website Defacement

Investigate, remediate (contain, eradicate), and communicate in parallel!

Assign steps to individuals or teams to work concurrently, when possible; this playbook is not purely sequential. Use your best judgment.

Investigate

  1. Immediately take the defaced server offline for further investigation
  2. Determine the system’s source of vulnerability that was used by the attacker. Common exploits include:
  3. Collect any clues as to who the hacker is or what organization they are working for. Consider the following questions:
  4. Collect other important information from the page that has been defaced such as:
  5. There are also tools available to aid in both detection and log analysis. A few are listed below:

Remediate

Contain

  1. Backup all data stored on the web server for forensic purposes.
  2. As previously mentioned, make sure to take the defaced page’s server down temporarily while investigation occurs.
  3. Once the source of the attack has been determined, apply the necessarily steps to ensure this will not happen again. This may include modifying code or editing access rights.

Recover

  1. Remove the hacker’s message and replace with original, legitimate content. If data was lost in the attack, reference backups and restore the original page as much as possible.
  2. Consider asking users to change their login credentials if the web server has user authentication.
  3. After implementing risk avoidance measures (as recommended below), restore your server showing the original page content.
  4. If necessary and/or applicable, prepare an apology/explanation of the attack that occurred for users or anyone who witnessed the defacement. Ensure that is it clear that the defacement content does not reflect your organization in any way.

Risk Avoidance

  1. Use as few plug-ins as necessary. Hackers target websites that are vulnerable and have many sources of entry. You can limit these sources of entry by only using what you need and removing any unused or old plug ins and software. It is also important to update these as soon as possible.
  2. Closely monitor and mandate access to administrative content. Only allow individuals access to what they need access to. This will reduce the chance of human error leading to cyber attacks. There are more DIY methods of prevention mentioned in this article (steps 6-12) and in resource #4 at the end of this playbook.
  3. Regularly check for malware on your site by scanning the source code. Look for scripts, iframes, or URLs that look unfamiliar and make sure to also scan URLs that do look familiar.
  4. There are many highly reputable automated website scanners that will not cost any of your time and will thoroughly scan your site for vulnerabilities regularly. Here is a link to popular scanners.
  5. Defend against common points of exploitation such as SQL injections and XSS attacks. This article includes best practices to defend these attacks.
  6. Install defacement detection programs so that if an attack were to occurr again, you would be prepared and respond quickly. Here is an article that summarizes some of 2020’s best monitoring services.
  7. Discuss with your employees the importance of keeping administrative access limited and confidential and inform them of these steps to avoid incidents including regular cybersecurity awareness training.

Communicate

  1. Escalate incident and communicate with leadership per procedure
  2. Document incident per procedure (and report if applicable)
  3. Communicate with internal and external legal counsel per procedure, including discussions of compliance, risk exposure, liability, law enforcement contact, etc.
  4. Communicate with users (internal)
    1. Communicate incident response updates per procedure
    2. Communicate impact of incident and incident response actions (e.g., containment: “why is the file share down?”)
    3. Communicate requirements: “what should users do and not do?”
  5. Communicate with customers
    1. Focus particularly on those whose data was affected
    2. Generate required notifications based on applicable regulations (particularly those that may consider defacement a data breach or otherwise requires notifications)
  6. Contact insurance provider(s)
    1. Discuss what resources they can make available, what tools and vendors they support and will pay for, etc.
    2. Comply with reporting and claims requirements to protect eligibility
  7. Consider notifying and involving law enforcement.
    1. Local law enforcement
    2. State or regional law enforcement
    3. Federal or national law enforcement
  8. Communicate with security and IT vendors
    1. Notify and collaborate with managed providersper procedure
    2. Notify and collaborate with incident response consultants per procedure

Resources

Reference: User Actions for Suspected Defacement Attack

  1. Stay calm, take a deep breath.
  2. Disconnect your system from the network
  3. Take pictures of the page you see using your smartphone showing the things you noticed: the defacement message and any other changes to the usual site.
  4. Take notes about the problem(s) using the voice memo app on your smartphone or pen-and-paper. Every little bit helps! Document the following:
    1. What did you notice?
    2. When did it first occur, and how often since?
    3. What data do you typically access?
    4. Who else have you contacted about this incident, and what did you tell them?
  5. Contact the help desk and be as helpful as possible.
  6. Be patient: allow the IT personnel get it under control, you may be protecting others from harm! Thank you.

Reference: Help Desk Actions for Suspected Defacement Attack

  1. Stay calm, take a deep breath.
  2. Open a ticket to document the incident, per procedure.
  3. Use your best judgement on which steps to prioritize (i.e. if the defacement left harmful or triggerring content, prioritize taking down the server immediately).
  4. Ask the user to take pictures of their screen using their smartphone showing the things they noticed.
  5. Take notes about the problem(s) using the voice memo app on your smartphone or pen-and-paper. If this is a user report, ask detailed questions, including:
    1. What did you notice?
    2. When did it first occur, and how often since?
    3. What data do you typically access?
    4. Who else have you contacted about this incident, and what did you tell them?
  6. Ask follow-up questions as necessary. You are an incident responder, we are counting on you.
  7. Get detailed contact information from the user (home, office, mobile), if applicable.
  8. Record all information in the ticket, including hand-written and voice notes.
  9. Quarantine affected users and systems.
  10. Contact the security team and stand by to participate in the response as directed: investigation, remediation, communication, and recovery.

Additional Information

  1. A helpful and detailed paper on defacement detection
  2. 10 tools for better website monitoring and security
  3. 2019 Website Threat Research Report with helpful statistics
  4. Article including DIYs and Best practices to prevent website defacement

Playbook: Phishing

Investigate, remediate (contain, eradicate), and communicate in parallel!

Assign steps to individuals or teams to work concurrently, when possible; this playbook is not purely sequential. Use your best judgment.

Investigate

  1. Scope the attack Usually you will be notified that a potential phishing attack is underway, either by a user, customer, or partner.
  2. Analyze the message using a safe device (i.e., do not open messages on a device with access to sensitive data or credentials as the message may contain malware), determine:
  3. Analyze links and attachments
  4. Categorize the type of attack.
  5. Determine the severity. Consider:

Remediate

Contain

Communicate

  1. Escalate incident and communicate with leadership per procedure
  2. Document incident per procedure (and report)
  3. Communicate with internal and external legal counsel per procedure, including discussions of compliance, risk exposure, liability, law enforcement contact, etc.
  4. Communicate with users (internal)
    1. Communicate incident response updates per procedure
    2. Communicate impact of incident and incident response actions (e.g., containment: “why is the file share down?”)
    3. Communicate requirements: “what should users do and not do?”
  5. Communicate with customers
    1. Focus particularly on those whose data was affected
    2. Generate required notifications based on applicable regulations (particularly those that may consider phishing a data breach or otherwise requires notifications)
  6. Contact insurance provider(s)
    1. Discuss what resources they can make available, what tools and vendors they support and will pay for, etc.
    2. Comply with reporting and claims requirements to protect eligibility
  7. Consider notifying and involving law enforcement
    1. Local law enforcement
    2. State or regional law enforcement
    3. Federal or national law enforcement
  8. Communicate with security and IT vendors
    1. Notify and collaborate with managed providers per procedure
    2. Notify and collaborate with incident response consultants per procedure

Recover

  1. Launch business continuity/disaster recovery plan(s) if compromise involved business outages: e.g., consider migration to alternate operating locations, fail-over sites, backup systems.
  2. Reinforce training programs regarding suspected phishing attacks. Key suspicious indicators may include:
  3. Ensure that IT and security staff is up to date on recent phishing techniques.
  4. Determine if any controls have failed when falling victim to an attack and rectify them. Here is a good source to consider following a phishing attack.

Resources

Reference: User Actions for Suspected Phishing Attack

  1. Stay calm, take a deep breath.
  2. Take pictures of your screen using your smartphone showing the things you noticed: the phishing message, the link if you opened it, the sender information.
  3. Take notes about the problem(s) using the voice memo app on your smartphone or pen-and-paper. Every little bit helps! Document the following:
    1. What did you notice?
    2. Why did you think it was a problem?
    3. What were you doing at the time you detected it?
    4. When did it first occur, and how often since?
    5. Where were you when it happened, and on what network? (office/home/shop, wired/wireless, with/without VPN, etc.)
    6. What systems are you using? (operating system, hostname, etc.)
    7. What account were you using?
    8. What data do you typically access?
    9. Who else have you contacted about this incident, and what did you tell them?
  4. Contact the help desk using the phishing hotline and be as helpful as possible.
  5. Be patient: the response may be disruptive, but you are protecting your team and the organization! Thank you.

Reference: Help Desk Actions for Suspected Phishing Attack

  1. Stay calm, take a deep breath.
  2. Open a ticket to document the incident, per procedure.
  3. Ask the user to take pictures of their screen using their smartphone showing the things they noticed: the phishing message, the link if you opened it, the sender information, etc. If this is something you noticed directly, do the same yourself.
  4. Take notes about the problem(s) using the voice memo app on your smartphone or pen-and-paper. If this is a user report, ask detailed questions, including:
    1. What did you notice?
    2. Why did you think it was a problem?
    3. What were you doing at the time you detected it?
    4. When did it first occur, and how often since?
    5. What networks are involved? (office/home/shop, wired/wireless, with/without VPN, etc.)
    6. What systems are involved? (operating system, hostname, etc.)
    7. What data is involved? (paths, file types, file shares, databases, software, etc.)
    8. What users and accounts are involved? (active directory, SaaS, SSO, service accounts, etc.)
    9. What data do the involved users typically access?
    10. Who else have you contacted about this incident, and what did you tell them?
  5. Ask follow-up questions as necessary. You are an incident responder, we are counting on you.
  6. Get detailed contact information from the user (home, office, mobile), if applicable.
  7. Record all information in the ticket, including hand-written and voice notes.
  8. Quarantine affected users and systems.
  9. Contact the security team and stand by to participate in the response as directed: investigation, remediation, communication, and recovery.

Additional Information

  1. Anti-Phishing Attack resources
  2. Methods of Identifying a Phishing attack
  3. Phishing Email Examples
  4. Anti-Phishing best practices

Playbook: Ransomware

Investigate, remediate (contain, eradicate), and communicate in parallel! Containment is critical in ransomware incidents, prioritize accordingly.

Assign steps to individuals or teams to work concurrently, when possible; this playbook is not purely sequential. Use your best judgment.

Investigate

  1. Determine the type of ransomware (i.e., what is the family, variant, or flavor?)[1]
    1. Find any related messages. Check:
      • graphical user interfaces (GUIs) for the malware itself
      • text or html files, sometimes opened automatically after encryption
      • image files, often as wallpaper on infected systems
      • contact emails in encrypted file extensions
      • pop-ups after trying to open an encrypted file
      • voice messages
    2. Analyze the messages looking for clues to the ransomware type:
      • ransomware name
      • language, structure, phrases, artwork
      • contact email
      • format of the user id
      • ransom demand specifics (e.g., digital currency, gift cards)
      • payment address in case of digital currency
      • support chat or support page
    3. Analyze affected and/or new files. Check:
      • file renaming scheme of encrypted files including extension (e.g., .crypt, .cry, .locked) and base name
      • file corruption vs encryption
      • targeted file types and locations
      • owning user/group of affected files
      • icon for encrypted files
      • file markers
      • existence of file listings, key files or other data files
    4. Analyze affected software or system types. Some ransomware variants only affect certain tools (e.g., databases) or platforms (e.g., NAS products)
    5. Upload indicators to automated categorization services like Crypto Sheriff, ID Ransomware, or similar.
  2. Determine the scope:
    1. Which systems are affected?
      • Scan for concrete indicators of compromise (IOCs) such as files/hashes, processes, network connections, etc. Use endpoint protection/EDR, endpoint telemetry, system logs, etc.
      • Check similar systems for infection (e.g., similar users, groups, data, tools, department,configuration, patch status): check IAM tools, permissions management tools, directory services, etc.
      • Find external command and control (C2), if present, and find other systems connecting to it: check firewall or IDS logs, system logs/EDR, DNS logs, netflow or router logs, etc.
    2. What data is affected? (e.g., file types, department or group, affected software)
      • Find anomalous changes to file metadata such as mass changes to creation or modification times. Check file metadata search tools.
      • Find changes to normally-stable or critical data files. Check file integrity monitoring tools.
  3. Assess the impact to prioritize and motivate resources
    1. Assess functional impact: impact to business or mission.
      • How much money is lost or at risk?
      • How many (and which) missions are degraded or at risk?
    2. Assess information impact: impact to confidentiality, integrity, and availability of data.
      • How critical is the data to the business/mission?
      • How sensitive is the data? (e.g., trade secrets)
      • What is the regulatory status of data (e.g., PII, PHI)
  4. Find the infection vector. Check the tactics captured in the Initial Access tactic of MITRE ATT&CK[4]. Common specifics and data sources include:

Remediate

Contain

In ransomware situations, containment is critical. Inform containment measures with facts from the investigation. Prioritize quarantines and other containment measures higher than during a typical response.

Quarantines (logical, physical, or both) prevent spread from infected systems and prevent spread to critical systems and data. Quarantines should be comprehensive: include cloud/SaaS access, single-sign-on, system access such as to ERP or other business tools, etc.

Eradicate

Communicate

  1. Escalate incident and communicate with leadership per procedure
  2. Document incident per procedure
  3. Communicate with internal and external legal counsel per procedure, including discussions of compliance, risk exposure, liability, law enforcement contact, etc.
  4. Communicate with users (internal)
    1. Communicate incident response updates per procedure
    2. Communicate impact of incident and incident response actions (e.g., containment: “why is the file share down?”), which can be more intrusive/disruptive during ransomware incidents
    3. Communicate requirements: “what should users do and not do?” See “Reference: User Actions for Suspected Ransomware,” below
  5. Communicate with customers
    1. Focus particularly on those whose data was affected
    2. Generate required notifications based on applicable regulations (particularly those that may consider ransomware a data breach or otherwise requires notifications (e.g., HHS/HIPAA))
  6. Contact insurance provider(s)
    1. Discuss what resources they can make available, what tools and vendors they support and will pay for, etc.
    2. Comply with reporting and claims requirements to protect eligibility
  7. Communicate with regulators, including a discussion of what resources they can make available (not just boilerplate notification: many can actively assist)
  8. Consider notifying and involving law enforcement
    1. Local law enforcement
    2. State or regional law enforcement
    3. Federal or national law enforcement
  9. Communicate with security and IT vendors
    1. Notify and collaborate with managed providers per procedure
    2. Notify and collaborate with incident response consultants per procedure

Recover

We do not recommend paying the ransom: it does not guarantee a solution to the problem. It can go wrong (e.g., bugs could make data unrecoverable even with the key). Also, paying proves ransomware works and could increase attacks against you or other groups.[2, paraphrased]

  1. Launch business continuity/disaster recovery plan(s): e.g., consider migration to alternate operating locations, fail-over sites, backup systems.
  2. Recover data from known-clean backups to known-clean, patched, monitored systems (post-eradication), in accordance with our well-tested backup strategy.
  3. Find and try known decryptors for the variant(s) discovered using resources like the No More Ransom! Project’s Decryption Tools page.
  4. Consider paying the ransom for irrecoverable critical assets/data, in accordance with policy.

Resources

Reference: User Actions for Suspected Ransomware

  1. Stay calm, take a deep breath.
  2. Disconnect your system from the network.
  3. Take pictures of your screen using your smartphone showing the things you noticed: ransom messages, encrypted files, system error messages, etc.
  4. Take notes about the problem(s) using the voice memo app on your smartphone or pen-and-paper. Every little bit helps! Document the following:
    1. What did you notice?
    2. Why did you think it was a problem?
    3. What were you doing at the time you detected it?
    4. When did it first occur, and how often since?
    5. Where were you when it happened, and on what network? (office/home/shop, wired/wireless, with/without VPN, etc.)
    6. What systems are you using? (operating system, hostname, etc.)
    7. What account were you using?
    8. What data do you typically access?
    9. Who else have you contacted about this incident, and what did you tell them?
  5. Contact the help desk and be as helpful as possible
  6. Be patient: the response may be disruptive, but you are protecting your team and the organization! Thank you.

Reference: Help Desk Actions for Suspected Ransomware

  1. Stay calm, take a deep breath.
  2. Open a ticket to document the incident, per procedure.
  3. Ask the user to take pictures of their screen using their smartphone showing the things they noticed: ransom messages, encrypted files, system error messages, etc. If this is something you noticed directly, do the same yourself.
  4. Take notes about the problem(s) using the voice memo app on your smartphone or pen-and-paper. If this is a user report, ask detailed questions, including:
    1. What did you notice?
    2. Why did you think it was a problem?
    3. What were you doing at the time you detected it?
    4. When did it first occur, and how often since?
    5. What networks are involved? (office/home/shop, wired/wireless, with/without VPN, etc.)
    6. What systems are involved? (operating system, hostname, etc.)
    7. What data is involved? (paths, file types, file shares, databases, software, etc.)
    8. What users and accounts are involved? (active directory, SaaS, SSO, service accounts, etc.)
    9. What data do the involved users typically access?
    10. Who else have you contacted about this incident, and what did you tell them?
  5. Ask follow-up questions as necessary. You are an incident responder, we are counting on you.
  6. Get detailed contact information from the user (home, office, mobile), if applicable
  7. Record all information in the ticket, including hand-written and voice notes
  8. Quarantine affected users and systems.
  9. Contact the security team and stand by to participate in the response as directed: investigation, remediation, communication, and recovery

Additional Information

  1. “Ransomware Identification for the Judicious Analyst”, Hahn (12 Jun 2019)
  2. No More Ransom! Project, including their Crypto Sheriff service and their Q&A
  3. ID Ransomware service
  4. MITRE ATT&CK Matrix, including the Initial Access and Impact tactics

Roles

The following are the descriptions, duties, and training for each of the defined roles in an incident response.

Structure of Roles

This is a flexible structure: every role will not be filled by a different person for every incident. For example, in a small incident the Deputy might act as the Scribe and Internal Liaison. The structure is flexible and scales based on the incident.

Wartime vs. Peacetime

On incident response calls (“wartime”), a different organizational structure overrides normal operations (“peacetime”):

Role: All Participants

Description

All participants in an incident response have the responsibility to help resolve the incident according to the incident response plan, under the authority of the Incident Commander.

Duties

Exhibit Call Etiquette

Reference: Common Voice Procedure

Standard radio voice procedure is not required, however you may hear certain terms (or need to use them yourself). Common phrases include:

Do not invent new abbreviations; favor being explicit over implicit.

Follow the Incident Commander

The Incident Commander (IC) is the leader of the incident response process.

Training

Read and understand the incident response plan, including the roles and playbooks.

Role: Incident Commander (IC)

Description

The Incident Commander (IC) acts as the single source of truth of what is currently happening and what is going to happen during an major incident. The IC is the highest ranking individual on any incident call, regardless of their day-to-day rank. They are the decision maker during an incident; they delegate tasks and listen to subject matter experts to resolve the incident. Their decisions made as commander are final.

Your job as an IC is to evaluate the situation, provide clear guidance and coordination, recruiting others to gather context/details. Do not perform any investigation or remediation: delegate these tasks.

Duties

Resolve the incident as quickly and as safely as possible using the incident response plan as a framework: lead the team to investigate, remediate, communicate. Use the Deputy to assist you, and delegate to relevant liaisons and experts (SMEs) at your discretion.

  1. Help prepare for incidents,
  2. Drive incidents to resolution,
  3. Facilitate calls and meetings,
  4. Post Mortem,

The Incident Commander uses some additional call procedures and lingo:

Use clear terminology, and avoid acronyms or abbreviations. Clarity and accuracy is more important than brevity.

Training

Prerequisites

There is no seniority or business-unit prerequisites to become an Incident Commander, it is a role open to anyone with the training and ability. Before you can be an Incident Commander, it is expected that you meet the following criteria:

Deep technical knowledge is not required! Incident Commanders do not require deep technical knowledge of our systems. Your job as Incident Commander is to coordinate the response, not make technical changes. Don’t think you can’t be an Incident Commander just because you’re not in the engineering department.

Graduation

Upon completion of training, add yourself to the Incident Commander roster.

Role: Deputy Incident Commander (Deputy)

Description

A Deputy Incident Commander (Deputy) is a direct support role for the Incident Commander (IC). The Deputy enables the IC to focus on the problem at hand, rather than worrying about documenting steps or monitoring timers. The deputy supports the IC and keeps them focused on the incident. As a Deputy, you will be expected to take over command from the IC if they request it.

Duties

  1. Bring up issues to the Incident Commander that may otherwise not be addressed (keeping an eye on timers that have been started, circling back around to missed items from a roll call, etc).
  2. Be a “hot standby” Incident Commander, should the primary need to either transition to a SME, or otherwise have to step away from the IC role.
  3. Manage the incident call, and be prepared to remove people from the call if instructed by the Incident Commander.
  4. Monitor the status of the incident, and notify the IC if/when the incident escalates in severity level.
  5. Monitor timers:
  6. Monitor task deadlines (e.g., “IC, be advised the timer for [TEAM]’s investigation is up.”)

Training

Prerequisites

Role: Scribe

Description

A Scribe documents the timeline of an incident as it progresses, and makes sure all important decisions and data are captured for later review. The Scribe should focus on the incident file, as well as follow-up items for later action.

Duties

  1. Ensure the incident call is being recorded.
  2. Note in chat and in the file timelines: important data, events, and actions, as they happen. Specifically:
  3. Update the chat with who the IC is, who the Deputy is, and that you’re the scribe (if not already done).

Scribing is more art than science. The objective is to keep an accurate record of important events that occurred, Use your judgement and experience. But here are some general things you most definitely want to capture as scribe.

Training

Read and understand the incident response plan, including the roles and playbooks.

Prerequisites

Training Process

Role: Subject Matter Expert (SME)

Description

A Subject Matter Expert (SME) is a domain expert or designated owner of a team, component, or service (an “area”). You are there to support the incident commander in identifying the cause of the incident, suggesting and evaluation investigation, remediation, and communication actions, and following through on them as tasked.

Duties

  1. Diagnose common problems within your area of expertise.
  2. Rapidly fix issues found during an incident.
  3. Concise communication:
  4. Participate in the investigation, remediation, and/or communication phases of the response.
  5. Announce all suggestions to the incident commander, it is their decision on how to proceed, do not follow any actions unless told to do so.

If you are on-call for any team, you may be paged for an incident and will be expected to respond as a subject matter expert (SME) for your team, component, or service. Anyone who is considered a “domain expert” can act as a SME for an incident. Typically the team’s primary on-call will act as the SME for that team.

Prepare for On-Call Period

  1. Be prepared, by having already familiarized yourself with our incident response policies and procedures.
  2. Make sure you have set up your alerting methods in accordance with our on-call procedure.
  3. Check you can join the incident call. You may need to install a browser plugin.
  4. Be aware of your upcoming on-call time and arrange swaps around travel, vacations, appointments, etc.
  5. If you are an Incident Commander, make sure you are not on-call for your team at the same time as being on-call as Incident Commander.

During On-Call Period

  1. Have your laptop and Internet with you at all times during your on-call period (office, home, a MiFi, a phone with a tethering plan, etc).
  2. If you have important appointments, you need to get someone else on your team to cover that time slot in advance.
  3. When you receive an alert for an incident, you are expected to join the incident call and chat as quickly as possible (within minutes).
  4. You will be asked questions or given actions by the Incident Commander. Answer questions concisely, and follow all actions given (even if you disagree with them).
  5. If you’re not sure about something, bring in other SMEs from your team that can help. Never hesitate to escalate, if necessary.
  6. Do not blame. This incident response process is completely blameless: blaming is counter productive and distracts from the problem at hand. After-action review will identify places we can all improve.

Training

Role: Liaison

Description

Liaisons interact with other teams or stakeholders, outside the incident response team. These often include:

Duties

External or Customer Liaison

  1. Post any publicly facing messages regarding the incident (Twitter, etc).
  2. Notify the IC of any customers or media coverage reporting affects of the incident.
  3. Provide customers with the external message from the post-mortem once it is completed.
  4. Contact or interact with external stakeholders such as vendors, partners, law enforcement, etc.
  5. Do not feel responsible for creating every message: work with the Incident Commander and other stakeholders.
  6. As appropriate, keep customers informed during an incident.
  7. Act as a voice for our customers to the Incident Commander, as this is useful for IC decision making.
  8. Gaining message approval after you have crafted the public message: copy the message into chat and wait for verbal/written confirmation from the IC before proceeding.
Tips for Public Messages

Internal Liaison

  1. Page SME’s or other on-call personnel as instructed by the Incident Commander.
  2. Notify or mobilize other teams within the organization (e.g. Finance, Legal, Marketing), as instructed by the Incident Commander.
  3. Track and anticipate SMEs on the call.
  4. Interact with stakeholders and provide status updates as necessary.
  5. Interact with internal stakeholders to answer their questions, to keep the primary call distraction free.
  6. Provide regular status updates to the executive team, giving an executive summary of the current status.

Training

Read and understand the incident response plan, including the roles and playbooks.

Prerequisites

Conduct an After Action Review (AAR)

  1. Schedule an After Action Review (AAR) meeting within https://www.riverrunsolutions.com/terms.html and invite the attendees listed at [Private]. Always include the following:
  2. Designate an AAR owner who will investigate the incident in advance of the meeting to prepare, looking into the incident process itself including reviewing notes and reports.

Conduct the AAR Meeting

Document answers to the following key questions:

  1. What happened? Create a timeline, supported with data or other artifacts. Avoid blame. Find facts.
  2. What was supposed to happen?
  3. What were the root causes? Find root cause to things that happened and to things that should have happened.
  4. How can we improve? Capture action items with assignees and due dates. Consider:

Communicate AAR Status and Results

The AAR owner, in coordination with the Internal Liaison, will communicate the status of the AAR (see below)

Status Descriptions

StatusDescription
DraftAAR investigation is still ongoing
In ReviewAAR investigation has been completed, and is ready to be reviewed during the AAR meeting.
ReviewedAAR meeting is over and the content has been reviewed and agreed upon.
If there are additional “External Messages”, the communications team will take action to prepare.
ClosedNo further actions are needed on the AAR (outstanding issues are tracked in tickets).
If no “External Messages”, skip straight to this once the meeting is over.
If there are additional “External Messages”, communications team will update AAR Closed once sent.

Communicate the results of the AAR internally and finalize the AAR documentation.

References and Additional Reading