Skip to main content

Containment Strategery

One of the key metrics Computer Incident Response Teams (CIRTs) often measure is time to containment. This is often seen as a way to guage the performance of the team as it tracks how long it takes to contain a compromised or infected computer from the time of reporting or detection. This number varies widely accross the companies and many simply do not have the capability or desire to record this information. I think this metric often indicates how well the CIRT team knows their environment and the maturity of their processes. So I highly recommend it be a key performance indicator in your CIRT program.

Today however I would like to specifically talk about an appropriate goal for this metric in relation to compromise by advanced external threats. So I will be excluding non-targeted malware and insider scenarios. I believe on one end of the spectrum you have teams that like to contain as soon as possible to limit any possible impact, whereas on the opposite end you have teams that like to wait a long time (weeks/months, usually contracted responders) to fully scope an incident prior to making any major containment efforts. And before we proceed further containment can mean many things, however I will define it here as isolation or removal of the compromised computer from the network. That being said, why would you choose either of those extreme options? One strategy is to quickly deny the adversary any asset before they can conduct further operations inside your network. The big pitfall being here, that you don't have enough time to figure out exactly how they compromised the system and what other systems they control in such a short time span. Whereas, waiting longer allows you to fully scope out the extent of the breach where the hope is that the investigation doesn't alert the intruders that the defenders are on to them. This routinely fails as advanced intruders, know to mix up their backdoor tools and maintain several entry and exit points. To me rather then being time focused, I prefer a process flow that scopes the incident for you.

Questions like the following are key to this flow:
What method was used to compromise the system?
How long have they been active in the environment and are they still active?
Which system was ground zero for the intrusion?
What accounts have been compromised and can they be reset in a timely manner?
What ingress and egress points are the intruders using?
What systems have been touched by the intruders?
What command and control (C2) method are the intruders using and can you decipher it?
Have you seen this group in your environment before?
Have you documented the indicators of compromise (IOCs)?
Do you have the ability to scan your environment for these IOCs?
Do you have the capability to take the system offline without a disasterous business outage?
Has the scope of the breach and/or data loss been determined?
Has senior security leadership been briefed on the incident?
Is data exfiltration actively occurring?

These are just some intial questions you need to add into your containment decision process flow. I can tell you that being on either end of the spectrum is not sucessful in large companies where you don't have good system inventory and a full internet gateway registry. It's possible to do either if you have full mastery of your computing infrastructure, but this is a rarity. I think based on your capabilities and the questions above you can create a plan that gets the system contained as quick as possible with out tipping off the intruder and/or allowing them to continue to develop their foothold on your network.

Stay secure my friends.

Comments

Popular posts from this blog

SANS Cyber Threat Intelligence Summit 2013

     I recently attended the first SANS CTI Summit in Washington DC. While there was plenty of brain power in the room, and good discussions were to be had, overall it was just ok. There was a big focus on what CTI is and why you should be doing it, or at least consuming it. There wasn't enough discussion, aside from one talk, on how you should be doing it. It basically reinforced my beliefs that this is still very much a small, closed off club of insiders, where nobody is sharing tradecraft. I love that SANS is getting involved in this space though, and it sounds like Mike Cloppert will be writing a SANS course on Threat Intelligence in the future. I would very much be interested in that and I expect it would sell out quickly.      Mike Cloppert opened the day by discussing the old vulnerability centric approach focused on reducing attack surface as opposed to the new threat centric model focused on reducing the risk of the actual threats affecting your ...

2020 SANS CTI Summit Notes

Unfortunately due to some back surgery I was not able to attend the SANS CTI summit this year, however I always try to take advantage of the great content SANS makes available. To help me out in synthesizing the information, I combined the context provided by those that were live tweeting which is useful when reviewing the slide decks. Hope you find this useful and well done @rickholland , @PDXbek , and @likethecoins , another great year of great content! Day 1 Secret Squirrels and Flashlights: Legal Risks and Threat Intelligence https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1579535253.pdf @CristinGoodwin Assistant General Counsel for Customer Security and Trust, Microsoft Boundaries and strategies to help analysts identify and manage legal risks while hunting, investigating, and responding "Have a principled approach to sharing, so when the crisis comes you don’t have to panic.” "What we call common in #threatinel sharing is what a l...

European DFIR Summit 2018 Review

On Monday October 1st, I attended the European edition of the SANS DFIR Summit in Prague. Normally I try to attend this in Austin, however this year I couldn't make it so attended this one later in the year instead. I took a couple days PTO just to spend some time seeing the sights and it was cool getting to take time visiting the historical sights, instead of my typical shut in routine. If you have time, I would highly recommend this and definitely book a night time river cruise. Also worth noting, the new Spiderman movie was filming last week which was kinda cool. A few other recommendations I would make, would be to stay closer to the city center and take the subway daily. This has the added benefit of staying at a nicer, more western hotel (eg Marriott, Hilton), but also being near the old town square. I'm staying at the Angelo Hotel, but the training is actually split between two hotels and I don't get the benefit of being able to quickly jet up th...