9.1 Containment | Vicky's Page

Section 9.1 Containment

As you study this section, answer the following questions:

What is the main objective of the containment phase?
Why is evidence preservation important?
What is sanitization?
Which steps are included in the recovery phase?

In this section, you will learn to:

Utilize the appropriate containment strategy
Sanitize and reconstitute resources
Properly dispose of assets
Retain as much evidence as possible
Review and update controls

The key terms for this section include:

Key Terms and Definitions

Key Terms and Definitions
Term	Definition
Segmentation	Divides the network into sub-networks that are not able to communicate with each other directly.
Isolation	Separates a device, VLAN, or network segment from the rest of the network.
Sanitization	The act of destroying a device to ensure no data is left behind.
Remediation	The corrective actions taken to address a problem or issue permanently.

This section helps you prepare for the following certification exam objectives:

Exam	Objective
CompTIA CySA+ CS0-003	1.4 Compare and contrast threat-intelligence and threat-hunting concepts Threat Hunting Focus areas Isolated networks 2.4 Given a scenario, recommend controls to mitigate attacks and software vulnerabilities Cryptographic failures 3.2 Given a scenario, perform incident response activities Detection and analysis Evidence acquisitions Containment, eradication, and recovery Scope Impact Isolation Remediation Re-imaging Compensating controls 3.3 Explain the preparation and post-incident activity phases of the incident management life cycle Post-incident activity Forensic analysis
TestOut CyberDefense Pro	4.1 Manage security incidents Eradicate Advanced Persistent Threats (APT)

Exam

Objective

CompTIA CySA+ CS0-003

1.4 Compare and contrast threat-intelligence and threat-hunting concepts

Threat Hunting
- Focus areas
  - Isolated networks

2.4 Given a scenario, recommend controls to mitigate attacks and software vulnerabilities

Cryptographic failures

3.2 Given a scenario, perform incident response activities

Detection and analysis
- Evidence acquisitions
Containment, eradication, and recovery
- Scope
- Impact
- Isolation
- Remediation
- Re-imaging
- Compensating controls

3.3 Explain the preparation and post-incident activity phases of the incident management life cycle

Post-incident activity
- Forensic analysis

TestOut CyberDefense Pro

4.1 Manage security incidents

Eradicate Advanced Persistent Threats (APT)

9.1.1 Containment

Click one of the buttons to take you to that part of the video.

Containment 00:00-01:05 In this video, I'm going to discuss incident response containment. Due to the wide variety of incidents you might encounter, it can be challenging to preplan a response for every scenario. The containment phase's primary goal is to isolate an incident and quickly limit the amount of damage that can be done. Containment can be a bit of a balancing act. You want to take the necessary actions to contain an incident, but you don't want to lose valuable time by getting too caught up in the small procedural details.

There are two basic steps to the containment phase. First, you select an appropriate containment strategy, and then you implement it. While this might seem simple, there's not a one-size-fits-all solution. When selecting a strategy, you want to consider the impact it could have on business operations. While there's a good chance there'll be some disruption, you want to weigh the potential side effects against the organizational benefit. You have two general strategies to choose from—segmentation-based containment and isolation-based containment. Let's take a look at each one.

Segmentation-Based Containment 01:05-01:47 With segmentation-based containment, you break apart the network into subnetworks that aren't able to communicate with each other directly.

For example, here's a simple network layout. Notice that there are separate subnetworks for guests, employees, and data, and they're all separated from the internet by a firewall. When creating a separate contained network, you want to place it outside of your firewall to make it harder to access your other internal networks. Segmentation-based containment helps to ensure that any compromised systems are restricted. Depending on network configurations, it still could be possible for traffic to cross from one segment to another, but segmentation does provide an extra layer of security that helps with containment.

Isolation-Based Containment 01:47-02:41 With isolation-based containment, you disconnect a device, VLAN, or network segment from the rest of the network.

Let's look back at our network diagram. Instead of connecting the segmented network outside the firewall, we completely isolate the targeted network segment so that it has no connection point into the network.

Isolation can help ensure that the incident's impact can't be spread to any other devices or subnetworks. The response team can safely observe system activities without compromising outside networks. Closed environments also allow testing. Testing is beneficial because it can help determine indicators of compromise and eradication methods that we can share with other organizations. We share this information through online security trackers, such as the Information Sharing and Analysis Center, or ISAC, and the Community Emergency Response Team, or CERT.

Containment Considerations 02:41-03:32 When you determine a response, your primary consideration should be for your employees. Is your employees' safety or security at risk? If an action places them at further risk, you shouldn't take that

action. Is there an active threat? Is there an existing intrusion or data breach? Does the attacker know that the intrusion has been discovered? You probably won't know the full extent of their presence, and if they find out that you've detected them, you don't want them to quickly implement damaging attacks before you can stop them. Additionally, you don't want them to remove evidence that they were there. You might need that evidence to fully determine the attack's intent and impact. You also want to consider the incident's full extent. Is the incident a single attack or is it part of a more complex campaign? If it's a larger campaign, you might need to work with various departments to resolve it.

Summary 03:32-03:49 That's it for this lesson. In this lesson, we talked about incident response containment. First, we discussed segmentation-based and isolation-based containment strategies. We also discussed a few containment considerations.

9.1.2 Containment Facts

This lesson covers the following topics:

Containment phase
Isolation
Containment considerations

Containment Phase

The primary goal of the containment phase is to isolate an incident and to quickly and effectively limit the amount of damage. Containment can be a balancing act. You want to take the necessary actions to contain the incident, but you do not want to lose valuable time by getting too caught up in the small details of the procedure.

There are two basic steps to the containment phase:

Select an appropriate containment strategy.
Implement the containment strategy.

Isolation

Isolation is a mitigation strategy applied to many incident types. Isolation involves removing an affected component from the environment in which it participates—for example, removing a server from the network after it has been attacked or disabling a router interface to prevent the spread of malware outside of a department. Isolation could also refer to disabling a user account or application service.

The chosen isolation method directly impacts forensic analysts and can potentially violate established policies or SLAs. Selecting the right approach to containment depends upon balancing these requirements with the risks associated with inaction. Incident responders must carefully document and timestamp all actions to support post-incident investigations.

Segmentation-Based Isolation

Segmentation divides a network into smaller sub-networks to improve performance, security, and more. Segmentation is also an effective isolation technique to contain incidents, especially if the system cannot be completely isolated due to business-critical operations or other requirements. Segmentation-based containment can help ensure that compromised systems are restricted to a local segment. Depending on network configuration and an attacker’s knowledge, it may still be possible for traffic to cross from one segment to another. However, segmentation provides an extra layer of security that helps with containment.

Physical Isolation

Whenever possible, the affected systems should be physically isolated to prevent additional issues. This containment method can involve disconnecting a device, VLAN, or network segment from the rest of the network. Isolation can help ensure that the impact of the incident cannot spread to other devices or subnetworks.

When devices are physically isolated, the response team can safely perform the following without compromising outside systems or networks:

Observe the activities and behaviors of the system.
Study and test the system to ensure it is safe to use.
Share findings of indicators of compromise, behavior, and eradication methods with other organizations through online security trackers such as the ISAC and the CERT.

Containment Considerations

There is no one-size-fits-all answer to most containment scenarios. The annual Verizon Data Breach Investigations Report ( verizon.com/business/resources/reports/dbir/ ) demonstrates the scale of the problem faced by breach investigators. Many successful attackers were able to exfiltrate sensitive data within minutes. A small percentage of attacks took days to discover, while most took months. Only a fraction of breaches took less than an hour to discover.

Incident responders must make quick decisions regarding the most effective containment technique when a system is compromised. The course of action depends on several factors:

Ensure the safety and security of all personnel. The first concern of all managers involved with the security response is the safety and security of personnel.
Prevent further damage. This will be the overriding priority after the identification of the compromise.
Identify whether the intrusion is a primary or a secondary attack (part of a more complex campaign).
Avoid alerting the attacker that they have been discovered. Two main reasons to avoid this are:
- You may not know the full extent of the attacker's presence. You do not want the attacker to quickly implement additional damaging attacks before you can stop the attacks.
- You do not want the attacker to remove any evidence of the attack. You may need that evidence to fully determine the impact and intent of the attack.
Preserve forensic evidence of the intrusion. While waiting for the forensics analyst to arrive, treat the system like any crime scene by preventing anyone from further compromising the system or destroying evidence.

9.1.3 Eradication

Click one of the buttons to take you to that part of the video.

Eradication 00:00-00:49 After an incident has been contained, your next step is eradication. The eradication phase's primary purpose is to eliminate all traces of an incident while carefully preserving evidence that might be used in a criminal investigation. In this lesson, I'll go over how to properly perform eradication and preserve any necessary documentation.

Let's say that you've isolated an infected portion of your network to keep the problem from spreading. Now, it's time to completely remove the problem so you can get that isolated network portion back up and running. It's important to note that you don't want to simply cover up the problem with a new image and hope the problem goes away. You haven't fixed anything if you simply reimage the operating system but leave the compromised firmware untouched.

Sanitization 00:49-02:00 If you plan on using a compromised device after an incident, that device must be completely sanitized to ensure eradication. A cryptographic erase basically involves throwing away the proverbial key. Data is deemed useless and can be overwritten if the device it was on was encrypted and you destroy the key. If a cryptographic erase isn't an option, you can use forensic tools to sanitize a storage device. These tools bypass the operating system and overwrite the entire storage device with 0s. To ensure sanitization, the original content should be overwritten with 1s and 0s numerous times before the 0s are applied.

If you've ever tried to erase a word on paper, you know that sometimes you can still read what was there. And simply writing new letters over old ones doesn't always hide what you wrote. But if you keep writing random letters over and over again, eventually you can't tell what the original meaning was.

It's the same thing with cybersecurity. If you overwrite 1s and 0s with random 1s and 0s, you reduce the chance that the old content can be read. When you eventually replace everything with 0s, you have a fresh slate.

Reconstitution of Resources 02:00-02:58 In some instances, sanitization and reimaging isn't an option and you might need to manually reconstitute a resource. To do so requires several steps. First, ensure that the system has been contained. Second, use a combination of software tools and manual searches to find any signs of malware. After that, terminate any processes that appear suspicious and delete all traces of the source software from the system. Next, disable any autostart locations in your file system, registry, and task scheduler to prevent these processes from executing. Once you think you've cleared everything out, reinstall any contaminated software, including the operating system or impacted applications. Finally, restart the system in a contained environment and reanalyze it for signs of malware or suspicious activity. If the infection seems to have been removed, you could then return the system to a live environment. Just be sure to monitor it closely.

Secure Disposal 02:58-03:38 The best way to ensure that nothing is left behind is to physically destroy and dispose of the device. Degaussing involves the use of a powerful magnetic force to wipe data completely from the drive. This process usually destroys the motors that operate the platters so the drive can't be used again. Shredding involves slicing the drive into tiny pieces with the use of large amounts of force. Crushing involves punching a hole into the hard drive. This hole destroys the platters and fractures all other surfaces. It's important to note that these activities should be completed by a licensed destruction service for compliance, security, and safety purposes.

Evidence Retention 03:38-03:51 Before you destroy a device, you should gather any evidence that might be present. If legal issues come up in the future, you do want to be prepared. To be safe, just assume that all incidents could lead to an investigation.

Summary 03:51-04:13 That's it for this lesson. In this lesson, we discussed eradication. Eradication is a phase that eliminates all traces of a security incident using sanitization, reconstitution of resources, or secure disposal, all while also preserving evidence that could be used in a criminal investigation.

9.1.4 Eradication Facts

This lesson covers the following topics:

Evidence preservation
Sanitization
Secure disposal
Reconstitution of resources

After an incident has been contained, your next step is eradication. The primary purpose of the eradication phase is to eliminate all traces of the incident, including advanced persistent threats (APTs), while carefully preserving evidence that may be used in a criminal investigation.

Evidence Preservation

Before you destroy a device, you should gather any evidence that may be present. If any legal or compliance issues come up in the future, you want to be prepared. To be safe, you will want to assume that all incidents could lead to an investigation.

Sanitization

The best way to ensure that nothing is left behind is to destroy the device. Here are a few methods that are used:

Method	Description
Cryptographic erase	A cryptographic erase destroys the device's cryptographic key. If the device is encrypted and you destroy the key, the data is deemed useless and can be overwritten.
Forensic tools	Numerous forensic tools can be used to sanitize a storage device. These tools bypass the operating system and overwrite the entire storage device with 0s. To ensure total sanitization, the original content may be overwritten with 1s and 0s numerous times before the final 0s are applied to the entire disk.

Secure Disposal

The best way to ensure that nothing is left behind is to destroy the device. Additional methods you can use are:

Degaussing involves the use of a powerful magnetic force to wipe the data completely from the drive. This process usually destroys the motors that drive the platters so the drive cannot be used again.
Crushing involves punching a hole into the hard drive with a large amount of force. This hole destroys the platters and fractures all other surfaces.
Shredding involves slicing the drive into tiny pieces.

These disposal activities should be completed by a licensed destruction service for compliance and safety purposes.

Reconstitution of Resources

In some instances, sanitization and reimaging may not be an option, and you need to manually reconstitute a resource. To do so requires the following steps:

Ensure that the system has been contained.
Use a combination of software tools and manual searches to find any signs of malware.
Terminate any processes that appear suspicious and delete all traces of the source software from the system.
Disable any autostart locations in your file system, registry, and the task scheduler to prevent these processes from executing.
Reinstall the operating system and applications with new, clean versions from trusted sources.
Restart the system in a contained environment and reanalyze for signs of malware or suspicious activity.
Return the system to a live environment only if the infection seems to have been removed.
Monitor the system closely.

9.1.5 Recovery

Click one of the buttons to take you to that part of the video.

Recovery 00:00-01:31 Having a good incident response plan is essential to protect your company. This plan should include what to do in any one of the several incident response life cycle stages.

The stages include detection and analysis, containment, eradication and recovery, and post-incident activity. In this lesson, I'm going to discuss the recovery phase.

After you isolate and remove an incident's cause, you'll need to recover all required systems and services. During the recovery phase, your primary objective is to restore all system capabilities so that business can return to normal. Specific recovery actions will differ based on the type of attack and its extent into the system.

For example, let's say your co-worker opened an email they shouldn't have and now has malware on their desktop. What would the recovery steps be? In the end, it could be a simple fix that your anti-malware software handles on its own, it could require you to do manual removal, or you might even have to completely erase the hard drive and reinstall the operating system.

Once you remove the problem, you might be tempted to just walk away. But to truly recover from an incident, you need to make sure that the employee in question receives additional security training to make sure the same thing doesn't happen again. This extra step is called vulnerability mitigation. Let's look at that more closely.

Vulnerability Mitigation 01:31-02:19 Vulnerability mitigation means that you make sure you've considered all the incident's details and have taken action to keep it from happening again. Although system hardening usually occurs during installation, a security incident can provide new insight into a network's vulnerabilities, so this is a good time to harden your system again to avoid future problems. Let's look at some more recovery actions that don't just restore your system but also make it more secure than it was before. First, you need to reconstruct the disks on any sanitized devices. You can restore the operating system and necessary software applications manually or with a configuration template or script. Either way, be sure to obtain the image from a trusted source.

Restore User Permissions 02:19-02:52 Next, verify that user access has been restored and that everyone has access to the resources they need. This includes file access, firewall ACLs, user groups, and system access. During this time, you should review all accounts and privileges. Make sure no one has access to resources they shouldn't, and remember to use the principle of least privilege to ensure that only authorized user accounts exist on each system. Finally, remove or disable all unused user accounts.

Logging and Monitoring 02:52-03:14 You also want to verify that all scanning, monitoring, and logging systems are back up and running. If an attacker was able to avoid these systems, you should verify that nothing was disabled. If you find that these systems weren't disabled, use this opportunity to review settings and configurations to determine why you didn't receive a warning for the attack.

Patching 03:14-03:39 If an incident involved a weakness in a piece of hardware or software, you want to review the vendor documentation to determine whether it's a known vulnerability and if a patch exists for it. If a patch does exist, test it out first before installing it. After that, figure out why it wasn't installed in the first place. And while you're at it, check other systems to ensure that their patches are up to date as well.

Summary 03:39-03:55 That's it for this lesson. In this lesson, we discussed the incident response recovery phase and the importance of vulnerability mitigation as you restore system capabilities and services.

9.1.6 Recovery Facts

This lesson covers the following topics:

Recovery
Remediation
Compensating Controls

Recovery

Eradicating malware, backdoors, and compromised accounts from individual hosts is not the last step in incident response. You should also consider a recovery phase (or sub-phase) where the goal is the restoration of capabilities and services. This means that hosts are fully reconfigured to operate the business workflow they were performing before the incident. The steps you take to recover from an incident will depend greatly on the nature and the extent of the impact of the incident, as well as the ways in which you prepared for such an incident. The following are some examples of incident recovery:

If an employee accidentally downloads malware onto their workstation, you can attempt to remove it with antimalware software. If the malware persists, you may need to wipe the entire hard drive and reinstall the operating system. You can only truly recover once the malware is completely gone from the system and the user is trained to be more security aware.
- One method of restoring a system after a breach or infection is reimaging it using a known clean backup or disk image created before the incident. A "clean" backup or image has appropriate secure baseline configurations, is fully patched, and does not contain malware. Depending on when the system was initially breached, backups may contain malware, backdoors, or other artifacts which would allow the attacker to regain access quickly. Any system infected with malware should be reimaged instead of trusting that antimalware tools can effectively "clean the infection." Malware is complicated and stealthy, and removal is often a complex task.
If a malicious user deletes data from a database, you can restore that data if you have been creating backups. A continuous 1:1 replication of that data will require minimal effort on your part, but backups made in time intervals may leave some data incomplete or irrecoverable. If possible, identify what you can about the data lost in the period since the last backup was performed.
If a distributed denial of service (DDoS) takes down your web servers, you may need to manually reboot them and perform a health check before pushing them back to live status. They should accept incoming connections gradually rather than all at once to prevent the servers from overloading again. If you identify the source or sources of the malicious traffic, you can also have the servers filter them.
If an employee lost access during the incident response to contain or stop the attack. Verify that user access has been restored and everyone has access to the resources they need. This can include:
- File access
- Firewall ACLs
- User groups
- System access

An essential part of recovery is the process of ensuring that the system cannot be compromised through the same attack vector (or, failing that, that the vector is closely monitored to provide advance warning of another attack).

Remediation

Remediation describes the corrective actions taken to address a problem or issue permanently. This often involves replacing faulty hardware or software or implementing new procedures to prevent similar issues from occurring in the future. Remediation requires using the outputs of root cause analysis to correctly identify the fix that prevents the issue from happening again. This is significantly different from "fixing," which focuses on simply making things work again.

For example, if an attack used a software or firmware exploit, the target system (and other systems with the same vulnerability) must be patched (if a patch exists). Root cause analysis would seek to determine why the systems were unpatched in the first place and how the attack was able to access the vulnerable systems. Remediation could include changes to the system hardening process to include additional steps. So while recovery efforts focus on restoring things to normal, remediation describes how lessons learned and root cause analysis is incorporated into policies, procedures, and technological improvements to ensure the problem does not reoccur.

Verify that all scanning, monitoring, and logging systems are running. If an attacker avoided these systems, verify that nothing was disabled. If you find out that these systems were not disabled, use this opportunity to review settings and configurations to determine why you did not receive a warning of the attack. Depending on the result of the root cause analysis, it may also require a review of accounts and privileges.

Compensating Controls

The PCI DSS standard ( https://listings.pcisecuritystandards.org/documents/PCIDSS_QRGv3_1.pdf ) identifies that a compensating control is needed when an overriding business or technical reason prevents deploying the primary control recommended by the standard. A compensating control serves the same purpose as the recommended control and affords the same (or better) level of protection but uses a different methodology or technology. Leadership must approve the control's deployment and require detailed documentation to show that the compensating control is deployed as part of the process, is applied consistently by employees, and is monitored for effectiveness.

The need for a compensating control may be because the primary control is too expensive, needs more qualified staff to operate it, or is incompatible with a critical application or platform.