Incident Response Playbook

Uploaded by miltonyamada

Incident Response Playbook

Business Email Compromise
Responding to Data Exfiltration Incidents
Incident
Detection
Common indicators of BEC:
Unusual email activity
Unexpected password changes
Suspicious login attempts
Data access anomalies
Monitoring tools and techniques
Incident Detection
Indicators of Compromise (IoCs)

01 Unusual Email Activity
Unexpected out-of-office replies
Emails sent at odd hours
Increase in email volume to external domains

02 Account Anomalies
Failed login attempts from unrecognized IP addresses
Password resets not initiated by the user
MFA challenges from unfamiliar locations

03 Data Access Patterns
Large data transfers to external email addresses
Accessing sensitive files outside business hours
Unusual database queries or bulk data exports
Incident Detection
Monitoring Tools

01 Email Security Gateway
Configure alerts for:
Emails with similar display names but different domains
Sudden increase in email forwarding rules

02 SIEM Tool
Create correlation rules to detect:
Multiple failed logins followed by a successful login from a new IP
Unusual access to systems during non-business hours

03 Data Loss Prevention Tool
Set up policies to flag:
Emails containing specific keywords (e.g., "wire transfer", "urgent payment")
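The two detection slides above describe the rules in words only. The following is an added example (not part of the playbook) that implements two of them as code a SIEM rule author could adapt: the "multiple failed logins followed by a successful login from a new IP" correlation, and the "similar display name but different domain" lookalike check. The event tuples, the user directory, the IP baseline and all addresses are constructed sample data for this example.

```python
"""Toy SIEM-style correlation over constructed auth and mail events (added example).

Rule 1: >= `threshold` failed logins inside `window`, then a success from an IP
        that is not in the user's baseline  ->  account anomaly.
Rule 2: outbound mail whose display name matches a directory entry but whose
        sender domain is not the internal domain  ->  display-name lookalike.
Field names, formats and data below are assumptions, not a real SIEM schema."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, source_ip, outcome)
AUTH_EVENTS = [
    ("2024-03-01T02:10:00", "alice", "198.51.100.7", "fail"),
    ("2024-03-01T02:10:20", "alice", "198.51.100.7", "fail"),
    ("2024-03-01T02:10:40", "alice", "198.51.100.7", "fail"),
    ("2024-03-01T02:11:05", "alice", "198.51.100.7", "success"),
    ("2024-03-01T09:00:00", "bob",   "10.0.0.12",    "success"),
    ("2024-03-01T09:05:00", "bob",   "10.0.0.12",    "fail"),
    ("2024-03-01T09:05:30", "bob",   "10.0.0.12",    "success"),
]
# Constructed per-user baseline of IPs seen in the last 30 days (assumption).
KNOWN_IPS = {"alice": {"10.0.0.5"}, "bob": {"10.0.0.12"}}


def failed_then_success_from_new_ip(events, known_ips, threshold=3,
                                    window=timedelta(minutes=10)):
    """Return one alert per success that follows `threshold` recent failures
    and originates from an IP absent from the user's baseline."""
    alerts = []
    recent_fail = defaultdict(deque)  # user -> timestamps of recent failures
    for ts, user, ip, outcome in events:  # events are assumed time-ordered
        t = datetime.fromisoformat(ts)
        q = recent_fail[user]
        while q and t - q[0] > window:   # drop failures older than the window
            q.popleft()
        if outcome == "fail":
            q.append(t)
        elif outcome == "success":
            if len(q) >= threshold and ip not in known_ips.get(user, set()):
                alerts.append({"rule": "bruteforce_then_new_ip", "user": user,
                               "ip": ip, "at": ts, "failures": len(q)})
            q.clear()  # a success resets the failure streak either way
    return alerts


# Constructed sample mail events: (display_name, sender_address)
MAIL_EVENTS = [
    ("Alice Chen", "alice.chen@company.com"),
    ("Alice Chen", "alice.chen@cornpany.com"),   # rn-for-m lookalike domain
    ("Vendor Billing", "billing@vendor.example"),
]
INTERNAL_DOMAIN = "company.com"                  # placeholder domain
DIRECTORY = {"Alice Chen": "alice.chen@company.com",
             "Bob Diaz": "bob.diaz@company.com"}


def lookalike_display_names(events, directory, internal_domain):
    """Flag senders that reuse an internal person's display name from an
    external domain. Matching on display name is case-insensitive."""
    known = {name.strip().lower(): addr for name, addr in directory.items()}
    alerts = []
    for display, addr in events:
        if display.strip().lower() not in known:
            continue  # unknown names are not impersonation of our staff
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain != internal_domain.lower():
            alerts.append({"rule": "display_name_mismatch",
                           "display_name": display, "sender": addr})
    return alerts


if __name__ == "__main__":
    for a in failed_then_success_from_new_ip(AUTH_EVENTS, KNOWN_IPS):
        print(a)
    for a in lookalike_display_names(MAIL_EVENTS, DIRECTORY, INTERNAL_DOMAIN):
        print(a)
```

Run as-is to see one alert from each rule. The failure streak is cleared on any success so a user who mistypes a password from a known IP (bob above) does not fire; the baseline set is what turns "a successful login" into "a successful login from a new IP", so the rule is only as good as the baseline you feed it.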
Initial
Response
Activate the Incident Response Team
Establish a secure communication channel
Document all actions and findings
Perform initial assessment:
Scope of compromise
Data potentially affected
Systems involved
Initial Response

Incident Response Team Activation
Incident Commander: Call the emergency response number
Use the secure messaging app "SecureComm" to notify team members
Convene in the designated war room
Invite only essential personnel, use role-based access control.

Secure Communication Channel
Use encrypted chat platform "SecureChat" for all incident-related communications
Implement a dedicated email address: [email protected]
Create a web-based reporting form accessible from the company intranet
Establish a 24/7 security hotline

Initial Assessment Checklist
Compromised email accounts:
[ ] Identify affected user(s)
[ ] List all email addresses involved
[ ] Determine time of initial compromise
Potential data exposure:
[ ] Review email forwarding rules
[ ] Check for bulk downloads from cloud storage
[ ] Analyze recent large file transfers
System access:
[ ] List all systems accessed by compromised account(s)
[ ] Identify any elevated privileges used
[ ] Check for newly created accounts or changed permissions
Incident
Containment
Isolate affected systems
Block malicious IP addresses and email
addresses
Disable compromised accounts
Implement additional access controls
Preserve evidence for forensic analysis
Initial Containment
Network segregation:
Maintain list of quarantined IP addresses
Command to isolate affected subnet: firewall-cmd --zone=isolated --change-interface=eth1

Account suspension:
Active Directory: Disable-ADAccount -Identity "username"
Google Workspace: gam update user username suspended on
Office 365: Set-MsolUser -UserPrincipalName "[email protected]" -BlockCredential $true

Email quarantine:
New-TransportRule -Name "Quarantine Compromised Account" -SenderAddressContainsWords "[email protected]" -SetSCL 9

Firewall rule to block malicious IPs:
iptables -A INPUT -s 192.168.1.100 -j DROP
iptables -A OUTPUT -d 192.168.1.100 -j DROP

Update DNS blacklists:
Add malicious domains to internal DNS sinkhole
Subscribe to reputable threat intelligence feeds
Incident
Eradication
Remove malware and unauthorized access tools
Close security gaps:
Patch vulnerabilities
Update firewall rules
Strengthen email filters
Reset all passwords for affected and related accounts
Implement additional security measures (e.g., MFA)
Initial Eradication
Malware removal
Run full system scan: clamscan -r --bell -i /
Remove identified threats: malwarebytes_cli.exe -remove -all
Check for and remove unauthorized scheduled tasks:
schtasks /query /fo LIST /v | findstr /i "TaskName Author"
schtasks /delete /tn "SuspiciousTask" /f

Other security measures
Force password reset for all users:
Get-ADUser -Filter * -SearchBase "OU=Users,DC=company,DC=com" | Set-ADUser -ChangePasswordAtLogon $true

Update firewall rules:
ufw default deny incoming
ufw allow from 192.168.1.0/24 to any port 22
ufw enable

Enable MFA for all accounts:
# -StrongAuthenticationRequirements takes StrongAuthenticationRequirement objects, not strings
$mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$mfa.RelyingParty = "*"
$mfa.State = "Enabled"
Get-MsolUser -All | Set-MsolUser -StrongAuthenticationRequirements @($mfa)
Incident Eradication
Enhance email filters (Postfix):
# /etc/postfix/main.cf (continuation lines must be indented)
smtpd_sender_restrictions =
    reject_non_fqdn_sender,
    reject_unknown_sender_domain,
    reject_authenticated_sender_login_mismatch,
    permit_sasl_authenticated,
    reject_unauth_destination

Other security measures
Implement DMARC policy:
_dmarc.company.com. IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-[email protected]"

Enable detailed logging:
auditctl -w /etc/passwd -p wa -k identity
auditctl -w /etc/group -p wa -k identity
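The DMARC record above is given as a single recommended value. As an added example (not part of the playbook), the checker below parses a DMARC TXT record into its tags and grades it against that recommendation, so a responder can compare a weak record (p=none, partial pct, no reporting) with the enforcing one side by side. The records and the company.com reporting address are constructed placeholders.

```python
"""Parse and grade a DMARC TXT record (added example, not from the playbook).

Verdicts: 'enforcing' (p=reject, full pct, subdomains covered, reporting on),
'weak' (valid but leaves the domain spoofable or unmonitored), 'invalid'."""

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return (verdict, issues). `issues` explains every reason the record
    falls short of the p=reject posture the playbook recommends."""
    try:
        tags = parse_dmarc(txt)
    except ValueError as exc:
        return "invalid", [str(exc)]
    # v=DMARC1 is mandatory (and must be the first tag in a real record).
    if tags.get("v") != "DMARC1":
        return "invalid", ["missing or wrong v=DMARC1 tag"]
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        return "invalid", [f"p= must be one of {VALID_POLICIES}, got {policy!r}"]

    issues = []
    if policy != "reject":
        issues.append(f"p={policy} does not block mail that fails DMARC")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        issues.append(f"pct={pct} applies the policy to only part of the mail flow")
    if "rua" not in tags:
        issues.append("no rua= aggregate reporting address; spoofing attempts go unseen")
    # sp= defaults to p=, so a p=reject record covers subdomains unless sp weakens it.
    sub_policy = tags.get("sp", policy)
    if sub_policy != "reject":
        issues.append(f"subdomain policy sp={sub_policy} leaves subdomains spoofable")
    return ("enforcing" if not issues else "weak"), issues


# Constructed records: the weak setting beside the corrected one.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
STRICT_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@company.com"

if __name__ == "__main__":
    for record in (WEAK_RECORD, STRICT_RECORD):
        verdict, issues = assess_dmarc(record)
        print(record, "->", verdict)
        for issue in issues:
            print("   -", issue)
```

Feed it the TXT string returned by a DNS lookup of `_dmarc.<domain>` (for example from `dig +short TXT _dmarc.company.com`, with the quotes stripped). Note that DMARC only governs mail claiming to be from your domain; it does nothing against a lookalike domain the attacker registered, which is why the display-name checks on the detection slides are still needed.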
System
Recovery
Restore systems from clean backups
Verify data integrity
Implement enhanced monitoring
Gradually restore services with continuous monitoring
Conduct security scans before full restoration
System Recovery
Step 1: Restore from clean backups

Identify last known clean backup:
# List available backups
restic snapshots --repo /path/to/backup/repo

Restore critical systems:
# Restore entire system
restic restore latest --repo /path/to/backup/repo --target /mnt/restore

# Restore specific directories
restic restore latest --repo /path/to/backup/repo --target /mnt/restore --include /var/www --include /etc

Verify restored data integrity:
# Compare restored files with current files
diff -r /mnt/restore/var/www /var/www
System Recovery
Step 2: Implement enhanced monitoring

Configure enhanced logging:
# Edit rsyslog configuration
vim /etc/rsyslog.conf
# Add the following lines to enable more detailed logging
auth,authpriv.*                 /var/log/auth.log
*.*;auth,authpriv.none          -/var/log/syslog
daemon.*                        -/var/log/daemon.log
kern.*                          -/var/log/kern.log
mail.*                          -/var/log/mail.log
user.*                          -/var/log/user.log

Implement network traffic analysis:
# Install and configure Zeek (formerly Bro)
apt-get install zeek
# Edit Zeek configuration
vim /etc/zeek/networks.cfg
# Add your network range
10.0.0.0/8          Private IP space
172.16.0.0/12       Private IP space
192.168.0.0/16      Private IP space
Post-Incident Analysis
Conduct a comprehensive forensic analysis
Determine the root cause
Assess the full extent of data exfiltration
Identify and document lessons learned
Update incident response procedures based on
findings
Post-Incident Analysis
Email analysis

# Using Python to parse email headers
import email
from email import policy

with open('suspicious_email.eml', 'rb') as f:
    msg = email.message_from_bytes(f.read(), policy=policy.default)

print("From:", msg['From'])
print("Date:", msg['Date'])
print("Subject:", msg['Subject'])
print("Received path:")
# get_all() returns None when the header is absent, so default to an empty list
for i, header in enumerate(msg.get_all('Received', [])):
    print(f"{i + 1}: {header}")

Network traffic analysis:

# Using Wireshark CLI (tshark)
tshark -r capture.pcap -Y "http.request.method == GET" -T fields -e http.host -e http.request.uri
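The header-parsing snippet above prints the Received headers in the order they appear, which is newest hop first. The following is an added example (not part of the playbook) that goes one step further: it reconstructs the delivery path oldest-first from the Received chain and checks three header-level BEC indicators (Reply-To domain differing from From, Return-Path domain differing from From, and an internal From address whose originating hop is not one of the organisation's own mail servers). The sample message, hostnames, IP addresses and the trusted-server list are constructed for this example.

```python
"""Reconstruct the Received path and flag header mismatches (added example).

Assumptions: company.com is the internal domain and 203.0.113.10 is its only
trusted outbound MX; the .eml below is constructed, not a real message."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: an external host injects mail with an internal From:.
SAMPLE_EML = b"""Return-Path: <billing@vendor-invoices.example>
Received: from mx1.company.com (mx1.company.com [203.0.113.10])
\tby mail.company.com with ESMTP id abc123; Fri, 01 Mar 2024 09:12:01 +0000
Received: from smtp.vendor-invoices.example (unknown [198.51.100.77])
\tby mx1.company.com with ESMTPS id def456; Fri, 01 Mar 2024 09:12:00 +0000
From: "Accounts Payable" <ap@company.com>
Reply-To: ap-company@vendor-invoices.example
To: alice.chen@company.com
Subject: Urgent payment - updated wire instructions
Date: Fri, 01 Mar 2024 09:11:58 +0000

Please process the attached wire transfer today.
"""

# "from <helo> (<rdns> [<ip>]) by <host> ..." as written by most MTAs
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_path(msg):
    """Return hops oldest-first. Each Received header is prepended by the
    receiving MTA, so the header order is reversed to get delivery order."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        match = HOP_RE.search(str(value))
        if not match:
            continue  # non-standard format; skip rather than guess
        ip_match = IP_RE.search(match.group("comment") or "")
        hops.append({"helo": match.group("helo"),
                     "ip": ip_match.group(1) if ip_match else None,
                     "by": match.group("by")})
    return hops


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if addr and "@" in addr else None


def header_indicators(msg, internal_domain, trusted_origin_ips):
    """Return a list of findings; an empty list means no header mismatch."""
    findings = []
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    from_dom = domain_of(from_addr)
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    if reply_to and domain_of(reply_to) != from_dom:
        findings.append({"rule": "reply_to_mismatch", "from": from_addr, "reply_to": reply_to})
    if return_path and domain_of(return_path) != from_dom:
        findings.append({"rule": "return_path_mismatch", "from": from_addr, "return_path": return_path})
    hops = received_path(msg)
    # Only the hop closest to the sender is untrusted input worth judging here;
    # later hops are our own servers relaying what they were given.
    if hops and from_dom == internal_domain.lower() and hops[0]["ip"] not in trusted_origin_ips:
        findings.append({"rule": "untrusted_origin", "from": from_addr,
                         "origin_ip": hops[0]["ip"], "origin_host": hops[0]["helo"]})
    return findings


def analyze(raw=SAMPLE_EML, internal_domain="company.com", trusted_ips=frozenset({"203.0.113.10"})):
    msg = email.message_from_bytes(raw, policy=policy.default)
    return received_path(msg), header_indicators(msg, internal_domain, trusted_ips)


if __name__ == "__main__":
    hops, findings = analyze()
    for i, hop in enumerate(hops, 1):
        print(f"hop {i}: {hop['helo']} [{hop['ip']}] -> {hop['by']}")
    for finding in findings:
        print(finding)
```

Keep in mind that only the Received header written by your own edge MX is trustworthy; everything below it in the chain was supplied by the remote side and can be forged, which is why the check above judges the origin hop against a list of your own servers rather than trusting the hostname it claims.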
Thank You For Reading!
Follow us for more such creative infosec content

LinkedIn: ministryofsecurity.co
Website: www.ministryofsecurity.co