In this lesson, we're going to discuss incident response playbooks. Now, incident response playbooks are used to describe the specific actions taken in response to emergency scenarios of different types. A playbook acts as a checklist of actions that should be performed to detect and respond to a specific type of incident. By preparing for an incident response ahead of time and creating these playbooks, you can ensure that your team has documented their procedures and that they're ready to respond when an incident occurs. Now, most organizations have incident response plans that are documented for each major type of incident. When a triage analyst sees something suspicious or malicious, they can categorize it and then assign it to an incident handler for remediation based on your organization's procedures. The incident handler can then look up the type of incident and follow the playbook to respond accordingly.
For example, if your organization is suffering from a DDoS attack, a virus, a worm, a phishing attack, or data exfiltration, each of those should have a playbook created with the different responses and procedures to mitigate their effects. Your playbooks are going to serve as a standard operating procedure to tell your junior analysts and incident handlers exactly what they should be doing in response to different situations. If your organization doesn't already have a set of incident response playbooks, you can find playbook galleries that contain several playbooks already created for you. For example, if you click on the phishing playbook, you can open it up and get a 10-page document that tells you exactly what an organization should do in each of the four steps of the NIST incident response process when responding to a phishing attack. This playbook is going to detail how you can automate your responses, how you can detect and analyze the attack, what actions you take to contain it, eradicate it, and recover from it, and more.
In each of these phases, the playbook also has a flow chart that has the relevant actions in it. In the preparation phase, for example, you can see how to determine the core team and their roles, how to review the timeline, how to train your personnel, and the internal and external path to use for that organization. In the detection phase, there's a flow chart that documents the different ways to detect this phishing attack by defining threat indicators. In the analysis phase, the flow chart shows you how to define the risk factors that are involved with the phishing attack, so you can better triage and categorize a phishing attack. In the containment phase, the flow chart also shows different steps used to determine how widespread the attack might be. In the eradication phase, we can see how the report is going to be triaged and confirmed, and then the steps taken to remove any malware that could have been installed during the successful phishing attack. This phase also shows the communications and notifications that could be made based on the severity.
In the recovery phase, we see the steps used to recover and remediate the systems. And finally, in the post-incident activity phase, we can see the required steps of conducting the incident review or root cause analysis, the lessons uncovered and applied, together known as the lessons learned, and then the response workflows that are going to be updated based on what we discovered. Now, as you can see, these playbooks are pretty generic, but they do provide you with a great starting point for creating tailored playbooks within your own organization. These playbooks can really help a junior analyst to do their work quickly and more efficiently by following the flowcharts and knowing exactly what to do in response to any given threat. Another great resource in terms of playbooks is the Microsoft-provided playbooks on their website. Their playbooks include more technical descriptions of non-automated response activities that you can conduct for a phishing attack, a password spraying attack, or an authentication bypass attack.
When it comes to responding to a particular indicator of compromise or incident, you can also automate a lot of these responses in a myriad of different ways. To do this, our security operations centers will often implement a SOAR, or security orchestration, automation, and response system. Now, a SOAR is a class of security tools that helps facilitate incident response, threat hunting, and security configuration by orchestrating and automating runbooks and delivering data enrichment. A SOAR system can be used in incident response to automate many of your response actions by partially or fully automating your playbooks. A SOAR has the capability to scan security and threat data from your systems, analyze it using machine learning, and then automate the process of data enrichment to make that data available inside your SIEM to your analysts. A SOAR can also respond to different threats and incidents by provisioning new resources, creating new accounts, disabling old accounts, starting up new virtual machines, and fully re-imaging a client using automated playbooks.
For example, you might have a playbook for a successful phishing campaign that says you need to perform steps one through nine any time somebody clicks a link in a phishing email. This might include deleting the email from the user's inbox, determining if other users received that email, isolating the workstations that opened the email from the network, conducting a virus scan of those machines, conducting a registry scan of those workstations to confirm infection, backing up the user's data from those machines, re-imaging the workstation, restoring the user's data, and then reconnecting the newly restored workstation to the network. That would be a lot of work to do manually, but by automating this using a playbook inside of a SOAR, I can create what is known as a runbook. Now, a runbook is an automated version of a playbook that can partially or fully automate the incident response process. For example, in the phishing example I just described, we can have the runbook perform the first five steps.
Then it can pause and wait for the analyst to confirm the workstation should actually be re-imaged in step five. Then, once the analyst confirms they want that machine re-imaged, the runbook can take over again and perform steps six through nine. By using these runbooks, we can gain a lot of efficiencies and allow a single analyst to do a lot more work than they could do on their own doing everything manually. This allows us to free up our analysts for higher-level work without wasting their time on minor things that could easily be automated. So, what types of playbooks and runbooks should you have in your organization? Well, most organizations face at least three common threats that can be proceduralized using runbooks and playbooks. These include ransomware, data exfiltration, and social engineering attacks. First, we have ransomware. A ransomware playbook should be used to describe the people, processes, and tools that are going to be employed during a ransomware event.
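The approval-gated runbook just described, written out as an added Python example. It is not code from this lesson or from any SOAR product: the nine step actions, the incident fields, and the ticket, mailbox and host names are constructed stand-ins that only write to an audit log, so it runs offline. The automated steps run first, the run stops before the host-altering steps until an analyst records an approval, and a second call finishes the remaining steps.

```python
"""Runbook engine with an analyst approval gate.

Added illustration written for this lesson; it is not the lesson's own code and
does not use any real SOAR product's API. Every action is a stand-in that only
writes to the incident's audit log, so it runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Incident:
    ticket: str                      # constructed sample values throughout
    mailbox: str
    message_id: str
    workstations: List[str]
    completed: List[int] = field(default_factory=list)      # persisted progress
    approvals: Dict[int, str] = field(default_factory=dict)  # step -> analyst
    log: List[str] = field(default_factory=list)            # audit trail


@dataclass
class Step:
    number: int
    name: str
    action: Callable[[Incident], None]
    requires_approval: bool = False  # pause here until an analyst signs off


def _note(inc: Incident, text: str) -> None:
    inc.log.append(text)


# Stand-in actions: a real runbook would call the mail, EDR and imaging systems.
def delete_email(inc):      _note(inc, f"removed {inc.message_id} from {inc.mailbox}")
def find_recipients(inc):   _note(inc, f"searched all mailboxes for {inc.message_id}")
def isolate_hosts(inc):     _note(inc, f"network-isolated {', '.join(inc.workstations)}")
def av_scan(inc):           _note(inc, "antivirus scan started on isolated hosts")
def registry_scan(inc):     _note(inc, "registry persistence scan to confirm infection")
def backup_user_data(inc):  _note(inc, "user profiles backed up from isolated hosts")
def reimage(inc):           _note(inc, "hosts re-imaged from gold image")
def restore_user_data(inc): _note(inc, "user profiles restored to rebuilt hosts")
def reconnect(inc):         _note(inc, "isolation lifted, hosts back on the network")


# The nine phishing steps from the lesson. Step 6 onward rebuilds the host
# (backup, re-image, restore, reconnect), so that is where the human decision sits.
PHISHING_RUNBOOK = [
    Step(1, "delete email from inbox", delete_email),
    Step(2, "find other recipients", find_recipients),
    Step(3, "isolate affected workstations", isolate_hosts),
    Step(4, "virus scan", av_scan),
    Step(5, "registry scan", registry_scan),
    Step(6, "back up user data", backup_user_data, requires_approval=True),
    Step(7, "re-image workstation", reimage),
    Step(8, "restore user data", restore_user_data),
    Step(9, "reconnect to network", reconnect),
]


def approve(inc: Incident, step_number: int, analyst: str) -> None:
    """Record the analyst's decision so the audit log shows who confirmed it."""
    inc.approvals[step_number] = analyst
    _note(inc, f"step {step_number} approved by {analyst}")


def run_runbook(steps: List[Step], inc: Incident) -> dict:
    """Run the not-yet-completed steps in order.

    Progress is tracked in inc.completed, so a resumed run never repeats a
    step. At a gated step with no recorded approval the run stops and reports
    what it is waiting for; after approve() has been called, calling
    run_runbook() again continues from that step.
    """
    for step in steps:
        if step.number in inc.completed:
            continue
        if step.requires_approval and step.number not in inc.approvals:
            return {"status": "awaiting_approval", "next_step": step.number,
                    "waiting_on": step.name}
        step.action(inc)
        inc.completed.append(step.number)
    return {"status": "complete", "next_step": None, "waiting_on": None}


if __name__ == "__main__":
    inc = Incident("INC-0001", "user@corp.example", "<msg-42@mail.example>", ["WS-1042"])
    print(run_runbook(PHISHING_RUNBOOK, inc))   # stops before step 6
    approve(inc, 6, "analyst.jane")             # human confirms the rebuild
    print(run_runbook(PHISHING_RUNBOOK, inc))   # finishes steps 6 through 9
    print("\n".join(inc.log))
```

Two design points carry over to a real SOAR: progress and approvals live on the incident record rather than in the running process, so a restart resumes where it stopped instead of re-running isolation or a re-image, and the approval is stored with the analyst's name, which is what an after-action review needs when asking who authorized the destructive step.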
Ransomware playbooks also need to include considerations for determining which systems are impacted, the methods used to impact those systems, how to isolate those systems, and which key stakeholders to work with for different ransomware scenarios based on the data being held for ransom. In general, ransomware playbooks should stress the need to isolate and disconnect networks and systems as quickly as possible to prevent the ransomware from spreading across your network. The systems should not be powered off, though. They should only be disconnected, because ransomware works by encrypting the data, and those encryption keys could be found in the random access memory of that system by a skilled forensic technician if those systems remain powered on during the entire attack. Second, we have data exfiltration.
A data exfiltration playbook should be used to describe the specific and necessary tasks that are needed to stop or mitigate an ongoing data exfiltration attack, such as notification requirements, the system analysis, and the forensic analysis needed to determine what was accessed and possibly exfiltrated. Forensic analysis can often determine what data was read and what data was transmitted out of the network, too. Data exfiltration can be tricky because it can occur from many different types of exploits, including SQL injections, password compromises, and lateral movement across the network into other data stores. Your playbooks and runbooks should always focus on mitigating known instances and protecting the data stores first, then identifying any other potential compromises that may exist in the network. Third, we have social engineering, which usually involves some form of phishing.
Now, a phishing playbook should involve the necessary responses to identifying the phishing emails, determining which users clicked on or opened links or files in those emails, and then identifying the extent of the exploitation. Your playbook or runbook may also include a notification to the larger user base to be wary of suspicious emails if your organization is currently being targeted using a spear phishing attack. Now, your playbook should focus on identifying all users who have received that email, identifying how many have opened, read, or clicked on the email, and then resetting their passwords and re-imaging their workstations. From an analysis standpoint, you should open the email in a sandbox environment as a form of dynamic analysis in order to determine any IP addresses, URLs, or other indicators of compromise that you can use to identify that phishing campaign.
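An added Python example of the indicator-gathering step above, not code from this lesson. It does the static pass an analyst runs on the message itself before detonating it in the sandbox: it parses a constructed phishing email with the standard library, pulls out the URLs and IP addresses that become indicators of compromise for the campaign, flags a mismatch between the visible From domain and the Return-Path domain (a heuristic assumed here, not something the lesson states), and defangs the results so they can be pasted into a ticket without becoming clickable. The sample message, its addresses (RFC 5737 documentation ranges and reserved .test/.invalid domains) and the Message-ID are all constructed.

```python
"""Static indicator extraction from a suspected phishing email.

Added example for this lesson, not its own code. The message below is
constructed: it uses RFC 5737 documentation addresses and reserved
.test/.invalid domains so nothing in it resolves to a real host.
"""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not a real phishing email).
SAMPLE_EML = b"""From: "IT Helpdesk" <helpdesk@example-mail.test>
Return-Path: <bounce@mailer.example.invalid>
Received: from mx.example.invalid (mx.example.invalid [203.0.113.45]) by mail.corp.example
To: user@corp.example
Subject: Password expires today
Message-ID: <abc123@mailer.example.invalid>
Content-Type: text/plain; charset=utf-8

Your password expires today. Verify at http://login.example.invalid/reset?id=42
or https://198.51.100.7/portal within 24 hours.
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def defang(ioc: str) -> str:
    """Render an indicator so it cannot be clicked or auto-linked in a ticket."""
    return (ioc.replace("http://", "hxxp://")
               .replace("https://", "hxxps://")
               .replace(".", "[.]"))


def _domain(addr_header: str) -> str:
    """Domain part of the first address in a header value, lower-cased."""
    return parseaddr(addr_header)[1].rsplit("@", 1)[-1].lower()


def extract_iocs(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return the indicators found in it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""

    urls = sorted(set(URL_RE.findall(text)))
    ips = set(IPV4_RE.findall(text))
    # Relay addresses recorded in Received headers are indicators as well.
    for received in msg.get_all("Received", []):
        ips.update(IPV4_RE.findall(str(received)))

    sender = str(msg.get("From", ""))
    return_path = str(msg.get("Return-Path", ""))
    return {
        "message_id": str(msg.get("Message-ID", "")),
        "from": sender,
        "return_path": return_path,
        # Heuristic assumed by this example: a bounce domain that differs from
        # the visible From domain is worth a closer look during triage.
        "sender_mismatch": _domain(sender) != _domain(return_path),
        "urls": urls,
        "ips": sorted(ips),
        "defanged": [defang(x) for x in urls + sorted(ips)],
    }


if __name__ == "__main__":
    report = extract_iocs(SAMPLE_EML)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The Message-ID and the URL and IP list are what the playbook's later steps need: the Message-ID is the key for searching every mailbox for other recipients, and the defanged URLs and addresses go into the detection content that identifies the rest of the campaign.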