Innovative Incident Response Framework

Omer Pinsker

November 25, 2020

“If you want peace, prepare for war”

This article is one of a series of articles revealing our Incident Response Framework, including juicy examples from past scenarios. 


This article in a minute

In this article, we share our experiences handling cyber incidents, and the sweeping effects our intervention has had on our partners’ organizations. In so doing we differentiate between the traditional incident handling state-of-mind and the continuing evolution of our innovative IR framework approach. 

This article covers:

  • Key stakeholders in cyber incident response.
  • The key stakeholders you didn’t realize you really need on your side. 

The key takeaway from this article is “If you want peace, prepare for war”.

Tradition: Incident Response the old fashioned way

We often meet organizations that are not prepared for the incident that has hit them. Their approach is what we like to call “old-fashioned”. It is like putting someone in the cockpit of a 737 full of passengers, cruising at 36,000 ft, and expecting them to land it. Without the requisite preparation, practice, scenario knowledge and experience, they have very little chance of responding successfully. You cannot predict which cybersecurity incidents are going to target your organization, but you can plan and prepare for the inevitable with an effective response strategy. 

Despite huge investment in new cybersecurity technologies, procedures and certification of the human capital, offensive cyber campaigns keep evolving. WFH (work from home) during the COVID-19 crisis presents additional challenges for organizations and new opportunities for cybercriminals. 

Here are a few mind-blowing numbers: 

Innovative IR Framework

OP Innovate – Who are we? 

OP Innovate was established in 2014 to defend global enterprises from the increasing challenges of organizational cybersecurity. We bring extensive experience in the field with unmatched expertise in cyber research, incident response (IR), penetration testing, training and forensics. On any given day our team could be handling several incidents simultaneously, developing and integrating IR solutions for our customers, while drilling and training for IR scenarios. 

At OP Innovate, we have used our experience in the field to develop an IR framework that allows us to handle an incident in the most efficient way for the organization, from both the technical and the cost-benefit perspective.

Traditional key stakeholders

In many cases, the incident response is managed by an internal crisis manager appointed by the organization’s management, rather than a cyber specialist. Incident response has not been practiced and the organization wastes valuable time reinventing the wheel. With any luck the decision taker will find the business card of an IR specialist they once ran into at a conference. But under the ticking clock of an unfolding incident, there is no chance to validate their level of expertise or to benchmark the pricing of their services. 

Some specialist responders you might come across:

  • IT specialists such as firewall experts, EPP (endpoint protection) experts, etc.
  • Cyber security researchers focused on Windows and Linux forensics
  • Malware analysts 

The key stakeholders you didn’t realize you really need on your side

Our innovative framework includes more than just the technical specialists. In our war room you’ll find a variety of disciplines represented:

The Technical Experts

-IR Manager – We do not enter into an incident without assigning an IR manager to lead from the front. This position is occupied by a certified specialist with vast experience in both cyber security and business analysis. The IR manager is the focal point for the customer’s decision taker. We highly recommend assigning a C-level stakeholder from the organization itself to work closely with the incident manager to facilitate swift decision making without unnecessary delay. Future articles will elaborate on the communication challenges that the organization’s POC (point of contact) may face during an incident.

-Threat Hunter – Another highly specialized technical role in our response team is the threat hunter. This is an offensive specialist with a background in managing offensive campaigns who can hunt down the attacker’s steps. Some incidents, such as a victim falling for an arbitrary phishing campaign, may not benefit from hunting. However, we have worked on several high-profile incidents that involved tracking down well-organized APTs (Advanced Persistent Threats). In these cases the threat hunter is key in helping put together seemingly unrelated pieces of the puzzle in a comprehensive and logical manner. 

-CTI Specialist – The cyber threat intelligence (CTI) specialist is a stalwart of our incident handling team. A team’s chances of successfully responding to an incident increase dramatically with an intelligence specialist on board. This expert has two main objectives:

A. Gaining knowledge about the attacker – this means determining whether the attacker is simply a lucky opportunist or a state-funded advanced persistent group with the resources and motivation to cause significant and widespread damage. The response is different in each case.

We were called in to handle a case in which the attacker negotiated over email. In doing so they unintentionally left a timestamp trail: our CTI specialists noticed a disparity between the time the email message was sent in our time zone and the time it was received in the attacker’s local time zone. This temporal anomaly revealed that the attacker was located at GMT+3. In addition, the attacker’s default “re” and “fw” subject-line prefixes revealed their operating system’s native language, indicating that the attacker used a Cyrillic keyboard.

Taken together these snippets of information and others enabled us to reach a conclusion:

– GMT+3 and a Cyrillic keyboard pointed to an attacker based in Ukraine, most likely an opportunist with no real familiarity with the business they were targeting.
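As an added example (not OP Innovate’s tooling), the following Python script extracts the two leads described above from a negotiation email: the sender’s declared UTC offset, taken from the Date header and checked against our own server’s Received stamp, and the script of the subject-line reply prefix. The headers, addresses and the Cyrillic prefix in SAMPLE_RAW are constructed for illustration; the Date header is written by the sender’s own client, so its offset is a lead to corroborate, not proof of location.

```python
import email
import email.policy
import email.utils
import unicodedata
from datetime import timedelta

# Constructed sample (added example, not OP Innovate's tooling): our MTA
# stamps receipt in UTC; the sender's client stamped +0300 and a Cyrillic prefix.
SAMPLE_RAW = """\
Received: from mx.example.invalid (mx.example.invalid [203.0.113.10])
\tby mail.victim.example; Wed, 25 Nov 2020 09:05:12 +0000
Date: Wed, 25 Nov 2020 12:04:58 +0300
From: negotiator <someone@example.invalid>
Subject: Отв: payment terms

We are waiting.
"""

def format_gmt(offset: timedelta) -> str:
    """Render a UTC offset as GMT+3 or GMT-5:30."""
    total = int(offset.total_seconds())
    sign = "+" if total >= 0 else "-"
    hours, rem = divmod(abs(total), 3600)
    minutes = rem // 60
    return f"GMT{sign}{hours}" + (f":{minutes:02d}" if minutes else "")

def subject_prefix_script(subject: str) -> str:
    """Script of the reply/forward prefix before the first colon."""
    if ":" not in subject:
        return "none"
    names = [unicodedata.name(ch, "") for ch in subject.split(":", 1)[0]]
    if any("CYRILLIC" in n for n in names):
        return "Cyrillic"
    if any("LATIN" in n for n in names):
        return "Latin"
    return "Other"

def fingerprint(raw: str) -> dict:
    """Compare the sender's declared clock and zone with our receipt stamp."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    sent = email.utils.parsedate_to_datetime(str(msg["Date"]))
    # Our own Received line carries the receipt timestamp after the ';'.
    received = email.utils.parsedate_to_datetime(
        str(msg["Received"]).rsplit(";", 1)[1].strip())
    return {
        "declared_zone": format_gmt(sent.utcoffset()),  # client-set: a lead, not proof
        # A few seconds of transit means the client clock agrees with ours.
        "transit_seconds": int((received - sent).total_seconds()),
        "subject_prefix_script": subject_prefix_script(str(msg["Subject"])),
    }
```

A transit of a few seconds with a declared +0300 offset is what makes the GMT+3 reading credible; a transit of hours would mean the client clock or its zone setting cannot be trusted.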

Another means of assessing the attacker’s awareness of the business is to ask who receives the email with demands. Is it the top three C-levels (“whaling”) listed on your organization’s “About us” webpage? Or real decision makers (“spear phishing”) who have no web presence? 

In another case we handled, our CTI specialist found that the attackers had put the organization’s stolen data up for sale on the dark web. This introduced another dimension to the attack: the victim organization had to keep in mind that if they did not negotiate, they would eventually be hit with a second wave of data exposure, this time including public shaming.

B. Gaining knowledge about the customer – is anyone trying to sell the customer’s privileged data artifacts in the wild? Are there any secret forums discussing this attack? These will provide leads regarding the attack’s penetration point as well as the impact the attacker may have achieved.

The Humanities Experts

-Crisis Negotiator – When an organization is hit with ransomware, deploying specialized ransom negotiation skills is essential. Each campaign has its own unique characteristics, and in each case the negotiator’s objectives could differ. The obvious objective is to reduce the ransom costs. A lesser known objective is to acquire knowledge about the attacker. A good negotiator will set the path from kick-off to end-game, along with all the potential tipping points along the way. Even if your organization has no intention of paying the ransom, the negotiator should engage the attacker as early in the timeline as possible with the goal of mitigating damage, gaining intelligence on the attacker and slowing down their actions, thereby buying time. Communication with the attacker can provide valuable intelligence on their intentions, capabilities, objectives, identity and location. The best negotiators often have a background in security agencies with experience in hostage and terrorist negotiation. Our negotiator is a senior clinical psychologist with years of real-life experience. In one case we handled, the attacker made fundamental errors during the attack. With the help of local law enforcement we were able to track him down. After we figured out he was a recently fired, disgruntled sysadmin (whose admin privileges were still active), the negotiator’s intervention was very fruitful, eliciting a full confession.

-PR – Another specialty to bring on board in a cyber incident response is the public relations (PR) specialist. Communicating the situation to your customers may be crucial for maintaining trust, and taking the time and care to convey the message that the organization has been attacked without causing a rapid drop in the stock price is a delicate process.

As Benjamin Franklin put it: “It takes many good deeds to build a good reputation, and only one bad one to lose it.”

An example of good PR can be found in the Reddit (link) data leakage incident. The template includes the following:

We had a security incident. Here’s what you need to know:

TL;DR – Because who wants to read a full page if you can summarize it in 20 words.

  1. What happened? Bring the facts first and ideas later, and make your readers feel you are in charge. Be honest and sincere. Accept responsibility and apologize if the organization was at fault. Customers entrusted you with their information, so they are entitled to an apology.
  2. What information was involved? Don’t forget to mention critical information such as what was accessed and how your customers can tell whether their information was included.
  3. What are we doing about it? Emphasize that you’re taking the incident very seriously and explain the steps you’ve taken; prove your response has been comprehensive enough to ensure the damage is contained and this type of incident will never happen again.
  4. What can you do? Calls to action – provide simple instructions to affected stakeholders on how to mitigate their risk of loss.

Back to the humanities experts:

-Legal specialist – In your defense, companies have the same rights, privileges and responsibilities as individuals. The laws pertaining to self-defense, trespass and theft of private property apply no less in the cyber realm, and a range of lawful measures exists in response to a cyberattack, data theft, extortion, etc. It is important to note that the shift from passive to more active defense brings with it an increased risk of missteps. Our team’s legal adviser assists in mounting such a robust defense. Further considerations revolve around location and geographic legislation. For example, in a recent incident we handled, the customer was an Israeli entity hosting the servers under attack in the US, while the attacker was using jump boxes in Africa to mask an identity most likely located in the Far East.

Future articles will elaborate on the communication challenges during an incident. 

We should also keep in mind additional resources we may consider approaching during an incident. While some might not be able to provide immediate assistance with our crisis, they will provide insight into the attacker’s identity, the scope of the unfolding campaign, etc. This will shape the incident response.

  1. Approach local law enforcement / federal police.
  2. Approach the governmental CERT / sector CERT, who may provide insights regarding the scope of the attack. For example, in one incident we got a tip that our attacker was targeting the entire finance sector and was motivated by geopolitical gain.
  3. Approach the ISAC (Information Sharing & Analysis Center) with IOCs (indicators of compromise) of your own, which could add further data enrichment.
  4. Approach your insurance agency to check whether your policy covers the scenario. If it does, the insurance company may provide help and guidance in dealing with the incident. 

-SME (Subject Matter Expert) – in some cases we found it necessary to recruit experts to our war room who can provide insight into the specific field of interest and its business logic. For example, our knowledge of the food industry is limited, so we invited an expert in the field to join us for that incident.

-Customer Success – the last team member we suggest in big cases is a focal point to communicate the technical items to the management, and in some way, translate the detailed technical status of the incident into a business language the customer can benefit from. In minor cases this will be part of the IR manager role. 

You might be asking whether we need all these staff for each and every incident we handle. The answer is, of course, not! Our minimal engagement requirement is a two-day response window with a team that includes an IR manager and two technical specialists. The rest of the team will join according to the needs of the incident, after the initial triage. 

Conclusion

During this journey into cyber incident handling we laid out our viewpoint regarding the staff to involve in cyber incident handling, with some highlights and tips gleaned from incidents we have handled in recent months. 

In the final analysis, the cost-benefit of using an experienced incident handling team is clear. Incident response is what we do so you don’t need to learn on the job. If you’re hit with an incident and need experienced professionals at your side, contact OP Innovate. If you’re not facing an incident at this time and want the benefit of being prepared ahead of time, contact us too. Preparation can save your company from financial, legal and reputational damage. 

Contact OP Innovate to prepare your organization teams and technologies. Know your weaknesses and vulnerabilities in order to remain aware of the threats out there and retain the best cybersecurity team on your side whenever required.

Written by Omer Pinsker, the founder & CEO of OP Innovate, Certified Incident Handler (GCIH).
