What Is an Incident Response?
The scenario and what we’ll be learning
Imagine you are joining as a Cybersecurity Analyst in the Federal Reserve Bank of New York (New York Fed). The New York Fed, on behalf of the Federal Reserve System, offers correspondent banking and custody services to central banks, monetary authorities, and certain international organizations to facilitate their official financial operations.
Recently, someone stole $81 million from a foreign central bank that uses the Society for Worldwide Interbank Financial Telecommunication (SWIFT) system. The New York Fed CISO wants your team to be part of a review of the existing IR playbook and submit an IR report of the SWIFT system hack.
We will deep dive into the IR playbook that provides a standardized response process for confirmed malicious cybersecurity incidents. This playbook describes the process through the IR phases defined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61 Rev 2, including:
- Detection and Analysis
- Eradication and Recovery
- Post-Incident Activities
Incident Response (IR) methodologies emphasize both prevention and preparation. Prevention is fundamental to the success of IR efforts, while preparation for major incidents minimizes their impact on the organization.
Prevention activities could include the following:
- Conducting periodic risk assessments to prioritize risks and putting control measures in place according to the organization’s risk appetite.
- Establishing internal and external monitoring.
- Providing regular user awareness and training.
Preparation activities could include:
- Updating the alert roster regularly.
- Maintaining a fly-away/jump kit.
- Working with current network, system, and application baselines.
- Keeping network diagrams and the list of ports, protocols, and applications up to date.
- Ensuring security of IR tools and communications.
In our scenario, the foreign central bank had minimal prevention efforts. There was no firewall to protect its computer system, and they used second-hand $10 switches to connect to the SWIFT global payment system.
Detection and analysis
The most challenging task in the IR process is accurately detecting and analyzing incidents. We can detect incidents through automated capabilities such as network/host-based IDPS or manual means, such as suspicious activity reported by the users.
In our scenario, an employee at New York Fed detected the hackers because of a typo. The hackers indicated one of the transfers should go to Skalka Foundation, but they misspelled “foundation” as “fundation.”
Detection is the most difficult task in incident handling. The best solution is to form a team of experts who can analyze the indicators effectively and take appropriate actions. ~ Computer Security Incident Handling Guide
Detection activities could include:
- Profiling networks and systems.
- Understanding normal behaviors.
- Performing event correlation.
Numerous news articles report the lack of profiling or understanding of normal behaviors by the NY Fed officials. Normal behaviors were:
- The foreign central bank in the scenario had issued fewer than two payment instructions per day to the Fed over the previous eight months.
- None of these payments were to an individual.
The concerning behaviors were:
- The hackers sent 35 payment instructions in one weekend.
- Most of these payments were to individuals.
The hackers successfully sent four payment instructions worth $81 million to offshore false individual accounts.
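The baseline-versus-burst comparison above, turned into detection logic as an added illustration that is not part of the original article: it profiles "normal" from a history of instructions, then flags a new batch on rate, on the share of payments to individuals, and on beneficiary names that are a near-miss of a known name (the "fundation" typo). The record layout, the sample instructions, the known-beneficiary list and the thresholds are all constructed assumptions, not SWIFT message fields.

```python
from datetime import datetime

# Constructed sample payment instructions (not real SWIFT messages), each a tuple of
# (timestamp, beneficiary_type, beneficiary_name, amount_usd).
HISTORY = [  # the quiet baseline: about one instruction a day, all to institutions
    ("2015-06-01 10:00", "institution", "Reserve Bank of Example", 1_200_000),
    ("2015-06-02 09:30", "institution", "Example Development Bank", 800_000),
    ("2015-06-04 11:15", "institution", "Example Treasury", 2_500_000),
]
WEEKEND = [  # the burst: many instructions within an hour, mostly to individuals, one misspelt
    ("2016-02-05 23:10", "individual", "J. Doe", 20_000_000),
    ("2016-02-05 23:12", "individual", "A. Roe", 25_000_000),
    ("2016-02-06 00:05", "institution", "Skalka Fundation", 20_000_000),
    ("2016-02-06 00:07", "individual", "B. Poe", 30_000_000),
    ("2016-02-06 00:09", "individual", "C. Loe", 6_000_000),
]
KNOWN = {"Reserve Bank of Example", "Example Development Bank", "Example Treasury", "Skalka Foundation"}

def profile(records):
    """Summarise a batch: instructions per calendar day spanned and share sent to individuals."""
    times = sorted(datetime.strptime(r[0], "%Y-%m-%d %H:%M") for r in records)
    days = max((times[-1] - times[0]).days, 1)  # a burst inside one day still counts as one day
    return {"per_day": len(records) / days,
            "individual_share": sum(r[1] == "individual" for r in records) / len(records)}

def edit_distance(a, b):
    """Levenshtein distance; a beneficiary one or two edits away from a known name deserves a look."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def flag_window(window, baseline, known, rate_factor=3, share_delta=0.25, max_typo=2):
    """Compare a batch of instructions against the baseline profile and return a list of alerts."""
    now = profile(window)
    alerts = []
    if now["per_day"] > rate_factor * baseline["per_day"]:
        alerts.append(f"rate: {now['per_day']:.1f}/day vs baseline {baseline['per_day']:.1f}/day")
    if now["individual_share"] > baseline["individual_share"] + share_delta:
        alerts.append(f"beneficiaries: {now['individual_share']:.0%} to individuals vs baseline {baseline['individual_share']:.0%}")
    for _, _, name, _ in window:
        closest = min(known, key=lambda k: edit_distance(name, k))
        if 0 < edit_distance(name, closest) <= max_typo:  # exact matches (distance 0) are fine
            alerts.append(f"near-miss beneficiary: {name!r} resembles {closest!r}")
    return alerts
```

Running `flag_window(WEEKEND, profile(HISTORY), KNOWN)` yields three alerts (rate, beneficiary mix, near-miss name), while the history batch checked against its own profile yields none.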
Containment
Containment is an important step in IR that involves decision-making to prevent further damage or to gain knowledge about the attacker’s activity. We do not recommend delayed containment. This strategy is more suitable for agencies with mature SOCs.
Key containment activities could include:
- Redirecting the attacker to a sandbox.
- Capturing forensic images for legal evidence.
- Closing specific ports and services.
- Discussing legal implications.
Organizations should develop appropriate strategies with criteria documented clearly to facilitate decision-making.
Criteria could include:
- Service availability (e.g., service provided to external parties).
- Time and resources needed to implement the strategy.
- Effectiveness of the strategy.
In our scenario, the hackers timed the attack so that when New York Fed tried to contact the officials in the foreign central bank, it was a weekend in that country, and no one was working. Then, when the foreign central bank discovered the theft, it was the weekend in New York, and the Fed was closed.
Neither organization had a containment strategy with appropriate service availability criteria. But since then, the Fed has started a 24-hour hotline for emergency calls from central banks around the world.
Eradication and recovery
Eradication and recovery is an iterative process that allows the return to normal operations by remediating all infected systems. Here we should mention that remediation is “The process of fixing a security issue.” Remediation can happen without an incident, but IR requires remediation.
Some eradication activities could include:
- Re-imaging affected systems.
- Replacing compromised files with clean versions.
- Installing patches.
- Changing passwords.
- Monitoring for adversary re-entry.
- Discussing legal implications.
Some recovery activities could include:
- Tightening perimeter security by updating firewall and boundary router access control lists.
- Validating that the eradication and recovery were successful.
After successfully eradicating the adversary, we may have to continue with detection and analysis activities to observe any re-entry. Continue recovery if no new adversary activity is found.
Eradication activities are not fully known for our scenario. But to recover the $81 million, the foreign central bank contacted the second foreign bank to which the money was transferred. Unfortunately, the second foreign bank was closed due to New Year celebrations. Also, under the banking laws of the second foreign country, funds cannot be frozen until a criminal case is lodged. In the meantime, the stolen $81 million disappeared into the second country’s casino industry, which is exempted from anti-money laundering laws.
Post-incident activities
The objective of this phase is to document the incident, share it with others, and apply the lessons learned to ultimately improve the security posture of the organization.
Post-incident activities could include:
- Emulating adversary TTPs in close coordination with the blue team to ensure the effectiveness of the implemented countermeasures.
- Conducting lessons-learned meetings.
- Finalizing the IR report.
Final Incident Response report
The final IR report should capture lessons learned, initial root cause, problems executing courses of action, and any missing policies and procedures. We recommend that the report start with an executive summary and include a separate section with technical details and images.
An organization that falls victim to a cyber incident can report it to federal law enforcement agencies, which have highly trained investigators specialized in responding to cyber incidents.
Reporting formats and methods vary by organization. Reporting activities could include:
- Providing artifacts.
- Closing tickets.
- Conducting follow-ups.
- Publishing CVEs responsibly.
- Producing the final report.
Key resources and points of contact for reporting cyber incidents include the following:
- Key Federal Points of Contact for Cyber Incident Reporting
- CISA Incident Reporting System
- US-CERT AMAC Malware Analysis Submissions
In this article, we covered the IR playbook that provides standard response actions through the IR phases defined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61 Rev 2.
We recommend organizations build their IR plans and capabilities based on their risk appetite and threats common to them. Predetermined strategies, techniques, and procedures for handling incidents will make decision-making easy, thus reducing the impact on the organization’s missions and ongoing operations.