Incident Response Playbook (High Level)

Having a plan for how you will respond to common incidents is key. It’s a good idea to have procedural-level “playbooks” (we used to just call these procedures, maybe I’m old!) but let’s get taktic00l and call them:

Playbooks/Runbooks/Aide-mémoire etc.

That aside (words are fun, right!), the key part here is to identify the people, roles and responsibilities, and the systems, actions and decisions you will need. To start with, let’s look at a common incident: phishing with credential harvesting. This may lead on to business email compromise (BEC) and attempted or successful fraud, or to downstream supply chain attacks.

Scenario: Office 365 Compromise (E5/M5/Security E5 Licensing Available)

  • Log Ticket
  • Assess and Triage Scenario
  • Run Sample in Sandbox Environment
  • Hunt for People who have received the email
  • Hunt for people who have clicked the link
  • Hunt for people who have provided creds
  • Hunt for unauthorised mailbox access
    • Look for mailbox rules
    • Remove rules if in place
    • Look for new MFA methods added
    • Look for new OAuth approvals etc. (Thanks Drew!)
  • Revoke Sessions
  • Change Passwords
  • Remove suspicious MFA devices
  • Remove suspicious OAuth approvals
  • Enforce MFA/Enforce Conditional Access Policies if required
  • Enable Litigation Hold on Mailboxes
  • Report Domain/IP
  • Report domain to registrar
  • Report domain to cloud provider
  • Report URL to NCSC (SERS)
  • Block Domain/IP
    • Proxy
    • MDE
    • Protective DNS
    • Egress Firewall
  • Impact analysis on affected mailboxes
    • Who was affected?
    • What data was accessed?
    • Do we need to conduct detailed mailbox forensic analysis?
      • Information Classification & Data Analysis
      • Detailed Mailbox Access Logs
      • Trace Logs
      • UAL
      • PST to Mailbox Access Log Analysis
    • Do we need to contact ICO?
    • Was customer/supplier data accessed?
    • Do we have contractual breach reporting requirements?
  • Raise with CISO
    • Speak to Legal?
    • Speak to PR?
    • Speak to HR?
    • Raise with Law Enforcement?
    • Raise with NCSC?
  • Conduct Post Event/Incident/Breach Activities (outside of SecOps)
  • Share IOCs with Threat Intel Sharing Partners/Platforms/Community
  • Look at Root Causes
  • Conduct Lessons Learnt
    • How could we prevent this in the future?
    • How do we detect this?
    • How do we respond?
    • Do we need to change our response approach?
    • Do we need additional controls?
    • Do we need additional training?
    • Do we need additional tabletops?
    • Do we need additional assurance?
    • Do we need additional solutions?
    • Do we need additional resources?
  • Write up Incident Report
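
As an added example (not from the original post), here is a small Python triage of exported Unified Audit Log (UAL) records covering the “look for mailbox rules” and “look for new OAuth approvals” hunting steps above: it flags inbox rules that forward externally, delete mail, hide it in an odd folder or have a blank name, plus any user consent to an application. The sample records, the internal domain list and the folder list are constructed assumptions; adjust them to your tenant.

```python
import json
# Constructed sample UAL "AuditData" payloads (shape modelled on Exchange admin-audit
# New-InboxRule and Azure AD "Consent to application." entries), not real data. In
# practice feed in the AuditData column exported by Search-UnifiedAuditLog.
SAMPLE_AUDIT_DATA = [
    json.dumps({"CreationTime": "2023-05-01T08:12:44", "Operation": "New-InboxRule",
                "Workload": "Exchange", "UserId": "alice@example.org",
                "Parameters": [{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "drop@attacker-mail.example"},
                               {"Name": "DeleteMessage", "Value": "True"}]}),
    json.dumps({"CreationTime": "2023-05-01T09:00:00", "Operation": "New-InboxRule",
                "Workload": "Exchange", "UserId": "bob@example.org",
                "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}]}),
    json.dumps({"CreationTime": "2023-05-01T08:20:10", "Operation": "Consent to application.",
                "Workload": "AzureActiveDirectory", "UserId": "alice@example.org",
                "ObjectId": "00000000-0000-0000-0000-000000000000"}),  # placeholder app id
]
INTERNAL_DOMAINS = {"example.org"}  # assumption: your own mail domains
SUSPICIOUS_FOLDERS = {"rss subscriptions", "rss feeds", "junk email", "archive", "conversation history"}  # used to hide replies from the victim
def rule_findings(params, internal_domains=INTERNAL_DOMAINS):
    """Reasons a New-/Set-InboxRule parameter list looks like attacker persistence."""
    p = {x["Name"]: str(x["Value"]) for x in params}
    reasons = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in (a.strip() for a in p.get(key, "").replace(";", ",").split(",")):
            if addr and addr.rsplit("@", 1)[-1].lower() not in internal_domains:
                reasons.append(f"{key} external: {addr}")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage=True")
    if p.get("MoveToFolder", "").lower() in SUSPICIOUS_FOLDERS:
        reasons.append(f"MoveToFolder={p['MoveToFolder']}")
    if not p.get("Name", "").strip(" ."):
        reasons.append("blank/dot rule name")
    return reasons

def triage(audit_rows, internal_domains=INTERNAL_DOMAINS):
    """Return (user, operation, time, reasons) for every record worth a second look."""
    findings = []
    for row in audit_rows:
        rec = json.loads(row)
        op, reasons = rec.get("Operation", ""), []
        if op in ("New-InboxRule", "Set-InboxRule"):
            reasons = rule_findings(rec.get("Parameters", []), internal_domains)
        elif op == "Consent to application.":
            reasons = [f"OAuth consent granted to app {rec.get('ObjectId')}"]
        if reasons:
            findings.append((rec["UserId"], op, rec["CreationTime"], reasons))
    return findings
```

Rules created through Outlook clients land in the UAL as UpdateInboxRules with a different payload shape, so extend the parser if those are in scope.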

Clearly this is not a mandatory or exhaustive list; you should be creating the relevant and appropriate artefacts to support your business, your processes, your policies, your team and your toolsets. But hopefully it makes people think and gives some people inspiration and a starting point!

What tools are useful?

Again, this is not an exhaustive list, but consider the following tools/services useful for analysing phishing incidents.

  • Virus Total
  • Domain Tools
  • Censys
  • Shodan
  • DNS Trails
  • AbuseIPDB
  • UK NCSC Report a suspicious website
  • Microsoft Abuse Reporting API
  • Namecheap Twitter Reporting
  • AlienVault OTX
  • IP and Domain Reputation Center – Cisco Talos
  • GreyNoise
  • GCHQ CyberChef
  • Binary Edge
  • The F12 Key in a Sandbox
  • Burp Suite
  • Fiddler
  • MX Toolbox

and then we can think about some packets:

  • sslyze
  • jarm
  • nmap
  • curl

If you are in a mailbox compromise scenario you may also want to look at a mailbox analysis tool. There are tons of other tools as well. If you can think of any major ones I’ve missed, give me a nudge on Twitter!