Incident Response for Real

December 4, 2019 at 3:04 PM

Organizations are finally beginning to implement some type of incident response plan. Most of these plans revolve around NIST SP 800-61, the Computer Security Incident Handling Guide. This guide is an amazing framework to help your organization get something in place; however, just referencing it won't help you in an actual incident. The publication even mentions in its abstract that although it provides guidelines for incident handling, incident handling itself is a complex undertaking.

Compass IT Compliance has started to develop incident playbooks to help our engineers during the detection and analysis phase. These playbooks are not meant to be generic, as we design them understanding that no two systems are the same. Here are some typical actions (developed by Compass IT Compliance engineers Peter Fellini and Jesse Roberts) one might take investigating a Windows host compromise.

Incident Response Compromised Windows Host – Playbook

  1. Isolate the host
    1. Disconnect from internet
    2. Segment to its own network
  2. RAM imaging (review forensics procedures) (needs to be run as local administrator)
    Many VM hypervisors automatically save memory to disk when the VM is paused. VMware saves memory to a .vmem file in the VM's directory. If this is not a virtual machine, memory will need to be dumped using FTK Imager. (The point at which RAM is imaged depends heavily on the incident being investigated.)
  3. Preserve log files
    1. Windows event logs (C:\Windows\System32\winevt\Logs\*.evtx)
      1. System.evtx
      2. Application.evtx
      3. Security.evtx
      4. Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx
      5. Windows PowerShell.evtx
      6. Windows IIS Logs (inetpub)
  4. Preserve ntuser.dat file in each user’s profile
    1. C:\Users (example Administrator)
  5. Export Registry Keys (SAM, Security, Software, SYSTEM)
    1. reg SAVE HKLM\SAM sam.hive
    2. reg SAVE HKLM\SECURITY security.hive
    3. reg SAVE HKLM\SOFTWARE software.hive
    4. reg SAVE HKLM\SYSTEM system.hive
  6. Preserve Registry Autorun information – regedit and select (export) for each
    1. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    2. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
    3. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    4. HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
  7. Capture Network information
    1. netstat -antb > netstat-out
    2. route print > route-out
  8. Disk imaging (review forensics procedures)
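Steps 3 through 7 above, carried out as one PowerShell collection script. This is an added example, not the Compass IT Compliance playbook or code from the original post; it assumes an elevated session on the compromised host and a hypothetical $Dest path on separate evidence media, and it adds a SHA-256 manifest of everything collected for chain of custody.

```powershell
# Added example, not the original playbook. Assumes an elevated session on the
# compromised host; $Dest is a hypothetical path on separate evidence media.
param([string]$Dest = "E:\evidence")
$case = Join-Path $Dest ("{0}_{1:yyyyMMdd_HHmmss}" -f $env:COMPUTERNAME, (Get-Date))
New-Item -ItemType Directory -Path "$case\logs", "$case\registry", "$case\net" -Force | Out-Null

# Step 7 first: the network state is the most volatile item on the list
netstat -antb | Out-File "$case\net\netstat-out.txt"
route print   | Out-File "$case\net\route-out.txt"

# Step 3: export each named channel. wevtutil copies a live channel even while
# the event log service holds the underlying .evtx file open.
$channels = @{
  "System"      = "System"
  "Application" = "Application"
  "Security"    = "Security"
  "RdpCoreTS"   = "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational"
  "PowerShell"  = "Windows PowerShell"
}
foreach ($name in $channels.Keys) { wevtutil epl $channels[$name] "$case\logs\$name.evtx" }
if (Test-Path "C:\inetpub\logs\LogFiles") { Copy-Item "C:\inetpub\logs\LogFiles" "$case\logs\iis" -Recurse -Force }

# Step 4: NTUSER.DAT per profile. A logged-on user's hive is locked, so that
# copy fails silently here and must be recovered from the disk image (step 8).
Get-ChildItem C:\Users -Directory | ForEach-Object {
  Copy-Item "$($_.FullName)\NTUSER.DAT" "$case\registry\ntuser_$($_.Name).dat" -ErrorAction SilentlyContinue
}

# Step 5: hive exports exactly as the playbook lists them
foreach ($hive in "SAM", "SECURITY", "SOFTWARE", "SYSTEM") {
  reg save "HKLM\$hive" "$case\registry\$($hive.ToLower()).hive" /y | Out-Null
}

# Step 6: autorun keys as .reg text, which diffs cleanly against a known-good host
$autoruns = "HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
            "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce",
            "HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
            "HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
foreach ($key in $autoruns) {
  reg export $key "$case\registry\$($key -replace '\\', '_').reg" /y | Out-Null
}

# Chain of custody: SHA-256 every artifact before anything leaves the host
Get-ChildItem $case -Recurse -File | Get-FileHash -Algorithm SHA256 |
  Select-Object Hash, Path | Export-Csv "$case\manifest.csv" -NoTypeInformation
```

HKCU in the autorun exports is the hive of the account running the collection; the Run keys of other users live in the NTUSER.DAT copies from step 4 and are examined offline.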

This checklist gives our engineers a good starting point in analyzing an incident. We then take the information gathered by this base checklist and use it to identify the who, what, and how of an intrusion incident. We also treat this checklist as a living document. We add to it for every similar incident we handle. Having a general incident response framework is crucial to any organization. Build upon what you know to develop playbooks so that you truly know how to respond to an incident.

For the past decade Compass IT Compliance has partnered with organizations in all sectors to assist not only in the development of incident response plans, but also in live incident response after an incident has occurred. Our incident response engineers are always available to chat should you have any questions regarding these solutions. Contact us today to learn more!
