Objectives of Response Planning
Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.
- RS.RP-1: Response plan is executed during or after an event
Active Attack Response Plan
- Take notes at every step of this process. You will need them later for evidence and for Lessons Learned.
- Identify the attacker's network address from the NAT translation table on the firewall. The entry disappears once the session times out, so capture it now.
- Send communications and notifications to the Incident Response Team (IRT) members.
- Escalate to the ISP if you have to, especially in the event of a DDoS attack. Have the contact info handy.
- Contain the compromised machine by cutting its network connection. If that is not possible, do an immediate HARD shutdown: yank the power cord or perform the one-finger salute, so the machine cannot clean up after itself during a graceful shutdown sequence.
- Block the attacker's path into the network on the firewall, via access lists, shunning, blacklisting, etc.
- Prepare for a follow-on attack. The attacker might change source IP via a different Tor exit node and hit another target inside the network.
- Back up/image the affected machines for evidence and forensics. This step should be handled by a different IRT member, one who is not decisively engaged in the fire fight.
- Another member of the IRT should check other machines for signs of compromise (a.k.a. damage assessment).
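The steps above that deal with the firewall (capturing the attacker's address from the NAT translation table before the session times out, then blocking it) can be scripted so the responder does not have to read the table by hand under pressure. The following is an added example, not part of the original plan: it parses a constructed, generic NAT translation listing (the `inside=/global=/outside=` layout and the timestamps are assumptions, not any vendor's real output), pulls every external peer that the compromised host talked to, emits illustrative Cisco IOS extended ACL deny lines for them, and writes a timestamped evidence note for the incident record. The internal-network list is an RFC 1918 filter so that hairpin translations to other internal hosts are not mistaken for the attacker.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample of a NAT translation table (not captured from a real firewall).
# Layout assumed for this example:
#   <timestamp> <proto> inside=<local>:<port> global=<mapped>:<port> outside=<remote>:<port>
NAT_TABLE = """
2024-05-01T02:13:44Z tcp inside=10.20.30.40:49213 global=198.51.100.7:49213 outside=203.0.113.45:4444
2024-05-01T02:13:51Z tcp inside=10.20.30.40:49214 global=198.51.100.7:49214 outside=203.0.113.45:443
2024-05-01T02:14:02Z udp inside=10.20.30.41:53011 global=198.51.100.7:53011 outside=203.0.113.9:53
2024-05-01T02:14:10Z tcp inside=10.20.30.40:49215 global=198.51.100.7:49215 outside=192.168.5.5:445
2024-05-01T02:14:20Z tcp inside=10.20.30.40:49216 global=198.51.100.7:49216 outside=203.0.113.77:8080
-- translation table truncated --
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) "
    r"inside=(?P<in_ip>[\d.]+):(?P<in_port>\d+) "
    r"global=(?P<g_ip>[\d.]+):(?P<g_port>\d+) "
    r"outside=(?P<out_ip>[\d.]+):(?P<out_port>\d+)$"
)

# RFC 1918 ranges listed explicitly; ipaddress.is_private would also match the
# documentation ranges (203.0.113.0/24 etc.) used in the sample above.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_nat_table(text):
    """Return one dict per well-formed translation line; unparseable lines are skipped."""
    entries = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def attacker_addresses(entries, compromised_host, internal_nets=INTERNAL_NETS):
    """External peers of the compromised host, sorted; internal peers are filtered out."""
    found = set()
    for e in entries:
        if e["in_ip"] != compromised_host:
            continue
        peer = ipaddress.ip_address(e["out_ip"])
        if any(peer in net for net in internal_nets):
            continue  # hairpin translation to another internal host, not the attacker
        found.add(e["out_ip"])
    return sorted(found, key=ipaddress.ip_address)


def acl_deny_lines(addresses, acl_number=101):
    """Illustrative Cisco IOS extended ACL entries; adapt to the firewall actually in use."""
    return [f"access-list {acl_number} deny ip host {a} any" for a in addresses]


def evidence_note(entries, compromised_host, captured_at):
    """Timestamped record of the translations involving the compromised host, for the incident notes."""
    lines = [f"# NAT translations for {compromised_host}, captured {captured_at.isoformat()}"]
    for e in entries:
        if e["in_ip"] == compromised_host:
            lines.append(
                f"{e['ts']} {e['proto']} {e['in_ip']}:{e['in_port']} "
                f"-> NAT {e['g_ip']}:{e['g_port']} -> {e['out_ip']}:{e['out_port']}"
            )
    return "\n".join(lines)


if __name__ == "__main__":
    host = "10.20.30.40"  # the machine being contained
    entries = parse_nat_table(NAT_TABLE)
    attackers = attacker_addresses(entries, host)
    print(evidence_note(entries, host, datetime.now(timezone.utc)))
    print()
    for line in acl_deny_lines(attackers):
        print(line)
```

Run it the moment the compromised host is identified and paste the output into the incident notes; because the attacker may reappear from a different exit node, rerun it against a fresh translation table after the first block is in place so that new external peers are caught as well.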