August 9, 2020

Response Planning (RS.RP)

Objectives of Response Planning

Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.

  • RS.RP-1: Response plan is executed during or after an event

Active Attack Response Plan

  1. Take notes at every step of this process. You will need them later as evidence and for Lessons Learned.
  2. Identify the attacker's network address from the NAT translation table on the firewall. The entry disappears once the session times out, so capture it now.
  3. Send communications and notifications to the Incident Response Team (IRT) members.
  4. Escalate to the ISP if you have to, especially in the event of a DDoS attack. Have the contact info handy.
  5. Contain the compromised machine by killing its network connection. If that is not possible, do an instant HARD shutdown: yank the power cord or perform the 1 finger salute, so that a gentle shutdown sequence does not give it a chance to clean up after itself.
  6. Block the attacker's path into the network on the firewall, via access-lists, shunning, blacklisting, etc.
  7. Prepare for a follow-on attack. The attacker might change source IP via a different TOR Exit Node and hit another target inside the network.
  8. Back up/image the affected machines for evidence and forensics. This step should be handled by a different IRT member, one who is not decisively engaged in the fire fight.
  9. Another member of the IRT should check other machines for signs of compromise (a.k.a. damage assessment).
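Steps 1 and 2 of the plan above are the ones most easily lost in the heat of an incident: notes that are not taken as you go, and a NAT entry that ages out before anyone copies it. The following Python script is an added example (not code from the original page) of supporting both: a hash-chained, append-only incident note log, so the notes can later be shown to be unaltered, and a parser that pulls the remote peer addresses for the compromised host out of a NAT translation log. The log line format, the `NAT ... inside ... -> translated ... remote ...` layout, and every address in `SAMPLE_NAT_LOG` are constructed for this example and do not correspond to any particular firewall product.

```python
"""Incident note-taking and attacker-address extraction helpers.

Added example for the Active Attack Response Plan; not part of the original
page.  The NAT log format and all addresses below are constructed sample data.
"""
import hashlib
import json
import re
from datetime import datetime, timezone
from ipaddress import ip_address

# Constructed NAT translation log lines in a hypothetical format (not the
# output of any real firewall).  10.1.1.25 is the compromised inside host.
SAMPLE_NAT_LOG = """\
2020-08-09T14:02:11Z NAT tcp inside 10.1.1.25:49213 -> translated 203.0.113.9:51000 remote 198.51.100.77:443
2020-08-09T14:02:14Z NAT tcp inside 10.1.1.40:52100 -> translated 203.0.113.9:51001 remote 192.0.2.10:80
2020-08-09T14:03:02Z NAT tcp inside 10.1.1.25:49214 -> translated 203.0.113.9:51002 remote 198.51.100.77:4444
2020-08-09T14:03:30Z NAT udp inside 10.1.1.25:53001 -> translated 203.0.113.9:51003 remote 192.0.2.53:53
"""

NAT_LINE_RE = re.compile(
    r"^(?P<ts>\S+) NAT (?P<proto>\w+) inside (?P<in_ip>\S+):(?P<in_port>\d+) "
    r"-> translated (?P<xlate_ip>\S+):(?P<xlate_port>\d+) "
    r"remote (?P<peer_ip>\S+):(?P<peer_port>\d+)$"
)


def remote_peers_for(log_text, internal_ip):
    """Map each remote peer address that had a translated session with
    `internal_ip` to the list of sessions seen (timestamp proto/port).
    These are the candidates for the attacker's address.  Malformed lines
    and invalid addresses are skipped rather than trusted."""
    peers = {}
    for line in log_text.splitlines():
        m = NAT_LINE_RE.match(line.strip())
        if not m or m.group("in_ip") != internal_ip:
            continue
        try:
            peer = str(ip_address(m.group("peer_ip")))
        except ValueError:
            continue
        peers.setdefault(peer, []).append(
            f"{m.group('ts')} {m.group('proto')}/{m.group('peer_port')}"
        )
    return peers


class IncidentLog:
    """Append-only, hash-chained incident notes (step 1 of the plan).  Each
    entry commits to the previous entry's hash, so altering or dropping an
    earlier note is detectable when the log is later reviewed as evidence."""

    def __init__(self):
        self.entries = []

    def add(self, note, ts=None):
        """Append a note; `ts` may be supplied for reproducible runs."""
        ts = ts or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"seq": len(self.entries), "ts": ts, "note": note, "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        entry = dict(body, hash=digest)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Recompute the chain; False if any entry was altered or removed."""
        prev = "0" * 64
        for seq, e in enumerate(self.entries):
            body = {"seq": seq, "ts": e["ts"], "note": e["note"], "prev": e["prev"]}
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != digest:
                return False
            prev = digest
        return True


if __name__ == "__main__":
    log = IncidentLog()
    log.add("Alert received for host 10.1.1.25; IRT notified")
    peers = remote_peers_for(SAMPLE_NAT_LOG, "10.1.1.25")
    for ip, sessions in sorted(peers.items()):
        log.add(f"NAT table shows {ip} peered with 10.1.1.25: {', '.join(sessions)}")
    for e in log.entries:
        print(e["seq"], e["ts"], e["hash"][:12], e["note"])
    print("chain intact:", log.verify())
```

Run as-is, the script lists both remote peers seen for 10.1.1.25 (the repeated 198.51.100.77 sessions and a DNS exchange with 192.0.2.53) and records each finding as a chained note; the analyst still has to decide which peer is the attacker. Adapting `NAT_LINE_RE` to a real firewall's export format is the only change needed to use it on genuine translation tables.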

Incident Response Playbooks