The Lumu Anonymizer Incident Response Playbook is based on the Computer Security Incident Handling Guide by the National Institute of Standards and Technology (NIST). According to NIST special publication 800-61, the incident response life cycle has four main phases, as described in the following illustration.
This is the initial phase, where organizations take preventive measures to respond effectively to incidents. Some recommended steps to prepare your company to deal with an Anonymizer incident are listed below:
- Incident Handler Communications and Facilities: It’s vital to gather contact information for everyone involved in incident response to facilitate contact during an incident. Compile contact information for incident response (IR) team members, external IR teams, and, where relevant, law enforcement, with primary and backup contacts. Determine the escalation and de-escalation criteria and the incident reporting mechanisms, such as phone numbers, email addresses, and secure instant messaging.
- Roles and Responsibilities: Details of the roles and responsibilities of key individuals and teams responsible for incident response and decision-making should also be gathered at this stage.
- Training and awareness: Train the incident response (IR) team to identify common MITRE ATT&CK techniques used by adversaries in conjunction with anonymization technologies, and study possible mitigations:
  - T1090.003 - Proxy: Multi-hop Proxy: Adversaries can chain multiple proxy servers together to hide the origin of malicious traffic.
  - T1071.001 - Application Layer Protocol: Web Protocols: Attackers may use web protocols like HTTP/S through anonymization services.
- Tools and Resources: Correctly configure the technologies and infrastructure necessary to gain visibility and to detect, analyze, and respond effectively to incidents.
How Lumu Helps
Lumu provides the ability to illuminate the blind spots in your network by providing coverage of your entire infrastructure, namely on-premises, public and private clouds, and roaming devices.
Recommended Actions
- To gain full visibility into your network, set up collectors such as Virtual Appliances, Gateways, and API to ensure that all your network metadata is ingested in the Lumu platform. Learn more in our deployment guide.
- Ensure you cover remote users in your compromise assessment. Learn more about Lumu Agent and VPN and SDP configuration.
- Identify your vital assets (clients, IoT, clouds, remote devices, etc.) and assign labels to your traffic to help quickly identify the compromise distribution across your infrastructure in a way that makes sense for your organization.
- Control your attack surface by ensuring that services and connections exposed to external environments are governed by strict policies and controls. Verify that only essential services are exposed, and access is restricted to specific roles via secure, authenticated channels. Regularly monitor and enforce these measures to minimize vulnerabilities.
- Lumu provides an extensive threat intelligence feed, including Tor node, proxy, and VPN IP addresses, that gives visibility into anonymization activity on your network.
- Conduct regular awareness campaigns on security policies and risks employees face, and what actions to take when faced with a cyberattack.
- Keep your endpoint protection and operating systems updated.
- Implement best practices for Identity and Access Management (IAM).
Detection & Analysis
Organizations should prioritize rapid incident detection and validation to enable effective containment and eradication. Early detection limits the spread of infection and simplifies the response process. During this phase, security teams monitor and analyze alerts and data from systems, networks, and logs to identify potential incidents, understand the threat's scope, impact, and potential source, assess its severity, and gather forensic information. Proper documentation and communication are essential for successful incident response.
Some steps are listed below:
- Alert Monitoring: Collect and monitor data from network, host, and application logs, along with external sources like threat intelligence, to identify attack vectors and signs of potential incidents.
- Incident Identification: Determine whether an event qualifies as an incident or precursor by analyzing and correlating monitoring data.
- Incident Analysis: The incident response team should quickly analyze and validate incidents and classify the incident type. Once an incident is confirmed, the team conducts an initial analysis to determine its scope, including affected systems, origin, and attack methods. This analysis helps prioritize actions like containment and deeper investigation.
- Enrichment and Investigation: Gather additional information (e.g., threat intelligence, forensic analysis) to understand the scope and impact.
- Documentation: Record the details of the incident, timelines, and results of the analysis. An IR team that suspects an incident has occurred should immediately begin recording all facts related to the incident.
How Lumu Helps
Lumu unlocks the value of your own network metadata by implementing the concept of Continuous Compromise Assessment that provides comprehensive and detailed visibility into your network infrastructure. Lumu illuminates the various activities associated with indicators of compromise (IoCs) detected on your network and provides all the contextual information needed for in-depth analysis through the Lumu Portal.
- Lumu Continuous Compromise Assessment technology provides real-time monitoring over the network and correlates network metadata information to identify anomalies and contact with malicious infrastructure, providing your organization with multiple tools to determine adverse activity on your network.
- Identify activity related to anonymizer incidents and attack patterns. Look for details, such as date, time, number of contacts, IPs, and domains. You have that information at a glance in the Activity section of the Lumu Portal.
- Check the type of anonymization activity and understand how attackers could leverage it to hide their activities on your network.
- Use the IoC information provided by Lumu to check if the log files of your defensive infrastructure (e.g. endpoint protection, firewall, UTM gateway) contain this malicious communication.
- Analyze whether communications with Tor nodes, proxy, or VPN IP addresses could be legitimate for your organization's operations and rule out any potential false positives.
- Identify the endpoints contacting the anonymization infrastructure, and then match these with affected users. Use the Attack Distribution feature of the Lumu Portal to see how the compromise spreads inside your network.
- Identify how your assets are communicating with the adversarial infrastructure. You can use Lumu’s Compromise Radar feature to find out the frequency and behavior of malicious communication, so you can differentiate occasional contact from persistent and automated compromises that have the power to cause harm to the organization.
- Use the threat intelligence information provided for each IoC in the Lumu Portal to enrich the context of the activity your organization is observing and, if an incident is confirmed, use it in incident documentation and analysis.
- Lumu provides an initial classification that helps your organization determine the type of anonymous communications that are present in your infrastructure.
- If possible, reverse-engineer the malware in a secure environment (or sandbox) to understand its behavior and the functionality it implements.
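As an added example (not Lumu's code and not part of the original playbook), the following Python script shows one way to carry out the log checks described above: it scans constructed firewall log lines against a constructed Tor/proxy/VPN IoC list, drops an allowlisted sanctioned VPN address to rule out false positives, and labels each internal host's contacts as occasional or persistent by their timing. The log format, the IoC addresses, and the persistence thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IoC feed in the spirit of the Tor/proxy/VPN IP lists described in
# the playbook; documentation-range placeholders, not real anonymization nodes.
ANONYMIZER_IOCS = {
    "203.0.113.10": "tor_exit",
    "198.51.100.7": "proxy",
    "192.0.2.44": "vpn",
}
# Sanctioned anonymization use (assumed corporate VPN gateway), excluded so
# that legitimate traffic does not surface as a false positive.
ALLOWLIST = {"192.0.2.44"}

# Assumed firewall log layout: "<date> <time> ... src=<ip> dst=<ip> dport=<port>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) .*?src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=\d+")

def match_anonymizer_contacts(log_lines):
    """Return {src_host: [(timestamp, dst_ip, ioc_type), ...]} for lines whose
    destination is a non-allowlisted anonymizer IoC."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines the parser does not understand
        dst = m.group("dst")
        if dst in ANONYMIZER_IOCS and dst not in ALLOWLIST:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            hits[m.group("src")].append((ts, dst, ANONYMIZER_IOCS[dst]))
    return hits

def classify_behavior(contacts, min_contacts=3, max_interval=timedelta(minutes=15)):
    """'persistent' when at least min_contacts occur with no gap larger than
    max_interval (automated, beacon-like), otherwise 'occasional'."""
    times = sorted(ts for ts, _, _ in contacts)
    if len(times) < min_contacts:
        return "occasional"
    gaps = [later - earlier for earlier, later in zip(times, times[1:])]
    return "persistent" if max(gaps) <= max_interval else "occasional"

def triage(log_lines):
    """Map each contacting internal host to its contact behavior label."""
    return {src: classify_behavior(c) for src, c in match_anonymizer_contacts(log_lines).items()}

# Constructed firewall log sample (not real traffic).
SAMPLE_LOG = [
    "2024-05-01 09:00:00 fw allow src=10.0.0.5 dst=203.0.113.10 dport=9001",
    "2024-05-01 09:05:00 fw allow src=10.0.0.5 dst=203.0.113.10 dport=9001",
    "2024-05-01 09:10:00 fw allow src=10.0.0.5 dst=203.0.113.10 dport=9001",
    "2024-05-01 11:30:00 fw allow src=10.0.0.9 dst=198.51.100.7 dport=8080",
    "2024-05-01 12:00:00 fw allow src=10.0.0.9 dst=192.0.2.44 dport=443",
    "2024-05-01 12:01:00 fw allow src=10.0.0.12 dst=198.51.100.200 dport=443",
]
```

Hosts labelled persistent are the ones to prioritize for the endpoint and user matching described above; occasional contacts still warrant a check against the allowlist and the user's expected activity.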
Malicious actors could use Tor, reverse proxy, or VPN nodes in corporate networks to anonymize their activities, making it difficult to trace their origin. They may route malicious traffic, such as command-and-control (C2) communications or data exfiltration, through these networks to evade detection. This helps them maintain persistence and avoid attribution during their attacks.
Containment, Eradication & Recovery
This phase has two key goals: stopping the spread of the threat, and preventing further damage within the network. Organizations should implement strategies and procedures based on the risk level of the detected compromise. Containment strategies will vary depending on the type of incident and must consider potential damage or theft of resources, the need for evidence preservation, service availability, and the time and resources required for effective response. Below are some steps to follow in this phase:
With Lumu Insights and Defender you have visibility into the detailed malicious activity of each private IP address in your network in real time. To know more about illumination options, consult Lumu Offerings.
- Containment: Implement immediate actions or long-term strategies to isolate or limit the spread of the incident.
- Eradication: Identify the root cause of the incident and eliminate it.
- Recovery: Recover affected systems to a known good state and confirm normal operations, perform testing to ensure systems are no longer compromised, and prevent future incidents.
How Lumu Helps
Confirmed compromise intelligence about the compromised device helps security analysts to understand where and how to contain and eradicate the compromise.
Recommended Actions
- Lumu Defender integrates with your security stack and gives your organization the ability to orchestrate an effective automated response to contain any cyber threat, in line with your policies.
- Lumu orchestration can assist you in the containment process by blocking connections to IPs identified as anonymization nodes within your perimeter security infrastructure.
- Use the threat intelligence information, MITRE ATT&CK TTPs, and IoC details from the Lumu Portal to configure your security infrastructure (firewalls, IDS, IPS, email gateways, etc.) to prevent similar malicious activity.
- Lumu Portal provides your organization with information and details about the devices or IP addresses involved in the incident to initiate targeted investigations into the related internal devices.
- Based on your containment strategy, consider isolating the affected devices to prevent lateral movement and limit the spread of the incident within the network.
- Identify related services and users and reset the credentials of all involved systems.
- If you suspect the initial attack vector was via email, check the details in the organization's mail server log files.
- Remove threats, and replace or restore the compromised assets to their previous state. Wipe and baseline affected systems if needed.
- Use Lumu technology to establish monitoring to detect further suspicious activity. The incident and its effects need to be remediated across the entire network.
- Complete malware scanning of all systems across the affected network.
Post-Incident Activity
This phase is designed to incorporate the lessons learned from each incident and to evaluate future improvements.
- Lessons Learned: Conduct post-incident reviews to analyze the incident and determine areas for improvement. This step should answer at least the following key questions:
  - What were the root causes of the incident and of the incident response issues?
  - Could the incident have been prevented? How?
  - What went well in the incident response?
  - How can we improve our response to future incidents?
- Incident Reporting: Document the incident and share reports with necessary stakeholders.
- Process Improvement: Update policies, procedures, and tools based on findings from the incident.
How Lumu Helps
Lumu helps refine the current and future defense and response by continuously monitoring that the compromise has been eradicated.
- Use Lumu Continuous Compromise Assessment to continuously monitor any communication between your assets and anonymization infrastructure and make sure that no additional contacts are reported.
- Use the context information in the Lumu Portal for details on how the adversary works. Conduct root cause analysis and evaluate the habits of the users.
- Explore the related sources, MITRE ATT&CK matrix, and articles provided by Lumu in the Context area to understand more about the tactics, techniques, and procedures used by adversaries and to document the incident.
- Use the incident information to adjust your security policies, and use the MITRE ATT&CK matrix context to evaluate your security strategy. This may involve changing the configuration of the company's assets and conducting awareness campaigns focused on the users who own those devices.
- Coordinate with your endpoint protection technology vendor on updates if needed.
- Document and share with the stakeholders all the lessons learned from the incident and recommendations of any aspect that could be improved to help prevent a similar cyber incident from reoccurring.