Lumu General Incident Response Playbook

The Lumu General Incident Response Playbook is based on the Computer Security Incident Handling Guide by the National Institute of Standards and Technology (NIST). According to NIST special publication 800-61, the incident response life cycle has four main phases, as described below.

This playbook should be considered a guideline and needs to be adapted according to the specific requirements of each organization.

Preparation

This is the initial phase where organizations plan measures to respond effectively to incidents when they are discovered.

How Lumu Helps

Lumu unlocks the value of your own network metadata to provide enhanced compromise visibility.

Recommended Actions
  1. Make sure that all of your network metadata is ingested into the Lumu platform.
  2. If you have remote users, make sure that those users are covered by your compromise assessment.

Detection & Analysis

Organizations should work to detect and validate incidents as quickly as they can. Early detection helps organizations to control the number of infected systems and makes the next phase easier.

How Lumu Helps

Lumu provides the ability to illuminate the blind spots in your network by implementing the concept of Continuous Compromise Assessment.

Recommended Actions
  1. Search for spoofed emails with the context information provided by Lumu.
  2. Identify the machines that are contacting the adversarial infrastructure using the activity section of the Lumu Portal.
  3. Use Lumu to find out from which devices the connections to the malicious site were made.
  4. With the information provided by Lumu, identify the affected endpoints and then match them to the affected users.

Containment, Eradication & Recovery

This phase has two key goals: stopping the spread of the threat and preventing further damage inside the network. Organizations should have strategies and procedures that match the level of risk of the detected compromise.

How Lumu Helps

Confirmed compromise intelligence about the compromised device helps security analysts understand where and how to contain and eradicate the compromise.

Recommended Actions
  1. Identify the IOCs with Lumu and configure your security infrastructure to block them. For example, if you have a firewall or proxy, you can deny access to a specific domain or IP.
  2. Stop further malicious activity by blocking it, quarantining affected systems, and removing them from the network.
  3. Identify compromised or at-risk user credentials. Request password changes if needed.
  4. Reset the credentials of all involved systems and users' accounts.
  5. Establish monitoring to detect further suspicious activity.

Post-Incident Activity

This last phase is designed to incorporate the lessons learned from the incident so that the organization is better prepared in the future.

How Lumu Helps

Lumu helps to continuously monitor that the compromise has been eradicated and to refine the current defense and response infrastructure for the future.

Recommended Actions
  1. Use Lumu to detect the devices that contacted the malicious sites and make sure that no additional contacts are reported. In addition, you can conduct awareness campaigns focusing on the users who own those devices.
  2. Conduct root cause analysis, using context information from the Lumu platform for details.
  3. Identify the details of the cyber incident, including timing, type, and location. The incident and its effects must be remediated across the entire network.
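The following is an added example, not Lumu's own code or API. It triages constructed DNS/proxy log lines against a hypothetical IOC set: devices seen contacting the adversarial infrastructure before the containment time are the affected endpoints to match to their users (Detection & Analysis, steps 2 to 4), and any contact after containment flags a blocking or quarantine gap that the post-incident monitoring (Containment step 5, Post-Incident step 1) must catch. The log format, IOC values, device names and containment time are all constructed for the example.

```python
import ipaddress
from datetime import datetime

# Constructed IOCs for a hypothetical incident (one domain, one IP); not real indicators.
INCIDENT_IOCS = {"bad-example.test", "203.0.113.7"}

# Constructed DNS/proxy log lines: "<UTC timestamp> <device> <user> <destination>".
SAMPLE_LOG = """\
2024-05-01T09:12:01Z laptop-17 alice cdn.bad-example.test
2024-05-01T09:15:44Z laptop-17 alice www.example.com
2024-05-01T10:02:10Z srv-db01 svc-backup 203.0.113.7
2024-05-02T08:30:00Z laptop-17 alice bad-example.test
2024-05-02T11:45:12Z desk-03 bob 203.0.113.7
"""

# Constructed time at which the firewall/proxy deny rules were deployed.
CONTAINMENT_TIME = datetime(2024, 5, 1, 12, 0, 0)


def matches_ioc(dest, iocs):
    """Domain IOCs match the domain itself and any subdomain; IP IOCs match exactly."""
    for ioc in iocs:
        try:
            ipaddress.ip_address(ioc)  # raises ValueError for domain names
            if dest == ioc:
                return True
        except ValueError:
            if dest == ioc or dest.endswith("." + ioc):
                return True
    return False


def parse_line(line):
    ts, device, user, dest = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), device, user, dest


def triage(log_text, iocs, containment_time):
    """Return (affected, recontacts): affected maps device -> user for contacts made
    before containment; recontacts lists (device, user, dest) seen after containment,
    i.e. evidence that blocking or quarantine did not take effect or a new device was hit."""
    affected, recontacts = {}, []
    for line in log_text.strip().splitlines():
        ts, device, user, dest = parse_line(line)
        if not matches_ioc(dest, iocs):
            continue
        if ts < containment_time:
            affected[device] = user
        else:
            recontacts.append((device, user, dest))
    return affected, recontacts
```

Any entry in `recontacts` is an action item: `laptop-17` reaching the IOC again means the deny rule or quarantine failed for it, while `desk-03` is a device that was never in the original affected set.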
