Lumu General Incident Response Playbook

Lumu’s Incident Response Playbooks are based on the Computer Security Incident Handling Guide by the National Institute of Standards and Technology (NIST) and provide essential recommendations for responding to information security incidents.

Consider this playbook as a guideline to improve the effectiveness of the incident response and adapt it according to your specific requirements.

This document contains general guidelines for an incident response using Lumu. If you are looking for specific playbooks, check out our documentation:

  1. Malware Incident Response Playbook
  2. Phishing Incident Response Playbook
  3. Spam Incident Response Playbook
  4. Mining Incident Response Playbook
  5. Network Scan Incident Response Playbook

Attack and Incident Response Lifecycle

An attacker follows a structured set of actions when performing a cyber attack. The Cyber Kill Chain is one of the models that describe the sequence of actions adversaries follow to achieve their objective. The following is a simplified graph of the process:

Figure: Attack lifecycle (cyber kill chain)

The cybersecurity team must base its defensive strategy on the current attack stage and the sequence of actions that follows it, since the further the attacker progresses along the kill chain, the greater the physical and reputational damage can be. The goal should be to stop the adversary from progressing at any stage, eradicating the attack.

Incident response (IR) is the process of approaching and managing computer security-related incidents. According to NIST Special Publication 800-61, the incident response life cycle has four main phases, as described in the following illustration:

Figure: Incident response life cycle (based on NIST Special Publication 800-61)

Preparation

This is the initial phase where organizations take defensive measures to respond effectively to incidents.

How Lumu Helps

Lumu illuminates the blind spots in your network by covering your entire infrastructure: on-premises, public and private clouds, and roaming devices.

Recommended Actions
  1. Set up collectors such as Virtual Appliances, Gateways, and the API to ensure that all your network metadata is ingested into the Lumu platform. Learn more in our deployment guide.
  2. Set up Lumu Email Intelligence to understand who adversaries are attempting to compromise in your organization and how they are being targeted.
  3. Ensure you cover remote users in your compromise assessment. Learn more about Lumu Agent and VPN and SDP configuration.
  4. Identify your vital assets (clients, IoT, clouds, remote devices, etc.) and assign labels to your traffic so you can quickly identify the compromise distribution across your infrastructure in a way that makes sense for your organization.
  5. Conduct regular awareness campaigns on security policies, the risks employees face, and what actions to take when faced with a cyberattack.
  6. Keep your endpoint protection and operating systems updated.

Detection & Analysis

Organizations should work to detect and validate incidents as quickly as they can. Without proper analysis, you may not get appropriate containment or eradication. Early detection helps organizations control the number of infected systems and makes the next phase easier.

How Lumu Helps

Lumu unlocks the value of your own network metadata by implementing the concept of Continuous Compromise Assessment, which provides comprehensive and detailed visibility into your network infrastructure. Lumu illuminates the various activities associated with indicators of compromise (IoCs) detected on your network and provides all the contextual information needed for in-depth analysis through the Lumu Portal.

Recommended Actions
  1. Identify attack patterns. Look for details such as date, time, number of contacts, and domains. You have that information at a glance in the Activity section of the Lumu Portal.
  2. Use the IoC information provided by Lumu to check whether the log files of your defensive infrastructure (e.g. endpoint protection, firewall, proxy, UTM gateway) contain this malicious communication.
  3. Define priorities based on the specifics of your organization. For example, compromises with multiple detected contacts should be prioritized, as they are more likely to have succeeded in compromising your infrastructure. The importance of the potentially compromised asset should also be considered.
  4. Identify the endpoints contacting the adversarial infrastructure, and then match these with the affected users. Use the Attack Distribution feature of the Lumu Portal to see how the compromise spread inside your network.
  5. Identify how your assets are communicating with the adversarial infrastructure. You can use Lumu's Compromise Radar feature to find out the frequency and behavior of the malicious communication, so you can differentiate occasional contact from persistent and automated compromises that have the power to harm the organization.
  6. Search for spoofed emails using the context information of the IoC provided by Lumu.
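The following is an added example (not part of Lumu's documentation or product) of how an analyst might implement steps 2 to 5 above against their own logs, and re-run it later for step 1 of Post-Incident Activity: it matches constructed proxy log lines against a constructed IoC set, counts contacts per endpoint, separates occasional contact from regularly spaced, automated-looking communication, and ranks endpoints by contacts weighted by a hypothetical asset label. All IoCs, IPs, labels and log lines are constructed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed IoC set standing in for the IoCs exported from the Lumu Portal (hypothetical values)
IOCS = {"c2.badexample.test", "198.51.100.23"}

# Constructed asset labels (Preparation, step 4): higher weight = more important asset
ASSET_WEIGHT = {"10.0.1.15": 3, "10.0.2.40": 1}

# Constructed proxy log lines: "<timestamp> <client_ip> <destination> <action>"
LOG = """\
2024-03-04T09:00:00 10.0.1.15 c2.badexample.test ALLOW
2024-03-04T09:10:00 10.0.1.15 c2.badexample.test ALLOW
2024-03-04T09:20:01 10.0.1.15 c2.badexample.test ALLOW
2024-03-04T09:30:00 10.0.1.15 c2.badexample.test ALLOW
2024-03-04T09:05:12 10.0.2.40 198.51.100.23 ALLOW
2024-03-04T09:07:00 10.0.2.40 www.example.org ALLOW
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def contacts(log_text, iocs):
    """Map each client IP to the timestamps of its contacts with IoC destinations (step 2)."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if m and m.group(3) in iocs:
            hits[m.group(2)].append(datetime.fromisoformat(m.group(1)))
    return hits

def behaviour(times):
    """Occasional (<3 contacts), persistent (regular, machine-like spacing) or repeated (irregular)."""
    if len(times) < 3:
        return "occasional"
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    jitter = pstdev(gaps) / avg if avg else 0.0  # near 0 = evenly spaced, i.e. automated
    return "persistent" if jitter < 0.2 else "repeated"

def prioritise(log_text, iocs, weights):
    """Rank affected assets by contacts x asset importance (step 3), with behaviour (step 5)."""
    rows = []
    for client, times in contacts(log_text, iocs).items():
        rows.append({"asset": client, "contacts": len(times), "behaviour": behaviour(times),
                     "score": len(times) * weights.get(client, 1)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)
```

Calling prioritise(LOG, IOCS, ASSET_WEIGHT) ranks the critical server with four evenly spaced contacts first and the workstation with a single contact last; feeding it post-incident logs should return an empty list once the compromise has been eradicated.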

Containment, Eradication & Recovery

This phase has two key goals: stop the spread of the threat and prevent further damage inside the network. Organizations should have strategies and procedures in place according to the level of risk of the detected compromise.

With Lumu paid subscriptions you have real-time visibility into the detailed malicious activity of each private IP address in your network. To learn more about illumination options, consult Lumu Offerings.

How Lumu Helps

Confirmed compromise intelligence about the compromised device helps security analysts understand where and how to contain and eradicate the compromise.

Recommended Actions
  1. Download the IoCs and threat trigger details from the Lumu Portal and configure your security infrastructure (e.g. firewalls, email gateways, etc.) to block the malicious URLs, email senders, or IPs.
  2. If the threat was delivered as an email attachment, check for details in the log files of the organization's mail server.
  3. Reduce any further malicious activity by quarantining affected assets or removing them from the network.
  4. Reset the credentials of all involved systems.
  5. Identify compromised or at-risk user credentials and request password changes if needed.
  6. Remove the threat, and replace or restore the compromised assets to their previous state. Wipe and re-baseline affected systems if needed.
  7. Establish monitoring to detect further suspicious activity. The incident and its effects need to be remediated across the entire network.

Post-Incident Activity

This phase is designed to incorporate the lessons learned from each incident and to evaluate future improvements.

How Lumu Helps

Lumu helps refine current and future defense and response by continuously verifying that the compromise has been eradicated.

Recommended Actions
  1. Use Lumu to continuously detect any communication between your assets and the adversary, to make sure that no additional contacts are reported.
  2. Conduct root cause analysis and evaluate the habits of the users. Use the context information in the Lumu Portal for details on how the adversary operates, which users are falling for spam or phishing messages, and whether they are visiting dangerous websites.
  3. Explore the related sources and articles provided by Lumu in the Context area to understand more about the detected malicious activities.
  4. Adjust your security policies. This may involve changing the configuration of the company's assets and conducting awareness campaigns focused on the users who own those devices.
  5. Coordinate updates with your endpoint protection vendor if needed.
  6. Document and share with the stakeholders all the lessons learned from the incident, along with recommendations on any aspect that could be improved to help prevent a similar cyber incident from recurring.
