Lumu Discover New Infrastructure Playbook
Every organization has external assets that are necessarily exposed—not only to customers and users but also, unfortunately, to malicious actors. Lumu Discover provides insights into newly discovered infrastructure in contact with your external surface. However, handling those assets requires action. In this playbook, we will explore the steps you can take to rapidly secure and assess risks associated with newly discovered infrastructure.
This playbook is based on the Computer Security Incident Handling Guide by the National Institute of Standards and Technology (NIST). According to NIST special publication 800-61 R2, the incident response life cycle has four main phases, as described in the following illustration.
Preparation Phase
How Lumu Helps
- Deploy Lumu Integrations: Deploy any available Lumu Integrations to enhance the detection capabilities of your cybersecurity stack. This will come in very handy in later steps.
Recommended actions:
- Map Out your Network:
- Map out your network and how it connects to the Internet; this will be useful when detecting new infrastructure. You must also create an asset inventory that identifies all the assets that should make up your network. This way, you will be able to place a newly detected asset on your network map more easily.
Detection & Analysis Phase
How Lumu Helps
- Lumu Discover displays any potentially compromised IPs, open ports and domains. This information, when combined with a conscientious mapping and inventory, will aid you in identifying any discovered assets, as well as determining whether they were deployed by your organization or not.
Recommended Actions
- Identify Exposed Infrastructure:
- Make use of your external cybersecurity tools to scan any newly discovered exposed IPs, domains, and/or services. If your cybersecurity stack is integrated with Lumu, your detection capabilities will be boosted.
- Correlate the findings from these scans with your network’s deployment logs and with your asset inventories to track down and map out the position of the newly discovered asset.
- Classify Exposure:
- Ascertain whether the exposure was deliberate (e.g., a public-facing API) or not. If the exposure was deliberate, it was the result of a previously established process and further investigation may not be necessary.
- If the exposure wasn’t deliberate, then you must flag any instances for immediate investigation as you may be dealing with a cybersecurity incident.
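The correlation and classification steps above can be scripted once the inventory exists. The following is an added example, not Lumu code and not part of the playbook: it assumes a constructed inventory schema (owned CIDR blocks, expected hostnames, deliberately exposed ports and an owning team), a constructed finding format (IP, port, optional domain), and documentation address ranges throughout. Each discovered exposure is mapped to one of the verdicts the playbook describes (deliberate, unintended, unknown) plus one extra case worth checking, an inventoried hostname resolving outside the networks you own, and the result is ordered so that escalations come first.

```python
"""Correlate newly discovered external assets with an asset inventory and
classify each exposure, following the Detection & Analysis steps above.

Added example: this is not Lumu code and not part of the playbook. The
inventory schema, the finding format and every IP, domain and owner here
are constructed sample data."""

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class InventoryEntry:
    """One record from the organization's asset inventory (constructed schema)."""
    name: str
    network: str             # CIDR block the organization owns
    domains: frozenset       # hostnames expected to resolve into this block
    public_ports: frozenset  # ports that are deliberately exposed
    owner: str               # team to contact or escalate to


@dataclass(frozen=True)
class Finding:
    """One newly discovered exposure reported by an external scan (constructed)."""
    ip: str
    port: int
    domain: str = ""


# Constructed inventory using documentation address ranges.
INVENTORY = [
    InventoryEntry("web-edge", "203.0.113.0/26",
                   frozenset({"www.example.com", "api.example.com"}),
                   frozenset({80, 443}), "platform-team"),
    InventoryEntry("vpn-gw", "203.0.113.64/28",
                   frozenset({"vpn.example.com"}),
                   frozenset({443, 1194}), "netops"),
]


def entry_for_ip(ip: str):
    """Return the inventory entry whose network contains `ip`, if any."""
    addr = ipaddress.ip_address(ip)
    for entry in INVENTORY:
        if addr in ipaddress.ip_network(entry.network):
            return entry
    return None


def entry_for_domain(domain: str):
    """Return the inventory entry that claims `domain`, if any."""
    for entry in INVENTORY:
        if domain in entry.domains:
            return entry
    return None


def classify(finding: Finding) -> dict:
    """Map a finding to a verdict and the action the playbook prescribes."""
    by_ip = entry_for_ip(finding.ip)
    by_domain = entry_for_domain(finding.domain) if finding.domain else None

    if by_ip is None and by_domain is not None:
        # An inventoried hostname resolves outside the networks we own:
        # a stale or misdirected DNS record, so it needs investigation.
        verdict, action, owner = "domain-mismatch", "investigate", by_domain.owner
    elif by_ip is None:
        # Nothing in the inventory explains this asset: escalate.
        verdict, action, owner = "unknown", "escalate", None
    elif finding.port in by_ip.public_ports:
        # Deliberate exposure from an established deployment process.
        verdict, action, owner = "deliberate", "none", by_ip.owner
    else:
        # Known asset, but this port was never meant to be reachable.
        verdict, action, owner = "unintended", "investigate", by_ip.owner

    asset = by_ip.name if by_ip else (by_domain.name if by_domain else None)
    return {"ip": finding.ip, "port": finding.port, "domain": finding.domain,
            "asset": asset, "verdict": verdict, "action": action, "owner": owner}


PRIORITY = {"escalate": 0, "investigate": 1, "none": 2}


def triage(findings) -> list:
    """Classify every finding and order the list so escalations come first."""
    return sorted((classify(f) for f in findings),
                  key=lambda r: PRIORITY[r["action"]])


if __name__ == "__main__":
    sample = [
        Finding("203.0.113.10", 443, "www.example.com"),  # deliberate
        Finding("203.0.113.10", 22),                      # unintended SSH
        Finding("198.51.100.7", 8080),                    # unknown host
        Finding("198.51.100.7", 443, "api.example.com"),  # domain mismatch
    ]
    for row in triage(sample):
        print(f'{row["action"]:<11} {row["verdict"]:<16} '
              f'{row["ip"]}:{row["port"]} {row["domain"] or "-"} owner={row["owner"]}')
```

The owner field is what makes the escalation step concrete: an unknown asset has no owner and goes to whoever your escalation procedure names, while an unintended port on a known asset goes straight to the team in the inventory.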
Containment, Eradication & Recovery Phase
How Lumu Helps
- Lumu Discover’s DNS Recon Mapping feature assists you in mapping out your organization’s exposed assets and displays the result visually in a simple, easy-to-understand fashion. Use this feature to understand how your organization connects to the Internet and the path an adversary may take to reach vital assets.
Recommended Actions
- Restrict Access:
- Apply Firewall rules on your cybersecurity stack to limit the contact and exposure of the newly detected infrastructure.
- Remove any sensitive data from public-facing assets to prevent data leaks.
- Verify Ownership:
- Validate whether the newly detected and exposed resources belong to your organization. Your map and inventory will come in very handy for this step.
- If the asset remains unidentified at this point, escalate it for further investigation. Remember that escalation procedures depend on your organizational structure.
- Secure Infrastructure:
- Strengthen your identity validation protocols and restrict access. For example, if your organization uses default credentials for any sort of access, disable or change them.
- Apply any pending security updates to your infrastructure. Remember that assets with outdated operating systems also possess additional security weaknesses that can be exploited.
- Decommission Misconfigured Systems:
- If during your mapping and identification efforts you find any unauthorized and/or unnecessary infrastructure, deactivate it. Unauthorized assets will very likely ignore any security protocols and will pose a risk to the rest of the network.
- Reassign any potential workload carried out by the deactivated equipment to secure assets and environments within your network. Scan any transferred files to prevent infection.
- Validate Security Posture:
- Conduct scans and security validations on your remaining infrastructure. It is common for affected assets to attempt lateral movement, scouting the network for weaknesses and infecting other assets.
- Ensure that the rest of your network is in compliance with your organization's security policies.
- Enhance Detection Mechanisms:
- Update the monitoring tools of your cybersecurity stack so they are capable of detecting any similar types of exposure.
- Make the best use of the tools in your stack and configure them to continuously detect and discover new assets.
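Continuous detection of new assets, as recommended here and again under Post-Incident Activity, comes down to comparing each discovery run with the previous one and raising an alert for any exposure that the deployment process did not announce. The following is an added example, not Lumu code: the CSV snapshot layout, the register of approved changes and all addresses are constructed, and no assumption is made about Lumu's own export format. It reports new exposures, separates out those a change ticket already explains, and also lists exposures that disappeared or changed service, since both can indicate an unplanned change.

```python
"""Compare two consecutive external-discovery snapshots so that every new
exposure is reported in the cycle it appears, with approved changes filtered out.

Added example, not Lumu code: the CSV layout, the approved-change register
and all addresses are constructed; Lumu's own export format is not assumed."""

import csv
from io import StringIO

# Constructed snapshots: one row per (ip, port) seen from the outside.
PREVIOUS_SNAPSHOT = """ip,port,service,domain
203.0.113.10,443,https,www.example.com
203.0.113.10,80,http,www.example.com
203.0.113.70,1194,openvpn,vpn.example.com
"""

CURRENT_SNAPSHOT = """ip,port,service,domain
203.0.113.10,443,https,www.example.com
203.0.113.10,22,ssh,
203.0.113.70,1194,openvpn,vpn.example.com
198.51.100.7,8080,http-proxy,staging.example.com
"""

# Constructed register of exposures that a change ticket already authorizes;
# in practice this would be fed by the deployment process itself.
APPROVED_CHANGES = {("198.51.100.7", 8080): "CHG-0042 staging rollout"}


def parse_snapshot(text: str) -> dict:
    """Index a snapshot by (ip, port) so two runs can be compared directly."""
    return {(row["ip"], int(row["port"])): row
            for row in csv.DictReader(StringIO(text))}


def diff_snapshots(prev_text: str, curr_text: str,
                   approved=APPROVED_CHANGES) -> dict:
    """Return what appeared, what vanished and what changed service between runs."""
    prev, curr = parse_snapshot(prev_text), parse_snapshot(curr_text)
    alerts, expected = [], []
    for key, row in curr.items():
        if key in prev:
            continue
        record = {"ip": key[0], "port": key[1],
                  "service": row["service"], "domain": row["domain"]}
        if key in approved:
            record["ticket"] = approved[key]
            expected.append(record)   # planned exposure, no alert
        else:
            alerts.append(record)     # unexplained new exposure
    removed = [{"ip": k[0], "port": k[1], "service": prev[k]["service"]}
               for k in prev if k not in curr]
    changed = [{"ip": k[0], "port": k[1],
                "before": prev[k]["service"], "after": curr[k]["service"]}
               for k in prev.keys() & curr.keys()
               if prev[k]["service"] != curr[k]["service"]]
    return {"alerts": alerts, "expected": expected,
            "removed": removed, "changed": changed}


if __name__ == "__main__":
    report = diff_snapshots(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT)
    for a in report["alerts"]:
        print(f'ALERT new exposure {a["ip"]}:{a["port"]} ({a["service"]}) '
              f'domain={a["domain"] or "-"}')
    for e in report["expected"]:
        print(f'ok    planned {e["ip"]}:{e["port"]} via {e["ticket"]}')
    for r in report["removed"]:
        print(f'info  no longer exposed {r["ip"]}:{r["port"]} ({r["service"]})')
```

Run on a schedule with the previous snapshot persisted, this gives you a per-cycle list of exposures to push into the detection and analysis steps, and the approved-change register is the link back to the deployment process that the post-incident recommendations ask you to tighten.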
Post-Incident Activity
How Lumu Helps
Lumu Discover provides an array of features that you can use to identify all of your organization’s assets and to ascertain which of them require special attention or additional security measures due to their specific conditions. This data can also be used to improve your training, security and infrastructure deployment policies.
Recommended Actions
- Study your organization’s deployment processes and improve them to prevent any future misconfigurations and “rogue” devices within your network as these represent a risk for the rest of your organization.
- Optimize the procedure for asset discovery within your organization to detect any unknown devices faster and more efficiently.