Mining Incident Response Playbook

The Lumu Mining Incident Response Playbook is based on the Computer Security Incident Handling Guide by the National Institute of Standards and Technology (NIST). According to NIST Special Publication 800-61, the incident response life cycle has four main phases: Preparation; Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Activity, as shown in the following illustration.

[Illustration: the four phases of the NIST incident response life cycle. Source: NIST Special Publication 800-61]
This document contains guidelines for responding to cryptomining incidents using Lumu. Treat this playbook as a baseline to improve the effectiveness of your incident response and adapt it to your specific requirements.
Mining malware (also called cryptojacking malware) is typically very stealthy: it consumes the processing resources of compromised systems (computers, smartphones, servers, and IoT devices) to mine cryptocurrency, generating revenue for the attackers controlling it. Because the miner has to stay in contact with the attacker's infrastructure to receive work and report results, its network activity is persistent and regular, and that is what makes it visible in network metadata.

Preparation

This is the initial phase where organizations take defensive measures to respond effectively to incidents.

How Lumu Helps

Lumu provides the ability to illuminate the blind spots in your network by providing coverage of your entire infrastructure, namely on-premises, public and private clouds, and roaming devices.

Lumu metadata collection
Recommended Actions
  1. Set up collectors such as Virtual Appliances, Gateways, and the Lumu API to ensure that all your network metadata is ingested into the Lumu platform. Learn more in our deployment guide.
  2. Set up Spambox analysis to understand who adversaries are attempting to compromise in your organization and how they are being targeted.
  3. Ensure you cover remote users in your compromise assessment. Learn more about Lumu Agent and VPN and SDP configuration.
  4. Identify your vital assets (clients, IoT, clouds, remote devices, etc.) and assign labels to your traffic to help quickly identify the compromise distribution across your infrastructure in a way that makes sense for your organization.
  5. Conduct regular awareness campaigns on security policies and risks employees face, and what actions to take when faced with a cyberattack.
  6. Keep your endpoint protection and operating systems updated.

Detection & Analysis

Organizations should work to detect and validate incidents as quickly as they can. Without proper analysis, you may not get appropriate containment or eradication. Early detection helps organizations control the number of infected systems and makes the next phase easier.

How Lumu Helps

Lumu unlocks the value of your own network metadata by implementing the concept of Continuous Compromise Assessment that provides comprehensive and detailed visibility into your network infrastructure. Lumu illuminates the various activities associated with indicators of compromise (IoCs) detected on your network and provides all the contextual information needed for in-depth analysis through the Lumu Portal.

Recommended Actions
  1. Identify attack patterns. Look for details, such as date, time, number of contacts, and domains. You have that information at a glance in the Activity section of the Lumu Portal.
  2. Drill down into detailed, factual data about the attack campaigns targeting your organization’s spambox using the data provided by the Campaigns section.
  3. Analyze proxy server events to determine if malicious software was downloaded from the reported IoCs.
  4. Identify the endpoints contacting the adversarial infrastructure, and then match these with affected users. Use the Attack Distribution feature of the Lumu Portal to see how the compromise spread inside your network.
  5. Identify how your assets are communicating with the adversarial infrastructure. Use Lumu's Compromise Radar feature to find out the frequency and behavior of the malicious communication, so you can differentiate occasional contact from persistent, automated compromises that can harm the organization.
  6. Search for spoofed emails using the context information Lumu provides for the IoC.
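As an added example (not Lumu's code, and not a Lumu export format), the following Python script shows the kind of frequency analysis step 5 describes, run over constructed DNS-resolution metadata: it groups contacts with a reported IoC domain per client and labels each client as occasional, repeated, or persistent-automated, based on how many contacts there are and how regular the intervals between them are. The IoC domain, the log line layout, the client addresses, and the thresholds are all assumptions made for this example.

```python
"""Classify contacts to a reported IoC as occasional vs persistent/automated.

Added example, not Lumu code. Input is constructed DNS-resolution metadata
(timestamp, client IP, queried name) in the shape a DNS collector might emit.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Hypothetical IoC, as if exported from the portal. Constructed for this example.
IOC_DOMAIN = "pool.miner-example.invalid"

# Constructed metadata lines: "<ISO timestamp> <client IP> <queried name>"
SAMPLE_LOG = """\
2024-03-04T09:00:00 10.1.2.10 pool.miner-example.invalid
2024-03-04T09:05:00 10.1.2.10 pool.miner-example.invalid
2024-03-04T09:10:00 10.1.2.10 pool.miner-example.invalid
2024-03-04T09:15:00 10.1.2.10 pool.miner-example.invalid
2024-03-04T09:20:00 10.1.2.10 pool.miner-example.invalid
2024-03-04T09:25:00 10.1.2.10 pool.miner-example.invalid
2024-03-04T09:07:13 10.1.2.77 www.example.com
2024-03-04T11:42:09 10.1.2.77 pool.miner-example.invalid
2024-03-04T10:01:00 10.1.3.5 pool.miner-example.invalid
2024-03-04T16:33:20 10.1.3.5 pool.miner-example.invalid
2024-03-04T23:58:41 10.1.3.5 pool.miner-example.invalid
"""


def parse_log(text):
    """Yield (timestamp, client_ip, domain) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2].lower().rstrip(".")


def contacts_by_client(records, ioc_domain):
    """Collect the sorted contact timestamps with the IoC domain for each client."""
    per_client = defaultdict(list)
    for ts, client, domain in records:
        if domain == ioc_domain:
            per_client[client].append(ts)
    return {client: sorted(times) for client, times in per_client.items()}


def classify(timestamps, min_contacts=5, max_jitter=0.25):
    """Label one client's contact pattern.

    persistent-automated: at least min_contacts contacts whose inter-contact
        intervals are regular (coefficient of variation <= max_jitter), the
        beacon-like pattern of a miner polling its pool.
    repeated: several contacts with irregular or too few samples to call it
        automated (e.g. a user browsing to the name more than once).
    occasional: one or two contacts.
    """
    n = len(timestamps)
    if n < 3:
        return "occasional"
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(gaps)
    cv = pstdev(gaps) / avg if avg > 0 else 0.0
    if n >= min_contacts and cv <= max_jitter:
        return "persistent-automated"
    return "repeated"


def triage(text, ioc_domain=IOC_DOMAIN):
    """Return {client_ip: (contact_count, label)} for one metadata export."""
    groups = contacts_by_client(parse_log(text), ioc_domain)
    return {client: (len(times), classify(times)) for client, times in groups.items()}


if __name__ == "__main__":
    for client, (count, label) in sorted(triage(SAMPLE_LOG).items()):
        print(f"{client:<12} contacts={count:<3} {label}")
```

In the constructed data, 10.1.2.10 resolves the IoC every five minutes and is flagged as persistent-automated; 10.1.2.77 touched it once and is occasional; 10.1.3.5 has three evenly spaced contacts but too few to call automated, so it lands in the repeated bucket for an analyst to look at. Tune min_contacts and max_jitter to the collection window you actually have.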

Containment, Eradication & Recovery

This phase has two key goals: stop the spread of the threat and prevent further damage inside the network. Organizations should have strategies and procedures that match the level of risk of the detected compromise.

With Lumu paid subscriptions you have real-time visibility into the detailed malicious activity of each private IP address in your network. To learn more about illumination options, consult Lumu Offerings.
How Lumu Helps

Confirmed compromise intelligence about the compromised device helps security analysts to understand where and how to contain and eradicate the compromise.

Recommended Actions
  1. Download the IoCs and threat trigger details from the Lumu Portal and configure your security infrastructure (firewalls, email gateways, etc.) to block the malicious URLs, email senders, or IPs.
  2. If the threat was delivered as an email attachment, check for details in the log files of the organization's mail server.
  3. Reduce any further malicious activity by preventing phishing activity, quarantining affected assets, or removing them from the network.
  4. Reset the credentials of all involved systems.
  5. Identify compromised or at-risk user credentials and request password changes if needed.
  6. Remove threats, and replace or restore the compromised assets to their previous state. Wipe and re-baseline affected systems if needed.
  7. Establish monitoring to detect further suspicious activity. Mining malware is built to persist quietly, so keep watching for renewed contact with the same infrastructure after cleanup. The incident and its effects need to be remediated across the entire network.
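As an added example (not Lumu's code; the two-column type,value export layout is an assumption, as are the indicator values, which use documentation and reserved names), this Python script turns a downloaded IoC list into the blocking artifacts step 1 calls for: DNS Response Policy Zone records for domains (including hosts extracted from URLs), egress firewall rules for IP addresses, and a sender list for the mail gateway. It also performs the checks a practitioner wants before pushing rules: it deduplicates, skips internal and non-routable addresses, and skips anything matching a locally maintained allowlist of the organization's own domains, so a careless export cannot cut the organization off from itself.

```python
"""Turn an exported IoC list into blocking rules for DNS and firewall layers.

Added example, not Lumu code. The type,value CSV layout and the indicator
values below are assumptions constructed for this example.
"""
import csv
import ipaddress
from io import StringIO
from urllib.parse import urlsplit

# Constructed export: reserved/documentation names and ranges, not real IoCs.
SAMPLE_EXPORT = """\
type,value
domain,pool.miner-example.invalid
domain,POOL.miner-example.invalid.
url,http://cdn.miner-example.invalid:8080/payload/config.json
ip,203.0.113.10
ip,192.168.1.1
ip,203.0.113.10
domain,corp.example.com
email,payroll@phish-example.invalid
"""

# Assumption: the organization's own domains, maintained locally, never blocked.
ALLOWLIST_DOMAINS = {"corp.example.com"}

# Internal/non-routable ranges an IoC export should never make you block.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def normalize_host(value):
    """Lower-case, strip the trailing dot; reject bare TLDs and empty labels."""
    host = value.strip().lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2 or any(not lbl for lbl in labels):
        return None
    return host


def blockable_ip(value):
    """Return the canonical address, or None if it is internal or malformed."""
    try:
        ip = ipaddress.ip_address(value.strip())
    except ValueError:
        return None
    if any(ip in net for net in NEVER_BLOCK):
        return None
    return str(ip)


def in_allowlist(host, allowlist):
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == a or host.endswith("." + a) for a in allowlist)


def build_blocklists(export_csv, allowlist=ALLOWLIST_DOMAINS):
    """Return (domains, ips, senders, skipped); skipped lists the rejected rows."""
    domains, ips, senders, skipped = set(), set(), set(), []
    for row in csv.DictReader(StringIO(export_csv)):
        kind, value = row["type"].strip().lower(), row["value"].strip()
        if kind == "url":  # block the host serving the payload, not just one path
            kind, value = "domain", urlsplit(value).hostname or ""
        if kind == "domain":
            host = normalize_host(value)
            if host is None or in_allowlist(host, allowlist):
                skipped.append((kind, value))
            else:
                domains.add(host)
        elif kind == "ip":
            ip = blockable_ip(value)
            if ip is None:
                skipped.append((kind, value))
            else:
                ips.add(ip)
        elif kind == "email":
            senders.add(value.lower())
        else:
            skipped.append((kind, value))
    return sorted(domains), sorted(ips), sorted(senders), skipped


def rpz_records(domains):
    """BIND RPZ lines that return NXDOMAIN for each name and all its subdomains."""
    lines = []
    for d in domains:
        lines += [f"{d} CNAME .", f"*.{d} CNAME ."]
    return lines


def firewall_rules(ips):
    """Egress drop rules, inserted at the top so they beat existing ACCEPT rules."""
    return [f"{'ip6tables' if ':' in ip else 'iptables'} -I OUTPUT -d {ip} -j DROP"
            for ip in ips]


if __name__ == "__main__":
    domains, ips, senders, skipped = build_blocklists(SAMPLE_EXPORT)
    print("\n".join(rpz_records(domains)))
    print("\n".join(firewall_rules(ips)))
    print("mail gateway sender block:", ", ".join(senders))
    for kind, value in skipped:
        print(f"skipped {kind} {value!r}: review by hand before blocking")
```

Anything the script skips is printed rather than silently dropped, so an analyst can review a rejected row (here the RFC 1918 address and the organization's own domain) instead of discovering the gap later. The RPZ and iptables output formats are standard; the input format is the part you must adapt to the real export.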

Post-Incident Activity

This phase is designed to incorporate the lessons learned from each incident and to evaluate future improvements.

How Lumu Helps

Lumu helps refine the current and future defense and response by continuously monitoring that the compromise has been eradicated.

Recommended Actions
  1. Use Lumu to continuously monitor for any communication between your assets and the adversary's infrastructure, to make sure that no additional contacts are reported.
  2. Conduct root cause analysis and evaluate the habits of the users. Use the context information in the Lumu Portal for details on how the adversary works, which users are falling for spam or phishing messages, and if they are visiting dangerous websites.
  3. Explore the related sources and articles provided by Lumu in the Context area to understand more about the detected malicious activities.
  4. Adjust your security policies. This may involve changing the configuration of the company's assets and conducting awareness campaigns, focusing on the users that own those devices.
  5. Coordinate with your endpoint protection vendor on any updates or signatures needed.
  6. Document and share with the stakeholders all the lessons learned from the incident and recommendations of any aspect that could be improved to help prevent a similar cyber incident from reoccurring.
Related Articles
  • General Incident Response Playbook
  • Malware Incident Response Playbook
  • Phishing Incident Response Playbook
  • Spam Incident Response Playbook
  • Network Scan Incident Response Playbook