Preparation
One of the first things to do is to properly prepare for a cyber crisis. To that end, we will look at several points of attention to prepare in advance.
Inventory of your resources
It is important to have a list of the resources available to you in the event of a crisis, both material and human.
Do you have dedicated positions for incident response?
Do you have trained staff?
Do the personnel who will be called upon have constraints of their own (such as children to drop off at and pick up from school)?
Communication channels
If your infrastructure is compromised, you must provide a secure exchange channel that does not depend on that infrastructure. A good example of the risk of running your crisis unit on compromised infrastructure: LDLC.
It is possible to rent dedicated meeting rooms for short periods of time.
Insurance
One of the crucial points, often only brought up at the end of remediation, is insurance.
Are you protected?
The first thing to know is whether you are covered for crises of cyber origin, and if so, up to what amount.
Maximum support?
Another important point to validate with your insurer is exactly what is covered. Very often, the insurer will only cover the costs of a return to normal, not the costs of improvements or special charges (staff overtime, purchase of equipment, etc.).
Partners
Finally, check with your insurer whether it has dedicated partners for responding to cyber crises. This is a crucial point: some policies may not be activated if your service providers are not partners of your insurer.
Tools
In order to respond effectively, you need your tools to be available (on a USB key, or on a dedicated workstation outside the network). Here is a non-exhaustive list of tools that can help you.
Hardware
Having write blockers available is a plus.
CAINE Linux
Italian live Linux distribution maintained by Giovanni "Nanni" Bassetti. The project started in 2008 as an environment supporting digital forensics and incident response, with several related tools pre-installed.
TSURUGI Linux
Tsurugi Linux is a DFIR open source project that is and will be totally free, independent, without involving any commercial brand. Our main goal is to share knowledge and "give back to the community".
Scripts
Forensicator
This script automates the collection of information using tools such as winpmem, among others.
Netstat with timestamps
This script lets you see the connections, but with their timestamps indicated. A must-have!
Mandiant RedLine
Mandiant's free Redline tool enables rapid RAM analysis by integrating indicators of compromise (IOCs) created with Mandiant's free IOC Editor tool.
Velociraptor
Velociraptor is a far too underrated tool. Among other things, it lets you retrieve information from workstations such as CPU and RAM consumption, but also carry out investigations from its interface: checking the contents of prefetch files and event logs, extracting RAM, etc.
Translation of business processes into IT processes
A point often discovered during a crisis is the inability to translate a business need into an IT process. For example, if you have to rebuild the billing department urgently, do you know the prerequisites of your software, where your servers are installed, in what order they should be brought back up, and which ports they use? It is important to carry out this work at least for the key activities of your company.
Take the case of a factory: components can always be delivered on carts pulled by a person, whereas managing the robots will necessarily require a server, its database and its administration network.
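As an added example (not from the original page), here is one way to record the mapping from a business process to its IT prerequisites so that the rebuild order, server locations and ports can be produced on demand rather than rediscovered during the crisis. The inventory values (hosts, racks, ports) are constructed for illustration.

```python
from graphlib import TopologicalSorter, CycleError

# Constructed inventory (hypothetical values, not from the page): for each IT
# component the billing process relies on, where it is installed, the ports it
# exposes and the components that must be back before it can be rebuilt.
BILLING_INVENTORY = {
    "dc01":        {"site": "HQ rack A3", "ports": [88, 389, 636], "needs": []},
    "billing-db":  {"site": "HQ rack A4", "ports": [1433],         "needs": ["dc01"]},
    "billing-app": {"site": "HQ rack A4", "ports": [8443],         "needs": ["dc01", "billing-db"]},
    "print-srv":   {"site": "Warehouse",  "ports": [631],          "needs": ["dc01"]},
    "invoicing":   {"site": "HQ rack A4", "ports": [443],          "needs": ["billing-app", "print-srv"]},
}

def prerequisites(inventory, component):
    """All components (transitively) required before `component` can run."""
    seen, stack = set(), [component]
    while stack:
        for dep in inventory[stack.pop()]["needs"]:
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen

def rebuild_order(inventory, targets):
    """Components needed by `targets` (what the business asks for), ordered so
    that each one appears after all of its prerequisites. A cyclic dependency
    usually means the inventory itself is wrong, so it is reported as an error."""
    needed = set(targets)
    for t in targets:
        needed |= prerequisites(inventory, t)
    sorter = TopologicalSorter({c: inventory[c]["needs"] for c in needed})
    try:
        return list(sorter.static_order())
    except CycleError as e:
        raise ValueError(f"cyclic dependency in inventory: {e.args[1]}") from e

def runbook(inventory, targets):
    """Human-readable rebuild steps: order, location, ports to open, prerequisites."""
    lines = []
    for i, c in enumerate(rebuild_order(inventory, targets), 1):
        info = inventory[c]
        ports = ", ".join(str(p) for p in info["ports"])
        needs = ", ".join(info["needs"]) or "nothing"
        lines.append(f"{i}. {c} ({info['site']}) - ports {ports} - after: {needs}")
    return lines

if __name__ == "__main__":
    print("\n".join(runbook(BILLING_INVENTORY, ["invoicing"])))
```

The same structure scales to the other key activities by adding their components to the inventory and asking for a different target list.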