Containment actions

What are appropriate actions?

We will examine scenarios for common actions and see what the positive and negative impacts of each may be

Shutdown

Once had a customer do this before we arrived

  • Lost all memory evidence

  • Lost some hard drive evidence

  • Lost a lot of knowledge of what the threat actors were doing

Same situation, different outcome

  • Threat actors were done exfiltrating and had planted a self-destruct piece of malware

  • Shutting down immediately stopped it from executing and allowed the hard drive to be backed up, etc., before the logic bomb could kick off

Disconnect from the network

Once had a customer do this ahead of time

  • Killed a critical company-wide global trading application

  • CFO said amount of money lost was unimaginable

Same situation, different outcome

  • Threat actors had begun an exfiltration operation

  • Appeared to be getting everything

  • The act of disconnecting that group of servers stopped them before they got to any customer data

Leave connected and observe

Advised customer to allow us to observe and hunt for 72 hours

  • Discovered that the "compromised" machines were only compromised to distract

  • Real objective was data on a completely different segment of the network, previously unknown to have been accessed

  • End result: We found the threat actor's true objective, which led to more complete eradication

One organization followed this process for two weeks

  • It was during that two weeks that the threat actors took the most important data

Scope and assessment importance

Previous examples show how varied specifics can be

Proper assessment and scoping helps

  • Discourages heroics and shotgun decisions

  • Keeps the whole team focused and on-mission
