The Lumu General Incident Response Playbook is based on the Computer Security Incident Handling Guide by the National Institute of Standards and Technology (NIST). This playbook should be considered a guideline and needs to be adapted according to the specific requirements of each organization.
According to NIST Special Publication 800-61, the incident response life cycle has four main phases, as described below.
Preparation
This is the initial phase where organizations plan measures to respond effectively to incidents when they are discovered.
Lumu unlocks the value of your own network metadata to provide enhanced compromise visibility.
- Be sure that all the network metadata is ingested into the Lumu platform.
- If you have remote users, be sure that you are covering those users in your compromise assessment.
Detection & Analysis
Organizations should work to detect and validate incidents as quickly as they can. Early detection helps organizations to control the number of infected systems and makes the next phase easier.
Lumu provides the ability to illuminate the blind spots in your network by implementing the concept of Continuous Compromise Assessment.
- Search for spoofed emails with the context information provided by Lumu.
- Identify the machines that are contacting the adversarial infrastructure using the activity section in Lumu.
- Use Lumu to find out from which devices the connections to the malicious site were made.
- With the information provided by Lumu, you should identify affected endpoints and then match these with affected users.
Containment, Eradication & Recovery
This phase has two key goals: stop the spread of the threat and prevent more damage inside the network. Organizations should have strategies and procedures according to the level of risk of the detected compromise.
Confirmed compromise intelligence about the compromised device helps security analysts to understand where and how to contain and eradicate the compromise.
- Identify the IOCs with Lumu and configure your security infrastructure to block them. For example, if you have a firewall or proxy, you can deny access to a specific domain or IP.
- Limit further malicious activity by quarantining affected systems and removing them from the network.
- Identify compromised or at-risk user credentials. Request password changes if needed.
- Reset the credentials of all involved system(s) and users’ account details.
- Establish monitoring to detect further suspicious activity.
Post-Incident Activity
This last phase is designed to incorporate the lessons learned about the incident and be better prepared in the future.
Lumu helps to continuously monitor that the compromise has been eradicated and to refine the current defense and response infrastructure for the future.
- Use Lumu to detect the devices that contacted the malicious sites and make sure that no additional contacts are reported. In addition, you can also conduct awareness campaigns focusing on the users that own those devices.
- Conduct root cause analysis, using context information from the Lumu platform for details.
- Identify details of the cyber incident, including timing, type, and location.
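The triage steps from the phases above (identify affected endpoints, match them to users, build a block list, confirm no contacts after containment), as an added example that is not Lumu code. The record layout, indicators, hostnames, asset inventory and containment time are constructed assumptions, not a Lumu export format.

```python
import ipaddress
from datetime import datetime

# Constructed sample data, NOT a Lumu export format:
# (timestamp, endpoint hostname, contacted destination)
CONTACTS = [
    ("2024-05-01T09:12:00", "wks-017", "bad-cdn.example"),
    ("2024-05-01T09:40:00", "wks-017", "203.0.113.50"),
    ("2024-05-01T10:05:00", "lap-204", "bad-cdn.example"),
    ("2024-05-01T10:30:00", "wks-033", "intranet.example"),
    ("2024-05-02T08:01:00", "lap-204", "bad-cdn.example"),
]
IOCS = {"bad-cdn.example", "203.0.113.50"}  # constructed indicators
ASSET_OWNERS = {"wks-017": "asmith"}  # constructed inventory, lap-204 missing
CONTAINED_AT = "2024-05-01T12:00:00"  # assumed time the blocks went live


def affected_endpoints(contacts, iocs):
    """Map each endpoint that contacted an IOC to the set of IOCs it reached."""
    hits = {}
    for _ts, endpoint, dest in contacts:
        if dest.lower() in iocs:
            hits.setdefault(endpoint, set()).add(dest.lower())
    return hits


def affected_users(endpoints, owners):
    """Match endpoints to users; unknown owners are flagged, not dropped."""
    return {ep: owners.get(ep, "UNKNOWN-OWNER") for ep in endpoints}


def split_blocklist(iocs):
    """Split IOCs into IPs and domains (firewall vs. proxy/DNS rules)."""
    out = {"ips": [], "domains": []}
    for ioc in sorted(iocs):
        try:
            ipaddress.ip_address(ioc)
            out["ips"].append(ioc)
        except ValueError:
            out["domains"].append(ioc)
    return out


def contacts_after_containment(contacts, iocs, contained_at):
    """IOC contacts seen after containment; any hit means it is not eradicated."""
    cutoff = datetime.fromisoformat(contained_at)
    return [(ts, ep, d) for ts, ep, d in contacts
            if d.lower() in iocs and datetime.fromisoformat(ts) > cutoff]
```

In the sample data, lap-204 has no owner on record and contacts the blocked domain again the next day, so it needs both an inventory fix and a second look at containment.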