The Lumu Mining Incident Response Playbook is based on the Computer Security
Incident Handling Guide by the National Institute of Standards and Technology (NIST). This playbook should be considered a guideline and needs to be adapted according to the specific requirements of each organization.
According to NIST special publication 800-61, the incident response life cycle has four main phases, as described below.
Preparation
This is the initial phase where organizations plan measures to respond effectively to incidents when they are discovered.
Unlocking the value of your own network metadata to provide enhanced compromise visibility.
- Be sure that all the network metadata is ingested in the Lumu platform.
- If you have remote users be sure that you are covering those users in your compromise assessment. Learn more
- Control the installation of unknown toolbars in your organization.
Detection & Analysis
Organizations should work to detect and validate incidents as quickly as they can. Early detection helps organizations to control the number of infected systems and makes the next phase easier.
Providing the ability to Illuminate the blind spots in your network, by implementing the concept of Continuous Compromise Assessment.
- Identify the machines that are contacting the mining infrastructure using the activity section in Lumu.
- Use Lumu to find out from which devices the connections to mining sites were made.
- Monitor the increase of processing on your machines.
- With the information provided by Lumu you should identify affected endpoints and then match these with affected users.
Containment, Eradication & Recovery
This phase has two key goals, stop the spread of the threat and prevent more damage inside the network. Organizations should have strategies and procedures according to the level of risk of the detected compromise.
Confirmed compromise intelligence about the compromised device helps security analysts to understand where and how to contain and eradicate the compromise.
- Identify the IOCs with Lumu and configure your security infrastructure to block it. E.g. If you have a firewall or proxy you can deny access to a specific domain or IP.
- Clean and quarantine with your endpoint protection technology.
- Use a malware removal tool if needed.
- Establish monitoring to detect further suspicious activity.
- Wipe and baseline affected systems if needed.
Post-Incident Activity
This last phase is designed to incorporate the lessons learned about the incident and be better prepared in the future.
Lumu helps to monitor continuously that the compromise has been eradicated and to refine the current defense and response infrastructure for the future.
- Use Lumu to detect the devices that contacted the malicious sites and make sure that no additional contacts are reported. In addition, you can also conduct awareness campaigns focusing on the users that own those devices.
- Conduct root cause analysis, using context information from the Lumu platform for details.
- Identify details of the cyber incident, including timing, type and location. The incident and its effects are to be remediated across the entire network.
- Coordinate with your endpoint protection technology vendor updates if needed.
