Incident Response Process Phase 1 – Preparation

This phase is open-ended; you will always be tweaking and fiddling with policies and technologies to make the environment as secure as you can. Just as you think it’s fixed, a zero-day comes along and ruins your picnic.

So what can we do?

Start by thinking ‘what would an attacker do?’. Chances are a good one wouldn’t bang on your firewall for days on end with Nmap hoping you get bored and open a port just to shut them up. A good attacker starts out with:


That’s where you should start.

There are far too many tools out there to list fully. However, a very intelligent guy named Cedric did most of the hard work on the Airbus Defence & Space blog; he goes into far more depth than I will regarding how to defend yourself against reconnaissance by doing reconnaissance on your own company. This is not a small task and is one of the parts which will always change.

A couple of additions to Cedric’s post. The first is Shodan-HQ, which is hailed as “Google for devices”. Have a play, but stay off the webcam section, some things CANNOT be un-seen!!

The other is Pastebin. This is where a lot of generic attackers will post details about sites or servers they have compromised. Mostly, though, it is useful for seeing if your company is listed on either a password dump or a hacktivist hate list.

Other preparation techniques come straight from the IT Admin book: change passwords regularly, have monitoring in place…. and actually look at it!!

Internet Whitelisting

Some more advanced techniques involve Internet whitelisting. Usually this would get a HUGE BOOOOOOOOO from the crowd of users, but John Strand of Black Hills Security, who is also a SANS instructor, mentioned a good technique for this: allow *any* website the users request. If they request porn, you should probably sack them. Facebook, LinkedIn, Twitter, Outlook, general interest forums for lunchtime surfing? Say yes to them all! This keeps the user base happy. Have you restricted around 99% of the internet? Yeah, pretty much. At least 99.9% of evil sites have been blocked, meaning you only need to worry about the ones you know about. A lot easier to manage than the ones you don’t!
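The whitelist only works if the matching is done properly: “facebook.com” must match www.facebook.com but not evilfacebook.com or facebook.com.attacker.example. The following is an added example (not from the original post, not from any product John Strand mentioned) of that check, with the user requests and the domain list constructed for illustration; requests that miss the list go into a review queue rather than being silently dropped, which is the “allow what they ask for” half of the technique.

```python
"""Host allowlist check for an 'allow what the users ask for' web policy.

Added example; not from the original post. The domain names and the sample
requests below are constructed assumptions, not a real organisation's list.
"""
from urllib.parse import urlsplit

# Assumed allowlist: each entry permits the name itself and any subdomain.
ALLOWED_DOMAINS = {
    "facebook.com",
    "linkedin.com",
    "twitter.com",
    "outlook.com",
    "forums.example.org",  # placeholder for a 'general interest forum'
}


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, ignoring scheme, port and userinfo."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").rstrip(".").lower()


def is_allowed(url: str, allowlist=ALLOWED_DOMAINS) -> bool:
    """True only if the host is an allowlisted name or a subdomain of one.

    Matching on label boundaries matters: 'evilfacebook.com' and
    'facebook.com.attacker.example' must NOT match 'facebook.com'.
    """
    host = host_of(url)
    if not host:
        return False
    labels = host.split(".")
    # Walk from the full host up to (but excluding) the bare top-level label.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in allowlist:
            return True
    return False


def triage(requests):
    """Split (user, url) pairs into allowed requests and ones needing review."""
    allowed, review = [], []
    for user, url in requests:
        (allowed if is_allowed(url) else review).append((user, url))
    return allowed, review


# Constructed proxy requests; the users and URLs are made up for the example.
SAMPLE_REQUESTS = [
    ("dolly", "https://www.facebook.com/"),
    ("mustafa", "https://facebook.com.attacker.example/login"),
    ("louis", "http://evilfacebook.com/"),
    ("dolly", "https://forums.example.org/thread/42"),
    ("mustafa", "https://cdn.example.net/update.exe"),
]

if __name__ == "__main__":
    ok, pending = triage(SAMPLE_REQUESTS)
    for user, url in ok:
        print(f"ALLOW   {user:8} {url}")
    for user, url in pending:
        print(f"REVIEW  {user:8} {url}")
```

Anything in the review queue is what a user actually asked for, so the list grows only with sites that someone in the business wanted, which is exactly the property that keeps it manageable.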

Disable lateral communication between hosts

Another recommendation is to not allow lateral communication between hosts. Does Dolly from Marketing’s PC really need to speak with Mustafa’s PC in Sales? No! If the two of them want to communicate (as in the people) they can send an email or, and forgive me for being radical here, get up, walk over and speak to each other! The desktops do not need to speak to each other. Secure them so the only portion of the network they can communicate with is the segment containing the servers.

Providing your local admin passwords are not the same as your domain admin passwords (if they are….. have a word with yourself), lateral movement becomes exceptionally difficult for the attacker.
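Once the rule is “desktops talk to the server segment and nothing else”, the monitoring you are already supposed to be looking at can tell you when the rule is being broken. Below is an added example (not from the original post) that checks a handful of flow records against that policy and counts how many other desktops each desktop has tried to reach; the subnets, ports, and log format are constructed assumptions, standing in for whatever your firewall or flow collector actually emits.

```python
"""Spot desktop-to-desktop traffic in flow records.

Added example; not from the original post. Subnets, allowed ports and the
flow lines are constructed assumptions mimicking a simple firewall/flow log.
"""
import ipaddress
import re
from collections import defaultdict

WORKSTATIONS = ipaddress.ip_network("10.10.0.0/16")  # assumed desktop segment
SERVERS = ipaddress.ip_network("10.20.0.0/24")       # assumed server segment
# Assumed: the services desktops legitimately need from the server segment.
ALLOWED_SERVER_PORTS = {53, 88, 135, 389, 443, 445, 3268}

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def classify(src: str, dst: str, dport: int) -> str:
    """Return a verdict for one flow against the segmentation policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s in WORKSTATIONS and d in WORKSTATIONS:
        return "lateral"            # desktop to desktop: should never happen
    if s in WORKSTATIONS and d in SERVERS:
        return "allowed" if dport in ALLOWED_SERVER_PORTS else "unexpected"
    if s in SERVERS and d in WORKSTATIONS:
        return "server_to_desktop"  # management/deployment; review against policy
    return "unexpected"


def scan(lines):
    """Parse flow lines; return (verdict counts, lateral fan-out per source)."""
    counts = defaultdict(int)
    fanout = defaultdict(set)
    for line in lines:
        m = FLOW_RE.match(line.strip())
        if not m:
            counts["unparsed"] += 1
            continue
        try:
            verdict = classify(m["src"], m["dst"], int(m["dport"]))
        except ValueError:          # malformed address such as 999.1.1.1
            counts["unparsed"] += 1
            continue
        counts[verdict] += 1
        if verdict == "lateral":
            fanout[m["src"]].add(m["dst"])
    return dict(counts), {src: sorted(dsts) for src, dsts in fanout.items()}


# Constructed flow records for the example; one desktop fanning out to
# three peers on file-sharing and remote-desktop ports is the pattern to notice.
SAMPLE_FLOWS = [
    "2015-06-02T02:10:01Z 10.10.1.5:50213 -> 10.20.0.10:445 tcp",
    "2015-06-02T02:10:02Z 10.10.1.5:50214 -> 10.20.0.10:389 tcp",
    "2015-06-02T02:11:17Z 10.10.1.5:50215 -> 10.10.1.9:445 tcp",
    "2015-06-02T02:11:18Z 10.10.1.5:50216 -> 10.10.1.12:445 tcp",
    "2015-06-02T02:11:20Z 10.10.1.5:50217 -> 10.10.1.14:3389 tcp",
    "2015-06-02T02:12:00Z 10.10.2.30:49152 -> 10.20.0.11:8443 tcp",
    "2015-06-02T02:13:00Z 10.20.0.5:55000 -> 10.10.1.5:5985 tcp",
    "this line is not a flow record",
]

if __name__ == "__main__":
    counts, fanout = scan(SAMPLE_FLOWS)
    print("verdicts:", counts)
    for src, peers in fanout.items():
        print(f"{src} reached {len(peers)} other desktops: {', '.join(peers)}")
```

If the host firewalls are doing their job these flows should be blocked at the source; seeing them at all (even as denies) tells you something on that desktop is looking for neighbours.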

Protect your Crown Jewels

You need to know what your company does that no other company can do. Why are you not out of business? What are your company’s Crown Jewels?

For some companies this could be a project about the latest aircraft they are building; for others it may be customer credit card details; and for others it may be as simple as how much they can undercut the competitors. The basic fact is you need to know what makes your company special in order to protect it.

The sad fact about security right now is that it is not a question of if you will get attacked, but when. The attack may be small and easily fended off, or it may be complex and very difficult to detect. But if you were to see “copy c:\CrownJewels\*.* r:\mwuhahaha\” and there was no R: drive, you may have an issue. Now answer me this: would you see that? Chances are the answer was no, mostly because I never gave any context as to how it happened 🙂 If the files were copied out from under you, or worse yet deleted, you would want to know how, why and when. Logging enabled on this folder would be a very basic start to seeing what happened.
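Logging on the folder only helps if something reads the log. As an added example (not from the original post), here is the simplest check that would have caught the copy above: run over process command lines, flag any copy-style command whose source sits under the Crown Jewels folder and whose destination is not on a drive you sanctioned. The log format, folder name, drive letters and the log lines themselves are constructed assumptions standing in for whatever process-creation auditing you have in place.

```python
"""Flag commands that copy the Crown Jewels somewhere they should not go.

Added example; not from the original post. The log format, protected path,
sanctioned drives and sample lines are constructed assumptions standing in
for process-creation audit records that carry the command line.
"""
import ntpath
import re

PROTECTED = r"c:\crownjewels"            # assumed protected folder (lower case)
SANCTIONED_DRIVES = {"c:", "d:", "p:"}   # assumed: local disks + approved share
COPY_CMDS = {"copy", "xcopy", "robocopy", "move"}

LINE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')     # quoted paths with spaces stay whole


def under_protected(path: str) -> bool:
    """True if the path is the protected folder or anything beneath it."""
    n = ntpath.normpath(path).lower()
    return n == PROTECTED or n.startswith(PROTECTED + "\\")


def drive_of(path: str) -> str:
    """Lower-cased drive ('r:') or UNC root ('\\\\host\\share'); '' if relative."""
    drive, _ = ntpath.splitdrive(path)
    return drive.lower()


def analyse(cmd: str):
    """Return {'sources', 'destinations'} if cmd copies protected data off-policy."""
    tokens = [t.strip('"') for t in TOKEN_RE.findall(cmd)]
    if not tokens:
        return None
    verb = ntpath.basename(tokens[0]).lower()
    verb = verb[:-4] if verb.endswith(".exe") else verb
    if verb not in COPY_CMDS:
        return None
    args = [a for a in tokens[1:] if not a.startswith("/")]   # drop switches
    sources = [a for a in args if under_protected(a)]
    if not sources:
        return None
    # Destination candidates: path-like arguments outside the protected tree.
    # A relative destination cannot be proven sanctioned, so it is flagged too.
    dests = [a for a in args if not under_protected(a) and ("\\" in a or drive_of(a))]
    bad = [d for d in dests if drive_of(d) not in SANCTIONED_DRIVES]
    return {"sources": sources, "destinations": bad} if bad else None


def scan(lines):
    """Run analyse() over audit lines and return the alerts with who/where/when."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        hit = analyse(m["cmd"])
        if hit:
            alerts.append({"ts": m["ts"], "host": m["host"], "user": m["user"], **hit})
    return alerts


# Constructed audit lines: the first is the blog's own example, the rest are
# made up to show a sanctioned backup, a copy to another desktop, and noise.
SAMPLE_LOG = r"""
2015-06-02T02:14:07Z host=WS-DOLLY user=CORP\dolly cmd=copy c:\CrownJewels\*.* r:\mwuhahaha\
2015-06-02T02:30:00Z host=SRV-BACKUP user=CORP\svc-backup cmd=robocopy c:\CrownJewels p:\nightly\crownjewels /MIR
2015-06-02T03:02:41Z host=WS-DOLLY user=CORP\mustafa cmd=xcopy "c:\CrownJewels\Airframe v7" "\\WS-MUSTAFA\c$\tmp" /E
2015-06-02T03:10:12Z host=WS-LOUIS user=CORP\louis cmd=notepad.exe c:\CrownJewels\readme.txt
2015-06-02T03:11:00Z host=WS-DOLLY user=CORP\dolly cmd=copy c:\Users\dolly\cat.jpg r:\pics\
""".strip().splitlines()

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a['ts']} {a['host']} {a['user']}: {a['sources']} -> {a['destinations']}")
```

The UNC case matters as much as the phantom R: drive: a copy to another desktop’s admin share is exactly the host-to-host traffic the segmentation above is meant to make impossible, so the two controls back each other up.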

Defence in Depth

Still referring to the Crown Jewels here, but I felt it was a good time to point out the defence in depth model. This is usually best visualised as a Top Secret piece of paper that you want protected. How would you do that (physically, not virtually)? Let me make a quick list; it may not be complete, but it makes a point.

  • Put the paper in a safe with an expensive lock
    • Put the safe in a secure room, no windows and a heavy duty locked door
      • Have that room in a secured building with security systems in place
        • That building is located inside a military camp which has a fence around it
          • The camp is patrolled by armed personnel
            • With dogs
              • The dogs have teeth
                • And are hungry

Broadly speaking, this is the defence in depth model: any layer can be beaten alone, however the entire stack makes that Top Secret piece of paper pretty safe.

The same idea can be used with IT systems. I hear people say that Anti-Virus is pointless, so why have it? Because it may be the chain-link fence of our stack: alone it is kind of flimsy as a security measure, but combined with other layers the whole becomes far stronger than any one of them alone. Let me see if I can do a similar model for a digital document…. this may go wrong….

  • Photo of your cat
    • Placed in an NTFS folder with permissions set (correctly)
      • Auditing turned on for that folder (and monitored)
        • Host based IPS
        • Windows Firewall configured to only allow specific connections
        • Boot order set to Hard drive first with BIOS password (deliberately on the same level)
        • No Firewire port (or PCMCIA!!)
          • I will continue with the assumption of network based security, otherwise this list could get crazy
          • Contained on a Windows <latest> domain with strong password policies
            • Network based IPS
            • Network sandboxing (including email)
              • Correctly configured Gateway Firewall

Now I know that isn’t complete, I can already hear people screaming “yeah… but….”. To those people I say….. shut up. I know it’s not perfect, it’s meant to show an idea. If you’re still confused, Google “defence in depth”; I know there are hundreds of different examples and they are probably better than mine.

Now…. where was I?

Ah yes, preparation! As you can see, it easily becomes a beast. Knowing your own environment is key. Check your egress points, look for old systems that you’re not even sure what they do any more. AS/400 systems sat getting dusty in a corner that Louis in Finance uses once a year? Can it be switched off for 11 months? Is it still supported?

Staff Training

Staff training is another big one. Don’t use this as a stick to punish people, make it an education. Don’t shame people if they click a fake spear phishing email; engage with them, find out what made them click and explain what to look for in the future. Most people already think of us as unsociable, sweaty, nerdy acolytes of the Mainframe; don’t reinforce this.


Put policies in place and then PRACTICE them! You need to know them inside out when an attack happens. This includes upper management too. Try to arrange a small budget to buy emergency items, maybe £3-5000 or more. Make sure it does not need to be approved beforehand (obviously it will need to be reconciled afterwards; if not, I will have a new motorbike please). This can be used for buying food for the staff who are being expected to work all night to get this sorted, or buying hardware you didn’t even know you needed.


Do you want to phone the CEO at 3am to update her about the latest evolution of the malware? I am guessing no. Having a chain of command for communications not only protects you from the management, it protects the management from you.

What happens if your IP phone network is compromised, or is taken out? Do you have mobile phones? Are you expected to use your own? These questions need to be answered before the attack happens.


I hope you’re not planning on using your corporate laptop to resolve this incident, are you? Oh dear, you do know the corporate network is riddled with malware, right?!

Get a Jump Kit! Have equipment on standby that you know is clean and fully patched. Use it, know it, learn it, love it.

There is a whole load of equipment needed for this, the laptop is just a start.

Extra help

As I have already said, this stage is HUGE! And potentially never-ending. But without it the other steps become weaker. So, a couple of links for preparations and mitigations:

Australian Government Top 35

US Government


Good luck, and remember: to protect what you know, you need to know what to protect!
