12 Incident Response Questions to Ask After the NotPetya Dust Settles
Organizations can use lessons learned to improve their security posture
By: Sabrina Sammel and Mike Weber
At the end of June 2017, the media became fixated on news of malware known as NotPetya, which presented itself as ransomware. The threat actor appeared to be more focused on obliterating victims' systems than on making money. The impact for some companies was staggering, largely due to the malware's ability to quickly propagate through an infected host's network.
There are many online resources describing the NotPetya attack, including a webcast presented by SecureWorks® Counter Threat Unit™ (CTU) researchers. This blog post does not focus on the latest intelligence or mitigation techniques, but rather on how organizations can apply lessons learned from this campaign to strengthen their security posture.
Incidents Present Growth Opportunities
NotPetya took exploits developed from various sources and coupled them with custom code to steal credentials and propagate through networks. It highlights the evolution of malware and reinforces that the need for a robust cybersecurity posture and proactive response planning continues to grow. Threat actors often reuse and amplify techniques that have had proven results.
After organizations ensure that NotPetya is no longer a threat, SecureWorks incident responders encourage them to gather key stakeholders, both technical and non-technical, and perform a lessons learned exercise. The goal of the exercise is to identify strengths and weaknesses in the organization's response and create a plan to identify and address areas of improvement. Budget and resource constraints may prevent resolution of all issues, but identifying them is the first step.
Questions to Evaluate Incident Response
Applicable questions may vary across organizations due to different network configurations, priorities, and processes, but the SecureWorks incident response team recommends the following twelve questions to start the conversation:
- Did your cybersecurity incident response plan (CIRP) provide guidance during the incident, or was the organization largely operating 'off-plan' during response efforts?
- Based on the incident, was there a predefined function that identified who would be in charge of the incident and who would communicate with leadership, management, lines of businesses, stakeholders, and the public?
- Did your communication plan effectively describe the operational tempo so that information was clear, concise, qualified, and consistent with the facts on the ground rather than a flurry of emails and “drive-by” meetings?
- Did participants know who should be involved, or were participants pulled in based on tribal knowledge?
- Did the incident response team have clear authority to segment parts of the network to prevent the spread of the malware?
- How well did associated teams (e.g., HR, Legal, Governance, Communications) engage in assessing potential notification requirements, communications, and other compliance and regulatory measures? (For example, HIPAA considers ransomware to be reportable unless the organization can prove that data exfiltration did not occur.)
- Were your network architecture and segmentation strategy robust enough to limit impact between internal systems?
- How well-insulated were critical systems and restricted data from the attack? Are your data classification policy and practice sufficient to identify and prioritize critical data?
- Are there other cybersecurity tools, processes, training, or internal communication mechanisms that could have enhanced protection, detection, and response?
- How prepared are you to handle zero-day exploits and unknown variables? Dealing with the new and unknown can throw otherwise well-organized incident response teams into disarray and cause them to lose valuable time while trying to contain an attack.
- If external parties were involved with the incident response, how well did they provide support and information during the attack? How effective was the collaboration? How quickly did they respond?
- How well did the business-recovery and continuity processes perform? For example, did the organization fully or only partially recover lost systems? If it was the latter, was it due to untested and/or corrupted backups?
The key to efficient cybersecurity response is to use the most effective resources throughout the incident response lifecycle. Engaging proactive controls helps organizations develop a more mature security posture. These controls include areas such as incident response planning, developing incident-related playbooks, testing, training, and exercising the plan. However, the most important step may be using lessons learned to continually evolve and ensure preparedness for future attacks.