(part one - Preserving Forensic Data - here)
Cyber Intrusion Mitigation Strategies Part Two: Detection and Mitigation Recommendations
ICS-CERT developed this guidance to provide basic recommendations for owners and operators of critical infrastructure to enhance their network security posture.
It is not intended to be a detailed examination of all actions involved in incident response but is an attempt to provide high-level strategies that should can improve overall visibility of a cyber intrusion and aid in recovery efforts should an incident occur.
This guidance applies to both enterprise and control system networks, particularly where interconnectivity could allow movement between networks. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to implementing defensive measures to ensure there is no impact to normal operations.
The guidance is organized into topical areas within the major phases of incident response—detection, mitigation, and eradication/recovery—and closes with recommendations for long term security posture improvements.
The implementation of concepts discussed in this document is the responsibility of each organization and is dependent on the organization’s needs, network topology, and operational requirements.
WHERE TO BEGIN - DETECTION AND MITIGATION RECOMMENDATIONS
Enhancing the organization’s overall network security posture can be an expensive and time consuming process. However, while responding to a suspected or confirmed intrusion, it makes sense to focus on the relatively low cost strategies that can positively impact security in the near term.
INTRUSION DETECTION / PREVENTING LATERAL NETWORK MOVEMENT:
When an organization suspects that a network compromise has occurred, the primary concern should be to minimize lateral movement through networks, including possible migration into control system networks. Lateral movement can be identified by a number of tools and techniques including network intrusion prevention systems (IPS), intrusion detection systems (IDS), firewall logs, proxy logs, DNS logs, system logs, flow data, and packet captures.
Also, while it might seem reasonable to find and eliminate the intruder on a machine-by-machine basis as compromised hosts are identified, unless the response execution prevents lateral movement of the adversary across the network, the cleanup process will likely not succeed.
It is essential that the response team identify the extent of the intrusion—how many machines have been compromised and on which areas of the network—and isolate the affected machines from the network so the adversary cannot continue to spread while the response team deals with the known compromised systems.