| Tactic | Technique ID | Technique Name | Sub-Technique Name | Platforms | Permissions Required |
|---|---|---|---|---|---|
| Initial Access | T1133 | External Remote Services | Containers, Linux, Windows | User |
(P) Preparation
1. Patch asset vulnerabilities
2. Perform routine inspections of controls/weapons
3. Ensure Antivirus/Endpoint Protection software is installed on workstations and laptops
4. Prohibit non-employees from accessing company devices
5. Ensure that all remotely accessible services are logging to a central location
6. Provide security awareness training to employees
7. Use multifactor authentication where possible
8. Ensure proper network segmentation/firewall rules are in place for remote users
9. Routinely audit remote system access
Assign steps to individuals or teams to work concurrently, when possible; this playbook is not purely sequential. Use your best judgment.
- Monitor for:
- Remote access during unusual hours/days
- Remote access from unusual sources (i.e. geographic locations, IPs, etc.)
- Excessive failed login attempts
- IPS/IDS alerts
- Antivirus/Endpoint alerts
- Investigate and clear ALL alerts associated with the impacted assets
- Contact the user out of band to determine the legitimacy of the detected activity
- Plan remediation events where these steps are launched together (or in coordinated fashion), with appropriate teams ready to respond to any disruption.
- Consider the timing and tradeoffs of remediation actions: your response has consequences.
- Inventory (enumerate & assess)
- Detect | Deny | Disrupt | Degrade | Deceive | Destroy
- Observe -> Orient -> Decide -> Act
- Issue perimeter enforcement for known threat actor locations
- Block access from the compromised user
- Lock accounts associated with the compromised user
- Inspect all potentially compromised systems for IOCs
- Close the attack vector
- Patch asset vulnerabilities
- Perform Endpoint/AV scans on affected systems
- Review logs to determine the extent of the unauthorized activity
TODO: Specify financial, personnel, and logistical resources to accomplish remediation.
TODO: Customize communication steps for <Type of Incident>
TODO: Specify tools and procedures (including who must be involved) for each step, below, or refer to overall plan.
In addition to the general steps and guidance in the incident response plan:
In addition to the general steps and guidance in the incident response plan:
- Restore to the RPO within the RTO
- Address collateral damage
- Resolve any related security incidents
- Perform routine cyber hygiene due diligence
- Engage external cybersecurity-as-a-service providers and response professionals
- "Title", Author Last Name (Date)