1. Introduction
This runbook is the TU Oeucumene IT Operations guide to handling security incidents, meaning ongoing attacks that have, or can be expected to have, an operational impact on systems.
...
Appendix 8.3 must be completed here.
3. Phase 2: Mitigation
This phase aims to mitigate, minimize or eliminate the threat and its consequences.
...
Disable the LanmanServer (Server) service on the file servers (via script). Stopping this service stops all SMB reading and writing against the file servers over the network, so an infected client can no longer modify or encrypt further files on the shares. It does not stop a process that is already running locally on the server itself.
Step 2: Account disables
If Ground Zero is identified, access from there must also be restricted. The user's account is disabled in AD. In the case of a stand-alone PC, the PC must be disconnected from the network and scanned before it is allowed back on the network.
Step 3: Cleaning files
Bitdefender is installed on all servers (where not already present) and a scan and cleaning is performed.
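The following PowerShell script is an added example of how steps 1 and 2 of this phase can be carried out "via script"; it is not part of the original runbook and not an IT Operations tool. The server names FS01/FS02, the account name jdoe and the log path are placeholders (assumptions) to be replaced for the actual environment. It assumes an administrative workstation with the ActiveDirectory module installed and WinRM access to the file servers. It stops and disables LanmanServer on each file server, records which users still had files open at that moment (useful input for Appendix 8.3), disables the Ground Zero account in AD, verifies both, and writes everything to a log file that can be attached to Appendix 8.4.

```powershell
# Added example, not original runbook code.
# Placeholders: server names, account name, log path are assumptions.
# Do NOT run the LanmanServer part against domain controllers: their SYSVOL and
# NETLOGON shares also depend on that service and Group Policy would break.
param(
    [string[]]$FileServers = @('FS01', 'FS02'),   # placeholder file server names
    [string]$GroundZeroUser = 'jdoe',             # placeholder Ground Zero account
    [string]$LogPath = "$env:TEMP\ir-mitigation-$(Get-Date -Format yyyyMMdd-HHmm).log"
)

Import-Module ActiveDirectory

function Write-Log {
    param([string]$Message)
    # Timestamped line, shown on screen and appended to the log for the appendix.
    $line = "{0:u} {1}" -f (Get-Date), $Message
    $line | Tee-Object -FilePath $LogPath -Append
}

# --- Step 1: stop and disable the Server (LanmanServer) service on each file server.
# Stop-Service -Force also stops services that depend on LanmanServer.
# Setting the start type to Disabled keeps it from returning after a reboot.
foreach ($server in $FileServers) {
    try {
        $result = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
            # Capture who still had files open before cutting them off.
            $open = Get-SmbOpenFile | Select-Object ClientUserName, ClientComputerName, Path
            Stop-Service -Name LanmanServer -Force -ErrorAction Stop
            Set-Service -Name LanmanServer -StartupType Disabled
            $svc = Get-Service -Name LanmanServer
            [pscustomobject]@{
                Computer  = $env:COMPUTERNAME
                Status    = $svc.Status
                StartType = $svc.StartType
                OpenFiles = $open
            }
        }
        Write-Log "$($result.Computer): LanmanServer is $($result.Status), start type $($result.StartType)"
        foreach ($f in $result.OpenFiles) {
            Write-Log "  open before stop: $($f.ClientUserName) from $($f.ClientComputerName) -> $($f.Path)"
        }
    }
    catch {
        # A server that could not be reached must be handled manually; log it, keep going.
        Write-Log "FAILED on ${server}: $($_.Exception.Message)"
    }
}

# --- Step 2: disable the Ground Zero account in AD and verify the result.
try {
    Disable-ADAccount -Identity $GroundZeroUser -ErrorAction Stop
    $acct = Get-ADUser -Identity $GroundZeroUser -Properties Enabled, LastLogonDate
    Write-Log "Account $($acct.SamAccountName) Enabled=$($acct.Enabled) (last logon $($acct.LastLogonDate))"
}
catch {
    Write-Log "FAILED to disable ${GroundZeroUser}: $($_.Exception.Message)"
}

Write-Log "Log written to $LogPath (attach to Appendix 8.4)"
```

Two caveats when using a script like this. Disabling an account in AD does not end sessions that are already established with it: Kerberos tickets issued earlier stay valid until they expire (10 hours by default) and open SMB sessions on servers whose LanmanServer is still running are not cut, so reset the password as well and close remaining sessions (Close-SmbSession on the affected servers). And the open-file snapshot taken before the stop is only a hint for Ground Zero: the user writing most files at that moment is usually, but not always, the origin of the infection.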
...
Appendix 8.4 must be completed here.
4. Phase 3: Restore
In this phase, the systems are restored to their original state.
...
Appendix 8.5 must be completed here.
5. Reporting the incident
Before the incident is closed, it must be reported through the normal operations reporting. It must be assessed whether this is a security incident that should be reported in a security report and registered in the Service Desk System (SDS).
...
- More than one AV solution?
- IDS/IPS systems?
On the Network page
- Cisco Elderberry umbrella?
- SPF
- NAC?
- 802.1X?
7. Closing of the incident
The incident must be closed once it has been confirmed that the incident has been mitigated and that the root cause has been identified. Reports from external stakeholders may be included in the reporting to the customer, and relevant authorities or organizations must be contacted.
...
- Decision point 1: What type of attack is this?
- Decision point 2: Has the attack been verified and must it be combated?
- Decision point 3: Who are the contact persons at the customer?
- Decision point 4: Is the case created as a security incident in the Service Desk System and with which id?
- Decision point 5: What has been done to stop infection in the initial phase?
Step | Documentation |
Decision point 1 | |
Decision point 2 | |
Decision point 3 | |
Decision point 4 | |
Decision point 5 | |
8.2 Impact
- Decision point 1: Has the extent of the affected environment been identified? How badly are we affected (number of files, immediate criticality)?
- Decision point 2: Is the attack still ongoing?
Step | Documentation |
Decision point 1 | |
Decision point 2 | |
8.3 Identification of Ground Zero
- Decision point 1: What / who is ground zero?
- Decision point 2: Are there other users infected?
Step | Documentation |
Decision point 1 | |
Decision point 2 | |
8.4 Mitigation
- Decision point 1: Is the LanmanServer service disabled? (enter the server names)
- Decision point 2: Are the relevant accounts disabled? (specify which)
- Decision point 3: Is AV installed, and have scanning and cleaning been performed?
- Decision point 4: Is Ground Zero identified? (specify where / what)
- Decision point 5: Have all mailboxes been scanned? (document who we have spoken to and attach any relevant email as an attachment)
Step | Documentation |
Decision point 1 | |
Decision point 2 | |
Decision point 3 | |
Decision point 4 | |
Decision point 5 | |
8.5 Restore
- Decision point 1: What type of backup?
- Decision point 2: Contact person for backup
- Decision point 3: Schedule for recovery
- Decision point 4: Are there any concerns? (Plan B?)
Step | Documentation |
Decision point 1 | |
Decision point 2 | |
Decision point 3 | |
Decision point 4 | |
8.6 Reporting
- Decision point 1: Has an Event been raised in the Service Desk System?
- Decision point 2: Do we have a security incident, and has it been reported to the Service Desk and the Security department if necessary?
- Decision point 3: Does the incident give rise to further initiatives internally?
Step | Documentation |
Decision point 1 | |
Decision point 2 | |
Decision point 3 | |
8.7 Closing
- Decision point 1: Can root cause be identified?
- Decision point 2: Have reports been received from external collaborators?
- Decision point 3: Which external parties must be informed - Authorities (CERT), the Police, others?
- Decision point 4: Can the case be closed?
Step | Documentation |
Decision point 1 | |
Decision point 2 | |
Decision point 3 | |
Decision point 4 | |