Fix customfields on import to TheHive v4 #2

Open
wants to merge 1 commit into
base: main
2 changes: 1 addition & 1 deletion CERT-SG IRM 2022/irm-1-worminfection.json
@@ -1 +1 @@
{"_id":"~3604508704","_type":"CaseTemplate","_createdBy":"[email protected]","_updatedBy":"[email protected]","_createdAt":1669999678709,"_updatedAt":1670520578079,"name":"IRM-1-WormInfection","displayName":"Malware infection response (CERT-SG IRM1)","titlePrefix":"","description":"This Incident Response Methodology is a cheat sheet dedicated to handlers investigating on a precise security issue.\n\n**WHO SHOULD USE IRM SHEETS?**\n\n- Administrators\n- Security Operation Center\n- CISOs and deputies\n- CERTs (Computer Emergency Response Team)\n\n**Remember: If you face an incident, follow IRM, take notes. Keep calm and contact your business line’s Incident Response team or CERT immediately if needed.**\n\nReferences:\n→ IRM CERT SG: https://github.com/certsocietegenerale/IRM","severity":2,"tags":[],"flag":false,"tlp":2,"pap":2,"customFields":[],"tasks":[{"_id":"~3276943560","_type":"Task","_createdBy":"[email protected]","_createdAt":1670520578071,"title":"Remediation","group":"default","description":"## OBJECTIVE: TAKE ACTIONS TO REMOVE THE THREAT AND AVOID FUTURE INCIDENTS.\n\n\n### Identify\n\nIdentify tools and remediation methods.\nThe following resources should be considered: ▪ Antivirus signature database\n▪ External support contacts\n▪ Security websites\n▪ Yara scan, Loki, DFIR-ORC, ThorLite \n▪ EDR search\n\n> Define a disinfection process. The process has to be validated by an external structure, i.e. CERT, SOC, Incident Response team.\n> The most straight-forward way to get rid of the worm is to remaster the machine.\n\n---\n### Test\n\nTest the disinfection process and make sure that it properly works without damaging any service.\n\n---\n### Deploy\n\nDeploy the disinfection tools. Several options can be used: \n▪ EDR\n▪ Windows WSUS and GPO\n▪ Antivirus signature deployment ▪ Manual disinfection\n▪ Vulnerability patching\n\n> Warning: some worm can block some of the remediation deployment methods. 
If so, a workaround must be found.\n> Remediation progress should be monitored by the crisis cell.","status":"Waiting","flag":false,"order":3,"extraData":{}},{"_id":"~3481747576","_type":"Task","_createdBy":"[email protected]","_createdAt":1670520578069,"title":"Identification","group":"default","description":"## OBJECTIVE: DETECT THE INCIDENT, DETERMINE ITS SCOPE, AND INVOLVE THE APPROPRIATE PARTIES.\n\n\n\n### Detect the infection\n\nInformation coming from several sources should be gathered and analyzed:\n\n• Antivirus logs\n• IDS/IPS\n• EDR\n• Suspicious connection attempts on servers\n• High number of locked accounts\n• Suspicious network traffic\n• Suspicious connection attempts in firewalls\n• High increase of support calls\n• High load or system freeze\n• High volumes of e-mail sent\n\n> If one or several of these symptoms have been spotted, the actors defined in the “preparation” step will get in touch and if necessary, create a crisis cell.\n\n### Identify the infection\n\nAnalyze symptoms to identify the malware, its propagation vectors and countermeasures.\nLeads can be found from:\n\n• CERT’s bulletins\n• External support contacts (antivirus companies, etc.)\n• Security websites\n• Threat intelligence capabilities and providers\n\n> Notify Chief Information Security Officer.\n> Contact your national CERT and regulators if required.\n\n### Assess the perimeter of the infection\n\nDefine the boundaries of the infection (i.e.: global infection, bounded to a subsidiary, etc.). 
If possible, identify the business impact of the infection.\n\n\nFor more details, check the Windows and Linux intrusion IRM-2 and IRM-3","status":"Waiting","flag":false,"order":1,"extraData":{}},{"_id":"~3604607080","_type":"Task","_createdBy":"[email protected]","_createdAt":1670520578070,"title":"Containment","group":"default","description":"## OBJECTIVE: MITIGATE THE ATTACK’S EFFECTS ON THE TARGETED ENVIRONMENT.\n\nThe following actions should be performed and monitored by the crisis management cell:\n\n**Disconnect the infected area from the Internet.**\n\n1. Isolate the infected area. Disconnect it from any network.\n2. If business-critical traffic cannot be disconnected, allow it after ensuring that it cannot be an infection vector or find validated circumventions techniques.\n3. Neutralize the propagation vectors. A propagation vector can be anything from network traffic to software flaw. Relevant countermeasures have to be applied (patch, traffic blocking, disable devices, etc.).\n4. Repeat steps 2 to 4 on each sub-area of the infected area until the worm stops spreading. If possible, monitor the infection using analysis tools (antivirus console, server logs, support calls).\n\nFor example, the following tools/techniques can be used: \n\n▪ EDR\n▪ Patch deployment tools (WSUS) ▪ Windows GPO\n▪ Firewall rules\n▪ Operational procedures\n\n> The spreading of the malware must be monitored.\n\n\n### Mobile devices\n\n- Make sure that no laptop, Smartphone or mobile storage can be used as a propagation vector by the malware. 
If possible, block all their connections.\n- Ask end-users to follow directives precisely.\n\n> At the end of this step, the infection should be contained.","status":"Waiting","flag":false,"order":2,"extraData":{}},{"_id":"~3604611176","_type":"Task","_createdBy":"[email protected]","_createdAt":1670520578072,"title":"Recovery","group":"default","description":"## OBJECTIVE: RESTORE THE SYSTEM TO NORMAL OPERATIONS.\n\nVerify all previous steps have been done correctly and get a management approval before following next steps:\n1. Reopen the network traffic that was used as a propagation method by the malware\n2. Reconnect sub-areas together\n3. Reconnect the mobile laptops to the area\n4. Reconnect the area to your local network\n5. Reconnect the area to the Internet\n\n> All these steps shall be made in a step-by-step manner and a technical monitoring shall be enforced by the crisis team.\n\n*For more details on authentication and infrastructure recovery, check the Large-scale malware compromise IRM-18*","status":"Waiting","flag":false,"order":4,"extraData":{}},{"_id":"~3727540392","_type":"Task","_createdBy":"[email protected]","_createdAt":1670520578068,"title":"Preparation","group":"default","description":"## OBJECTIVE: DETECT THE INCIDENT, DETERMINE ITS SCOPE, AND INVOLVE THE APPROPRIATE PARTIES.\n\n\n▪ Define actors, for each entity, who will be involved into the crisis cell. 
These actors should be documented in a contact list kept permanently up to date.\n▪ Make sure that analysis tools are up, functional (EDR, Antivirus, IDS, logs analyzers), not compromised, and up-to-date.\n▪ Make sure to have architecture map of your networks.\n▪ Make sure that an up-to-date inventory of the assets is available.\n▪ Perform a continuous security watch and inform the people in charge of security about the threat trends.","status":"Waiting","flag":false,"order":0,"extraData":{}},{"_id":"~3727544488","_type":"Task","_createdBy":"[email protected]","_createdAt":1670520578078,"title":"Lessons learned","group":"default","description":"## OBJECTIVE: DOCUMENT THE INCIDENT’S DETAILS, DISCUSS LESSONS LEARNED, AND ADJUST PLANS AND DEFENSES.\n\n**Report**\nA crisis report should be written and made available to all of the actors of the crisis management cell.\nThe following themes should be described:\n▪ Initial cause of the infection\n▪ Actions and timelines of every important event ▪ What went right\n▪ What went wrong\n▪ Incident cost\n▪ Indicators of compromise\n\n---\n**Capitalize**\n\nActions to improve the worm infection management processes should be defined to capitalize on this experience.","status":"Waiting","flag":false,"order":5,"extraData":{}}]}
{"_id":"~3604508704","_type":"CaseTemplate","_createdBy":"[email protected]","_updatedBy":"[email protected]","_createdAt":1669999678709,"_updatedAt":1670520578079,"name":"IRM-1-WormInfection","displayName":"Malware infection response (CERT-SG IRM1)","titlePrefix":"","description":"This Incident Response Methodology is a cheat sheet dedicated to handlers investigating on a precise security issue.\n\n**WHO SHOULD USE IRM SHEETS?**\n\n- Administrators\n- Security Operation Center\n- CISOs and deputies\n- CERTs (Computer Emergency Response Team)\n\n**Remember: If you face an incident, follow IRM, take notes. Keep calm and contact your business line’s Incident Response team or CERT immediately if needed.**\n\nReferences:\n→ IRM CERT SG: https://github.com/certsocietegenerale/IRM","severity":2,"tags":[],"flag":false,"tlp":2,"pap":2,"tasks":[{"_id":"~3276943560","_type":"Task","_createdBy":"[email protected]","_createdAt":1670520578071,"title":"Remediation","group":"default","description":"## OBJECTIVE: TAKE ACTIONS TO REMOVE THE THREAT AND AVOID FUTURE INCIDENTS.\n\n\n### Identify\n\nIdentify tools and remediation methods.\nThe following resources should be considered: ▪ Antivirus signature database\n▪ External support contacts\n▪ Security websites\n▪ Yara scan, Loki, DFIR-ORC, ThorLite \n▪ EDR search\n\n> Define a disinfection process. The process has to be validated by an external structure, i.e. CERT, SOC, Incident Response team.\n> The most straight-forward way to get rid of the worm is to remaster the machine.\n\n---\n### Test\n\nTest the disinfection process and make sure that it properly works without damaging any service.\n\n---\n### Deploy\n\nDeploy the disinfection tools. Several options can be used: \n▪ EDR\n▪ Windows WSUS and GPO\n▪ Antivirus signature deployment ▪ Manual disinfection\n▪ Vulnerability patching\n\n> Warning: some worm can block some of the remediation deployment methods. 
If so, a workaround must be found.\n> Remediation progress should be monitored by the crisis cell.","status":"Waiting","flag":false,"order":3,"extraData":{}},{"_id":"~3481747576","_type":"Task","_createdBy":"[email protected]","_createdAt":1670520578069,"title":"Identification","group":"default","description":"## OBJECTIVE: DETECT THE INCIDENT, DETERMINE ITS SCOPE, AND INVOLVE THE APPROPRIATE PARTIES.\n\n\n\n### Detect the infection\n\nInformation coming from several sources should be gathered and analyzed:\n\n• Antivirus logs\n• IDS/IPS\n• EDR\n• Suspicious connection attempts on servers\n• High number of locked accounts\n• Suspicious network traffic\n• Suspicious connection attempts in firewalls\n• High increase of support calls\n• High load or system freeze\n• High volumes of e-mail sent\n\n> If one or several of these symptoms have been spotted, the actors defined in the “preparation” step will get in touch and if necessary, create a crisis cell.\n\n### Identify the infection\n\nAnalyze symptoms to identify the malware, its propagation vectors and countermeasures.\nLeads can be found from:\n\n• CERT’s bulletins\n• External support contacts (antivirus companies, etc.)\n• Security websites\n• Threat intelligence capabilities and providers\n\n> Notify Chief Information Security Officer.\n> Contact your national CERT and regulators if required.\n\n### Assess the perimeter of the infection\n\nDefine the boundaries of the infection (i.e.: global infection, bounded to a subsidiary, etc.). 
If possible, identify the business impact of the infection.\n\n\nFor more details, check the Windows and Linux intrusion IRM-2 and IRM-3","status":"Waiting","flag":false,"order":1,"extraData":{}},{"_id":"~3604607080","_type":"Task","_createdBy":"[email protected]","_createdAt":1670520578070,"title":"Containment","group":"default","description":"## OBJECTIVE: MITIGATE THE ATTACK’S EFFECTS ON THE TARGETED ENVIRONMENT.\n\nThe following actions should be performed and monitored by the crisis management cell:\n\n**Disconnect the infected area from the Internet.**\n\n1. Isolate the infected area. Disconnect it from any network.\n2. If business-critical traffic cannot be disconnected, allow it after ensuring that it cannot be an infection vector or find validated circumventions techniques.\n3. Neutralize the propagation vectors. A propagation vector can be anything from network traffic to software flaw. Relevant countermeasures have to be applied (patch, traffic blocking, disable devices, etc.).\n4. Repeat steps 2 to 4 on each sub-area of the infected area until the worm stops spreading. If possible, monitor the infection using analysis tools (antivirus console, server logs, support calls).\n\nFor example, the following tools/techniques can be used: \n\n▪ EDR\n▪ Patch deployment tools (WSUS) ▪ Windows GPO\n▪ Firewall rules\n▪ Operational procedures\n\n> The spreading of the malware must be monitored.\n\n\n### Mobile devices\n\n- Make sure that no laptop, Smartphone or mobile storage can be used as a propagation vector by the malware. 
If possible, block all their connections.\n- Ask end-users to follow directives precisely.\n\n> At the end of this step, the infection should be contained.","status":"Waiting","flag":false,"order":2,"extraData":{}},{"_id":"~3604611176","_type":"Task","_createdBy":"[email protected]","_createdAt":1670520578072,"title":"Recovery","group":"default","description":"## OBJECTIVE: RESTORE THE SYSTEM TO NORMAL OPERATIONS.\n\nVerify all previous steps have been done correctly and get a management approval before following next steps:\n1. Reopen the network traffic that was used as a propagation method by the malware\n2. Reconnect sub-areas together\n3. Reconnect the mobile laptops to the area\n4. Reconnect the area to your local network\n5. Reconnect the area to the Internet\n\n> All these steps shall be made in a step-by-step manner and a technical monitoring shall be enforced by the crisis team.\n\n*For more details on authentication and infrastructure recovery, check the Large-scale malware compromise IRM-18*","status":"Waiting","flag":false,"order":4,"extraData":{}},{"_id":"~3727540392","_type":"Task","_createdBy":"[email protected]","_createdAt":1670520578068,"title":"Preparation","group":"default","description":"## OBJECTIVE: DETECT THE INCIDENT, DETERMINE ITS SCOPE, AND INVOLVE THE APPROPRIATE PARTIES.\n\n\n▪ Define actors, for each entity, who will be involved into the crisis cell. 
These actors should be documented in a contact list kept permanently up to date.\n▪ Make sure that analysis tools are up, functional (EDR, Antivirus, IDS, logs analyzers), not compromised, and up-to-date.\n▪ Make sure to have architecture map of your networks.\n▪ Make sure that an up-to-date inventory of the assets is available.\n▪ Perform a continuous security watch and inform the people in charge of security about the threat trends.","status":"Waiting","flag":false,"order":0,"extraData":{}},{"_id":"~3727544488","_type":"Task","_createdBy":"[email protected]","_createdAt":1670520578078,"title":"Lessons learned","group":"default","description":"## OBJECTIVE: DOCUMENT THE INCIDENT’S DETAILS, DISCUSS LESSONS LEARNED, AND ADJUST PLANS AND DEFENSES.\n\n**Report**\nA crisis report should be written and made available to all of the actors of the crisis management cell.\nThe following themes should be described:\n▪ Initial cause of the infection\n▪ Actions and timelines of every important event ▪ What went right\n▪ What went wrong\n▪ Incident cost\n▪ Indicators of compromise\n\n---\n**Capitalize**\n\nActions to improve the worm infection management processes should be defined to capitalize on this experience.","status":"Waiting","flag":false,"order":5,"extraData":{}}]}
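Review bot: the PR title says this fixes custom fields on import to TheHive v4, but the only difference between the removed and added line is that the empty `"customFields":[],` entry is dropped, and nothing on the PR records what the v4 import actually rejects. Add a sentence to the PR body or commit message naming the import error, so a future maintainer knows the empty array is the problem rather than a missing key and does not reintroduce it on the next export. Two smaller points: `"_updatedAt":1670520578079` is carried over unchanged although the template was edited, which is harmless for an import but worth a mention; and the task descriptions point the reader to the IRM-2, IRM-3 and IRM-18 templates, so if those sibling files in this repository carry the same `"customFields":[]` key they will need the same change for the import to be consistent.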