As a first incident responder, you will commonly find that most cases, if not all, reach your department as an emergency call as soon as they occur in an organization. This stems from a number of factors, which may include:
- The organization is not financially capable of having its own in-house first incident response team.
- The organization has just started its business and is still at the preliminary stage of structuring its various IT departments.
- The organization has an incident response team whose department is based at the headquarters or regional offices, and not at the branch.
- The organization subcontracted its first incident response team to a trusted institution.
These and many more are among the reasons why most organizations do not have a first incident response team at their various offices or institutions.
When an incident occurs, the impacted organization either takes swift action (if it has its own in-house first incident response team) or places a call across to the various institutions responsible for handling cybersecurity incidents in the organization.
Assuming the incident is cybercrime-based, the first incident response team would ask a few questions before heading to the crime scene.
These questions help the team prepare the right equipment for collecting, retrieving, or capturing evidence.
CYBERCRIME NOTICED ON A WEBSERVER AS A CASE STUDY:
Let’s say you work for FixitGearWare Security, and you notice that one of their servers has been sending malicious traffic, but you are not sure whether it is a test analysis of some malware they plan to use in sensitizing their staff, so you do not take quick action.
However, there is a sudden outbreak: the entire FixitGearWare Security network infrastructure goes down, and neither internal nor external parties are able to access the organization’s resources over the internet. Obviously, as the IT expert you have an idea that this is a case of a DDoS attack. But you have no clue what triggered the DDoS, which may be a result of any of the following:
- The FixitGearWare Training Server, during the course of the test, being the cause.
- FixitGearWare Training Server being infected by a botnet.
- FixitGearWare Training Server being targeted by a series of bot requests.
- A fault in an electrical component in the server control room (assuming we are using an on-premises cloud environment).
These and more could be the reasons for such occurrences.
AS AN INCIDENT RESPONSE TEAM, WHAT QUESTIONS SHOULD YOU ASK BEFORE APPROACHING THE CRIME SCENE:
As an incident response team that works for or with FixitGearWare Security, the common questions you should ask include but are not limited to the following:
- When did this incident occur? To have an idea of the time of occurrence.
- Do you run EDR on the server? To have an idea of what possible updates might have triggered the situation.
- What departments were affected during the outbreak? To have an idea of the jurisdictions to map out as crime scenes.
- Who noticed the incident first? To assist in further interviews and investigation based on first-hand accounts.
- Has this incident occurred previously? To have an idea of the threat actor or gang that might be responsible for the crime.
- Are there any security policies put in place? To understand the organization’s existing lines of protection, detection, and remediation, e.g. an incident response policy, a remote access policy, etc.
- How old is the server and how long has it been in use? To have an idea whether the incident is due to the server reaching the end of its life expectancy.
- Was there any firewall put in place? This helps in retrieving logs and IP addresses for further investigation.
- Are there IDS and IPS put in place? To obtain logs of the IP addresses that have targeted the organization’s server and aid in further investigation.
- Can I have a copy of the organization’s network infrastructure in an encrypted file? To access the organization’s network mapping and work out how evidence will be retrieved. Encryption is to ensure that third parties or unauthorized persons cannot access such sensitive documents.
- What operating systems are used in the organization’s infrastructure? This helps in understanding which software is suitable for imaging the hardware components, as not all imaging software is cross-platform.
- Are the systems NT-based systems that use FAT, exFAT, or NTFS? To have an idea of the nature of the files on the server.
- Who is the manufacturer of the server? E.g. Cisco, IBM, SuperMicro, Oracle, Huawei, Fujitsu, etc. To track possible similar occurrences reported by other users.
- What is the model of the server? To narrow down the possible reason for the incident.
- Was the server administrator available when the incident occurred, and aware of it? To further assist in asking questions about possible anomalies noticed or remediated in the past.
- Are there any ongoing red team activities on the organization’s infrastructure? To contact the penetration testing team about potential simulations run on the organization’s network, which might have triggered the incident.
These questions are to be channeled through a secure platform, or, if the incident response organization already has a template of “Yes/No” responses, a call can be put across.
However, it is important to have these responses given in a documented format such as an email, for possible reference and for non-repudiation by both parties (the incident response team and the organization impacted by the crime).
You should know that not all incidents are actually crimes; asking the right questions saves both parties undue waste of time and resources.
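To show how the answers to the question list above drive the preparation the post describes (which logs to request, which imaging tools to bring, which departments become crime scenes) and how the written record asked for here can be kept tamper-evident, here is an added example in Python. It is not code from the original post or from FixitGearWare Security; the field names, the mapping rules, the five-year age threshold and all sample answers are assumptions constructed for this example. Note that a plain digest only proves the record has not changed since it was exchanged; for true non-repudiation each party would also sign that digest.

```python
"""Intake triage for the pre-arrival questionnaire (added example, not the post's code)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone


@dataclass
class IntakeAnswers:
    """One field per question from the post. Field names are assumptions for this example."""
    organization: str
    incident_time_utc: str            # ISO 8601 as reported by the caller
    reported_by: str                  # who noticed it first
    edr_on_server: bool
    affected_departments: list
    occurred_before: bool
    security_policies: list
    server_age_years: float
    firewall_present: bool
    ids_ips_present: bool
    network_diagram_available: bool
    operating_systems: list
    filesystems: list
    server_vendor: str
    server_model: str
    admin_was_present: bool
    red_team_active: bool


def preparation_plan(a: IntakeAnswers) -> dict:
    """Map answers to the evidence sources to request, the kit to bring, and the scenes to map."""
    evidence, equipment, notes = [], [], []
    if a.red_team_active:
        notes.append("Confirm with the red team before treating the traffic as hostile.")
    if a.edr_on_server:
        evidence.append("EDR telemetry and recent agent/signature update history")
    if a.firewall_present:
        evidence.append(f"Firewall logs around {a.incident_time_utc} (both directions)")
    if a.ids_ips_present:
        evidence.append("IDS/IPS alerts and source IP lists for the incident window")
    if a.network_diagram_available:
        evidence.append("Encrypted copy of the network diagram, sent over a secure channel")
    if a.occurred_before:
        evidence.append("Previous incident reports for the same system")
    # Imaging tooling depends on the OS and filesystem of the host to be acquired.
    if {f.upper() for f in a.filesystems} & {"FAT", "EXFAT", "NTFS"}:
        equipment.append("NTFS/FAT-aware imaging tool and write blocker")
    for os_name in a.operating_systems:
        if os_name.lower().startswith("win"):
            equipment.append("Windows live-response toolkit")
        elif os_name.lower().startswith(("linux", "ubuntu", "debian", "rhel", "centos")):
            equipment.append("Linux live-response toolkit (dd-style imaging)")
    if a.server_age_years >= 5:  # threshold is an assumption for this example
        notes.append("Server age suggests ruling out hardware failure before assuming an attack.")
    scenes = [f"{d} @ {a.organization}" for d in a.affected_departments]
    return {"evidence": evidence, "equipment": sorted(set(equipment)),
            "crime_scenes": scenes, "notes": notes}


def intake_record(a: IntakeAnswers, received_at: str) -> dict:
    """Written record of the answers with a SHA-256 digest so both parties can check it later."""
    body = json.dumps(asdict(a), sort_keys=True)
    digest = hashlib.sha256(f"{received_at}\n{body}".encode()).hexdigest()
    return {"received_at": received_at, "answers": asdict(a), "sha256": digest}


def verify_record(rec: dict) -> bool:
    """True if the answers and timestamp still match the digest recorded at exchange time."""
    body = json.dumps(rec["answers"], sort_keys=True)
    return hashlib.sha256(f"{rec['received_at']}\n{body}".encode()).hexdigest() == rec["sha256"]


# Constructed sample answers for the case study (organization name from the post, rest invented).
SAMPLE = IntakeAnswers(
    organization="FixitGearWare Security", incident_time_utc="2024-05-03T09:15:00Z",
    reported_by="NOC shift lead", edr_on_server=True,
    affected_departments=["Training", "Web hosting"], occurred_before=False,
    security_policies=["Incident response policy", "Remote Access Policy"],
    server_age_years=6, firewall_present=True, ids_ips_present=False,
    network_diagram_available=True, operating_systems=["Windows Server 2019", "Ubuntu 22.04"],
    filesystems=["NTFS", "ext4"], server_vendor="SuperMicro", server_model="MODEL-PLACEHOLDER",
    admin_was_present=False, red_team_active=True,
)

if __name__ == "__main__":
    print(json.dumps(preparation_plan(SAMPLE), indent=2))
    rec = intake_record(SAMPLE, datetime.now(timezone.utc).isoformat())
    print("record digest:", rec["sha256"], "valid:", verify_record(rec))
```

Running the script prints the plan for the sample answers and a digest of the record; re-running `verify_record` on a copy whose answers were edited returns False, which is the property you want before relying on the record as a reference.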
Put your comments below in the comment section on your thoughts about this.