Incident Responder


Incident response solutions

Nearly three-quarters of organizations don’t have a consistent, enterprise-wide cybersecurity incident response (IR) plan.¹ Yet organizations with an IR team that also tested its IR plan had an average data breach cost USD 2.46 million lower than those with neither an IR team nor IR plan testing.² (Source: Cost of a Data Breach Report 2021.)

Intelligent orchestration bolsters incident response by defining repeatable processes, empowering skilled analysts and leveraging integrated technologies, enabling the organization to detect and respond quickly to cyberthreats.


Incident response services

Orchestrate your incident response to unify the organization in the event of a cyberattack

  • Incident response services: Access a team of trusted security professionals to help enhance your incident response strategy and improve breach readiness.

  • Threat intelligence services: Threat intelligence sources combined with our incident response services can help you stay ahead of attacks and better understand the risks.

  • Cyber range experiences: Guide your teams through realistic breach scenarios that help them learn crisis management skills and build a better security culture.

Incident response benefits

Strengthen your incident readiness

Improve incident response preparedness and minimize the impact of breaches by having security professionals with extensive expertise on hand.

Leverage automation to improve cyber resilience

Empower your analysts to focus on strategic priorities, streamline repetitive tasks and enable faster incident response times with automation.

Scale your incident response

Reduce incident response times and eliminate technology silos with security automation and an open-source approach.


Frequently Asked Questions

An incident response team, often abbreviated IR team, is also commonly referred to by legal counsel as “forensic specialists”. (In information technology communities, forensics and incident response have distinctly different meanings; in this instance it is simply two industries using different terminology.) An IR team works like a team of detectives: it looks for evidence to understand how attackers got into a victim’s environment, what they did, how they did it, where they went and what they took, all while maintaining chain of custody on the evidence to support any subsequent litigation.

In all cases, an incident response team should be an extension of your own internal team. They should work together with you, in your best interest, to investigate an attacker’s activities and to answer key stakeholder questions.

When to engage an IR team is often complicated by cyber insurance and legal considerations, but my best advice is to retain an IR team before a crisis strikes. If you are researching service providers and ironing out contracts while a breach is ongoing, attackers have more time to do damage, and there are more opportunities to inadvertently delete or damage critical evidence, for example when log files roll off under a short retention window. Your best bet is to be prepared for an incident before it happens. If you suspect you have already been breached and have not been proactive, hire an IR team as quickly as possible.

There are four primary phases to the work an IR team does with a client during a suspected attack: Engagement, Investigation, Containment and Remediation.

Engagement: When a company calls an IR team for help with a possible breach, the IR team leader asks questions to better understand the problem, the evidence that exists, the company’s own ability to respond internally, and what resources and skill sets are likely needed to form the response team. Additional factors discussed may include the contractual agreement, the logistics of working on-site versus performing remote analysis, initial requests for evidence review, and communication mechanisms and cadence.

Investigation: Phase two typically begins with evidence gathering, commonly referred to as “collection” or “preservation”. Next, analysts move into “triage”, the preliminary analysis of the initial evidence collected. Triage strives to answer basic questions such as: What kind of attack is suspected, and how sophisticated is it? In many ways, triage is a technical validation of the assumptions discussed in phase one. Once triage is complete, IR team members determine where further analysis is required, commonly referred to as a “deep dive”. These efforts aim to answer the questions on everyone’s mind: how did the attacker get in, and what did the attacker do while inside, e.g., was sensitive information accessed, and how much of it was taken from the environment?

Containment: The goal of this phase is to stop the current compromise and evict the attacker from the environment. Containment typically runs in parallel with the investigation, with recommendations made on an ongoing basis as soon as the investigation has produced enough evidence to act on.

Remediation: Once analysis is complete, the IR team provides recommendations for cleaning up the incident and defending against a similar attack in the future.

IR teams require a number of relevant data sources during an investigation. Depending on the type of compromise, evidence sources can include firewall logs, web proxy logs, domain controller logs and images, VPN logs, antivirus logs, malware samples and binaries, IDS/IPS logs, virtual machine snapshots, affected host logs and images, and more. Importantly, IR teams focus on chain of custody and the defensibility of evidence collection, so that litigation needs and regulatory inquiries are adequately addressed. In practice this means hashing each artifact as it is acquired and recording the hash, the collector and the time, so that it can later be shown that the evidence analyzed is exactly what was collected.
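The chain-of-custody point above is easiest to see in code. The following is an added example, not tooling from this page or from the service provider it describes: at acquisition, each artifact is hashed and recorded together with the collector, the source host and the UTC time, and the manifest is re-verified before analysis so that any later change (a log being rotated, an administrator “tidying up”) is detected rather than silently analyzed. The file names, file contents, hostnames and the analyst name are constructed for illustration.

```python
"""Evidence integrity manifest with chain-of-custody metadata.

Added example (not the page's own tooling). File names, contents and
hostnames below are constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so a multi-GB disk image never sits in memory


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, collector: str, source_host: str) -> dict:
    """Record hash, size and custody metadata for every artifact at acquisition time."""
    return {
        "collector": collector,
        "source_host": source_host,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "items": [
            {
                "name": os.path.basename(p),
                "size": os.path.getsize(p),
                "sha256": sha256_file(p),
            }
            for p in sorted(paths)
        ],
    }


def verify_manifest(manifest: dict, directory: str) -> list:
    """Return the names of artifacts that are missing or whose hash changed (empty = intact)."""
    bad = []
    for item in manifest["items"]:
        p = os.path.join(directory, item["name"])
        if not os.path.isfile(p) or sha256_file(p) != item["sha256"]:
            bad.append(item["name"])
    return bad


def demo() -> tuple:
    """Constructed scenario: collect two logs, verify, then detect a post-collection edit."""
    with tempfile.TemporaryDirectory() as d:
        artifacts = {  # constructed sample content, not real logs
            "firewall.log": b"2024-05-01T02:14:07Z DENY 203.0.113.45 -> 10.0.0.5:445\n",
            "vpn.log": b"2024-05-01T02:10:00Z login user=jdoe src=203.0.113.45\n",
        }
        for name, data in artifacts.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        paths = [os.path.join(d, n) for n in artifacts]
        manifest = build_manifest(paths, collector="analyst1", source_host="fw01")

        # Persist the manifest beside the evidence and reload it, as a later reviewer would.
        manifest_path = os.path.join(d, "manifest.json")
        with open(manifest_path, "w") as f:
            json.dump(manifest, f, indent=2)
        with open(manifest_path) as f:
            reloaded = json.load(f)

        intact = verify_manifest(reloaded, d)  # expected: []
        # Someone "tidies up" the firewall log after it was collected.
        with open(os.path.join(d, "firewall.log"), "ab") as f:
            f.write(b"# rotated\n")
        tampered = verify_manifest(reloaded, d)  # expected: ["firewall.log"]
        return intact, tampered


if __name__ == "__main__":
    print(demo())
```

In a real engagement the manifest itself is signed or stored write-once, and the original media is imaged and hashed before any analyst touches a working copy; this example shows only the hash-and-verify step that makes a later tampering claim answerable.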

IR teams use several techniques to identify artifacts of attacker activity, called indicators of compromise (IOCs): for example the external IP addresses an attacker connected from, the accounts used, the file hashes of tools dropped, and the domains data was sent to. Analysts identify these IOCs and use them to follow the attacker’s trail, pivoting from one indicator to the next and from system to system within the environment. The findings from the various sources are then aggregated into a timeline that tells the ‘story’ of the compromise.
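To make the pivoting process concrete, here is an added example (not tooling from this page or from the service provider it describes) that starts from one seed indicator, an external IP address from an alert, and walks it through three constructed log sources: the VPN log yields the account and the internal address it was assigned, the domain controller log yields the hosts that account reached, and the proxy log yields where those hosts sent data. All log lines, hostnames, usernames, the log format and the 100 MiB exfiltration threshold are constructed assumptions.

```python
"""IOC pivoting across log sources to reconstruct an intrusion timeline.

Added example (not the page's own tooling). Every log line, hostname,
account and threshold below is constructed for illustration.
"""
import re
from datetime import datetime

# Constructed sample logs. Assumed format: "<ISO-8601 UTC> <device> key=value ...".
VPN_LOG = """\
2024-05-01T02:10:00Z vpn01 login user=jdoe src=203.0.113.45 assigned=10.8.0.23
2024-05-01T02:11:30Z vpn01 login user=asmith src=198.51.100.7 assigned=10.8.0.24
"""
DC_LOG = """\
2024-05-01T02:14:05Z dc01 EventID=4624 user=jdoe src=10.8.0.23 logon_type=3 target=FS01
2024-05-01T02:20:41Z dc01 EventID=4624 user=jdoe src=10.8.0.23 logon_type=3 target=SQL02
2024-05-01T02:22:00Z dc01 EventID=4624 user=asmith src=10.8.0.24 logon_type=3 target=FS01
"""
PROXY_LOG = """\
2024-05-01T02:35:12Z proxy01 src=SQL02 dst=files.example-drop.net bytes_out=734003200
2024-05-01T02:36:00Z proxy01 src=FS01 dst=update.vendor.example bytes_out=2048
"""

EXFIL_BYTES = 100 * 1024 * 1024  # assumed threshold for flagging an outbound transfer
KV = re.compile(r"(\w+)=(\S+)")


def parse(log: str, source: str) -> list:
    """Turn each line into a dict of key=value fields plus ts, source and device."""
    events = []
    for line in log.splitlines():
        ts, device, rest = line.split(" ", 2)
        fields = dict(KV.findall(rest))
        fields["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        fields["source"] = source
        fields["device"] = device
        events.append(fields)
    return events


def pivot(seed_ip: str) -> tuple:
    """Expand one seed indicator into accounts, hosts and destinations, source by source.

    Returns (iocs, trail): the expanded indicator sets and the matching events in time order.
    """
    vpn = parse(VPN_LOG, "vpn")
    dc = parse(DC_LOG, "dc")
    proxy = parse(PROXY_LOG, "proxy")
    iocs = {"ip": {seed_ip}, "user": set(), "host": set(), "domain": set()}
    trail = []

    # Pivot 1: external IP -> VPN session gives the account and its internal address.
    for e in vpn:
        if e.get("src") in iocs["ip"]:
            iocs["user"].add(e["user"])
            iocs["ip"].add(e["assigned"])
            trail.append(e)
    # Pivot 2: account or internal address -> DC logons give the hosts that were reached.
    for e in dc:
        if e.get("user") in iocs["user"] or e.get("src") in iocs["ip"]:
            iocs["host"].add(e["target"])
            trail.append(e)
    # Pivot 3: reached hosts -> proxy gives outbound destinations; flag large transfers.
    for e in proxy:
        if e.get("src") in iocs["host"]:
            trail.append(e)
            if int(e.get("bytes_out", 0)) >= EXFIL_BYTES:
                iocs["domain"].add(e["dst"])

    trail.sort(key=lambda e: e["ts"])
    return iocs, trail


def timeline(trail: list) -> list:
    """One human-readable line per event, the 'story' an analyst hands to stakeholders."""
    lines = []
    for e in trail:
        detail = " ".join(f"{k}={v}" for k, v in e.items() if k not in ("ts", "source", "device"))
        lines.append(f"{e['ts'].isoformat()} [{e['source']}:{e['device']}] {detail}")
    return lines


if __name__ == "__main__":
    found, events = pivot("203.0.113.45")
    print(found)
    print("\n".join(timeline(events)))
```

Note that the second VPN user never enters the trail, because neither their source address nor their account matches an indicator at any pivot; keeping each pivot keyed on the indicator sets rather than on free-text searching is what keeps the timeline defensible when it is later challenged.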
