I was going to do another section on Preparation, but I realised I could continue with that until the end of days.
So let's move on to Identification.
How does the Identification phase start?
There are a multitude of ways this phase can begin:
- If you believe a lot of the vendor reports out there right now, you will most likely be told you have an incident by a 3rd party (unless of course you buy the vendor's product – some of which are actually worth buying)
- You could get an alert on one of your security tools (SIEM/IDS/Sandbox etc etc). You do monitor those, right?
- Your user base could report suspicious activity, for example spear-phishing emails. This relies heavily on the user awareness training carried out in Phase 1.
- Your non-security IT staff could tell you “something doesn’t feel right”. Listen to them: their midichlorian count may not be as high as yours, but they know their systems. It can’t hurt to look.
- And finally a laughing skull on all of your screens, or a pirate with a parrot on his shoulder
There may be sources which I have not listed; as always, this is not an exhaustive list. The 3rd party one is vague enough to cover most of the ones I missed though 🙂
Who can start the identification phase?
Simple, anyone. Once it’s started however, make sure only a select few can finish it. I have seen the analogy of a fire alarm system. I was trying to think of my own, but sadly that one fits the best. Anyone can pull the alarm, but only qualified people can say it’s safe to go back to work. Similar idea for this.
Leading on from Preparation you should have a fully trained and well balanced team, capable of dealing with incidents in your environment.
If your IR team is brought in as an additional resource you need to make sure you have versatility. If the client wants a mobile phone forensicating, you need to be able to provide that service (or at least be able to source that service quickly).
Having a point of contact for the client is important; this person can act as a buffer for the investigators. Keeping the client informed and updated is important, but not at the cost of the investigation!
There are many ways to acquire evidence, and many types of evidence to acquire. This part could probably be a post on its own. But if you break your mindset down into these three areas, there is less chance of missing something:
- Network Capture – usually just before the NAT device, or before the proxy server. Don’t be afraid to capture in more than one place
- Host Communications – once you have narrowed down your search you may wish to capture network traffic as it leaves the individual host or subnet
- Host data – Look at Windows log files, application log files, anti-virus data and artefacts such as Registry Hives
Make sure you have a plan on how to deal with the volume of information you are about to receive. If you get triaged host data from 5,000 hosts how will you parse it? How will you search it? What are you looking for?
Depending on the size and nature of the breach, you may have the media asking a lot of questions. Make sure your team knows what to say and what not to say. Have a single point of contact to refer the media to and don’t make guesses or assumptions!
Communicating within the team is important; a good incident lead will know who is looking at what and will avoid duplication of effort. If something deemed ‘critical’ is found, that lead may need to divert resources quickly to investigate the new find.
Can you confirm what you are seeing?
If you see communication at the network perimeter, can you track that back to the host perimeter and then further onto the host itself? It may be that two of the three sources prove something the third doesn’t see. It may be possible a rootkit is in play.
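Two of the questions above, “how will you search the data from thousands of hosts?” and “can you track a perimeter sighting back to the host itself?”, come down to the same piece of tooling: normalise each source to comparable records, index them, and then ask which sources saw each flow. The script below is an added example and is not code from the original post. It assumes three sources have already been reduced to (host, remote address, remote port) records: a capture taken just inside the NAT/proxy, a capture on the host's subnet, and the per-host connection list returned by your triage collection. All of the addresses and flows in it are constructed for illustration; the interesting case is a flow that both network captures see but the host does not report about itself, which is exactly the “two of three sources agree, the third doesn't” situation that warrants a closer look at the host.

```python
"""Cross-source correlation of network sightings during Identification.

Added example, not the original post's code. Inputs are constructed:
a perimeter capture, a subnet capture and per-host triage output, each
normalised to (host, remote, port) records.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    host: str        # internal host the flow belongs to
    remote: str      # remote address
    port: int        # remote port


SOURCES = ("perimeter", "subnet", "host")

# Constructed sample data. 10.0.5.7 reports its connections faithfully;
# 10.0.5.9 omits a connection that both captures see.
PERIMETER = [
    Flow("10.0.5.7", "203.0.113.10", 443),
    Flow("10.0.5.9", "203.0.113.10", 443),
    Flow("10.0.5.9", "198.51.100.23", 8443),
]
SUBNET = [
    Flow("10.0.5.7", "203.0.113.10", 443),
    Flow("10.0.5.9", "203.0.113.10", 443),
    Flow("10.0.5.9", "198.51.100.23", 8443),
]
# Per-host triage output keyed by host, as a collection script might
# return it (constructed). 10.0.5.12 reports a flow no capture saw.
HOST_TRIAGE = {
    "10.0.5.7": [Flow("10.0.5.7", "203.0.113.10", 443)],
    "10.0.5.9": [Flow("10.0.5.9", "203.0.113.10", 443)],
    "10.0.5.12": [Flow("10.0.5.12", "192.0.2.55", 80)],
}


def index_sightings(perimeter, subnet, host_triage):
    """Map every flow to the set of sources that observed it."""
    seen = defaultdict(set)
    for f in perimeter:
        seen[f].add("perimeter")
    for f in subnet:
        seen[f].add("subnet")
    for flows in host_triage.values():
        for f in flows:
            seen[f].add("host")
    return seen


def classify(seen):
    """Sort flows into confirmed / hidden-from-host / host-only buckets."""
    result = {"confirmed": [], "hidden_from_host": [], "host_only": []}
    for flow, sources in seen.items():
        if sources == set(SOURCES):
            result["confirmed"].append(flow)
        elif "host" not in sources and {"perimeter", "subnet"} <= sources:
            # Both network sources agree but the host's own view lacks it:
            # the host may be hiding it (rootkit) or collection failed.
            # Either way it needs a human to go and look.
            result["hidden_from_host"].append(flow)
        elif sources == {"host"}:
            # Only the host reports it: wrong capture point, or the flow
            # never crossed the capture boundary. Needs explaining too.
            result["host_only"].append(flow)
    for bucket in result.values():
        bucket.sort(key=lambda f: (f.host, f.remote, f.port))
    return result


def hosts_talking_to(seen, remote):
    """Indicator search across the whole index: which hosts touched this address?"""
    return sorted({f.host for f in seen if f.remote == remote})


if __name__ == "__main__":
    sightings = index_sightings(PERIMETER, SUBNET, HOST_TRIAGE)
    for bucket, flows in classify(sightings).items():
        print(bucket)
        for f in flows:
            print(f"  {f.host} -> {f.remote}:{f.port}")
    print("hosts seen talking to 203.0.113.10:",
          hosts_talking_to(sightings, "203.0.113.10"))
```

The design choice worth keeping when you scale this up to real data is the single index keyed on a normalised record: once every source is reduced to the same key, adding a fourth source (proxy logs, NetFlow) is one more loop, and the “who talked to this address?” question is answered from the same index rather than by grepping 5,000 triage packages one at a time.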
Once you think you have finished Identification, be prepared to re-visit it during the containment phase. The two phases can go hand in hand on many investigations. It is important that everything is identified and contained, ready for the eradication phase!