Part 5 - Maintaining the Integrity of the Scene following an incident


Time: 7 hours 56 minutes
Difficulty: Advanced
CEU/CPE: 7
Video Description

First and foremost, in the wake of an incident, do not panic. This will result in human error and destroy much needed information on the scene. Should an incident occur, the Incident Response Team should refrain from any of the following:

- Log in and poke around
- Let others do the same
- Run attack probes to determine if your site is vulnerable to a particular attack
- Halt the machine via an unapproved or abnormal procedure
- Engage the attacker

Video Transcription

00:04

Part of not panicking and not trashing the crime scene is to actually maintain the integrity of the scene. If you're that first responder on the scene and something happened, and you want to initially start poking around, it's actually very important to refrain from trying to essentially start handling and remediating an incident before you actually know what's going on.

Unless otherwise directed by the Incident Response Team, first responders and individuals who happen to be the initial portion on the scene should refrain from doing the following: logging in and poking around the system. If the machine is actually in an off-state, it's very important to leave that machine in an off-state. If the system actually has a virus on it, or it's trying to connect to a network to do something malicious, logging on and poking around, one, can put that machine back in contact with the network. Two, you might actually start destroying some of the evidence that's on that machine, or at least contaminating it with additional evidence that investigators will have to go back and try and sift through to figure out what the actions of the first responder were, vice the actions of the person who had previously logged into that machine and/or the malware incident that occurred.

Essentially, it's important to let other people know that they should refrain from doing the same thing. If you happen to be that first responder and you call someone for help and they want to come in and maybe start poking around in the machine, it's essential that they refrain from doing that as well.

Another thing is that if you have a limited amount of IT experience, or even a vast amount of IT experience, you should refrain from running attack probes to determine if your site is vulnerable to some particular attack. Essentially, leave that to the Incident Response Team. Once the event or incident has been escalated to them, they will know how to essentially go back and respond to that incident in that logical fashion that we've talked to with our REACT principle.

The other thing we want to avoid is halting the machine via an unapproved or abnormal procedure. Unless the machine is causing some grievous damage to your network or to the machine itself, stopping that process in that unapproved manner, that abnormal procedure, can actually limit the availability of the information that investigators are able to collect.

The next thing we want to avoid is engaging the attacker. If we're actually, essentially, being sent malicious e-mails, or if we're able to communicate somehow with someone who's hacking our system, by speaking to that individual we may encourage them to conduct additional attacks, and we're also tipping them off that we're on to them, which means they may stop doing the attacks or try and destroy any evidence they've had themselves perpetrating those attacks.

Then, probing the involved network. If there's already some type of attack going on with your network, if somebody might be probing your network or trying to hack it externally, starting to probe that network is going to add additional probes or information that the Incident Response Team is going to have to sift through. Now they're going to have to essentially figure out what was your external traffic, which is just going to complicate matters and make handling that incident prolonged.

Like we talked about earlier, part of maintaining scene integrity is also maintaining scene security. Operational security is essentially a collection of processes by which an organization denies to potential adversaries information about its structure, intentions, and activities. As part of operational security as it relates to the incident response, it's important to consider: what will your actions indicate to the adversary that something is up? Oftentimes an adversary may want to only attack a particular target if they feel it's adorable and it's not likely that that target will respond, or the adversary will want to do something and get out of the system or stop the attack before the adversary, or before their target, established by them.

In keeping with that, what actions the Incident Response Team takes may essentially tip off that adversary. Will a flurry of e-mails or other in-band communications tip off that actor that something has occurred? If they're already inside that network and they're already able to see certain e-mails, essentially e-mailing back and forth between each other and the company might tip off that attacker that something is going on. Also, essentially, individuals talking with each other within the company. You may not know how this actor got in the system, but if there is essentially a Presley, or individuals talk this inside or outside of work channels, it could create essentially a situation where the threat actor or adversaries are able to discover that the organization is onto them, and they want to cease their activity or destroy evidence of their activity.

Then another thing that could happen is changing your established daily activities. If the adversary has done homework on you during that reconnaissance phase, and essentially he's established a pattern or a hack for that company, a change in the daily established routines of that organization could indicate to that adversary that something is happening. For instance, a very good indicator that something may be up is a change in physical security. If the adversary does reconnaissance on a particular target and he notices that there's very light physical security around the building, but then after he's done his attack or something has occurred, all of a sudden you see gate guards pull up and there's perimeter lighting, now that would indicate to the adversary that something is different than it used to be.

Then another aspect of maintaining security is maintaining a strict need to know. You don't want everyone within your organization or within your company to know that a particular incident has occurred until after it's already been remediated and you're starting to do that education phase. The attacker, essentially, may be among you or monitoring you. We'll talk about attackers being among the organization a little bit later in our discussion about malicious insiders or cyber insider threats. Essentially, maintaining good operational security helps that Incident Response Team to investigate and remediate that incident without providing too much information to that adversary or that threat actor.