Part 5 - Maintaining the Integrity of the Scene following an incident

Video Description

First and foremost, in the wake of an incident, do not panic. This will result in human error and destroy much needed information on the scene. Should an incident occur, the Incident Response Team should refrain from any of the following:

· Log in and poke around
· Let others do the same
· Run attack probes to determine if your site is vulnerable to a particular attack
· Halt the machine via an unapproved or abnormal procedure
· Engage the attacker

Video Transcription
So part of not panicking and not crashing the crime scene is to actually maintain the integrity of the scene.

So if you're the first responder on the scene and something has happened, do you want to initially start poking around? It's actually very important to refrain from trying to essentially start handling and remediating an incident before you actually know what's going on. So unless otherwise directed by the Incident Response Team, first responders and individuals who happen to be the initial person on the scene should refrain from doing the following.

Logging in and poking around the system. So if the machine is actually in an off state, it's very important to leave that machine off. If the system actually has a virus on it or is trying to connect to a network to do something malicious, logging on and poking around can, one, put that machine back in contact with the network, and/or two, you might actually start destroying some of the evidence that's on that machine, or at least contaminating it with additional evidence that investigators will have to go back and sift through to figure out what the actions of the first responders were versus the actions of the person who had previously logged into that machine and/or the malware incident that had occurred.

So essentially, it's important to let other people know that they should refrain from doing the same thing. So if you happen to be that first responder and you call someone for help and they want to come in and maybe start poking around in the machine, it's essential that they refrain from doing that as well.

Another thing is that whether you have a limited amount of IT experience or even a vast amount of IT experience, you should refrain from running attack probes to determine if your site is vulnerable to some particular attack. Essentially, leave that to the Incident Response Team once the event or incident has been escalated to them. They will know how to essentially go back and respond to that incident in that logical fashion that we've talked about with our react principle.

So the other thing we want to avoid is halting the machine via an unapproved or abnormal procedure. So unless the machine is causing some grievous damage to your network or to the machine itself, stopping that process in an unapproved manner or by an abnormal procedure can actually limit the availability of the information that investigators are able to collect.

So the next thing we want to avoid is engaging the attacker. So if we're actually receiving malicious emails or are able to communicate somehow with someone who's hacking our system, by speaking to that individual we may encourage them to conduct additional attacks. And we're also tipping them off that we're on to them, at which point they may stop doing the attacks or try and destroy any evidence of themselves perpetrating those attacks. And then probing the involved network: so if there's already some type of attack going on with your network, where somebody might be probing your network or trying to hack it, starting to probe that network is going to add additional probes or information that the Incident Response Team is going to have to sift through. So now they're going to have to essentially figure out what was your traffic and what was external traffic, which is just going to complicate matters and make handling that incident prolonged.

So like we talked about earlier, part of maintaining scene integrity is also maintaining scene security. So Operations Security is essentially a collection of processes by which an organization denies to potential adversaries information about its structure, intentions and activities. So as part of Operations Security as it relates to incident response, it's important to consider what your actions will indicate to the adversary, that something is up.

So oftentimes an adversary may want to only attack a particular target if they feel it's vulnerable and it's not likely that that target will respond, or the adversary will want to do something and get out of the system or stop their attack before their target has time to respond to them. So in keeping with that, what actions the Incident Response Team takes may essentially tip off that adversary. So will a flurry of emails or other in-band communications tip off the actor that something is occurring? If they're already inside that network and they're already able to see certain emails, essentially emailing back and forth between each other and the company might tip off that attacker that something is going on.

Also, essentially individuals talking with each other within the company: you may not know how this actor got in the system, but if there is essentially a presence, or individuals talk about this inside or outside of channels, it could create essentially a situation where the threat actor or the adversary is able to discover that that organization is on to them, and they'll want to cease their activity or destroy evidence of their activity.

And then another thing that could happen is changing your established daily activities. So if the adversary has done homework on you during that reconnaissance phase, and essentially he's established a pattern of life for that company, a change in the daily established routines of the organization could indicate to that adversary that something is up. So, for instance, a very good indicator that something may be up is a change in physical security. So if the adversary does reconnaissance on a particular target, and he notices that there's very light physical security around the building, but then, after he's done his attack or something has occurred, all of a sudden you see gate guards and perimeter lighting go up, that would indicate to the adversary that something is different than it used to be.

And then another aspect of maintaining security is maintaining a strict need-to-know. You don't want everyone within your organization or in your company to know that a particular incident has occurred until after it's already been remediated and you're starting to do that education phase. The attacker essentially may be among you or be an insider, and we'll talk about attackers being among the organization later in our discussion about malicious insiders or cyber insider threats. So essentially maintaining good operational security helps that Incident Response Team to investigate and remediate that incident without providing too much information to that adversary or that threat.