Digital Forensics & Incident Response

What is this about?

Post incident flowcharts, cheatsheets, Event IDs, things to look at and for, … will end up here.

Memorize these two things.

Whatever you do, read, copy & paste: your policy and response procedure are not my policy and response procedure.

It’s also not an if, it’s a when.

That was easy, what’s next?

Instead of going for the stack of Latin quotes that are thrown around because they were in a movie and it sounded cool, let's do some actual groundwork here. We're gonna split this into 3 parts.

Before the incident

Shit happens, prepare for it beforehand so that when it does no one starts swinging at each other or starts burning trashcans. This means that everyone needs to know what to do when something happens.

This is one of those times where you get to choose between compliance, by asking your intern to write random stuff up and checking the “Do you have IR stuff somewhere” box on whatever certification checklist you need to send in every year, and actual security, where you bring all your people in so that everyone knows the 5W1H and won't need to think before reacting to a threat, or, worst case scenario, they have a flowchart/cheatsheet in physical form somewhere they can reach.

During the incident

If you’re one of those that’s there doing stuff when SHTF, then buy yourself a beer and pat yourself on the back, when everything is over ofc. Right now it’s too late to think, you need to flip your killswitches, follow procedures, pick up your imaginary red phone and move on to the next part because the incident already happened and that’s about all you can do right now.

Oh, I’m sorry, you didn’t prepare properly and didn’t brainstorm the procedures before the incident? You haven’t walked through your known knowns and unknown unknowns and reviewed them regularly? You have every threat imaginable written down somewhere but aren’t actively looking for solutions because it’s cool we’ve accepted the risk? Well good luck then ;)

Also, don’t forget to start polishing that resume of yours and when you’re done with it possibly throw it directly into the closest burning trashcan, because security is about setting up a defense perimeter, constantly testing it, being able to see when it gets breached and knowing how to react when it does, not just writing shit down and calling it a day…

After the incident

Now that the incident is over, you need to find out the 5W1H of anything that happened. This means finding where the breach initially started, what was exfiltrated, changed or accessed, how the intruder escalated, all of the timeframes, … and rebuild the story.

But hey, we're entering legally entangled waters here, where everything needs to be documented, copies of everything need to be made, …, before plans and architecture are reviewed, machines reimaged and patched, new alerts need to be added, …
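To make the two points above concrete (rebuilding the story across hosts and time zones, and keeping verifiable copies of what you collected), here is an added example that is not part of this page or anyone's response procedure. It normalizes a handful of constructed records (Windows Security event IDs 4688, 4672 and 4624 in local time, plus proxy lines already in UTC) into one UTC timeline, pulls out the where/when/how, and hashes the preserved evidence copies so they can be verified later. The log formats, the 10 MiB outbound threshold and the `.invalid` hostnames are assumptions made for the example.

```python
import hashlib
from datetime import datetime, timezone

# Constructed Windows Security events (not from any real incident); local time, +01:00.
# 4688 = process creation, 4672 = special privileges assigned, 4624 = logon (type 3 = network)
WINDOWS_EVENTS = [
    {"host": "ws01", "ts": "2024-03-04T09:12:03+01:00", "event_id": 4688,
     "detail": "process=update.exe parent=outlook.exe user=alice"},
    {"host": "ws01", "ts": "2024-03-04T09:15:40+01:00", "event_id": 4672,
     "detail": "special privileges assigned user=alice"},
    {"host": "srv02", "ts": "2024-03-04T09:20:11+01:00", "event_id": 4624,
     "detail": "logon user=alice type=3 src=10.0.5.20"},
]

# Constructed proxy lines, already in UTC (assumed format):
# date time tz host src method url status bytes_in bytes_out
PROXY_LOG = [
    "2024-03-04 08:10:55 UTC ws01 10.0.5.20 GET http://files.example.invalid/update.zip 200 1048576 512",
    "2024-03-04 08:31:02 UTC srv02 10.0.5.30 POST http://drop.example.invalid/up 200 2048 73400320",
]

# Assumption for this example: outbound transfers above 10 MiB are worth a second look.
EXFIL_BYTES_THRESHOLD = 10 * 1024 * 1024


def parse_windows_event(rec):
    """Normalize a Windows event record to UTC so it can be merged with other sources."""
    ts = datetime.fromisoformat(rec["ts"]).astimezone(timezone.utc)
    return {"ts": ts, "host": rec["host"], "source": "winevt",
            "event_id": rec["event_id"], "what": rec["detail"]}


def parse_proxy_line(line):
    """Parse one proxy line (assumed layout above) into the same normalized shape."""
    date, clock, tz, host, src, method, url, status, bytes_in, bytes_out = line.split()
    if tz != "UTC":
        raise ValueError("proxy lines in this example are expected to be in UTC")
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": host, "source": "proxy", "event_id": None,
            "what": f"{method} {url} status={status} src={src}", "bytes_out": int(bytes_out)}


def build_timeline(win_events, proxy_lines):
    """Merge every source into one list ordered by UTC timestamp: the skeleton of the story."""
    events = [parse_windows_event(r) for r in win_events]
    events += [parse_proxy_line(line) for line in proxy_lines]
    return sorted(events, key=lambda e: e["ts"])


def summarize(timeline):
    """Pull the where/when/how out of the timeline for the write-up."""
    first, last = timeline[0], timeline[-1]
    return {
        "when": (first["ts"].isoformat(), last["ts"].isoformat()),
        "where_it_started": f'{first["host"]}: {first["what"]}',
        "hosts_touched": sorted({e["host"] for e in timeline}),
        "escalation": [f'{e["host"]} {e["ts"].isoformat()} {e["what"]}'
                       for e in timeline if e["event_id"] == 4672],
        "lateral_movement": [f'{e["host"]} {e["ts"].isoformat()} {e["what"]}'
                             for e in timeline if e["event_id"] == 4624 and "type=3" in e["what"]],
        "possible_exfil": [f'{e["host"]} {e["ts"].isoformat()} {e["what"]} bytes_out={e["bytes_out"]}'
                           for e in timeline if e.get("bytes_out", 0) > EXFIL_BYTES_THRESHOLD],
    }


def evidence_manifest(artifacts):
    """SHA-256 of each preserved copy, so anyone can later check the copy still matches."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(artifacts.items())}


if __name__ == "__main__":
    timeline = build_timeline(WINDOWS_EVENTS, PROXY_LOG)
    for e in timeline:
        print(e["ts"].isoformat(), e["host"], e["source"], e["what"])
    for key, value in summarize(timeline).items():
        print(f"{key}: {value}")
    # Constructed stand-ins for the raw copies you would preserve before anything gets reimaged.
    print(evidence_manifest({"ws01-security.evtx": b"constructed bytes", "proxy.log": "\n".join(PROXY_LOG).encode()}))
```

The manifest is what you hand over with the copies: write it down at collection time, and every later review can recompute the hashes instead of trusting that nobody touched the files in between.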

Then comes the public damage control, collateral damage, employee interviews, might even go to a courtroom, who knows! So, fun times with lots of paperwork ahead basically!

Cool story bro, but I need specific info!

Np, here it is!

The Before

Coming soon!

The After