Incident Handling: Key Questions

I am going to present you with a little thought exercise.

Let’s put our cyber caps on and think about Incident Handling.

Incident Handling is the organized approach to analyzing, recording and responding in the aftermath of a cybersecurity breach.

A team approaches you with concerns that their network is being attacked. They have noticed degraded performance across all systems, they can no longer access their share drive, and as the night goes on they are losing control of their mice and keyboards.

How do you handle this? What should your first step be?

Well, one might want to spring into action and immediately start the investigation. Understandable. But it is important to remember that there are some key questions that need to be asked before any investigation can take place. Sure, these questions can be asked concurrently with the investigation, but depending on the available toolset, the answers may determine the level of assistance you can even provide the team.

Some key questions that I think are vital for investigating a network, especially an enterprise network, are listed below. The answers determine what resources the affected team can provide to aid in the investigation.

Disclaimer: Some of these questions may seem obvious to the advanced Incident Responder, but they are questions I have seen overlooked, which has ended up hindering investigators who expected some resource to be available for analysis, only to be left high and dry.

Question 1: Is there some sort of Log Aggregation system in place? An example would be a syslog server that collects logs from all boxes and stores them on a separate system. This can be an invaluable tool for establishing timelines and, ideally, determining the initial vector. DNS logs are another valuable type of log that can reveal potentially malicious sites that could have been the initial point of access.

Question 2: Is there an IPS (Intrusion Prevention System) on the network? IPSs are vital for layered security and, in conjunction with a firewall, provide an ‘active’ means of defense, blocking malicious traffic in real time and (ideally) alerting the network administrators when known bad traffic traverses the network. These alerts can then be analyzed and used to paint a picture of potentially blocked attempts made before the Threat Actor shifted gears and attempted different means of access.

Question 3: This one might have been the first question on a lot of Incident Responders’ minds, but I figured that without the proper logging it might not be as useful. The next question is: is there some sort of SIEM (Security Information and Event Management) system implemented on the network? A SIEM is an invaluable source of information and can save a great deal of time during an investigation. When implemented properly, a SIEM provides a one-stop shop to look at logs across systems, correlate events and track down network traffic. Some SIEMs even have active security built in. These tools are becoming more versatile and ever more valuable to network monitoring and defense.

Question 4: Was vital infrastructure on the network recently patched or updated? This can be an overlooked item with some junior system administrators. If a Domain Controller or some other workhorse on the network was recently patched, maybe the current versions running on the rest of the infrastructure do not play well with the newly updated DC. The new patch could also be buggy and poorly tested. This is a great example of the importance of testing patches before deploying them to production systems.

Question 5: This question isn’t necessarily vital for the investigation itself but is important for rebuilding a network in a less-than-desirable situation. Are there incremental backups/images of each system readily available? Ideally a network has onsite AND offsite incremental backups that can be restored in case of catastrophe. If a proper timeline can be established for initial access, a backup taken before that point can be restored to revert the system to a clean image, after which hardening of the system should begin.
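To show what Questions 1, 3 and 5 turn into once the answers are “yes”, here is an added Python example of mine; it is not code from the original post. It parses a few constructed syslog-style lines of the kind a central collector would hold (DNS server queries, an IPS alert, a file server denial, an SSH login), pivots one hop from a watch-listed domain to the address it resolved to and the internal host that asked for it (the kind of correlation a SIEM does for you), orders the matching events into a timeline whose first entry is the initial-access candidate, and then picks, per affected host, the newest backup snapshot taken before that moment. Every hostname, address, domain, rule text and snapshot time is constructed.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed sample lines in RFC 3164 syslog style, as a central collector (the post's
# "syslog server") would store them. Hosts, names and addresses are made up; the domain
# and the external address use reserved example ranges.
SYSLOG_LINES = [
    "Mar 14 21:02:11 dns-1 dnsmasq[812]: query[A] updates.example-cdn.test from 10.0.5.17",
    "Mar 14 21:02:12 dns-1 dnsmasq[812]: reply updates.example-cdn.test is 203.0.113.9",
    "Mar 14 21:03:40 ips-1 snort[1201]: [1:1000001:1] constructed test rule {TCP} 10.0.5.17:51234 -> 203.0.113.9:443",
    "Mar 14 21:15:03 fs-1 smbd[2210]: share 'dept' access denied for user jdoe from 10.0.5.17",
    "Mar 14 22:40:55 ws-22 sshd[991]: Accepted password for admin from 10.0.5.17 port 40122 ssh2",
    "Mar 14 21:00:30 dc-1 kernel: constructed line that mentions no indicator",
]
# Constructed watch list: a name the responder already considers suspicious.
WATCHLIST_DOMAINS = {"updates.example-cdn.test"}
# Constructed backup inventory: (host, snapshot taken at, location).
BACKUPS = [
    ("ws-17", "2024-03-13T02:00:00", "onsite"),
    ("ws-17", "2024-03-14T02:00:00", "offsite"),
    ("ws-17", "2024-03-15T02:00:00", "onsite"),
    ("fs-1", "2024-03-14T02:00:00", "onsite"),
    ("ws-22", "2024-03-15T02:00:00", "offsite"),
]

SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (\S+) ([^\[:]+)(?:\[\d+\])?: (.*)$")
DNS_QUERY_RE = re.compile(r"query\[\w+\] (\S+)")
DNS_REPLY_RE = re.compile(r"reply (\S+) is ")
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


@dataclass
class Event:
    ts: datetime
    host: str       # host that emitted the line (sensor or server, not necessarily the victim)
    program: str
    message: str
    indicators: set = field(default_factory=set)  # names and addresses the line mentions


def parse_line(line: str, year: int) -> Optional[Event]:
    """Parse one syslog line. RFC 3164 stamps carry no year, so the caller supplies it."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    stamp, host, program, msg = m.groups()
    ts = datetime.strptime(f"{year} {' '.join(stamp.split())}", "%Y %b %d %H:%M:%S")
    ev = Event(ts, host, program, msg)
    for rx in (DNS_QUERY_RE, DNS_REPLY_RE):
        if found := rx.search(msg):
            ev.indicators.add(found.group(1))
    ev.indicators.update(IPV4_RE.findall(msg))
    return ev


def build_timeline(lines, year: int) -> list:
    """Merge lines from every host into one list ordered by time (what aggregation buys you)."""
    events = [ev for ev in (parse_line(l, year) for l in lines) if ev is not None]
    return sorted(events, key=lambda e: e.ts)


def correlate(events, seeds):
    """SIEM-style pivot, one hop: any indicator that shares a line with a seed joins the set
    (the address a watch-listed name resolved to, the internal host that asked for it).
    Returns the expanded indicator set and the matching events in time order."""
    seed_set = set(seeds)
    found = set(seed_set)
    for ev in events:
        if ev.indicators & seed_set:
            found |= ev.indicators
    hits = [ev for ev in events if ev.indicators & found]
    return found, hits


def initial_access_candidate(events, seeds) -> Optional[Event]:
    """Earliest correlated event: the starting point for the 'initial vector' timeline."""
    _, hits = correlate(events, seeds)
    return hits[0] if hits else None


def select_clean_backups(backups, initial_access: datetime, hosts) -> dict:
    """Per affected host, the newest snapshot taken strictly before initial access.
    Later snapshots may already carry the intruder's changes; a host with no earlier
    snapshot maps to None and has to be rebuilt rather than restored."""
    chosen = {h: None for h in hosts}
    for host, taken, location in backups:
        if host not in chosen:
            continue
        t = datetime.fromisoformat(taken)
        if t < initial_access and (chosen[host] is None or t > chosen[host][0]):
            chosen[host] = (t, location)
    return chosen


if __name__ == "__main__":
    timeline = build_timeline(SYSLOG_LINES, 2024)
    indicators, hits = correlate(timeline, WATCHLIST_DOMAINS)
    first = hits[0]
    print(f"indicators after pivot: {sorted(indicators)}")
    for ev in hits:
        print(f"{ev.ts:%Y-%m-%d %H:%M:%S} {ev.host:6} {ev.program:8} {ev.message}")
    print(f"initial access candidate: {first.ts} on {first.host}")
    affected = ["ws-17", "fs-1", "ws-22"]  # constructed: systems the team reported as misbehaving
    for host, pick in select_clean_backups(BACKUPS, first.ts, affected).items():
        print(f"{host}: restore from {pick if pick else 'nothing clean; rebuild'}")
```

A real SIEM replaces the regexes with its own parsers and the one-hop pivot with proper correlation rules, but the dependency chain is the same: without aggregated logs there is nothing to sort, without DNS and IPS records there is nothing to pivot on, and without a trusted initial-access timestamp the choice of a “clean” backup is a guess. Note that ws-22 only has a snapshot taken after the candidate initial-access time, so the code refuses to nominate it.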

All of these are vital questions to ask before beginning any network investigation. The answers will help determine what tools you might need and what resources the affected network’s team can provide to help correlate events and track down any indicators of compromise that can shed light on the 5 Ws (who, what, when, where and why).

Hopefully this has been informative and can help fledgling Incident Responders and Network Defenders plan out their investigations in the future.