10 typical mistakes in the investigation of incidents

At night, money was withdrawn from the company’s account. In the morning, panic begins, which leads to additional problems. For example, IT reinstalls the compromised system from scratch or restores it from a backup. In the first case, the traces of the hackers are erased, and the invited incident investigation team can only throw up their hands and then spend a long time searching for artifacts on other systems. In the second case, there is a risk of restoring an image that has already been compromised. In this article, we will tell you about the main miscalculations that prevent you from responding competently and quickly to the actions of hackers.

Mistake #1 — Lack of a response plan

Money was stolen from the company. Of information security tools, it has only an antivirus. Management will not allow the server and the accounts to be disabled, because they do not know how this will affect the business. We spend several days trying to find out who owns the attacked computer and what its role in the company is, and during this time the hackers can empty ATMs, withdraw money or steal data. A lot of organizational problems are thus added to the response to the incident. It is another matter when a company has logging, basic asset management and an understanding of its business processes. This allows the company’s employees to detect hackers on the network at an intermediate stage of the attack, and if the incident still occurs, we can immediately take up the problem without wasting precious time. This approach significantly increases the effectiveness of the incident investigation and makes it possible to prevent serious consequences.

The task of the response plan is to eliminate the element of surprise in the event of an incident and to work out in advance the steps that minimize damage. It is important to assess whether the technical means for collecting and storing the data required for an investigation are sufficient. It is also necessary to understand the qualifications of the internal team in the field of incident investigation. If there is little investigative expertise in-house, external specialists should be engaged.

The response plan also defines the roles of those responsible in the company in case of an incident. The IT department collects data related to the incident. Management, lawyers or PR (or all of them together) are responsible for interacting with the outside world. They need to know which incidents (theft of customer data, theft of funds, etc.) require notification and whom to notify (customers, regulators, authorities).

In some areas (banks, critical infrastructure), the information security department is obliged to inform the regulator about the incident. Other companies must contact their insurers, and this also needs to be written down: a delay may deprive the victim of insurance compensation. All of this is discussed in advance with lawyers and incident investigation specialists.

In order not to mobilize half the company for every detected virus, incidents should be classified by level of danger and by the importance of the affected node. Let’s say spyware is found on the accountant’s computer; that is a top-priority alarm. The verification checklist should include all potential actions that an attacker can carry out on it: embezzlement of funds, substitution of banking details, authorization in the remote banking (DBO) system, installation of hidden remote-control tools, copying of the user’s electronic signature key, etc. Next, it is necessary to conduct a full investigation and understand how far the hackers got. This makes it clear which countermeasures can be applied and at which stage. Continuing the accountant example, these can be: revoking the keys to the remote banking (DBO) system, blocking account transactions, replacing the accountant’s computer with a known-clean one, or blocking its network access. In the same way, a plan should be drawn up for the workstations of the CEO, top managers and ordinary employees, and for assets of other classes.

Investigative experts, having discovered a system with suspicious activity, often spend from several days to a week finding out where this computer is physically located, who its owner is, what its role in business processes is, and what restrictions there are on disabling it or collecting data from it. Clarifying this in advance is the task of the IT and information security teams. It happens that the system is located in the accounting department, and they simply will not hand over the workstation, since payments are made on it and work would stop. For critical systems, without which the company cannot operate, the IT department must have backup computers prepared. But usually there are none, which delays the investigation. And during this time, attackers can withdraw money from the company or steal data.

The plan should be regularly checked for relevance with the help of penetration testing. Pentesters infiltrate the accountant’s computer, and we look at the threats they can implement. We write them down in the plan, and then, in case of a real incident, we check whether the attacker has implemented them. For training, you can also choose a virtual attack scenario, conducting a kind of tabletop exercise (staff exercise). We set a possible scenario: the computer is compromised, there was a ransomware incident, or money was stolen. Next, we test whether the response plan actually works: whether all owners of the systems have been found, whether the sequence of possible actions with this asset has been clarified, whether all participants in the process have been involved. Everything is as in real life, but such training allows you to avoid serious consequences and to identify in advance the weaknesses that need to be eliminated.

Step-by-step instructions can be written for known incident types, such as a phishing attack or a ransomware infection. If suspicious activity cannot be attributed to a specific category, in general it is necessary to understand:

  a) which assets in the network were affected,
  b) what can be done with these assets,
  c) who is responsible for them,
  d) the communication plan within the company and with the outside world,
  e) how to isolate the threat.

It is difficult to overestimate the importance of the plan, because an incident is always a test of strength for a company, and those who are not ready for it may incur large expenses, up to and including the loss of the business. Reality dictates its conditions: today there are no absolutely protected companies, so incidents sooner or later happen to everyone, and it is better to be ready. After all, a well-thought-out plan turns chaos and crisis into a clear algorithm of actions.

Mistake #2 — Under-investigated incidents

The company reinstalls the operating system on the affected computer, ticks the “incident closed” box, and a week later loses a large amount of money from its account. This happens quite often: you cannot limit yourself to half measures. It is necessary to understand how the attackers got into the network, restore the chronology of the incident and determine measures to localize and eliminate the threat. Otherwise, infected nodes may remain, through which the attack will continue.

Mistake #3 — Lack of event collection infrastructure

Penetration into the company’s network could have happened a long time ago, and no traces remain. Windows, like any operating system, collects events, but stores the data locally and for a limited time, often only until the OS is rebooted. The situation is even worse with network devices, which usually have a small amount of memory for storing events. This makes it impossible to find out whether a computer connected to a malicious server three months ago or not.

In our investigations, an event collection infrastructure is found in one or two companies out of ten, and the SIEM is often just for show. No one inside such companies has checked whether the SIEM collects data correctly and in the right format. Whatever the integrator set up was left as it was. The data may be stored for one day or a week, and there is no benefit from it.

IT teams use log collection and monitoring systems as part of their everyday work. Such systems are also effective for this purpose and can be used in the investigation.

The required minimum for event collection includes collecting data from operating systems and network equipment (firewalls) and storing this information for at least a year. This will allow you to establish which nodes connected where.

Storing such information is also useful for detecting incidents on the basis of new information. Then, using retrospective analysis tools, you can find out whether the company was attacked in the past. This allows you to take action now, and not in a year, when confidential information pops up on the darknet at the most inopportune moment, for example, before the company’s IPO.

Without an event collection infrastructure, it is impossible to get data from the past. It also saves time: there is no need to analyze dozens, hundreds, and sometimes thousands of computers. But it is better, of course, to use properly configured specialized information security solutions. If there are means of collecting events, for example, a properly configured SIEM system, they can help identify the incident, restore the chronology and find the attacker’s entry points. The presence of such a system allows you to assemble a picture from individual micro-events.
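As an added example (not part of the original article), here is a small Python check of the two properties this section asks for, run over constructed firewall log lines: whether the store reaches back a full year and is still receiving events, and a retrospective search for hosts that talked to a given address months ago. The log format, host names, addresses and the "current time" are all assumed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample of firewall connection records in an assumed format:
# "<ISO timestamp> src=<host> dst=<ip> action=<allow|deny>"
SAMPLE_LOGS = """\
2023-01-05T08:12:00 src=acct-pc-01 dst=10.0.0.5 action=allow
2023-09-14T23:41:10 src=acct-pc-01 dst=203.0.113.77 action=allow
2023-10-02T11:03:55 src=ceo-laptop dst=198.51.100.9 action=allow
2023-12-20T09:00:00 src=acct-pc-01 dst=10.0.0.5 action=allow
""".splitlines()

# Constructed "current time" so the example is reproducible offline.
NOW = datetime(2023, 12, 20, 12, 0, 0)


def parse_line(line):
    """Split one record into a dict with a parsed 'ts' plus the key=value fields."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def check_retention(lines, required_days=365, now=NOW):
    """Return (ok, oldest_iso, newest_iso).

    ok is False when the store does not reach back the required period
    (the article's minimum is a year) or when collection looks stalled,
    i.e. no event has arrived in the last day.
    """
    stamps = [parse_line(l)["ts"] for l in lines]
    oldest, newest = min(stamps), max(stamps)
    deep_enough = (now - oldest) >= timedelta(days=required_days)
    still_flowing = (now - newest) <= timedelta(days=1)
    return deep_enough and still_flowing, oldest.isoformat(), newest.isoformat()


def retro_search(lines, indicator, days_back, now=NOW):
    """List (date, host) pairs for hosts that connected to `indicator`
    within the last `days_back` days: the 'did anyone talk to that server
    three months ago?' question from the text."""
    since = now - timedelta(days=days_back)
    hits = []
    for e in (parse_line(l) for l in lines):
        if e["dst"] == indicator and since <= e["ts"] <= now:
            hits.append((e["ts"].date().isoformat(), e["src"]))
    return hits
```

With the constructed sample the retention check fails (349 days of history is short of a year), while the search still finds the accountant's host contacting 203.0.113.77 about three months before the assumed current time.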

Mistake #4 — Lack of information about assets

At best, we encounter a description of which components a business system consists of, which people are responsible for it and what task it solves. More often the situation is worse. In most companies, either there is simply no information about assets, or the information is out of date. You look at papers from three years ago and realize that they describe one network configuration, but in fact the network has doubled. In this case, there can be no question of a quick and effective response to the incident.

At the basic level, asset management does not require large investments. After all, attackers, who often know the company’s infrastructure better than its IT employees, do not use bulky systems. They spend time studying it, finding out what works and how, which processes are running, who is connected to whom and how monitoring is carried out.

There are technical solutions that simplify the work, but in general we are talking about processes. The company must understand its business processes; whether it keeps records of all its computers in Excel or automates this with a SIEM is a matter of choice.
