Phase 9

Investigating Incidents

Well, it’s happened. Somehow, in spite of all your hard work researching technology and devices; planning, budgeting, and managing; and implementing and training, a security breach has occurred.

What now? How should you proceed? What should you do first? What should you do after that? You know that over the next few weeks or months, the big shots will study every move you’ve made, and that they’ll find some level of fault with every step you took.

In the midst of the chaos of the incident, as the head of the Computer Emergency Response Team (CERT), which might also be called the Computer Security Emergency Response Team (CSERT) or the Computer Incident Response Team (CIRT), you must rise to the role of leader. This means you must have a plan and a team. The plan must be rehearsed. That team must be trained. The training must be ongoing, and the process must be updated using the latest tools and technologies. The team must be ready to react at a moment’s notice, 24/7—not to mention the legalistic mumbo-jumbo you’ll have to deal with.

You have auditing and intrusion detection systems (IDSs) in place. Your plan is in place. Your team is trained, rehearsed, and ready to go. Both you and they know what to do and how to do it. Your team knows how to investigate the telltale clues that were left behind by the attacker. They know how to identify, protect, collect, document, store, analyze, transport, and present the evidence to reach conclusions about how the incident occurred. This may be done for “lessons learned,” so you’ll know how to strengthen your system against this type of attack. This may be done for evidence preparation for prosecution, to put the attacker behind bars.

Investigating computer-related incidents is a highly evolved and refined process, and increasingly a science in its own right. Your initial job is to stop the bleeding and stabilize the patient. In this case, that means you don’t allow the attack to continue, and you quickly assess the rest of the system to see if this is an isolated incident or if a wider attack is under way. After that, you begin your detective work. You identify and protect anything that may be evidence. Then you collect and document that evidence. You review the output from your sensors, your IDS, your audit logs, and the memory dump from the attacked system. You examine the system to try to uncover fingerprints left by the attacker, fingerprints that may lead to the attacker’s exposure and prosecution.
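The sequence above (identify, protect, collect, document, store, transport, analyze, present) hinges on being able to show later that the evidence you analyze is exactly what you collected. The following Python is an added illustration, not code from the book: it records a SHA-256 fingerprint at collection time, logs every custody hand-off, and re-verifies a copy before analysis. The item IDs, people, host name, and the audit-log excerpt are all constructed sample values.

```python
"""Minimal evidence-handling record: hash on collection, log each custody
hand-off, and re-verify the bytes before analysis or presentation.

Added illustration; the sample log excerpt, people, and item IDs are constructed.
"""
import hashlib
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    """Integrity fingerprint recorded when the item is collected."""
    return hashlib.sha256(data).hexdigest()


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    source: str            # where it was taken from (host, device, log path)
    sha256: str            # hash recorded at collection time
    custody: List[Dict[str, str]] = field(default_factory=list)

    def log(self, action: str, who: str, note: str = "") -> None:
        """Append one chain-of-custody entry (who did what, when)."""
        self.custody.append({"time": utc_now(), "action": action, "who": who, "note": note})


def collect(item_id: str, description: str, source: str, data: bytes, collector: str) -> EvidenceItem:
    """Identify + collect + document: hash the bytes and open the custody trail."""
    item = EvidenceItem(item_id, description, source, sha256_hex(data))
    item.log("collected", collector, f"sha256={item.sha256}")
    return item


def transfer(item: EvidenceItem, from_person: str, to_person: str, reason: str) -> None:
    """Store/transport: every hand-off is recorded from both sides."""
    item.log("released", from_person, f"to {to_person}: {reason}")
    item.log("received", to_person, f"from {from_person}: {reason}")


def verify(item: EvidenceItem, data: bytes, who: str) -> bool:
    """Analyze/present: re-hash the copy and compare before trusting it."""
    ok = sha256_hex(data) == item.sha256
    item.log("verified" if ok else "INTEGRITY FAILURE", who)
    return ok


# Constructed sample: an audit-log excerpt as it might be exported from the attacked host.
SAMPLE_AUDIT_LOG = (
    b"2024-03-01T02:14:07Z auth failure user=admin src=198.51.100.23\n"
    b"2024-03-01T02:14:09Z auth failure user=admin src=198.51.100.23\n"
    b"2024-03-01T02:14:12Z auth success user=admin src=198.51.100.23\n"
)


def run_demo() -> Dict[str, object]:
    """Walk one item through collection, storage, check-out, and verification."""
    item = collect("EV-0001", "auth log excerpt", "srv01:/var/log/auth.log",
                   SAMPLE_AUDIT_LOG, "analyst.a")
    transfer(item, "analyst.a", "evidence.locker", "secure storage pending analysis")
    transfer(item, "evidence.locker", "analyst.b", "checked out for analysis")
    intact = verify(item, SAMPLE_AUDIT_LOG, "analyst.b")
    # A copy with one line altered must fail verification and be logged as such.
    tampered_copy = SAMPLE_AUDIT_LOG.replace(b"auth success", b"auth failure")
    tampered_ok = verify(item, tampered_copy, "analyst.b")
    return {"record": asdict(item), "intact": intact, "tampered_ok": tampered_ok,
            "custody_entries": len(item.custody)}


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

The point of the design is that the hash is taken once, at collection, and every later party re-derives it from the bytes they hold; a mismatch is logged rather than silently discarded, so the custody record itself shows where integrity was lost.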

You’ll explore some of these techniques in this phase. The tasks presented in this phase may not make you a forensic investigator, but they lead to that path.


The tasks in this phase map to Domains 1, 2, 4, and 6 in the objectives for the CompTIA Security+ exam (www.comptia.org/certifications/listed/security.aspx).
