SANS Summit Question
During the recent SANS Forensic Summit, there were a number of questions handed to Rob during the panels that went unanswered due to time constraints. After the IR panel, I took a look at some of the yellow index cards with questions and grabbed one in particular to answer. The question I found was (no author info was available):
What is the worst thing an IR team internally will do?
As I kept thinking about this, I kept coming back to two answers...either do nothing at all, or do too much of the wrong thing. Now, I'm assuming with my response that an incident has been detected, the IR team has been called into action, and some kind of response process has been initiated. At that point, you very likely have something that occurred to indicate that there is an incident, so you may very well have sensitive data being actively exfiltrated from the environment, so doing nothing at all could be extremely detrimental/harmful to the organization.
On the other hand, grabbing systems, running AV scans, deleting files, even wiping systems and reinstalling them can also be harmful to the organization. In a typical breach situation, the questions that need to be answered are:
1. Was the system compromised?
2. Did the system contain some kind of sensitive data?
3. Did "yes" to #1 lead to the exposure/exfiltration of #2?
If you destroy the indicators or "evidence" of what occurred, and cannot therefore determine the answers to these questions, where does that leave you? If you're just re-installing everything with no idea of the attack/infiltration vector, how do you protect yourself in the future? Heck, how do you even know that you fixed the issue, particularly if you have no idea how long the bad guy or their malware have been on the systems? You may be re-installing the malware itself!
So then I thought to myself, why do IR teams (both internal and external) do this sort of thing? In my experience, a lot of times it has to do with assumptions that are made...very often, incorrect assumptions. Due to lack of knowledge, skills, tools, and/or training, IR teams are very often under the gun to provide answers to management, or just get things working again. If you don't know what to look for, it's simply easier to make assumptions without any hard data and proceed on from there. I mean, really...if you destroy the data, who's going to be able to question you? I'm not saying that this is being done maliciously...what I am saying is that I have seen both internal IR teams as well as consultants make some very unfounded SWAG statements about an incident with no data to back them up, and proceed on from there. Very often, I'll just stand there, shaking my head, as they charge off into the sunset.
So, what's myanswer? The question was about IR teams, and not specifically management...so I'd have to say that, IMHO, the worst thing an internal IR team can do is NOT take it upon themselves to develop their own knowledge and skill sets. "I don't know what to do because management won't send me to training" should be an indicator that you've got the wrong people on your team...both for internal teams as well as consulting companies that provide response services. Not everything is going to be included in a class, and having to sit in a classroom to learn something means that the team member (or members) are unavailable for that time. More importantly, if you do get the opportunity to attend a class, but are unable to process the information and use it in your environment, that basically means that you got a nice paid vacation...and to be honest, I'd much rather have one of those some place other than in a classroom!
In summary, the worst thing an IR team can do is not learn from their mistakes, and not take it upon themselves to expand their skill sets and improve their processes.
Thoughts?
What is the worst thing an IR team internally will do?
As I kept thinking about this, I kept coming back to two answers...either do nothing at all, or do too much of the wrong thing. Now, I'm assuming with my response that an incident has been detected, the IR team has been called into action, and some kind of response process has been initiated. At that point, you very likely have something that occurred to indicate that there is an incident, so you may very well have sensitive data being actively exfiltrated from the environment, so doing nothing at all could be extremely detrimental/harmful to the organization.
On the other hand, grabbing systems, running AV scans, deleting files, even wiping systems and reinstalling them can also be harmful to the organization. In a typical breach situation, the questions that need to be answered are:
1. Was the system compromised?
2. Did the system contain some kind of sensitive data?
3. Did "yes" to #1 lead to the exposure/exfiltration of #2?
If you destroy the indicators or "evidence" of what occurred, and cannot therefore determine the answers to these questions, where does that leave you? If you're just re-installing everything with no idea of the attack/infiltration vector, how do you protect yourself in the future? Heck, how do you even know that you fixed the issue, particularly if you have no idea how long the bad guy or their malware have been on the systems? You may be re-installing the malware itself!
So then I thought to myself, why do IR teams (both internal and external) do this sort of thing? In my experience, a lot of times it has to do with assumptions that are made...very often, incorrect assumptions. Due to lack of knowledge, skills, tools, and/or training, IR teams are very often under the gun to provide answers to management, or just get things working again. If you don't know what to look for, it's simply easier to make assumptions without any hard data and proceed on from there. I mean, really...if you destroy the data, who's going to be able to question you? I'm not saying that this is being done maliciously...what I am saying is that I have seen both internal IR teams as well as consultants make some very unfounded SWAG statements about an incident with no data to back them up, and proceed on from there. Very often, I'll just stand there, shaking my head, as they charge off into the sunset.
So, what's myanswer? The question was about IR teams, and not specifically management...so I'd have to say that, IMHO, the worst thing an internal IR team can do is NOT take it upon themselves to develop their own knowledge and skill sets. "I don't know what to do because management won't send me to training" should be an indicator that you've got the wrong people on your team...both for internal teams as well as consulting companies that provide response services. Not everything is going to be included in a class, and having to sit in a classroom to learn something means that the team member (or members) are unavailable for that time. More importantly, if you do get the opportunity to attend a class, but are unable to process the information and use it in your environment, that basically means that you got a nice paid vacation...and to be honest, I'd much rather have one of those some place other than in a classroom!
In summary, the worst thing an IR team can do is not learn from their mistakes, and not take it upon themselves to expand their skill sets and improve their processes.
Thoughts?
SANS Summit Question
Reviewed by 0x000216
on
Tuesday, July 14, 2009
Rating: 5