Corporate Security
What really happened? Why it’s so hard to get the truth when investigating an incident
By Tony Campbell, ASM Correspondent
Asia Pacific Security Magazine, p. 28

Something that all incident responders need to be reminded of is that people lie. When you start to look into the root cause of a security breach, there will almost certainly be times when you ask questions of certain users, administrators and even external agents, and the answers are intentionally less accurate than they could be. Let’s take a look at a few of the reasons why this happens and some ways you can cut through the lies and get to the truth of the matter.

Start with the Helicopter View…

When the red lights start flashing and the warning klaxon sounds, the incident manager sweeps in and starts gathering information about what happened, who it happened to and what has been affected by the ‘event’. They start by figuring out who was doing what when the problem was first detected, usually by asking simple questions: who was using the account that has been compromised, or whether any new software or other changes had been rolled out to the affected systems. The details the incident manager gathers in these very early stages are then used to frame and characterise the attack, and that characterisation is used to find further clues that may lead to solving the case.

This is where the problems can start. If a priority 1 incident has kicked off because an administrator did not do something they should have done, or because a user plugged in the USB thumb drive they found in the car park, their first reaction will be to lie to protect themselves. “Have you plugged anything foreign into that PC?” you ask. “Ummmm, nope,” they reply, casually glancing at the door and scratching their nose.

To coax people into telling the truth, try a different line of questioning, ideally starting from evidence pulled from the systems themselves, which they cannot plausibly deny. So, instead of asking, “Who’s put a dodgy USB drive in our computer system?”, find out from the logs who was logged in when the incident kicked off, then tell that person that attackers have been targeting businesses with USB drops and that you are looking for their help in the investigation, to work out how the attackers are targeting the business. This makes them feel part of the solution, so instead of feeling guilty they feel empowered to help fix the problem and ensure others don’t end up in the
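The system-side evidence described above, who was logged on to the suspect PC and which USB storage devices it has seen, is what you want in hand before the first interview. The script below is an added example, not part of the article; it assumes a Windows host, a local administrator session, and an incident window taken from the alert timestamp (the dates are placeholders). It reads interactive logons (Security event 4624), plug-and-play device events (Security event 6416, which only exists if the “Audit PNP Activity” policy is enabled) and the USBSTOR registry key, which records every USB mass-storage device Windows has ever enumerated.

```powershell
# Added example (not from the article): gather the evidence before the interview.
# Assumes a Windows host, local admin rights, and an incident window set from the alert.
$Start = Get-Date '2024-03-01 09:00'   # placeholder incident window
$End   = Get-Date '2024-03-01 11:00'

function Get-EventData($Event) {
    # Flatten the <EventData><Data Name="..."> pairs of an event into a hashtable
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# 1. Interactive (2), RemoteInteractive (10) and CachedInteractive (11) logons in the window.
#    This shows which accounts were on the box, not who was physically at the keyboard.
$Logons = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$Start; EndTime=$End} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = $d.LogonType
            Source    = $d.IpAddress
        }
    } | Where-Object { $_.LogonType -in @('2','10','11') }

# 2. New external devices recognised in the window (Security 6416).
#    Empty output means "PNP auditing is off" at least as often as it means "no device was plugged in".
$PnP = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6416; StartTime=$Start; EndTime=$End} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{ Time=$_.TimeCreated; Class=$d.ClassName; Device=$d.DeviceDescription; DeviceId=$d.DeviceId }
    } | Where-Object { $_.DeviceId -like 'USBSTOR*' -or $_.Class -eq 'DiskDrive' }

# 3. Every USB mass-storage device the host has ever enumerated. The key survives removal,
#    so it proves *that* a drive was used on this PC, not *when*; pair it with the 6416 timestamps.
$Usb = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $model = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            [pscustomobject]@{
                Model        = $model
                Serial       = $_.PSChildName
                FriendlyName = (Get-ItemProperty $_.PSPath).FriendlyName
            }
        }
    }

"Logons in window:";      $Logons | Format-Table -AutoSize
"PnP device events:";     $PnP    | Format-Table -AutoSize
"USB storage ever seen:"; $Usb    | Format-Table -AutoSize
```

Run it on the affected machine (or against a forensic image of its registry and event logs) before you speak to anyone, and keep the output to yourself during the conversation: the point of the evidence is to let you open with “we know a USB drive was connected to this PC at 10:12, we need your help working out where it came from”, not to confront the user with a printout. Two caveats worth noting: a shared or generic account in the 4624 list tells you nothing about who was at the keyboard, and an empty 6416 list on a host where USBSTOR is populated is a finding about your audit policy, which should go into the lessons-learned report in its own right.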