As impact/frequency of cyber attacks increase, so does frequency that #DFIR analyst & incident response lead reports/status updates get scrutiny from counsel (both internal & external)
In this thread I’m going to walk you through examples to head off potential issues w/counsel
You analyze system & find multi-gig encrypted RAR archive created over a month ago in common staging directory (C:\Users\Public has been popular) owned by account associated w/current incident. You write report - attacker stole XYZ data
You just made your first mistake w/counsel
From your perspective you found what the criminal was after (theft of sensitive XYZ data) - no attacker/criminal would go to all that effort and not go the last mile and steal the data
...but...
Client’s network logs have rolled (or never existed) & no pcap of the exfil’ed data
Counsel argues over your report - “but you have no evidence the data left the network” - even though the data was staged over a month ago
(I’m not making this up - this has happened to me many times)
So you change your report to say - the attacker “likely” stole the data
You just made your second mistake - in my experience counsel hates conjecture/speculation - “there are lots of things that likely or might have happened”
...back to the drawing board
In my experience - best phrasing is:
1) based on evidence it is reasonable to conclude that XYZ data was stolen by attacker
2) in my professional opinion - XYZ data was stolen by attacker
Both aren’t stating a fact - but a logical and/or informed conclusion from the evidence
More often than not - incident response cases have gaps in data. It’s like putting together puzzle without the box top & missing 20-60% of pieces (depending on how long ago incident occurred)
Your job is to paint a reasonable narrative of what occurred based on incomplete data
I use puzzle & missing box top analogy w/non-tech friends/family when describing IR
You start w/few puzzle pieces & get to ask investigative questions. Best teams have great tech, know “right” questions to get more puzzle pieces & how to analyze data to develop next “question”