What really happened? Why it’s so hard to get the truth when investigating an incident


Something that all incident responders need to be reminded of is that people lie. When you start to look into the root cause of a security breach, there will almost certainly be times when you ask questions of users, administrators and even external parties, and the answers you get are deliberately less accurate than they could be. Let’s take a look at a few of the reasons why this happens and at ways you can cut through the lies and get to the truth of the matter.

Start with the Helicopter View…

When the red lights start flashing and the warning klaxon sounds, the incident manager sweeps in and starts gathering information about what happened, who it happened to and what has been affected by the ‘event’. They start by figuring out who was doing what when the problem was first detected, usually by asking simple questions: who was accessing the account that has been compromised, or whether any new software (changes) had been rolled out to the affected systems. The details the incident manager gathers in these very early stages are then used to frame and characterise the attack, which in turn points to further clues that may lead to solving the case.

This is where the problems can start. If a priority 1 incident has kicked off because an administrator did not do something they should have done, or because a user plugged in that USB thumb drive they found in the car park, their first reaction will be to lie to protect themselves. “Have you plugged anything foreign into that PC?” you ask. “Ummmm, nope,” they reply, casually glancing at the door and scratching their nose…