By Mark McCullough – Technical Consultant

No matter what role you play in a company, you have responsibilities during a security incident. Do you know what to do when the panic button is hit?

If you aren’t part of the security team, most of your responsibilities during an information security incident deal with communication. First, you need to know who is on the security team so that if they reach out to you to provide instructions, you know it’s coming from an authorized source. Look up the team members and know their names before that happens.

An incident will have an assigned individual responsible for handling communication, as well as determining who should be briefed (i.e. “read in”) on the incident. Even if you are made part of the incident response team, unless explicitly authorized, no one, not even your manager, is to be briefed on the incident by you. You don’t know who the subject of the investigation is, and are often only briefed on a specific portion of the investigation. Communication with persons outside the company can cause even more harm. Leave that to the management-assigned external communications teams. Glomar (“I can neither confirm nor deny any information you may possess”) any such questions you get. Then report the query to the incident response team.

Another issue of communication is knowing to whom to report suspicious events. Many information security teams are small, insular by nature, and may not have thought to publish the correct reporting procedure. If in doubt, use your helpdesk. They’ll have the correct procedure to notify information security.

So what should you report? Anything that looks suspicious. The old cliché of “See something, say something” really does apply. Not everything you report will result in an incident, but you never know when that one thing you report is the last piece of evidence needed to discover an incident. It may even be as innocuous as your web browser opening to a different home page when you know you made no changes recently, or a $0.75 discrepancy on an account balance.

If working on an incident, write down your notes in ink. Use a bound notebook where pages cannot be added or removed, preferably with numbered pages. Engineering notebooks work best, but composition books will do if nothing better is available. Record the date and time and what you are doing. Writing down your notes separately from any online ticketing system may sound antiquated, but that bound notebook recorded in ink is an irrefutable record that cannot be altered without leaving evidence.

Your role in incidents doesn’t stop with making sure you communicate appropriately. You may be asked to do specific tasks to provide information for the incident: from surrendering a laptop to collecting copies of files with an observer, or even installing forensic agents on selected systems.

Follow the instructions of the incident response team. If you’re uncomfortable, ask questions. Ask if you can pull in another individual such as your manager. You’ll even be told how to provide the information, which may not be through the normal channels. Remember to record those tasks in your notebook; they’re part of your notes on the incident.

A security incident is stressful, but like any adverse situation, advance preparation can eliminate much of the headless chicken response.