Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:46 PM
John H. Sawyer
John H. Sawyer

Incident Response Prep Extends Beyond Tools, Training

Whenever you read information on how to perform forensics and incident response, there is a preparation phase that comes before anything else. Preparation steps cover how to prepare for dealing with an incident in your environment -- but what about making sure your environment is ready for an incident?

Whenever you read information on how to perform forensics and incident response, there is a preparation phase that comes before anything else. Preparation steps cover how to prepare for dealing with an incident in your environment -- but what about making sure your environment is ready for an incident?I've seen many incidents in which the team responsible for its handling had the standard forensic and IR tools in place. Their jump bag was ready to go with hard drives, forensic imaging equipment, laptops, etc., but when they approached the system in question, it was a proprietary or legacy system that wasn't supported by the typical cadre of forensic software available.

While legacy systems and proprietary systems may be absolutely necessary in some situations, more often I've seen them left hanging around because it's easier (and cheaper) to let them do what they do than to upgrade them to a more modern OS that's less esoteric and easier for IR staff to handle. This is a situation where "if it ain't broke, don't fix it" can seriously throw a monkey wrench into an investigation.

Legacy systems, however, are not the source of so many other problems I've come across. The number one core issue is changes made by system administrators and help desk staff during the course of managing systems and during troubleshooting that don't take into consideration what impact it will have if one of those systems is compromised and must be analyzed.

The best example is an issue that resulted from cached pages in an ERP Web portal. The users were experiencing odd behavior with stale pages and values in forms. Troubleshooting the issue led to a "fix," by having the cache and history cleared upon exit, or not record at all. Shortly after the "fix" was put in place, two incidents occurred that were complicated by it. One dealt with inappropriate Web surfing and the other was malware contracted through Web browsing.

I've seen several others, including turning off firewalls to troubleshoot a problem and never turning it back on, logging disabled not to be re-enabled, and other oversights. Some of the problems are from simple forgetfulness after solving a problem and not having any sort of auditing to confirm that settings were what they should be. The Web caching and history problem, though, was a workaround that no one ever considered the ramifications on other areas, such as IR and forensics.

There's no simple solution to preparing your environment to be ready for an incident. Knowing what's there and making sure you have the necessary tools to handle them is key, but so is having clearly defined policies that get regularly reviewed and updated to address changes in the environment. Security needs to be plugged into all the IT processes in an organization and not just be something that one group is responsible for.

This is one of those problems that I'm sure permeates organizations no matter what industry you're in. Leave a comment or send me an e-mail if you've run into the same problem and how you solved it (if you were able to).

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-11-13
P20 Pro, P20, Mate RS smartphones with versions earlier than Charlotte-AL00A, versions earlier than Emily-AL00A, versions earlier than NEO-AL00D NEO-AL00 have an improper validation vulnerability. The system does not perform...
PUBLISHED: 2019-11-13
P30 smartphones with versions earlier than ELLE-AL00B have an improper authorization vulnerability. The software incorrectly performs an authorization check when a user attempts to perform certain action. Successful exploit could allow the attacker to update a crafted package.
PUBLISHED: 2019-11-13
Huawei smartphones with versions earlier than Taurus-AL00B have an improper authentication vulnerability. Successful exploitation may cause the attacker to access specific components.
PUBLISHED: 2019-11-13
Smartphones with software of ELLE-AL00B,,,,,, have an insufficient verification vulnerability. The system does not verify certain par...
PUBLISHED: 2019-11-12
mysql-gui-tools (mysql-query-browser and mysql-admin) before 5.0r14+openSUSE-2.3 exposes the password of a user connected to the MySQL server in clear text form via the list of running processes.