Victim Notifications Series - Part 2: Post Notification

Recently we introduced the subject of Victim Notifications and emphasized the importance of preparing for a notification. In this post we'll discuss the actions to take following receipt of a victim notification.

First Steps

The first thing a response team must do is ensure the source and information from a victim notification is reliable.

Information is considered reliable if it originates from a trusted source such as law enforcement, recognized experts, or organizations in information security. Regardless of the source, it is always a good idea to verify the source's identity and contact information; particularly before revealing any sensitive information to the source.

Always obtain the source's contact information during the initial communication. You will need this to validate the source's identity and to ask follow-up questions. Validating the source's identity and their ability to answer follow-up questions will go a long way in determining the integrity of the information provided within the victim notification.

During the initial call, request a follow-up meeting or conference call to discuss the information in detail. Tell the source you need time to inform the necessary individuals in your organization. Use the time between the initial contact and follow-up meetings to research the source and assemble a team to review the initial information. Use public sources such as search engines and social networking sites to learn more about the source, the organization they represent, and their likely motivation for providing notification.

If the source suggests sending data to you electronically, request they encrypt the data prior to transmission.

Ask the Right Questions

During the follow-up discussion ask direct questions regarding the information the source is providing. Given the nature of the matter, it is reasonable to ask questions to help you understand how and when the data was collected. Ask the source how they obtained the information and over what period of time it was collected. This will help you determine the timeliness of the information (was the activity recent or did it occur six months ago?) as well as its origin (did the information "leak" from a vulnerability in your own network, or did the source identify it through some external means?).

Ask the source if they are able and willing to continue to collect and share information after the initial notification. Ongoing cooperation from the source may help you remediate the problem and determine if your remediation was successful. In other words, you will know remediation failed if the source continues to identify malicious activity after remediation.

One final question to ask is: "Who else knows about this and how much do they know?" It's much better to learn early and prepare if you need to address the issue with business partners, customers, stakeholders, and/or the media.

Launching the Intrusion Investigation

Once you have validated both the source and the source's information, the next logical step is to shift to intrusion investigation mode. Hopefully your organization has an Incident Response (IR) plan readily available. A well-crafted IR plan will guide the investigative strategy. Keep in mind that any specifics provided to you during the victim notification may only represent a fraction of the activity that has occurred or is occurring on your network - the tip of the iceberg. Your investigative team may need to take that small bit of information and use it to identify a much broader scope of activity.

You should consider the following critical questions in formulating your response:

  1. Do I need help investigating?
  2. What evidence should I collect and analyze?
  3. When and how did the breach occur?
  4. What did the attackers do? What did they take?
  5. What is the scope of the compromise?
  6. What was the attacker's probable motive?
  7. How do I remediate - when and how do I deny the attackers access?
  8. Do I have a legal or regulatory obligation to disclose the incident?
  9. Do I need or want to involve law enforcement?

The ability to answer the questions listed above depends largely on the investigative team's ability to identify, preserve and analyze evidence. Evidence commonly analyzed during an investigation includes: network logs, system logs, hard drives, memory dumps and malware. Throughout the analysis process, the team must recognize key artifacts and understand how to use the artifacts to discover additional compromised hosts. Deficiencies in evidence collection and analysis will prolong the investigation and provide attackers the time and freedom to further embed themselves in your network and conduct malicious activity.

Summary

Most organizations have not considered what to do when receiving a victim notification, and are rightfully suspicious when they receive a call. However, awareness of victim notifications, and taking the time to prepare for them, will go a long way in helping organizations recover from a breach.

Next week Kevin Albano will shift the focus to preparing victim notifications. He'll explore several issues to consider in preparing a notification for a potential victim.

If your question is sensitive in nature, email it to redphone@mandiant.com.