There can be many kinds of suspicious events, generated either by the system or by human watchfulness. Every suspicious event (as described in step 6) needs to be checked before a full formal investigation is launched. Such a situation can move in one of two directions:
- Heightened monitoring, if the event is a false positive or not a serious threat
- Immediate escalation, due to the seriousness of the event
The purpose of this step is to decide how to react to a suspicious event and to learn when to launch a full formal investigation.
When to launch a full formal investigation?
According to IJDE, once a suspicious event is detected you have to apply a preliminary business impact assessment based on the following considerations:
- Evidence of a reportable crime
- Evidence of internal fraud, theft, other loss
- Estimate of possible damages (a threshold may induce an escalation trigger)
- Potential for embarrassment, reputation loss
- Any immediate impact on customers, partners, or profitability
- Recovery plans have been enacted or are required
- The incident is reportable under a compliance regime.
If the malicious activity that you discover in your network matches most of the above-listed items, then you know what to do. If there is any indication of a major business impact, the decision to launch a full investigation has to be taken and an investigation team should be gathered without delay.
Just before proceeding with immediate event escalation and reaching out to the Computer Security Incident Response Team (CSIRT), IJDE advises answering the following questions:
- Can an investigation proceed at a cost in proportion to the size of the incident?
- How can any investigation minimize disruption to the business?
These questions need to be answered to assess the impact on the organization of the event response itself.
At this stage of the forensic readiness plan, you are already prepared to answer these questions with ready policies and incident response budget estimations. Refer to the third step of the forensic readiness plan.
Below are three signs that security teams look for when evaluating the potential damage and vulnerability of an event:
- Reconnaissance – if a high level of skill or knowledge of sensitive resources is used, then consider escalating.
- Compromise – if an attack shows knowledge of the organization or its sensitive resources, or appears focused on a particular objective, then consider escalating. If it cannot be prevented in the future (e.g. by patching the vulnerability), then escalate.
- Exploitation – escalate, unless trivial or closed-down.
It is always advisable to have a decision-maker who leads the event analysis prior to a possible escalation. If the escalation proceeds to a full formal investigation, that person becomes the investigation manager and is responsible for calling out the CSIRT and making informed decisions about further business-related steps.
From the first moment, all parties involved need to follow a written policy drawn up by the security team. In this way, all stakeholders know what to do without losing time and money on unnecessary meetings and planning.
In the next step, we will cover internal incident response awareness and training.